Publication


Featured research published by Andrew J. Kalafut.


Internet Measurement Conference | 2006

A study of malware in peer-to-peer networks

Andrew J. Kalafut; Abhinav Acharya; Minaxi Gupta

Peer-to-peer (P2P) networks continue to be popular means of trading content. However, very little protection is in place to make sure that the files exchanged in these networks are not malicious, making them an ideal medium for spreading malware. We instrument two different open source P2P networks, Limewire and OpenFT, to examine the prevalence of malware in P2P networks. Our results from over a month of data show that 68% of all downloadable responses in Limewire containing archives and executables contain malware. The corresponding number for OpenFT is 3%. Also, most infections are from a very small number of distinct malware. In particular, in Limewire, the top three most prevalent malware account for 99% of all the malicious responses. The corresponding number for OpenFT is 75%. We also investigate the sources of malicious responses. To our surprise, 28% of all malicious responses in Limewire come from private address ranges. In OpenFT, the top virus, which accounts for 67% of all the malicious responses, is served by a single host. Further, our study provides a useful insight into filtering malware: filtering downloads based on the most commonly seen sizes of the most popular malware could block a large portion of malicious files with a very low rate of false positives. While current Limewire mechanisms detect only about 6% of malware containing responses, our size based filtering would detect over 99% of them.
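The size-based filter sketched at the end of that abstract, written out as an added example (this is not the paper's code or data). The rule is that the few most prevalent malware families appear in a few characteristic file sizes, so dropping responses whose (file type, size) matches one of those sizes catches most malicious files while touching few benign ones. The labelled responses, family names and file sizes below are constructed for the example.

```python
"""Size-based filtering of P2P download responses (added illustration)."""
import os
from collections import Counter, defaultdict

# Only archives and executables were considered in the study; other types pass.
FILTERED_TYPES = {".exe", ".scr", ".zip", ".rar"}

# Constructed, labelled responses: (file name, size in bytes, malware family or None).
LABELLED = [
    ("setup.exe", 139264, "family-A"),
    ("crack.exe", 139264, "family-A"),
    ("keygen.exe", 139264, "family-A"),
    ("patch.exe", 139264, "family-A"),
    ("installer.exe", 142336, "family-A"),   # a second packing of the same family
    ("movie.zip", 92672, "family-B"),
    ("album.zip", 92672, "family-B"),
    ("book.zip", 92672, "family-B"),
    ("rare.exe", 7777, "family-C"),          # a one-off that no size rule will cover
    ("notes.zip", 139264, None),             # benign archive sharing family-A's size
    ("track.mp3", 92672, None),              # not an archive/executable: never filtered
    ("game.exe", 1048576, None),
    ("photo.zip", 204800, None),
]


def file_type(name):
    return os.path.splitext(name)[1].lower()


def build_size_filter(labelled, top_families=2, sizes_per_family=2):
    """Return the (type, size) pairs of the most common sizes of the most
    prevalent families. Pairing the size with the file type keeps a benign
    archive from being blocked just because an executable of that size is
    malicious."""
    prevalence = Counter(fam for _, _, fam in labelled if fam)
    prevalent = [fam for fam, _ in prevalence.most_common(top_families)]
    sizes = defaultdict(Counter)
    for name, size, fam in labelled:
        if fam in prevalent:
            sizes[fam][(file_type(name), size)] += 1
    blocked = set()
    for fam in prevalent:
        blocked.update(key for key, _ in sizes[fam].most_common(sizes_per_family))
    return blocked


def is_blocked(name, size, blocked):
    ftype = file_type(name)
    return ftype in FILTERED_TYPES and (ftype, size) in blocked


def evaluate(blocked, responses):
    """Detection rate over malicious responses and false-positive rate over
    benign ones, for a labelled set of (name, size, family) responses."""
    tp = fn = fp = tn = 0
    for name, size, fam in responses:
        hit = is_blocked(name, size, blocked)
        if fam:
            tp += hit
            fn += not hit
        else:
            fp += hit
            tn += not hit
    return {
        "rules": len(blocked),
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
    }


if __name__ == "__main__":
    rules = build_size_filter(LABELLED)
    print(sorted(rules))
    print(evaluate(rules, LABELLED))
```

Evaluating on the same responses the rules were built from is optimistic; in practice the rules come from one measurement period and are scored on the next. Two caveats the abstract's numbers imply: the rules must be refreshed as the prevalent families change, and a malware author can defeat a pure size match by padding, which is why the rule is keyed on file type as well and why it complements rather than replaces content scanning.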


Internet Measurement Conference | 2008

Understanding implications of DNS zone provisioning

Andrew J. Kalafut; Craig A. Shue; Minaxi Gupta

DNS is a critical component of the Internet. This paper takes a comprehensive look at the provisioning of Internet domains and its impact on the availability of various services. To gather data, we sweep 60% of the Internet's domains for zone transfers. 6.6% of them allow us to transfer their complete information. We find that carelessness in handling DNS records can lead to reduced availability of name servers, email, and Web servers. It also undermines anti-spam efforts and the efforts to shut down phishing sites or to contain malware infections.


IEEE/ACM Transactions on Networking | 2012

Abnormally malicious autonomous systems and their internet connectivity

Craig A. Shue; Andrew J. Kalafut; Minaxi Gupta

While many attacks are distributed across botnets, investigators and network operators have recently identified malicious networks through high profile autonomous system (AS) depeerings and network shutdowns. In this paper, we explore whether some ASs indeed are safe havens for malicious activity. We look for ISPs and ASs that exhibit disproportionately high malicious behavior using 10 popular blacklists, plus local spam data, and extensive DNS resolutions based on the contents of the blacklists. We find that some ASs have over 80% of their routable IP address space blacklisted. Yet others account for large fractions of blacklisted IP addresses. Several ASs regularly peer with ASs associated with significant malicious activity. We also find that malicious ASs as a whole differ from benign ones in other properties not obviously related to their malicious activities, such as more frequent connectivity changes with their BGP peers. Overall, we conclude that examining malicious activity at AS granularity can unearth networks with lax security or those that harbor cybercrime.


IEEE Symposium on Security and Privacy | 2009

Phishing Infrastructure Fluxes All the Way

D.K. McGrath; Andrew J. Kalafut; Minaxi Gupta

Fast flux aims to keep phishing and scam campaigns afloat by provisioning a fraudulent Web site's domain name system records to make the site resolve to numerous, short-lived IP addresses. Although fast flux hurts takedown efforts, it's possible to detect and defend against it.
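What "detect" looks like in practice, as an added example (not the paper's code or data): repeated lookups of one name are reduced to a handful of features, and a name is flagged when a short TTL coincides with a large, constantly changing answer set that spreads across several autonomous systems. The lookups, the prefix-to-AS table and the thresholds are all constructed for the example.

```python
"""Flagging fast-flux candidates from repeated lookups (added illustration)."""
import ipaddress
from collections import defaultdict

# Constructed prefix -> AS table standing in for a BGP/whois lookup.
PREFIX_TO_AS = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "203.0.113.0/24": 64498,
    "100.64.0.0/10": 64499,
}
PREFIXES = [(ipaddress.ip_network(p), asn) for p, asn in PREFIX_TO_AS.items()]

# Constructed lookups: (seconds since start, name, TTL, A records returned).
LOOKUPS = [
    (0,   "login-bank.example", 180, ["192.0.2.10", "198.51.100.20", "203.0.113.30"]),
    (200, "login-bank.example", 180, ["192.0.2.11", "100.64.1.5", "203.0.113.31"]),
    (400, "login-bank.example", 180, ["198.51.100.21", "100.64.2.9", "192.0.2.12"]),
    (600, "login-bank.example", 180, ["203.0.113.32", "100.64.3.3", "198.51.100.22"]),
    (0,   "www.example", 86400, ["192.0.2.50", "192.0.2.51"]),
    (200, "www.example", 86400, ["192.0.2.50", "192.0.2.51"]),
    (400, "www.example", 86400, ["192.0.2.51", "192.0.2.50"]),
    # Short TTL and churning answers, but all inside one AS: looks like a CDN.
    (0,   "cdn.example", 60, ["203.0.113.100", "203.0.113.101", "203.0.113.102"]),
    (200, "cdn.example", 60, ["203.0.113.103", "203.0.113.104", "203.0.113.105"]),
]


def asn_for(ip):
    addr = ipaddress.ip_address(ip)
    for net, asn in PREFIXES:
        if addr in net:
            return asn
    return None


def flux_features(lookups):
    """Per name: distinct IPs, distinct ASes, smallest TTL and churn, where
    churn is the fraction of answers in each later lookup not seen before."""
    by_name = defaultdict(list)
    for ts, name, ttl, answers in sorted(lookups, key=lambda r: (r[1], r[0])):
        by_name[name].append((ttl, answers))
    features = {}
    for name, series in by_name.items():
        seen, asns, new, total = set(), set(), 0, 0
        for i, (ttl, answers) in enumerate(series):
            if i:
                new += sum(ip not in seen for ip in answers)
                total += len(answers)
            seen.update(answers)
            asns.update(asn_for(ip) for ip in answers)
        features[name] = {
            "ips": len(seen),
            "asns": len(asns - {None}),
            "min_ttl": min(ttl for ttl, _ in series),
            "churn": new / total if total else 0.0,
        }
    return features


def is_fast_flux(f, max_ttl=300, min_ips=6, min_asns=3):
    """Thresholds are assumptions for the example. Requiring AS diversity is
    what keeps a low-TTL CDN from being flagged on TTL and churn alone."""
    return f["min_ttl"] <= max_ttl and f["ips"] >= min_ips and f["asns"] >= min_asns


def classify(lookups):
    return {name: is_fast_flux(f) for name, f in flux_features(lookups).items()}


if __name__ == "__main__":
    for name, f in flux_features(LOOKUPS).items():
        print(name, f, "FLUX" if is_fast_flux(f) else "ok")
```

The CDN row is the important negative case: content-delivery networks also hand out short TTLs and rotate addresses, so a detector keyed only on TTL and churn produces false positives. Spreading a site's addresses over many unrelated ASes (compromised residential hosts) is the part a legitimate operator rarely does.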


International Conference on Computer Communications | 2010

Malicious Hubs: Detecting Abnormally Malicious Autonomous Systems

Andrew J. Kalafut; Craig A. Shue; Minaxi Gupta

While many attacks are distributed across botnets, investigators and network operators have recently targeted malicious networks through high profile autonomous system (AS) de-peerings and network shut-downs. In this paper, we explore whether some ASes indeed are safe havens for malicious activity. We look for ISPs and ASes that exhibit disproportionately high malicious behavior using 12 popular blacklists. We find that some ASes have over 80% of their routable IP address space blacklisted and others account for large fractions of blacklisted IPs. Overall, we conclude that examining malicious activity at the AS granularity can unearth networks with lax security or those that harbor cybercrime.
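The per-AS measurement that both this abstract and the Transactions on Networking paper above rest on, as an added example (not the papers' code or data). For each AS it answers the two questions the abstracts distinguish: what fraction of the AS's routable space is blacklisted, and what share of everything blacklisted the AS accounts for. A small AS can score high on the first and a large one on the second. Prefixes, AS numbers and list entries are constructed from documentation ranges and private AS numbers; the thresholds are assumptions.

```python
"""Per-AS blacklist concentration (added illustration)."""
import ipaddress

# Constructed BGP view: AS number -> announced prefixes.
AS_PREFIXES = {
    64496: ["192.0.2.0/24"],                          # small AS, mostly blacklisted
    64497: ["198.51.100.0/24", "203.0.113.0/24"],     # ordinary AS
    64498: ["10.0.0.0/8"],                            # large AS, small fraction but many entries
}

# Constructed blacklists; entries may be single addresses or CIDR blocks and
# may overlap across lists, which is why they are unioned before counting.
BLACKLISTS = {
    "list-a": ["192.0.2.0/25", "192.0.2.200", "10.1.2.3"],
    "list-b": ["192.0.2.128/26", "192.0.2.192/27", "192.0.2.200",
               "198.51.100.7", "10.200.0.0/16", "10.5.5.5", "10.5.5.6"],
}


def union_blacklist(blacklists):
    """Collapse all entries into disjoint networks so overlaps count once."""
    nets = [ipaddress.ip_network(e) for entries in blacklists.values() for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def overlap(net, prefix):
    """Number of addresses of `net` that lie inside `prefix`."""
    if net.subnet_of(prefix):
        return net.num_addresses
    if prefix.subnet_of(net):
        return prefix.num_addresses
    return 0


def as_statistics(as_prefixes, blacklist_nets):
    """Assumes the announced prefixes of different ASes do not overlap; with
    more-specific announcements from another AS an address would be counted
    twice and a longest-prefix match would be needed instead."""
    total_listed = sum(n.num_addresses for n in blacklist_nets)
    stats = {}
    for asn, prefixes in as_prefixes.items():
        nets = [ipaddress.ip_network(p) for p in prefixes]
        space = sum(p.num_addresses for p in nets)
        listed = sum(overlap(b, p) for b in blacklist_nets for p in nets)
        stats[asn] = {
            "space": space,
            "listed": listed,
            "fraction": listed / space,
            "share": listed / total_listed if total_listed else 0.0,
        }
    return stats


def abnormally_malicious(stats, min_fraction=0.8, min_share=0.5):
    """Thresholds are assumptions for this example, not the papers' values."""
    flagged = {}
    for asn, s in sorted(stats.items()):
        reasons = []
        if s["fraction"] >= min_fraction:
            reasons.append("fraction")
        if s["share"] >= min_share:
            reasons.append("share")
        if reasons:
            flagged[asn] = reasons
    return flagged


if __name__ == "__main__":
    listed = union_blacklist(BLACKLISTS)
    stats = as_statistics(AS_PREFIXES, listed)
    for asn, s in sorted(stats.items()):
        print(f"AS{asn}: {s['listed']}/{s['space']} listed "
              f"({s['fraction']:.2%} of space, {s['share']:.2%} of the blacklist)")
    print(abnormally_malicious(stats))
```

Unioning the lists first matters: the same address appears on several lists, and a CIDR entry on one list can swallow single-address entries on another, so counting raw entries would overstate both numbers. With a real BGP table the prefix lookup should be longest-match rather than the overlap sum used here.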


ACM Special Interest Group on Data Communication | 2012

On building inexpensive network capabilities

Craig A. Shue; Andrew J. Kalafut; Mark Allman; Curtis R. Taylor

There are many deployed approaches for blocking unwanted traffic, either once it reaches the recipients network, or closer to its point of origin. One of these schemes is based on the notion of traffic carrying capabilities that grant access to a network and/or end host. However, leveraging capabilities results in added complexity and additional steps in the communication process: Before communication starts a remote host must be vetted and given a capability to use in the subsequent communication. In this paper, we propose a lightweight mechanism that turns the answers provided by DNS name resolution - which Internet communication broadly depends on anyway - into capabilities. While not achieving an ideal capability system, we show the mechanism can be built from commodity technology and is therefore a pragmatic way to gain some of the key benefits of capabilities without requiring new infrastructure.


Internet Measurement Conference | 2007

The web is smaller than it seems

Craig A. Shue; Andrew J. Kalafut; Minaxi Gupta

The Web has grown beyond anybody's imagination. While significant research has been devoted to understanding aspects of the Web from the perspective of the documents that comprise it, we have little data on the relationship among servers that comprise the Web. In this paper, we explore the extent to which Web servers are co-located with other Web servers in the Internet. In terms of the location of servers, we find that the Web is surprisingly smaller than it seems. Our work has important implications for the availability of Web servers in case of DoS attacks and blocklisting.


ACM Transactions on Internet Technology | 2013

Resolvers Revealed: Characterizing DNS Resolvers and their Clients

Craig A. Shue; Andrew J. Kalafut

The Domain Name System (DNS) allows clients to use resolvers, sometimes called caches, to query a set of authoritative servers to translate host names into IP addresses. Prior work has proposed using the interaction between these DNS resolvers and the authoritative servers as an access control mechanism. However, while prior work has examined the DNS from many angles, the resolver component has received little scrutiny. Essential factors for using a resolver in an access control system, such as whether a resolver is part of an ISP’s infrastructure or running on an end-user’s system, have not been examined. In this study, we examine DNS resolver behavior and usage, from query patterns and reactions to nonstandard responses to passive association techniques to pair resolvers with their client hosts. In doing so, we discover evidence of security protocol support, misconfigured resolvers, techniques to fingerprint resolvers, and features for detecting automated clients. These measurements can influence the implementation and design of these resolvers and DNS-based access control systems.


Passive and Active Network Measurement | 2015

Characterizing Optimal DNS Amplification Attacks and Effective Mitigation

Douglas C. MacFarland; Craig A. Shue; Andrew J. Kalafut

Attackers have used DNS amplification in over 34% of high-volume DDoS attacks, with some floods exceeding 300 Gbps. The best current practices do not help victims during an attack; they are preventative measures that third-party organizations must employ in advance. Unfortunately, there are no incentives for these third parties to follow the recommendations. While practitioners have focused on reducing the number of open DNS resolvers, these efforts do not address the threat posed by authoritative DNS servers.
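Two things an operator of an authoritative server can measure and act on, as an added example (not the paper's code): how many bytes a single spoofed query can solicit, computed from raw query and response packets, and a response-rate limiter of the kind authoritative servers deploy so that a spoofed victim receives at most a few tiny packets. The record contents, source addresses and limiter parameters are constructed for the example; the limiter is a sketch of the idea, not a port of any particular server's implementation.

```python
"""DNS amplification factor and response rate limiting (added illustration)."""
import ipaddress
import struct
from collections import defaultdict, deque

TYPE_A, TYPE_TXT, TYPE_OPT, TYPE_ANY = 1, 16, 41, 255


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234, edns_bufsize=4096):
    """Standard query; the EDNS OPT record advertises a large UDP buffer,
    which is what lets one small packet solicit one large one."""
    arcount = 1 if edns_bufsize else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_bufsize:
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return pkt


def build_response(name, qtype, answers, txid=0x1234):
    """answers: list of (rtype, ttl, rdata bytes); owner names are left
    uncompressed, so sizes are an upper bound on a real server's output."""
    pkt = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)
    for rtype, ttl, rdata in answers:
        pkt += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return pkt


def amplification_factor(query, response):
    return len(response) / len(query)


# Constructed "fat" answer set: three 255-character TXT strings and two A records.
FAT_ANSWERS = [(TYPE_TXT, 3600, b"\xff" + b"x" * 255)] * 3 + [
    (TYPE_A, 300, bytes([192, 0, 2, 1])),
    (TYPE_A, 300, bytes([192, 0, 2, 2])),
]


class ResponseRateLimiter:
    """Sliding one-second window per (source /24, name). Over the limit, every
    `slip`-th response is sent truncated (TC=1, no answer data) so that a real
    client retries over TCP, and the rest are dropped. IPv4 sources only."""

    def __init__(self, responses_per_second=5, slip=2):
        self.limit = responses_per_second
        self.slip = slip
        self.history = defaultdict(deque)
        self.over = defaultdict(int)

    @staticmethod
    def key(source_ip, qname):
        net = ipaddress.ip_network(f"{source_ip}/24", strict=False)
        return (str(net), qname.lower())

    def decide(self, now, source_ip, qname):
        k = self.key(source_ip, qname)
        hist = self.history[k]
        while hist and now - hist[0] >= 1.0:
            hist.popleft()
        if len(hist) < self.limit:
            hist.append(now)
            return "answer"
        self.over[k] += 1
        return "slip" if self.over[k] % self.slip == 0 else "drop"


def simulate(limiter, queries):
    """queries: iterable of (time, source_ip, qname); returns decision counts."""
    counts = defaultdict(int)
    for now, src, qname in queries:
        counts[limiter.decide(now, src, qname)] += 1
    return dict(counts)


if __name__ == "__main__":
    q = build_query("example.test", TYPE_ANY)
    r = build_response("example.test", TYPE_ANY, FAT_ANSWERS)
    print(len(q), len(r), round(amplification_factor(q, r), 1))
    burst = [(i * 0.01, "203.0.113.7", "example.test") for i in range(10)]
    print(simulate(ResponseRateLimiter(responses_per_second=3), burst))
```

The limiter keys on the source /24 rather than the single address because a reflector sees the spoofed victim's address, and an attacker can spread spoofed sources across a victim's block. Slipping a truncated reply instead of dropping everything is what keeps legitimate resolvers behind the same /24 working: they retry over TCP, which cannot be spoofed. None of this helps a victim whose attacker uses other people's authoritative servers, which is the incentive problem the abstract points at.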


IEEE/ACM Transactions on Networking | 2011

Touring DNS open houses for trends and configurations

Andrew J. Kalafut; Craig A. Shue; Minaxi Gupta

The Domain Name System (DNS) is a critical component of the Internet. It maps domain names to IP addresses and serves as a distributed database for various other applications, including mail, Web, and spam filtering. This paper examines DNS zones in the Internet for diversity, adoption rates of new technologies, and prevalence of configuration issues. To gather data, we sweep 60% of the Internet's domains in June-August 2007 for zone transfers. Of them, 6.6% allow us to transfer their complete information. Surprisingly, this includes a large fraction of the domains deploying DNS security extensions (DNSSEC). We find that DNS zones vary significantly in size and some span many autonomous systems. Also, while anti-spam technologies appear to be getting deployed, the adoption rates of DNSSEC and IPv6 continue to be low. Finally, we also find that carelessness in handling DNS records can lead to reduced availability of name servers, e-mail, and Web servers. This also undermines anti-spam efforts and the efforts to shut down phishing sites or to contain malware infections.
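The "carelessness in handling DNS records" that this abstract and the 2008 Internet Measurement Conference paper above both report, made concrete as an added example (not the papers' code or data). It audits a zone that has already been obtained, here a constructed zone in a simplified one-record-per-line format with defects planted on purpose, and performs no zone transfer itself; the checks are for in-zone names that are referenced but cannot be reached.

```python
"""Auditing a transferred zone for dangling references (added illustration)."""
from collections import defaultdict

# Constructed zone; every name is fully qualified. Defects are planted on purpose.
ZONE = """\
example.test.        3600 IN SOA   ns1.example.test. hostmaster.example.test. 2007060101 7200 900 1209600 3600
example.test.        3600 IN NS    ns1.example.test.
example.test.        3600 IN NS    ns2.example.test.
example.test.        3600 IN NS    ns3.example.test.        ; no address record anywhere in the zone
example.test.        3600 IN MX    10 mail.example.test.
example.test.        3600 IN MX    20 backup.example.test.  ; no address record either
ns1.example.test.    3600 IN A     192.0.2.1
ns2.example.test.    3600 IN A     192.0.2.1                ; same host as ns1: no real redundancy
mail.example.test.   3600 IN A     192.0.2.10
www.example.test.    3600 IN CNAME web.example.test.        ; target does not exist
ftp.example.test.    3600 IN CNAME www.example.test.
"""


def parse_zone(text):
    """Parse `owner ttl class type rdata...` lines into (owner, type, rdata).
    Real AXFR output also has relative names, $ORIGIN/$TTL and multi-line
    records; a production tool should use a real zone parser."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records.append((owner.lower(), rtype.upper(), " ".join(rdata).lower()))
    return records


def audit_zone(records, origin):
    """Return (finding, name) pairs: lame in-zone name servers, a name-server
    set that collapses onto one address, and dangling MX and CNAME targets."""
    origin = origin.lower().rstrip(".") + "."
    rrsets = defaultdict(lambda: defaultdict(list))
    for owner, rtype, rdata in records:
        rrsets[owner][rtype].append(rdata)

    def in_zone(name):
        return name == origin or name.endswith("." + origin)

    def addresses_of(name):
        types = rrsets.get(name, {})
        return types.get("A", []) + types.get("AAAA", [])

    findings = []
    nameservers = rrsets[origin]["NS"]
    for ns in nameservers:
        if in_zone(ns) and not addresses_of(ns):
            findings.append(("lame_ns", ns))
    addresses = {a for ns in nameservers for a in addresses_of(ns)}
    reachable = [ns for ns in nameservers if addresses_of(ns)]
    if len(reachable) > 1 and len(addresses) == 1:
        findings.append(("ns_single_address", next(iter(addresses))))
    for mx in rrsets[origin]["MX"]:
        target = mx.split()[-1]          # rdata is "preference target"
        if in_zone(target) and not addresses_of(target):
            findings.append(("dangling_mx", target))
    for owner, types in list(rrsets.items()):
        for target in types.get("CNAME", []):
            if in_zone(target) and target not in rrsets:
                findings.append(("dangling_cname", owner))
    return findings


if __name__ == "__main__":
    for finding in audit_zone(parse_zone(ZONE), "example.test"):
        print(*finding)
```

Each finding maps to an availability effect the abstracts name: a lame NS and a name-server set on one address reduce name-server availability, a dangling MX loses mail, a dangling CNAME takes a Web host offline. The sweep itself is a separate step, and one to run only against zones you are authorized to test; a correctly provisioned zone answers a transfer request with REFUSED unless the requester is a configured secondary.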

Collaboration

Top co-authors of Andrew J. Kalafut:

Minaxi Gupta (Indiana University Bloomington)
Craig A. Shue (Worcester Polytechnic Institute)
Douglas C. MacFarland (Worcester Polytechnic Institute)
Abhinav Acharya (Indiana University Bloomington)
Christopher A. Cole (Indiana University Bloomington)
Curtis R. Taylor (Worcester Polytechnic Institute)
D.K. McGrath (Indiana University Bloomington)
Lei Chen (Indiana University Bloomington)