Re-wiring Activity of Malicious Networks

  • Conference paper
Passive and Active Measurement (PAM 2012)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 7192)

Abstract

This paper studies the AS-level re-wiring dynamics (changes in the connectivity) of malicious networks. Anecdotal evidence suggests that some malicious ASes that are primarily involved in nefarious activities on the Internet were sequentially de-peered by providers before their final cut-off (as occurred in the well-publicized cases of Atrivo/Intercage). We present the first systematic study of the re-wiring dynamics of malicious ASes. We tracked the ASes that were listed by Hostexploit over the last two years and compared their AS-level re-wiring dynamics with non-reported ASes. Using a publicly available dataset of Customer-Provider (CP) relations in the Internet’s AS graph, we studied how interconnection between autonomous systems evolves, both for ASes that provide connectivity for attackers and ASes that were not reported as malicious. We find that malicious networks are more aggressive both in forming links with providers and changing their upstream connectivity than other ASes. Our results indicate that the re-wiring dynamics of the networks that host attacks are stable over time, despite the evolving nature of the attacks themselves, which suggests that existing defense mechanisms could benefit from incorporating these features.

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Konte, M., Feamster, N. (2012). Re-wiring Activity of Malicious Networks. In: Taft, N., Ricciato, F. (eds) Passive and Active Measurement. PAM 2012. Lecture Notes in Computer Science, vol 7192. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28537-0_12

  • DOI: https://doi.org/10.1007/978-3-642-28537-0_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-28536-3

  • Online ISBN: 978-3-642-28537-0

  • eBook Packages: Computer Science, Computer Science (R0)
