Tag Archives: Team Cymru

Recompute Fall 2013 on SpamRankings.net

Glitches happen, and this one illustrates how rankings with big differences in spam volume are robust anyway.

A format change in an ancillary data source, detected through consistency checks, caused recomputations in selected rankings for September, October, and November 2013 on Classic.SpamRankings.net (Cloud.SpamRankings.net was unaffected). The old versions are preserved as v1 rankings, and the differences are visible for these overall rankings:

Geography    Recomputed rankings (Sep, Oct, Nov 2013; CBL and PSBL blocklists)
World        CBL** PSBL PSBL* PSBL**
BE           CBL PSBL PSBL PSBL
CA           CBL PSBL PSBL PSBL
TR           CBL PSBL CBL PSBL PSBL
US           CBL* PSBL PSBL PSBL
Countries    CBL PSBL CBL PSBL CBL PSBL

Medical
World        CBL** PSBL
US           PSBL
Countries    CBL* PSBL*

* Completely unchanged in rank order
** Unchanged except for dropout of final rank
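As an added example (not SpamRankings.net's own code), here is how the outcomes the footnotes distinguish can be checked programmatically when a ranking is recomputed. The volumes are constructed, using documentation-range AS numbers; their gaps are much larger than the few-percent change the recomputation introduces, which is why the order survives except in the final slot, where two small entries swap:

```python
"""Classify how a recomputed ranking differs from the preserved v1 version.

Added illustration for the recompute table above; not SpamRankings.net code.
The categories follow the table's footnotes as read here: '*' means the rank
order is completely unchanged, '**' means it is unchanged except that the
entry in the final rank dropped out. All volumes below are constructed.
"""


def compare_rankings(v1, v2):
    """Return 'unchanged', 'final-rank dropout', 'reordered', or 'changed'."""
    if v1 == v2:
        return "unchanged"
    # Only the last slot differs: the old final entry dropped out and the
    # rest of the list is identical (the '**' footnote).
    if len(v1) == len(v2) and v1[:-1] == v2[:-1]:
        return "final-rank dropout"
    if sorted(v1) == sorted(v2):
        return "reordered"
    return "changed"


def rank_by_volume(volumes, top=5):
    """Rank ASNs by spam volume, highest first (ties broken by name)."""
    ordered = sorted(volumes.items(), key=lambda kv: (-kv[1], kv[0]))
    return [asn for asn, _ in ordered[:top]]


def glitch_report(v1_volumes, v2_volumes, top=5):
    """Rank both data versions and say how the top-N order changed."""
    v1 = rank_by_volume(v1_volumes, top)
    v2 = rank_by_volume(v2_volumes, top)
    return {"v1": v1, "v2": v2, "verdict": compare_rankings(v1, v2)}


# Constructed sample (AS64496-AS64501 are documentation ASNs, RFC 5398):
# the recompute moves every volume by a few percent, but the gaps between
# the leading entries are far larger, so only the last rank changes.
V1 = {"AS64496": 9_200_000, "AS64497": 3_100_000, "AS64498": 1_400_000,
      "AS64499": 700_000, "AS64500": 120_000, "AS64501": 95_000}
V2 = {"AS64496": 8_900_000, "AS64497": 3_250_000, "AS64498": 1_360_000,
      "AS64499": 730_000, "AS64500": 90_000, "AS64501": 98_000}


if __name__ == "__main__":
    print(glitch_report(V1, V2))          # verdict: final-rank dropout
    print(glitch_report(V1, V2, top=4))   # verdict: unchanged
```

The same comparison can run as a consistency check before a recomputed ranking is published: a verdict of "changed" or "reordered" on a ranking whose volume gaps are large is a signal to look at the input data before trusting the new numbers.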

So the most noticeable rankings, for World, were

FireEye’s Ozdok Botnet Takedown Observed

FireEye coordinated a takedown of the Ozdok (MegaD) botnet on 5-6 Nov 2009, with cooperation from many ISPs and DNS registrars.

Good show! What effects did it have on spam? Not just spam from this botnet; spam in general.

Botnets and spam volume

This graph was presented at NANOG 48, Austin, TX, 24 Feb 2010, in the talk FireEye’s Ozdok Botnet Takedown In Spam Blocklists and Volume Observed, by the IIAR Project, CREC, UT Austin (John S. Quarterman, Quarterman Creations; Prof. Andrew Whinston, PI, CREC, UT Austin). That was a snapshot of an ongoing project, Incentives, Insurance and Audited Reputation: An Economic Approach to Controlling Spam (IIAR).

That presentation was enough to demonstrate the main point: takedowns are good, but we need a lot more of them and a lot more coordinated if we are to make a real dent in spam.

The IIAR project will keep drilling down in the data and building up models. One goal is to build a reputation system to show how effective takedowns and other anti-spam measures are, on which ASNs.

Thanks especially to CBL and to Team Cymru for very useful data, and to FireEye for a successful takedown.

We’re all ears for further takedowns to examine.

-jsq

Community Flow-spec Project

A lightning talk at NANOG 48, Austin, Texas, 22 Feb 2010, by John Kristoff, Team Cymru. See RFC 5575.

Update: PDF of presentation slides here.

+--------+--------------------+--------------------------+
| type   | extended community | encoding                 |
+--------+--------------------+--------------------------+
| 0x8006 | traffic-rate       | 2-byte as#, 4-byte float |
| 0x8007 | traffic-action     | bitmask                  |
| 0x8008 | redirect           | 6-byte Route Target      |
| 0x8009 | traffic-marking    | DSCP value               |
+--------+--------------------+--------------------------+
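As an added example (not part of the talk and not Team Cymru's prototype), the following Python encodes and decodes the four action communities in the table the way RFC 5575 section 7 specifies them: traffic-rate is a 2-byte AS number followed by an IEEE-754 float in bytes per second, with 0 meaning discard; traffic-action uses the low two bits of the last byte (terminal action and sample); redirect carries a Route Target made of a 2-byte AS and a 4-byte local administrator; traffic-marking carries a 6-bit DSCP in the last byte. AS 64496 is from the documentation range and the sample rules are constructed.

```python
"""Encode and decode the four BGP flow-spec action extended communities of
RFC 5575 section 7 (the 0x8006..0x8009 table above).

Added example for this page; not Team Cymru's prototype and not a full BGP
implementation. Each extended community is 8 bytes: a 2-byte type followed
by a 6-byte value. AS 64496 is from the documentation range (RFC 5398).
"""
import struct

TRAFFIC_RATE = 0x8006     # 2-byte AS (informational) + IEEE-754 float, bytes/sec
TRAFFIC_ACTION = 0x8007   # 6-byte bitmask; only the low 2 bits of the last byte are defined
REDIRECT = 0x8008         # 6-byte Route Target: 2-byte AS + 4-byte local administrator
TRAFFIC_MARKING = 0x8009  # 5 zero bytes + DSCP in the low 6 bits of the last byte

# RFC 5575 numbers the 6-byte value's bits 0..47 from the most significant
# bit, so bit 47 (terminal action) and bit 46 (sample) are the low two bits
# of the last byte.
ACTION_TERMINAL = 0x01
ACTION_SAMPLE = 0x02


def encode_traffic_rate(asn, bytes_per_sec):
    """A rate of 0.0 tells the receiver to discard all matching traffic."""
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("traffic-rate carries a 2-byte AS number")
    if bytes_per_sec < 0:
        raise ValueError("rate must be non-negative")
    return struct.pack(">HHf", TRAFFIC_RATE, asn, bytes_per_sec)


def encode_traffic_action(terminal=False, sample=False):
    flags = (ACTION_TERMINAL if terminal else 0) | (ACTION_SAMPLE if sample else 0)
    return struct.pack(">H5xB", TRAFFIC_ACTION, flags)  # 5 zero bytes, then flags


def encode_redirect(asn, local_admin):
    if not (0 <= asn <= 0xFFFF and 0 <= local_admin <= 0xFFFFFFFF):
        raise ValueError("redirect Route Target is 2-byte AS + 4-byte local admin")
    return struct.pack(">HHI", REDIRECT, asn, local_admin)


def encode_traffic_marking(dscp):
    if not 0 <= dscp <= 0x3F:
        raise ValueError("DSCP is a 6-bit value")
    return struct.pack(">H5xB", TRAFFIC_MARKING, dscp)


def decode(community):
    """Decode one 8-byte action community into a dict; reject anything else."""
    if len(community) != 8:
        raise ValueError("an extended community is exactly 8 bytes")
    (etype,) = struct.unpack(">H", community[:2])
    if etype == TRAFFIC_RATE:
        asn, rate = struct.unpack(">Hf", community[2:])
        return {"type": "traffic-rate", "as": asn,
                "bytes_per_sec": rate, "discard": rate == 0.0}
    if etype == TRAFFIC_ACTION:
        flags = community[7]  # bytes 2..6 are reserved and ignored here
        return {"type": "traffic-action",
                "terminal": bool(flags & ACTION_TERMINAL),
                "sample": bool(flags & ACTION_SAMPLE)}
    if etype == REDIRECT:
        asn, local_admin = struct.unpack(">HI", community[2:])
        return {"type": "redirect", "as": asn, "local_admin": local_admin}
    if etype == TRAFFIC_MARKING:
        return {"type": "traffic-marking", "dscp": community[7] & 0x3F}
    raise ValueError("not a flow-spec action community: 0x%04x" % etype)


def example_rules():
    """Constructed sample: discard, a ~8 Mbit/s cap, sampling, redirect, EF marking."""
    communities = [
        encode_traffic_rate(64496, 0.0),
        encode_traffic_rate(64496, 1_000_000.0),
        encode_traffic_action(terminal=True, sample=True),
        encode_redirect(64496, 100),
        encode_traffic_marking(46),  # DSCP 46 = Expedited Forwarding
    ]
    return [decode(c) for c in communities]


if __name__ == "__main__":
    for rule in example_rules():
        print(rule)
```

Checking the exact length and type before acting on a community is the minimum a receiver should do with rules that arrive from another network over BGP; the trust question the talk raises is about whether to honour a well-formed rule at all, which no parser can answer.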

A few selected points:

  • Dissemination of Flow Specification Rules
  • Think of filters (ACLs) distributed via BGP
  • BGP possibly not the right mechanism
  • Multi-hop real-time black hole on steroids
  • Abuse Handler + Peering Coordinator = Abeering Coordinator?
  • Traditional bogon feed as source prefix flow routes
  • A la carte feeds (troublesome IP multicast groups, etc.)
  • AS path prepend++
  • Feed-specific community + no-export
He showed some examples of specs for flows (I can’t type fast enough to transcribe those).

Trust issues for routes defined by victim networks.

Research prototype is set up. For questions, comments, setup, contact: http://www.cymru.com/jtk/

I like it as an example of collective action against the bad guys. How to deal with the trust issues seems the biggest item to me.

Hm, at least to the participating community, this is a reputation system.