1. Spam Source Detection at Home (SSD@Home): canaan@anti-botnet.edu.tw, canaan@totoro.cs.nthu.edu.tw
2. Who am I? A programmer. C/C++, Win32 SDK, Linux Kernel Programming. A CEH. Anti-Botnet BoT.
3. Anti-Botnet
4. Anti-Botnet
5. Anti-Botnet
6. Anti-Botnet: Botnet IDS rule set
7. Anti-Botnet: Spam Source List.
8. Anti-Botnet
9. Anti-Botnet: Port Scan
10. Anti-Botnet
11. Anti-Botnet: Bot-like host distribution.
12. Anti-Botnet
13. Anti-Botnet: http://anti-botnet.edu.tw/ (TANet)
14. Outline: 1. SPAM 2. 3. 4. 5.
15. 1. SPAM
16. 1. SPAM: The Matrix. Cloud + = Matrix?
17. 1. SPAM: Spam Source. SPAM? SPAM (@_@)
18. 2. Botnet Honeypot
19. 2. Port Scan: port scan log, port scan target ports
20. 2. Port Scan Target Port Top 20 (2009/09-2009/12). Web Honeypot. Port 25, right?
21. 2. raw data
22. 2. 25 port: 1. 25 port Nessus 2. Open Relay? ! SMTP Server
23. 2. RFC 821 (?) mail server: HoneySMTPd
24. 2. SMTP
25. 2. HoneySMTPd: 1000 (in C). Trust me, you can make it too.
26. 4 pages.
27. 2. !?
28. 3. HoneySMTPd Open Relay
29. 3. HoneySMTPd 12: email address distribution (chart): Hinet 50.43%, Yahoo 41.01%, Others 8.56%
30. 3. email? email google
31. 3. SPAM Log List
32. 3. url
33. 3. HoneySMTPd: 78 SPAM-bot IP addresses (HoneySMTPd)
35. 3. botnet traffic: HoneySMTPd traffic, 120M SPAM traffic
38. 3. HoneySMTPd + public IP (port 25): 12 SPAM, 78 SPAM bot IP, 120M pure SPAM traffic. SETI@home
39. 4. Single Honeypot, Cooperative Honeypot, Honey Cloud. Detection Cloud: Detection as a Service (DaaS) (IDS rule)
40. 4. Honeypot Log
41. 4. HoneySMTPd Open Source 2010/08. Honey Cloud log: Map/Reduce
42. 4. The Anti-Botnet Project of TANet
43. 1. SPAM Source: Open Relay mail server? 2. 3. HoneySMTPd IP: TANet SPAM relay?
44. 1. Anti-Botnet Project / 2. Botnet 4. HoneySMTPd Open Source 5. HoneySMTPd
45. Thanks for your attention. Q&A. "As the host of heaven cannot be numbered, neither the sand of the sea measured." Jer 33:22

