Volume 16, Issue 1, March 2014 (pp. 1-16)

a b,* a b FFSN agent FFSN FFSN FFSN-Agent Flux-Agent Bot FFSN Fast-Flux Service Network FFSN Capture-Recapture Method CRM Joint hypergeometric maximum likelihood estimator JHE Flux-Agent

Estimating Population Size of Fast-Flux Domain - Using Joint Hypergeometric Maximum Likelihood Estimator Method

Tung-Ming Koo a, Hung-Chang Chang b
a Department of Information Management, National Yunlin University of Science and Technology
b Graduate Institute of Information Management, National Yunlin University of Science and Technology

Abstract

A Fast-Flux Service Network (FFSN) is one of the major threats on the Internet. It hides the attackers behind a group of agents, and in this way the attackers avoid being detected. The benefit of an FFSN to attackers is that their malicious websites are protected and their survival time is prolonged. The danger of FFSNs is becoming more serious, and a Flux-Agent may itself be a Bot node. Estimating the size of an FFSN reveals its degree of danger, but estimating that size is not easy. The purpose of this study is to estimate the population size of a Fast-Flux Service Network (FFSN). It uses the Joint hypergeometric maximum likelihood estimator (JHE) of the Capture-Recapture Method (CRM) to estimate the population size of Flux-Agents. By computing the JHE as implemented in Program NOREMARK, the population size can be found. The experimental results show that the population size can be found more quickly than by census.

Keywords: Capture-Recapture, Fast-Flux Service Networks, Size Estimation

* Corresponding author e-mail: g9823811@yuntech.edu.tw
DOI: 10.6188/JEB.2014.16(1).01
March 2014 1

1.
National Crime Squad High Tech Crime Team 2010 Bredolab Botnet Botnet Parket, 2012 Fast-Flux Service Networks FFSN FFSN DNS FFSN Round Robin DNS RR-DNS 2003 DNS agent Google Yahoo Fast-Flux Fast-Flux phishing 2009 FFSN IP ATLAS http://atlas.arbor.net/summary/fastflux Malware Domain List http://www.malwaredomainlist.com/
Capture-Recapture Method CRM Joint hypergeometric maximum likelihood estimator JHE Flux-Agent 2 3 FFSN JHE 4 5

2.
2.1 Round Robin DNS (RR-DNS)
RR-DNS IP Client DNS IP Client 2003 RR-DNS
(1) DNS RR-DNS
(2) DNS
(3) Client

2.2 Botnet
Bot IRC Channel Bot IRC Channel Scharrenberg, 2008 1999 IRC Bot SubSeven V2.1 Bot Bächer et al., 2007 Botnet Botnet Botmaster Botmaster Bot Bot Saha and Gairola, 2005 Botnet
DDoS Botmaster Botnet Spammer 50,000 100,000 Botnet Click fraud Daswani and Stoppelman, 2007

2.3 Fast-Flux Service Network (FFSN)
FFSN agent FFSN DNS Botnet Honeynet Project Project, 2007 FFSN fully qualified domain name, FQDN IP IP Round-Robin Time-To-Live, TTL IP FFSN FFSN agent TTL Client DNS HTTP MotherShip MotherShip 1 Honeynet Project Project, 2007 FFSN single-flux double-flux FFSN

2.3.1 Single-Flux Service Networks
2 eventdraw.com Fast-Flux domain
(1) DNS server eventdraw.com
(2) DNS server Fast-Flux DNS server
Figure 1 (Holz et al., 2008)
Figure 2 single-flux (Scharrenberg, 2008)
(3) Fast-Flux DNS server eventdraw.com IP
(4) DNS server IP
(5) IP FF Agent
(6) FF Agent Mothership Web server
(7) Mothership Web server FF Agent
(8) FF Agent
Mothership agents Mothership DNS server FFSN single-flux networks

2.3.2 Double-Flux Service Networks
Figure 3 shows an example of a double-flux network. What differs from single-flux is the name server: the request is connected to one of the agents rather than to the Fast-Flux name server, the agent then forwards the request to the Fast-Flux name server, and the reply is returned to the requesting name server. In this way the IP address of the Fast-Flux name server cannot be determined (Honeynet Project, 2007). FFSN
(1) single-flux networks DNS agent A Record 3 10
(2) FFSN agent
Figure 3 double-flux (Scharrenberg, 2008)
(3) double-flux networks round-robin A Record IP double-flux domain NS record
2007 FFSN fast-flux command and control C&C HTTP protocol 2012 Persisci FFSN FFSN FFSN Persisci et al., 2012

2.4 Capture-Recapture Method (CRM)
2006 closed Lincoln-Petersen open Jolly-Seber Jolly, 1965 2006 2005 Mane P2P Capture-Recapture Method CRM P2P Capture-Recapture Method P2P Mane et al., 2005 2007 Weaver Collins Netcraft Castlecops netblocks Weaver and Collins, 2007 2008 100000 P2P 2008 2008 Holz
Fast-Flux Domain Flux-Agent Holz et al., 2008 2012 P2P Botnet P2P Botnet Botnet peer list P2P Botnet P2P Botnet Koo et al., 2012

2.5 Population Estimation
Lincoln-Petersen Lincoln-Petersen Program CAPTURE; Jolly Seber Program SURGE Program POPAN Program NOREMARK Program MARK Program CARE-2 2006 Program NOREMARK Krebs, 1999 Program NOREMARK Program NOREMARK Joint hypergeometric maximum likelihood estimator JHE Immigration-emigration Minta and Mangel estimator Bowden's estimator Joint hypergeometric maximum likelihood estimator Minta and Mangel estimator Bowden's estimator Immigration-emigration Joint hypergeometric maximum likelihood estimator JHE Lincoln-Petersen i 2 2006

3.
FFSN agent FFSN FFSN
Joint hypergeometric maximum likelihood estimator JHE FFSN FFSN 4 FFSN A Record JHE 4 FFSN JHE
(1) The TTL of a DNS zone defaults to 86400 s (1 day). In the preliminary experiments of this study, the largest population found (TTL 10 s) numbered 3266 and took 32660 seconds to enumerate, which means that the whole population can be queried out before the DNS cache is refreshed.
(2) The size of the FFSN agent population does not change within a given time segment.
(3) Because an FFSN operates on RR-DNS, every A record has the same probability of being captured when the domain name is queried with dig.
(4) Because the FFSN size estimation is recorded automatically by the experimental system and stored in the database, no loss or misjudgment occurs.
FFSN JHE FFSN Fast-Flux Domain DNS query A Record query Fast-Flux Agent Fast-Flux
Domain Agent A Record DNS query TTL Time To Live TTL TTL Unit JHE $T_i$, $m_i$, $n_i$
(1) $T_i$: the number of marked individuals in the population before sampling occasion $i$
(2) $m_i$: the number of marked individuals captured in occasion $i$
(3) $n_i$: the number of individuals captured in occasion $i$
JHE i m i T i N

$$\Pr(m_i \mid N, T_i, n_i) = \frac{\binom{T_i}{m_i}\binom{N-T_i}{n_i-m_i}}{\binom{N}{n_i}}, \quad i = 1, \dots, k \qquad (1)$$

N n N joint likelihood function i T i N Ti k

$$L(N \mid T_i, n_i, m_i) = \prod_{i=1}^{k} \frac{\binom{T_i}{m_i}\binom{N-T_i}{n_i-m_i}}{\binom{N}{n_i}}, \quad i = 1, \dots, k \qquad (2)$$

N n maximum likelihood estimator, MLE JHE Closed Population Model Estimation 1 1 Chapman 1951

$$\hat{N}_i = \frac{(n_i+1)(T_i+1)}{m_i+1} - 1, \quad i = 1, \dots, k \qquad (3)$$

4.
4.1 Data Sources
Fast-Flux Domain FFSN ATLAS - Arbor Networks http://atlas.arbor.net/summary/fastflux Malware Domain List www.malwaredomainlist.com
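The estimator of section 3, equations (1) to (3), carried through in code as an added example; this is not the paper's experimental system nor Program NOREMARK. It assumes the natural reading of the symbols for repeated DNS queries: T_i is the number of distinct A-record IPs already seen before query i, n_i the number of A records returned by query i, and m_i how many of those were already seen; the query answers are constructed by simulation under assumption (3), not captured from a real fast-flux domain.

```python
import math
import random
from typing import List, Optional, Set, Tuple

Occasion = Tuple[int, int, int]  # (T_i marked before i, n_i caught at i, m_i of those already marked)

def occasions_from_queries(answers: List[Set[str]]) -> List[Occasion]:
    """Turn successive DNS answers (sets of A-record IPs) into JHE occasions.
    An IP counts as 'marked' once it has appeared in any earlier answer."""
    seen: Set[str] = set()
    occasions: List[Occasion] = []
    for ips in answers:
        occasions.append((len(seen), len(ips), len(ips & seen)))
        seen |= ips
    return occasions

def jhe_log_likelihood(N: int, occasions: List[Occasion]) -> float:
    """Log of eq. (2): the product over occasions of the hypergeometric term in eq. (1)."""
    ll = 0.0
    for T, n, m in occasions:
        if N < T + (n - m):          # N cannot be smaller than the distinct IPs seen so far
            return float("-inf")
        ll += (math.log(math.comb(T, m)) + math.log(math.comb(N - T, n - m))
               - math.log(math.comb(N, n)))
    return ll

def jhe_estimate(occasions: List[Occasion], n_max: Optional[int] = None) -> int:
    """The JHE: the integer N that maximises eq. (2), searched upward from the smallest feasible N."""
    lower = max(T + n - m for T, n, m in occasions)
    upper = n_max if n_max is not None else 10 * lower + 10
    return max(range(lower, upper + 1), key=lambda N: jhe_log_likelihood(N, occasions))

def chapman_estimate(T: int, n: int, m: int) -> float:
    """Eq. (3): Chapman's (1951) bias-corrected Lincoln-Petersen estimate from one occasion."""
    return (n + 1) * (T + 1) / (m + 1) - 1

def simulate_fast_flux_queries(n_agents: int, records_per_answer: int,
                               n_queries: int, seed: int = 1) -> List[Set[str]]:
    """Constructed stand-in for repeated 'dig' runs against one fast-flux domain: each
    answer is a uniform random subset of the agent pool, matching assumption (3)."""
    rng = random.Random(seed)
    pool = [f"10.0.{i // 256}.{i % 256}" for i in range(n_agents)]   # constructed, not real IPs
    return [set(rng.sample(pool, records_per_answer)) for _ in range(n_queries)]

if __name__ == "__main__":
    answers = simulate_fast_flux_queries(n_agents=300, records_per_answer=10, n_queries=40)
    occ = occasions_from_queries(answers)
    print("distinct IPs seen:", len(set().union(*answers)), "JHE estimate:", jhe_estimate(occ))
```

With 40 answers of 10 records from a pool of 300, the census has seen only part of the pool while the JHE already lands close to 300, which is the "faster than census" point of the abstract.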
2010/05 2012/08 Domain 1340 DNS query 4525237

4.2 System Environment
IP FFSN Domain Agent A Record A Record A Record Google DNS Server IP: 8.8.8.8

4.3 Empirical Data
JHE α 0.05 95% TTL *10 *400 10 JHE Fast-Flux Domain α 0.05 TTL 5 5 JHE IP TTL Unit
(1) IP 2766 3266 200 TTL Units TTL 10s 2000 Agent
(2) IP 1402 2525 130 TTL Units TTL 10s 1300 Agent
(3) IP 409 813 TTL *50 *370 TTL Units TTL 300s 3600s TTL Agent
erosocialka.ru 6 TTL 200 JHE 2.040221% -2.349344% 200 TTL Units JHE erosocialka.ru erosocialka.ru 4525237 DNS query 1340 Domain GEPHI Layout 7

4.5 Discussion of Results
FFSN JHE TTL Fast-flux Domain
(1) IP 2766 3266 200 TTL Units TTL 10s 2000 Agent
FFSN
(2) IP 1402 2525 130 TTL Units TTL 10s 1300 Agent
(3) IP 409 813 TTL *50 *370 TTL Units TTL 300s 3600s TTL Agent
TTL FFSN Fast-Flux Domain A Record IP 122.194.5.110 dartzofmybpull.ru shokoladdeath.ru 7 A Record Botnet

5.
Fast-Flux Service Network FFSN FFSN
FFSN FFSN BOT FFSN

5.1 Conclusions
(1) JHE FFSN TTL FFSN Fast-Flux Domain 14 FFSN
(2) A Record botnet
(3) FFSN 409 3266
(4) Domain Agent IP IP LIST Domain IP LIST ISP

5.2 Future Research Directions
TTL FFSN 8 25 TTL 200 FFSN TTL 500

References
2006 2006 2006 2008 P2P 44 6 99-101
25 FFSN 2009 DNS -Fast-Flux 66 74-78 2003 RR-DNS 2003
Bächer, P., Holz, T., Kötter, M., & Wicherski, G. (2008). Know your enemy: Tracking botnets. Retrieved October 29, 2009, from http://www.honeynet.org/papers/bots/
Daswani, N., & Stoppelman, M. (2007). The anatomy of Clickbot A. Proceedings of USENIX HotBots 07, Cambridge, USA.
Holz, T., Gorecki, C., Rieck, K., & Freiling, F. C. (2008). Measuring and detecting fast-flux service networks. NDSS Symposium 2008, San Diego, USA.
Jolly, G. M. (1965). Explicit estimates from capture-recapture data with both death and immigration-stochastic model. Biometrika, 52(1/2), 225-247.
Krebs, C. J. (1999). Ecological methodology (2nd ed.). USA: Benjamin Cummings.
Koo, T. M., Chang, H. C., & Liao, W. C. (2012). Estimating the size of P2P botnets. International Journal of Advancements in Computing Technology, 4(12), 386-395.
Mane, S., Mopuru, S., Mehra, K., & Srivastava, J. (2005). Network size estimation in a peer-to-peer network (TR 05-030). MN, USA: Department of Computer Science and Engineering, University of Minnesota.
Parket, L. (2010). Dutch national crime squad announces takedown of dangerous botnet. Retrieved January 27, 2014, from http://www.om.nl/actueel/nieuws-_en/@154338/dutch_national_crime/
Persisci, R., Corona, I., & Giacinto, G. (2012). Early detection of malicious flux networks via large-scale passive DNS traffic analysis. IEEE Transactions on Dependable and Secure Computing, 9(5), 714-726.
Salusky, W., & Danford, R. (2007). Know your enemy: Fast-flux service networks. Retrieved October 29, 2009, from http://www.honeynet.org/papers/ff
Saha, B., & Gairola, A. (2005). Botnet: An overview. India: Indian Computer Emergency Response Team.
Scharrenberg, P. (2008). Analyzing fast-flux service networks. Unpublished master's dissertation, University of Aachen, Germany.
Weaver, R., & Collins, M. (2007). Fishing for phishes: Applying capture-recapture methods to estimate phishing populations. Proceedings of the Anti-Phishing Working Group's 2nd Annual eCrime Researchers Summit, NY, USA.