Analyzing the Aftermath of the McColo Shutdown

DiBenedetto, Steve; Massey, Dan; Papadopoulos, Christos; Walsh, Patrick J.

doi:10.1109/saint.2009.37

Cited by 7 publications

(3 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Most organizations run some version of spam filters at their local networks . These filters examine the content of each message as well as the IP address where the message came from, and if they match known spam signatures, the message is marked as spam.…”

Section: Monitoring Network Securitymentioning

confidence: 99%

Statistical methods for network surveillance

Jeske

Stevens

Tartakovsky

et al. 2018

Appl Stoch Models Bus & Ind

View full text Add to dashboard Cite

show abstract

Section: Monitoring Network Securitymentioning

confidence: 99%

Statistical methods for network surveillance

Jeske

Stevens

Tartakovsky

et al. 2018

Appl Stoch Models Bus & Ind

View full text Add to dashboard Cite

show abstract

“…By analyzing a trace from DShield.org logs [5], they observed that 80% of the malicious traffic is originated from the same 20% of the IP space. Finally, recent works studied the implications that shutting down MacColo [13] had to spamming activity [3], [4]. Both studies show a drop in spam volumes right after the server shut down.…”

Section: A Network Behavior Of Spammersmentioning

confidence: 99%

Network-level characteristics of spamming: An empirical analysis

Kokkodis

Faloutsos

Markopoulou

2011

2011 19th IEEE International Conference on Network Protocols

View full text Add to dashboard Cite

Abstract-Has the behavior of spammers changed over the last few years? To answer this question, we conduct a study from three recent data sources. Specifically, we focus on the following broad questions: (a) how are email addresses harvested, (b) where is spam coming from, and (c) how does spam evolve over time. First, we discuss whether spammers still use email harvesting : 34% of the honeypot accounts we publicised received spam after 72 days on average. Interestingly, we find that simple email address obfuscation is quite effective against harvesting. Second, we identify significant skew in the spatial distribution of the origin of spam in both the IP-level and AS-level of granularity. We find that 20% of the active IPs are responsible for 80% of the total volume of spam and that 10% of the spamming ASes are responsible for the 90% of the volume. Finally, we study the temporal characteristics of the spamming IPs and find that spam activity has spread to new /8 subnetworks since 2006. Considering these spatio-temporal trends, the future of anti-spam is mixed: the current skewed spatial distribution of spam sources could be helpful in filtering spam, but the fact that spam sources are spreading in the IP space is a worrisome sign.

show abstract

“…To this end, there are numerous micro-ISPs that purchase Internet in bulk from providers owning a backbone and offer it to subscribers at appealing prices. Cases where micro-ISPs were affiliated with illegal activities have been recorded in the past [DMPW09]. In the majority, these activities refer to SPAM and malware distribution.…”

Section: Untrusted Ispsmentioning

confidence: 99%

Modern techniques for the detection and prevention of web2.0 attacks

Αθανασόπουλος¹

View full text Add to dashboard Cite

In this dissertation we examine web exploitation from a number of different perspectives.First, we introduce return-to-JavaScript attacks; a new flavor of Cross-Site Scripting (XSS), which is able to escape script whitelisting. Second, we design xJS, a system that can prevent code injections of JavaScript in web applications. xJS is based on the concept of Instruction Set Randomization (ISR) for isolating legitimate JavaScript from malicious injections. We evaluate xJS and show that the overhead it imposes in the server's and the client's side is negligible, since xJS is based on the fast XOR operation. Third, we deliver a more fine-grained randomization framework for web applications, RaJa, which can efficiently cope with language mixing. RaJa can successfully extract and randomize the JavaScript source code of real-world applications, which experience heavy code-mixing (i.e. JavaScript is mixed with a server-side programming language, such as PHP). Forth, we present xHunter, a network-level detector, which is able to locate JavaScript fragments in the body of URLs. With the assistance of xHunter we deliver an extensive analysis of the largest to date web-attack repository, XSSed.com. This particular repository hosts about 12,000 incidents of web exploitation. Our analysis identifies that 7% of all examined web attacks do not use any markup elements, such as