Automatic Notification of Abnormal SMTP Traffic and Email Spam (lecture slides)

Uploaded 2024-07-22 | Format: PPT | 52 pages | 657.50 KB

Slide 1: Automatic Notification of Abnormal SMTP Traffic and Email Spam

Slide 2: Outline
1. Research motivation
2. Monitoring abnormal SMTP traffic
3. Correlation between spam and abnormal SMTP traffic
4. Automatic notification of spam events
5. Conclusions

Slide 3: 1. Research motivation
- Speed up email spam notification
- IP management-information lookup: the regional-network routing table and an RWhois query service
- Automatic notification of spam events
- Monitoring abnormal SMTP traffic: excessive flow counts, packet-density analysis
- Correlation between hosts with excessive SMTP traffic and reported spam relays/senders

Slide 4: 2. SMTP and spam delivery
SMTP transfer:
- The client queries DNS for the MX list and builds the mail delivery route
- The chain of mail relays/servers between sender and receiver is recorded, and the reverse-path is added to the mail header
- A two-way connection is opened with an SMTP relay and the message is passed along the SMTP route
- Each relay, after accepting the message, connects to the next relay and forwards it; the final delivery relay places the message in the user's mailbox

Slide 5: Spam
- UCE (Unsolicited Commercial Email)
- Spammers use automated harvesting programs to keep collecting addresses from newsgroups (BBS boards), mailing lists they join, addresses published on web pages, mail accounts on systems they have broken into, and sequentially generated account names
- Advertising mail is sent repeatedly and in dense bursts

Slide 6: Cost of spam
- At minimal cost, a spammer pushes a huge volume of advertising mail through the global network
- Internet users spend considerable connection fees, time and effort downloading, receiving and deleting large amounts of spam
- ISPs burn even more network and system resources repeatedly transferring junk mail, which disrupts normal mail delivery

Slide 7: Spam relays and infected hosts
- To avoid dealing with the flood of spam complaints, spammers use automated scanners to find unprotected SMTP servers to serve as spam relays/senders
- Advertising mail is sent to the harvested newsgroups, mailing lists and mail accounts, and recipient addresses are guessed
- Worms or attack programs are even spread through mail attachments to break into network hosts; the growing pool of infected hosts is then used to send and relay still more spam

Slide 8: Main ways to slow the exponential growth of spam
(1) Report spam events: removing one spam relay/sender removes millions of spam messages
(2) Monitor probable spammer hosts and their traffic: measure SMTP traffic and screen for abnormal volumes

Slide 9: Reporting spam events
- The network center sets up abuse mailboxes (abuse@domain, spam@domain, security@domain) that accept spam/junk reports about hosts in the IP ranges it administers
- Network users follow the spam route, extracting the sending host and relay servers from the "Received:" and "From:" header lines
- Reports go to the owners of the sending host and relay servers, and to spam report sites

Slide 10: Detecting probable spammer hosts and traffic
- Based on the traffic signature of spam, compute statistics on abnormal SMTP traffic: high frequency, conspicuously high SMTP connection counts, repeated and lasting several hours
- Helps administrators monitor abnormal mail traffic: check /var/log/maillog and check the user mailbox on that basis
- Find infected hosts early and notify users to patch the vulnerability

Slide 11: Email spam reported (July to November 2003)
- Total number of hosts per month handled by the Taoyuan regional network for spam notifications
- Main sources of abuse reports:
  - S: reports the relay server/sender of advertising mail
  - myNetWatch: reports hosts infected by CodeRed/Nimda (80/TCP) and SYN flooding (445/TCP, 17300/TCP, ...)
  - Universal or Paramount Pictures: notices of eDonkey hosts infringing intellectual property and the film files they store
  - Others

Slide 12: Table 1. Distribution of abuse hosts reported in the regional network (column split recovered from the run-together slide text)

    Month   Spam hosts   SYN flooding   Infringer hosts
    Jul     5            18             6
    Aug     15           22             5
    Sep     20           0              9
    Oct     11           3              6
    Nov     7            11             2

Slide 13: 3. Monitoring abnormal SMTP traffic
Traffic signature of spam:
- Frequently: conspicuously high frequency of SMTP connections
- Repeatedly: lasts for many hours
- Mean packet size: less than 100 bytes per packet, or more than 100 bytes per packet

Slide 14: Transport-layer traffic logs
All network operators depend on quantifiable traffic log data to evaluate network performance: TCPDUMP, NetFlow, sFlow, others.

Slide 15: Tcpdump
- A raw packet capture program
- Gathers the layer-4 transport traffic logs
- The dumped transport traffic logs carry the detailed fields of each IP packet header: source/destination IP addresses, source/destination application ports, protocol identity, number of packets, number of bytes, TCP operators (flags)

Slide 16: NetFlow
- Traffic records for flows forwarded by the router
- Flow-based layer-4 transport traffic log: source and destination IP address, source and destination application port, source and destination interface number, protocol identifier, packet count, byte count

Slide 17: Using NetFlow logs to compute abnormal SMTP traffic statistics for the regional network
- Accumulate SMTP serv_flow connection count statistics
- NetFlow logs gathered from the router of the aggregation network
- Threshold_100_flow: less than 100 connections: 99.72 %; more than 100 connections: 0.28 %
- Threshold_30_flow: less than 30 connections: 98.61 %

Slide 18: Table 2. Distribution of SMTP flow characteristics in the regional network

    Smtp_flowcount   Flow # (ratio)      Byte ratio
    1-10             136003 (94.78 %)    73.1 %
    11-30            5502 (3.83 %)       12.5 %
    31-70            1370 (0.95 %)       8.1 %
    71-100           231 (0.16 %)        1.1 %
    101-200          226 (0.16 %)        1.2 %
    201-1000         145 (0.10 %)        1.8 %
    >1000            15 (0.01 %)         2.2 %

Slide 19: SMTP traffic statistics/monitoring
- Monitor abnormal SMTP traffic per smtp_flow_i
- Combine several NetFlow features: SMTP service port, Src_IP and Dst_IP
  - src_IP -> dst_IP.(25)
  - src_IP.(25) -> dst_IP

Slide 20: Computing statistics for and monitoring abnormal SMTP traffic
- Accumulate SMTP traffic variables: by matching the IP protocol_id and application port, accumulate flow_smtp_flow_i, pkt_smtp_flow_i and byte_smtp_flow_i
- Sort and screen out the excessive syn_flows traffic
- Monitoring SMTP traffic: PHP + Apache

Slides 21-23: (monitoring screenshots; no text recovered)
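The accumulation described on slides 17 to 20 (match protocol and port, sum flow, packet and byte counts per source host, bin the hosts by flow count as in Table 2, then pick out the heavy senders) as an added example in Python. This is not code from the deck or its PHP monitor; the Flow record layout, the threshold default and the sample flows are constructed for the demonstration.

```python
"""Per-host SMTP flow statistics from NetFlow records (added example).

Not code from the deck: it demonstrates the accumulation the slides
describe (match protocol_id and application port, then sum flow, packet and
byte counts per source host), bins hosts by flow count using the Table 2
ranges, and picks out hosts above a flow-count threshold together with
their mean packet size.  The Flow record layout and the sample flows are
constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

TCP = 6
SMTP_PORT = 25

# Flow-count bins as in Table 2 of the deck; None means open-ended.
BINS = [(1, 10), (11, 30), (31, 70), (71, 100), (101, 200), (201, 1000), (1001, None)]


@dataclass
class Flow:
    """One NetFlow record (constructed field set: the fields the deck lists)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    packets: int
    octets: int


def bin_label(flow_count):
    """Map a per-host flow count to its Table 2 bin label, e.g. '11-30' or '>1000'."""
    for lo, hi in BINS:
        if flow_count >= lo and (hi is None or flow_count <= hi):
            return f"{lo}-{hi}" if hi is not None else f">{lo - 1}"
    return "0"


def accumulate_smtp(flows):
    """Sum flows, packets and bytes per source host over flows to dst port 25/TCP."""
    stats = defaultdict(lambda: {"flows": 0, "pkts": 0, "bytes": 0})
    for f in flows:
        if f.proto != TCP or f.dst_port != SMTP_PORT:
            continue  # not outbound SMTP: ignore
        s = stats[f.src_ip]
        s["flows"] += 1
        s["pkts"] += f.packets
        s["bytes"] += f.octets
    return dict(stats)


def heavy_senders(stats, threshold=100):
    """(src_ip, flow_count, mean_packet_size) for hosts above threshold, heaviest first."""
    out = [(ip, s["flows"], s["bytes"] / s["pkts"])
           for ip, s in stats.items() if s["flows"] > threshold]
    return sorted(out, key=lambda t: t[1], reverse=True)


def distribution(stats):
    """Histogram over the Table 2 bins: {bin_label: (host_count, share_of_bytes)}."""
    total_bytes = sum(s["bytes"] for s in stats.values()) or 1
    hist = defaultdict(lambda: [0, 0])
    for s in stats.values():
        h = hist[bin_label(s["flows"])]
        h[0] += 1
        h[1] += s["bytes"]
    return {label: (n, round(b / total_bytes, 4)) for label, (n, b) in hist.items()}


def sample_flows():
    """Constructed input: one bulk sender with short packets, one normal host, one web flow."""
    flows = [Flow("10.0.0.5", f"192.0.2.{i % 200 + 1}", 40000 + i, 25, TCP, 10, 800)
             for i in range(150)]                       # 150 SMTP connections, 80 B/packet
    flows += [Flow("10.0.0.9", "192.0.2.10", 41000 + i, 25, TCP, 20, 12000)
              for i in range(3)]                        # 3 connections, 600 B/packet
    flows.append(Flow("10.0.0.9", "192.0.2.10", 42000, 80, TCP, 5, 300))  # HTTP, ignored
    return flows


if __name__ == "__main__":
    stats = accumulate_smtp(sample_flows())
    print(heavy_senders(stats))
    print(distribution(stats))
```

The mean packet size returned by heavy_senders is the "packet density" the deck pairs with the flow count: the bulk sender in the sample comes out at 80 bytes per packet, below the 100-byte mark on slide 13, while the normal host averages 600 bytes.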

Slide 24: /var/log/maillog excerpt: a virus-carrying message accepted from a relay (mail addresses elided on the slide)

    Nov  3 20:25:58 smtp3 sendmail[7645]: [ID 801593 mail.info] hA3CPot1007645: from=<...>, size=64607, class=0, nrcpts=1, msgid=<...>, proto=SMTP, daemon=MTA, relay=[163.25.154.253]
    Nov  3 20:25:58 smtp3 sendmail[7645]: [ID 801593 mail.info] hA3CPot1007645: to=<...>, delay=00:00:06, mailer=relay, pri=30258, stat=queued
    Nov  3 20:26:45 smtp3 mailscanner[3948]: Virus W32/Yaha-P found in file ./hA3CPot1007645/disney.zip/DOCUME~1/Dennis/LOCALS~1/Temp/setup.exe
    Nov  3 20:26:51 smtp3 sendmail[7958]: [ID 801593 mail.info] hA3CPot1007645: to=<...>, delay=00:00:59, xdelay=00:00:00, mailer=relay, pri=120258, relay=140.115.17.89 [140.115.17.89], dsn=2.0.0, stat=Sent (hA3CP8k1016181 Message accepted for delivery)
    Nov  3 20:27:00 smtp3 mailscanner[3948]: Virus W32/Yaha-P found in file ./hA3CPot1007645/disney.zip/DOCUME~1/Dennis/LOCALS~1/Temp/setup.exe

Slides 25-26: (screenshots; no text recovered)

Slide 27: syslog excerpt: a burst of messages in the same second from relays that sendmail marks "(may be forged)", its note that the connecting host's name and address did not check out against each other in DNS (the last record is cut off on the slide)

    syslog: Oct 26 08:24:25 smtp3 sendmail[13433]: [ID 801593 mail.info] h9Q0ON2a013433: from=<...>, size=6998, class=0, nrcpts=1, msgid=<...>, proto=SMTP, daemon=MTA, relay=[216.22.24.81] (may be forged)
    syslog: Oct 26 08:24:25 smtp3 sendmail[13425]: [ID 801593 mail.info] h9Q0ON2a013425: from=<...>, size=6994, class=0, nrcpts=1, msgid=<...>, proto=SMTP, daemon=MTA, relay=[216.22.24.85] (may be forged)
    syslog: Oct 26 08:24:25 smtp3 sendmail[13435]: [ID 801593 mail.info] h9Q0ON2a013435: from=<...>, size=6971, class=0, nrcpts=1, msgid=<...>, proto=SMTP, daemon=MTA, relay=[216.22.24.81] (may be forged)
    syslog: Oct 26 08:24:25 smtp3 sendmail[13432]: [ID 801593 mail.info] h9Q0ON2a013432: from=<...>, size=6995, class=0, nrcpts=1, msgid=<...>, proto=SMTP, daemon=MTA, relay=[216.22.24.84] (may be forged)
    syslog: Oct 26 08:24:25 smtp3 sendmail[13434]: [ID 801593 mail.info] h9Q0ON2a013434: from=<...>, size=6965, class=0, nrcpts=1,
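A parser for the two kinds of maillog record shown on the slides above (the MailScanner virus hit tied to a sendmail queue id, and the same-second burst of "(may be forged)" envelope records), as an added Python example that is not code from the deck. It joins virus hits to the relay that delivered the message and counts injections per relay per second; the sample lines are constructed in the slides' format with placeholder mail addresses, and the burst threshold of three per second is an assumption.

```python
"""Parse sendmail maillog records and flag suspicious relays (added example).

Not code from the deck: the slides' log excerpts show a MailScanner virus
hit tied to a sendmail queue id and a burst of envelope records in the same
second from relays marked "(may be forged)".  This parser extracts the
relay address behind each queue id, links virus hits to that relay, and
counts injections per relay per second.  The sample lines are constructed
in the slides' format; the addresses in them are placeholders.
"""
import re
from collections import Counter

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)\[\d+\]: (?P<rest>.*)$")
QID_RE = re.compile(r"^(?:\[ID \d+ mail\.info\] )?(?P<qid>\w+): (?P<fields>.*)$")
RELAY_IP_RE = re.compile(r"\[([\d.]+)\]")
VIRUS_RE = re.compile(r"^Virus (?P<virus>\S+) found in file \./(?P<qid>\w+)/")


def parse_maillog(lines):
    """Return (messages, virus_hits).

    messages: {qid: {"ts", "relay_ip", "forged", "size"}} taken from the
    'from=' envelope record, the only record that names the injecting relay.
    virus_hits: [(qid, virus_name)] from MailScanner lines.
    """
    messages, virus_hits = {}, []
    for line in lines:
        line = line.strip()
        if line.startswith("syslog:"):          # some slides show a 'syslog:' prefix
            line = line[len("syslog:"):].strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["prog"] == "sendmail":
            q = QID_RE.match(m["rest"])
            if not q or not q["fields"].startswith("from="):
                continue
            fields = q["fields"]
            relay_part = fields.split("relay=", 1)[1] if "relay=" in fields else ""
            ip = RELAY_IP_RE.search(relay_part)
            size = re.search(r"size=(\d+)", fields)
            messages[q["qid"]] = {
                "ts": m["ts"],
                "relay_ip": ip.group(1) if ip else (relay_part.split()[0] if relay_part else None),
                "forged": "(may be forged)" in relay_part,
                "size": int(size.group(1)) if size else 0,
            }
        elif m["prog"] == "mailscanner":
            v = VIRUS_RE.match(m["rest"])
            if v:
                virus_hits.append((v["qid"], v["virus"]))
    return messages, virus_hits


def relay_bursts(messages, min_per_second=3):
    """Relays that injected at least min_per_second messages within one log second."""
    per_second = Counter((v["relay_ip"], v["ts"]) for v in messages.values())
    return sorted({ip for (ip, _), n in per_second.items() if n >= min_per_second})


def forged_relays(messages):
    """Relays whose reverse DNS did not check out (sendmail's '(may be forged)')."""
    return sorted({v["relay_ip"] for v in messages.values() if v["forged"]})


def virus_sources(messages, virus_hits):
    """Join each virus hit to the relay that delivered the message, via the queue id."""
    return [(qid, virus, messages.get(qid, {}).get("relay_ip")) for qid, virus in virus_hits]


# Constructed log excerpt in the slides' format (placeholder addresses).
SAMPLE_LOG = """\
Nov  3 20:25:58 smtp3 sendmail[7645]: [ID 801593 mail.info] hA3CPot1007645: from=<u@example.invalid>, size=64607, class=0, nrcpts=1, msgid=<m0@example.invalid>, proto=SMTP, daemon=MTA, relay=[163.25.154.253]
Nov  3 20:25:58 smtp3 sendmail[7645]: [ID 801593 mail.info] hA3CPot1007645: to=<r@example.invalid>, delay=00:00:06, mailer=relay, pri=30258, stat=queued
Nov  3 20:26:45 smtp3 mailscanner[3948]: Virus W32/Yaha-P found in file ./hA3CPot1007645/disney.zip/setup.exe
syslog: Oct 26 08:24:25 smtp3 sendmail[13433]: [ID 801593 mail.info] h9Q0ON2a013433: from=<a@example.invalid>, size=6998, class=0, nrcpts=1, msgid=<m1@example.invalid>, proto=SMTP, daemon=MTA, relay=[216.22.24.81] (may be forged)
syslog: Oct 26 08:24:25 smtp3 sendmail[13425]: [ID 801593 mail.info] h9Q0ON2a013425: from=<b@example.invalid>, size=6994, class=0, nrcpts=1, msgid=<m2@example.invalid>, proto=SMTP, daemon=MTA, relay=[216.22.24.85] (may be forged)
syslog: Oct 26 08:24:25 smtp3 sendmail[13435]: [ID 801593 mail.info] h9Q0ON2a013435: from=<c@example.invalid>, size=6971, class=0, nrcpts=1, msgid=<m3@example.invalid>, proto=SMTP, daemon=MTA, relay=[216.22.24.81] (may be forged)
syslog: Oct 26 08:24:25 smtp3 sendmail[13432]: [ID 801593 mail.info] h9Q0ON2a013432: from=<d@example.invalid>, size=6995, class=0, nrcpts=1, msgid=<m4@example.invalid>, proto=SMTP, daemon=MTA, relay=[216.22.24.84] (may be forged)
syslog: Oct 26 08:24:25 smtp3 sendmail[13434]: [ID 801593 mail.info] h9Q0ON2a013434: from=<e@example.invalid>, size=6965, class=0, nrcpts=1, msgid=<m5@example.invalid>, proto=SMTP, daemon=MTA, relay=[216.22.24.81] (may be forged)
"""

if __name__ == "__main__":
    msgs, hits = parse_maillog(SAMPLE_LOG.splitlines())
    print(relay_bursts(msgs), forged_relays(msgs), virus_sources(msgs, hits))
```

Only the from= record is used for the relay because sendmail's to= records repeat the queue id without it; keying everything on the queue id is what lets the later MailScanner line be traced back to the injecting host, which is the address an abuse report should name.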

Slide 28: Mail relay testing
- mrt (obtained from an FTP site; the address on the slide is cut off after "ftp:/")
- Usage: mrt -v test.patterns test.message host_ip_add

Slides 29-30: a host that refuses SMTP connections

    ann# ./mrt -v ./test.patterns ./test.message 163.25.121.245
    mrt: 163.25.121.245: Error connecting: Connection refused
    mrt: 163.25.121.245: Error connecting: Connection refused
    mrt: 163.25.121.245: Error connecting: Connection refused
    (the same line is printed for each remaining test pattern)

Slide 31: a host that accepts the relay test messages

    ann# ./mrt -v ./test.patterns ./test.message 163.25.70.1
    mrt: 163.25.70.1: Message accepted
    mrt: 163.25.70.1: Message accepted
    mrt: 163.25.70.1: Message accepted
    mrt: 163.25.70.1: SMTP error (553) reading MAIL response
    mrt: 163.25.70.1: Message accepted
    (Message accepted for the remaining patterns, apart from one more SMTP error (553) reading MAIL response on the last one)

Slide 32: a host that rejects the relay test messages at RCPT

    ann# ./mrt -v ./test.patterns ./test.message 140.115.17.128
    mrt: 140.115.17.128: SMTP error (550) reading RCPT response
    mrt: 140.115.17.128: SMTP error (550) reading RCPT response
    mrt: 140.115.17.128: SMTP error (553) reading RCPT response
    (every remaining pattern is rejected with 550 or 553 on RCPT)

Slide 33: Data analysis
- More than 70 % of the reported spam relays/senders can be picked out of the queue of abnormal SMTP hosts produced by the statistics
- Monitoring abnormal SMTP / SYN-flooding traffic uncovers both spam and network intrusion traffic

Slide 34: Table 2. Distribution of abuse hosts in the regional network (2003)

    Month      Spamming hosts   Hits in the radical SMTP senders   Ratio
    Aug-2003   16               12 of 16                           74 %
    Sep-2003   22               15 of 22                           73 %
    Oct-2003   8                6 of 8                             75 %
    Nov-2003   8                7 of 8                             88 %
    Dec-2003   9                7 of 9                             78 %
    Jan-2004   12               12 of 12                           100 %

Slide 35: 4. Automatic notification of spam events
- Spam/attack traffic notification events: spam notifications growing exponentially; excessive abnormal SMTP traffic
- Network administrators rely heavily on an IP management-information lookup system
- Notify the users and administrators of infected hosts so that they patch their systems
- Automatically block attack traffic to keep it from spreading further

Slide 36: Automatic spam-mail notification system
- Automatically query the IP management information and notify by email
- Pull the routers' ipRoute MIB over SNMP to quickly extract the large body of routing information for the connected networks
- Build an IP management-information lookup service: integrate the extracted routing table by NextHop with the contact files of the connected sites into an RWhois IP management database

Slide 37: ipRoute SNMP MIB
- Stores the routing information of the connected sites: network address, NetMask (identifier .1.3.6.1.4.21.2.1.11), NextHop (identifier .1.3.6.1.4.21.2.1.7)
- Mansfield G. used the ipRoute MIB, repeatedly searching the ipRoute MIB of routers at each layer, to construct the regional network topology automatically

Slide 38: Rebuilding the routing records
- Repeatedly extract the network-segment IP addresses with their NetMask and NextHop addresses
- Indexed by segment address, store a NetMask list and a NextHop list
- Combine the NetMask, NextHop and Segment queues to quickly rebuild the large ip_routing record file of the regional network

Slide 39: ipRouteMask OID walk

    ip.ipRouteTable.ipRouteEntry.ipRouteMask.192.192.40.0 = IpAddress: 255.255.252.0
    ip.ipRouteTable.ipRouteEntry.ipRouteMask.192.192.44.0 = IpAddress: 255.255.255.0
    ip.ipRouteTable.ipRouteEntry.ipRouteMask.192.192.45.0 = IpAddress: 255.255.255.0
    ip.ipRouteTable.ipRouteEntry.ipRouteMask.192.192.46.0 = IpAddress: 255.255.255.0

ipRouteNextHop OID walk

    ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.192.192.40.0 = IpAddress: 203.71.2.72
    ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.192.192.44.0 = IpAddress: 192.83.175.111
    ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.192.192.45.0 = IpAddress: 192.83.175.116
    ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.192.192.46.0 = IpAddress: 192.83.175.111

Slide 40: Merged records, NextHop, Dest., Netmask, Seg (Seg is the number of /24 blocks the prefix covers: 256 for a /16, 4 for a /22)

    203.72.244.226,140.115.0.0,255.255.0.0,256
    203.71.2.5,140.132.0.0,255.255.0.0,256
    203.71.2.61,140.135.0.0,255.255.0.0,256
    203.71.2.237,140.138.0.0,255.255.0.0,256
    203.71.2.209,192.192.40.0,255.255.252.0,4
    203.71.2.209,203.68.52.0,255.255.252.0,4

Slide 41: Why NextHop
- An IP logical address carries no management information
- The router looks up its routing table and switches each packet according to the NextHop record, out of the correct routing interface
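The rebuild described on slides 38 to 40 (parse the two ipRouteTable walks, join them by destination network, emit NextHop,Dest,Netmask,Seg records) as an added Python example; it is not the deck's own program. It also adds the longest-prefix lookup from an address to its NextHop that slide 41 motivates, since that lookup is what maps a reported host to the site responsible for it. The walk text is constructed from the format on slide 39, with one extra /16 row and one incomplete row to show how missing columns are handled.

```python
"""Rebuild routing records from an snmpwalk of the ipRouteTable (added example).

Not the deck's own program: it parses ipRouteMask and ipRouteNextHop rows
of the form shown on the slides, joins them by destination network into
the NextHop,Dest,Netmask,Seg records of the next slide (Seg = number of
/24 blocks the prefix covers), and adds a longest-prefix lookup from an
address to its NextHop.  The walk text is constructed from the slide's
format, with one extra /16 row and one incomplete row.
"""
import ipaddress
import re

ROW_RE = re.compile(
    r"ipRouteEntry\.(?P<col>ipRouteMask|ipRouteNextHop)\.(?P<dest>[\d.]+)"
    r"\s*=\s*IpAddress:\s*(?P<val>[\d.]+)"
)


def parse_walk(lines):
    """{dest_network: {"mask": ..., "nexthop": ...}} from both column walks."""
    table = {}
    for line in lines:
        m = ROW_RE.search(line)
        if not m:
            continue
        key = "mask" if m["col"] == "ipRouteMask" else "nexthop"
        table.setdefault(m["dest"], {})[key] = m["val"]
    return table


def segments(mask):
    """Number of /24 blocks covered by a netmask (256 for /16, 4 for /22, 1 for /24 and longer)."""
    plen = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    return 2 ** (24 - plen) if plen < 24 else 1


def build_routes(table):
    """(nexthop, dest, mask, seg) records, longest prefix first, for complete entries only."""
    routes = [(e["nexthop"], dest, e["mask"], segments(e["mask"]))
              for dest, e in table.items() if "mask" in e and "nexthop" in e]
    routes.sort(key=lambda r: ipaddress.ip_network(f"{r[1]}/{r[2]}", strict=False).prefixlen,
                reverse=True)
    return routes


def lookup_nexthop(routes, ip):
    """NextHop responsible for ip by longest-prefix match, or None if no route covers it."""
    addr = ipaddress.ip_address(ip)
    for nexthop, dest, mask, _ in routes:          # routes are sorted longest prefix first
        if addr in ipaddress.ip_network(f"{dest}/{mask}", strict=False):
            return nexthop
    return None


def to_csv(routes):
    """The slide's NextHop,Dest,Netmask,Seg text form."""
    return "\n".join(",".join(str(x) for x in r) for r in routes)


# Constructed walk output in the slide's format; the 10.9.0.0 row has no mask.
SAMPLE_WALK = """\
ip.ipRouteTable.ipRouteEntry.ipRouteMask.192.192.40.0 = IpAddress: 255.255.252.0
ip.ipRouteTable.ipRouteEntry.ipRouteMask.192.192.44.0 = IpAddress: 255.255.255.0
ip.ipRouteTable.ipRouteEntry.ipRouteMask.140.115.0.0 = IpAddress: 255.255.0.0
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.192.192.40.0 = IpAddress: 203.71.2.72
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.192.192.44.0 = IpAddress: 192.83.175.111
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.140.115.0.0 = IpAddress: 203.72.244.226
ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.10.9.0.0 = IpAddress: 203.71.2.1
"""

if __name__ == "__main__":
    routes = build_routes(parse_walk(SAMPLE_WALK.splitlines()))
    print(to_csv(routes))
    print(lookup_nexthop(routes, "140.115.17.89"))
```

Sorting the records longest prefix first matters when a site's /24 sits inside a larger aggregate with a different NextHop, as 192.192.44.0/24 does next to 192.192.40.0/22 in the sample: the first matching record is then the most specific one, so the notification goes to the right contact.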

Slide 42: RWhois shareware
- Uses the Mark Kosters DataBase (MKDB) for data management and queries
- rwhoisd: the database query server; rwhoisd_indexer: the database build program

Slide 43: RWhois server
- Building the IP management database server is the foundation of automatic spam notification
- Read the routing records and, by NextHop, match and extract the corresponding management contact file
- Build the RWhois network-schema relational record files
- Build the database index and provide a management-information query web page

Slide 44: Selected Network schema attributes
- IP-Network (segment address)
- Admin-Contact (administrator)
- Address (street address)
- Tel (contact phone)
- Updated-By (record creator)
- Updated (record creation date)

Slides 45-46: (screenshots; no text recovered)

Slide 47: Sendmail
- The most widely used mail transfer program
- The mail server accepts mail client connection requests through the sendmail daemon and relays mail hop by hop to the destination mail server
- It receives delivered user mail and stores it in the user's mailbox, the file /var/mail/user_name

Slide 48: Automated spam notification procedure
- Read the /var/mail/abuse buffer file
- Split it at the "From " lines and save each message separately
- Parse the message content and extract the attacking IP address
- Automatically connect to the RWhois server and query the IP management information
- Based on that information, forward the extracted message file to the administrator's/user's mailbox
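The five steps of slide 48 carried through in one added Python example (not the deck's own scripts): split the abuse mailbox at its "From " separators, pull the reported IPv4 addresses out of each complaint body, find the responsible contact and draft the forward. The RWhois query is stood in for by an in-memory list of constructed (network, contact) records that play the role of the IP-Network and Admin-Contact attributes from slide 44; the mailbox text and every address in it are constructed as well.

```python
"""Automated abuse-report handling over an mbox (added example).

Not the deck's own scripts: it walks the procedure of slide 48: read the
abuse mailbox, split it at the "From " separator lines, extract the
reported IP addresses from each complaint, find the responsible contact
for each address and draft the forward.  The RWhois query is stood in for
by an in-memory list of constructed (network, contact) records; the
mailbox text and addresses are constructed as well.
"""
import ipaddress
import re
from collections import defaultdict
from email import message_from_string

# Constructed stand-in for the RWhois IP-Network / Admin-Contact records.
NETWORK_CONTACTS = [
    ("140.115.0.0/16", "admin@ncu.example"),
    ("192.192.40.0/22", "noc@net40.example"),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def split_mbox(text):
    """Split mbox text into message strings at the 'From ' separator lines."""
    messages, current = [], []
    for line in text.splitlines():
        if line.startswith("From "):          # separator: flush the previous message
            if current:
                messages.append("\n".join(current))
                current = []
            continue
        current.append(line)
    if current:
        messages.append("\n".join(current))
    return messages


def extract_reported_ips(raw_message):
    """IPv4 addresses named in the complaint body (headers are not scanned)."""
    body = message_from_string(raw_message).get_payload()
    return sorted(set(IPV4_RE.findall(body)))


def find_contact(ip, networks=NETWORK_CONTACTS):
    """Longest-prefix match of ip against the management records; None if unmanaged."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net_text, contact in networks:
        net = ipaddress.ip_network(net_text)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, contact)
    return best[1] if best else None


def route_reports(mbox_text):
    """{contact: [(ip, subject), ...]}; addresses outside the managed ranges go to 'unassigned'."""
    routed = defaultdict(list)
    for raw in split_mbox(mbox_text):
        subject = message_from_string(raw)["Subject"]
        for ip in extract_reported_ips(raw):
            routed[find_contact(ip) or "unassigned"].append((ip, subject))
    return dict(routed)


def draft_forward(contact, items):
    """Text of the notification mail for one contact, one line per reported host."""
    lines = [f"To: {contact}", "Subject: Abuse reports for hosts in your network", ""]
    lines += [f"- {ip}: {subject}" for ip, subject in items]
    return "\n".join(lines)


# Constructed abuse mailbox: two complaints in mbox form.
SAMPLE_MBOX = """\
From reporter@example.invalid Mon Nov  3 20:30:00 2003
From: reporter@example.invalid
Subject: spam relayed via 140.115.17.89

Received spam; the relay was 140.115.17.89 at 20:26.

From other@example.invalid Mon Nov  3 21:00:00 2003
From: other@example.invalid
Subject: SYN flood from 192.192.41.9

Source 192.192.41.9 sent 50000 SYNs to our server 198.51.100.7.
"""

if __name__ == "__main__":
    for contact, items in route_reports(SAMPLE_MBOX).items():
        print(draft_forward(contact, items), end="\n\n")
```

A complaint usually also names the reporter's own victim host, as the second sample message does; routing addresses that fall outside the managed ranges into the "unassigned" bucket instead of guessing a contact keeps the automated forward from mailing a notice about a host the center does not administer.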

Slide 49: (no text recovered)

Slide 50: Automatic blocking and notification of attack traffic
- Periodically screen for excessive attack traffic and extract the attacking hosts' IP addresses
- For each host IP, automatically connect to the RWhois server and query the management information
- Based on that information, remotely configure the regional-network router to restrict the attacking host's traffic and stop the excessive attack traffic from spreading
- Connect to the RWhois query server, look up the management information, and automatically mail the administrator/user to help repair the infected system and remove the source of the attack traffic

Slide 51: 5. Conclusions
- Statistical detection of abnormal SMTP / web DoS traffic finds infected hosts and spam senders, and actively curbs disruptive SMTP traffic
- The automatic notification mechanism for spam/attack events raises the efficiency of spam notification and lightens the administrators' load of handling large volumes of complaints

Slide 52:
- Educate network users to be more alert to their mail servers being abused
- Strengthen the monitoring of abnormal network traffic: PING storm, SYN flooding, spam relay
- Share network attack patterns and defense experience
