Slide1
Malicious Hubs
Sarah Jaffer
Slide2
Malicious Hubs
PCs monitored by users
Varying levels of security
Autonomous Systems (AS) monitored by sysadmin
Same security within a system
Which is more valuable in a botnet?
Slide3
Malicious Hubs
Some AS have poor security
If one machine can be infected, many can
Some may be criminal
Either way, these malicious hubs need to be shut down
First, need to be identified
Slide4
Methodology
Aggregate blacklists of malicious IPs
Determine what AS (if any) they belong to
Longest prefix matching on IP
Evaluate AS using these statistics
Two methods
Slide5
Method 1
Ratio of malicious IP to total IP range
Total IP range is approximate
Blacklists may not have all malicious IPs
Wide variance in AS hostility
~0.6% to 9.25% of IP range compromised
Slide6
Method 2
Percentage of each blacklist database comprised of each AS
Characterizes different AS tendency towards different activity
Most small: 0.25% to 1%
Few large: 7% to 10%
Slide7
Conclusions
Methods identify AS which are either insecure or criminal
Enough evidence to hold them accountable?
How much do blacklists miss?
Other methods of evaluation?
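The pipeline from the Methodology, Method 1 and Method 2 slides, as an added example that is not code from the presentation: blacklisted IPs are mapped to an AS by longest prefix matching, then scored both ways. The prefix table, AS numbers and blacklist entries are constructed sample data (documentation ranges, private-use ASNs), and the function names are hypothetical.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample data (IPv4 only): documentation ranges, private-use ASNs.
PREFIXES = {"198.51.100.0/24": 64500, "198.51.100.128/25": 64501,
            "203.0.113.0/24": 64502}
BLACKLISTS = {
    "spam": ["198.51.100.7", "198.51.100.200", "203.0.113.9", "192.0.2.1"],
    "malware": ["198.51.100.130", "198.51.100.200", "198.51.100.7"],
}

def build_table(prefixes):
    """Parse prefixes and sort longest first, so the first hit is the best match."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in prefixes.items()]
    return sorted(nets, key=lambda e: e[0].prefixlen, reverse=True)

def lookup_as(table, ip):
    """Longest prefix match; None if no prefix covers the address."""
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in table if addr in net), None)

def as_sizes(table):
    """Approximate addresses per AS; a nested prefix is deducted from its parent."""
    sizes = Counter()
    for i, (net, asn) in enumerate(table):
        sizes[asn] += net.num_addresses
        parent = next((a for n, a in table[i + 1:]
                       if n.prefixlen < net.prefixlen and net.subnet_of(n)), None)
        if parent is not None:
            sizes[parent] -= net.num_addresses
    return sizes

def method1(table, blacklists):
    """Ratio of distinct blacklisted IPs to the approximate IP range of each AS."""
    bad = defaultdict(set)
    for ips in blacklists.values():
        for ip in ips:
            asn = lookup_as(table, ip)
            if asn is not None:
                bad[asn].add(ip)
    sizes = as_sizes(table)
    return {asn: len(ips) / sizes[asn] for asn, ips in bad.items() if sizes[asn] > 0}

def method2(table, blacklists):
    """Share of each blacklist's distinct entries that falls inside each AS."""
    shares = {}
    for name, ips in blacklists.items():
        hits = Counter(lookup_as(table, ip) for ip in set(ips))
        hits.pop(None, None)  # unmapped addresses still count in the denominator
        shares[name] = {asn: n / len(set(ips)) for asn, n in hits.items()}
    return shares

TABLE = build_table(PREFIXES)
```

The /25 announced by a different AS inside the /24 shows why the match must be longest-prefix: without it, both the attribution and the Method 1 denominator for the covering AS would be wrong.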