<<<
Chronological Index
>>> <<<
Thread Index
>>>
RE: [gnso-ff-pdp-may08] Data from Secure Identity Systems?
- To: "Fast Flux Workgroup" <gnso-ff-pdp-May08@xxxxxxxxx>
- Subject: RE: [gnso-ff-pdp-may08] Data from Secure Identity Systems?
- From: "Diaz, Paul" <pdiaz@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 15 Jul 2008 09:20:17 -0400
Does anyone have a contact at Brentwood, TN-based Secure Identity
Systems? They just issued a press release touting their new
anti-phishing services
(http://www.marketwatch.com/News/Story/Story.aspx?guid={E5361420-F8B9-4A
F4-B130-57BF8F55D698}&siteid=nbkh), and might have useful data for this
WG.
Secure Identity Systems is the leading provider of managed,
total identity theft protection systems that safeguard financial
institutions, businesses, individuals, and households. SIS'
anti-phishing services enable banks, credit unions, and other
financial organizations to track the occurrence of their name, brands,
trademarks, and slogans on the Internet.
The service identifies phishing attacks, where e-mails and Web
sites that display the financial institution's brand are used
to trick unwary consumers into providing account and logon information.
The technology uses extensive Internet surveying, which works by
comparing the authentic Web site with a continuously updated database
that includes over 172 million Web sites and domain names, SSL
certificates, and feeds of phishing data from multiple sources.
That's only the beginning: after a phishing site is detected,
countermeasures are launched to take down the phishing site.
First, access to the site is restricted in popular browsers and security
products, reducing its ability to lure and entrap consumers. The
service then contacts the site owner, the ISP responsible for
hosting the site, the domain registrar, upstream provider, and law
enforcement to have the phishing site taken down. Once a site is
taken down, the service will continue to monitor the site from various
monitoring points around the world.
For more information about Secure Identity Systems' array of
services, please visit www.secureidentitysystems.com or call
615-377-7661.
-----Original Message-----
From: owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Mike O'Connor
Sent: Monday, July 14, 2008 4:52 PM
To: Fast Flux Workgroup
Cc: Jose Nazario
Subject: [gnso-ff-pdp-may08] Data from Arbor Networks
Many thanks to Joe St Sauver for putting me in touch with Jose Nazario
of Arbor Networks. "Arbor Networks is a leading provider of secure
service control solutions for global networks. Arbor's customers include
over 70 percent of the world's ISPs and many large enterprises. By
providing unmatched network-wide visibility, Arbor solutions deliver
best-in-class network security, traffic management, network monitoring,
bandwidth management and broadband service optimization " (from their
web site).
Jose has offered to help us out on the fact-gathering front. here's his
email, responding to some very general questions that I just posed to
him. I wanted to share this with the group as a great
example of a helpful partnership and resource. Many thanks Jose!
I asked Jose whether these numbers are a good representation of the
total numbers, or are they sub-totals (based on the networks that
they're monitoring). He says it's independent of their sensors. He
goes on to say that they get candidate domains from an internal spam
feed, malcode URLs and a few blacklists. They screen for "fluxy"
characteristics and then track the live ones.
Here's a presentation to FIRST (last month) that he shared with me. I
found it very interesting, all the way from data-presented to issues
that we're charged with looking into. Worth the read IMHO;
http://monkey.org/~jose/presentations/first08.d/ATLAS%20Fastflux%20NSM-S
IG.pdf
Here's his email response to my broadly-framed questions (I promised him
that our questions would get more carefully-crafted);
>Date: Mon, 14 Jul 2008 14:39:22 -0400 (EDT)
>From: Jose Nazario <jose@xxxxxxxxx>
>To: Mike O'Connor <mike@xxxxxxxxxx>
>cc: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
>Subject: Re: fast flux data for ICANN
>X-Antivirus: AVG for E-mail 8.0.138 [270.4.10/1551]
>
>On Mon, 14 Jul 2008, Mike O'Connor wrote:
>
>>- the scale and scope of fast-flux activities (ie, what percent of IP
>> addresses, and what percent of domain-names are used for
fast-flux?)
>
>ATLAS measures fast flux botnet membership via active polling of the
>domain names. that said, ATLAS sees ~3000 unique IPs for those
>addresses every 24 hours or so.
>
>ATLAS is currently tracking ~6400 fast flux domain names.
>
>both values are sub 1% for their entity class. even if we're off by
>a reasonsable factor of 10 it's just not a "big" problem in terms of
>populations.
>
>active polling gives us between 1 and 5 % botnet visibility for
>botnets using fast flux (a small minority of all botnets) when we
>compare actve botnet measurements vs DNS-based methods.
>
>>- the impact of fast flux (how many networks, businesses, etc. suffer
>> harm -- and what kind of harm)
>
>there are at least two sides to the "harm" question: infected
>machines participating in the fast flux network and victims who
>click the links to go there (ie folks lured in by the storm worm
>campaigns). the latter is well measured by various groups. the
>former is something we can eastimate in ATLAS.
>
>here's top 20 ASNs by infected bot count in the past 24 hours:
>
> 150 | AS7132 SBIS-AS - AT&T Internet Services
> 121 | AS8708 RDSNET RCS & RDS S.A.
> 117 | AS8402 CORBINA-AS Corbina Telecom
> 88 | AS9121 TTNET TTnet Autonomous System
> 72 | AS5617 TPNET Polish Telecom's commercial IP network
> 57 | AS8997 ASN-SPBNIT OJSC North-West Telecom Autonomous System
> 53 | AS13184 HANSENET HanseNet Telekommunikation GmbH
> 50 | AS8615 CNT-AS CNT Autonomous System
> 50 | AS8551 BEZEQ-INTERNATIONAL-AS Bezeqint Internet Backbone
> 50 | AS4766 KIXS-AS-KR Korea Telecom
> 47 | AS9304 HUTCHISON-AS-AP Hutchison Global Communications
> 47 | AS12714 TI-AS NetByNet Holding
> 43 | AS4837 CHINA169-BACKBONE CNCGROUP China169 Backbone
> 43 | AS3209 Arcor IP-Network
> 36 | AS9829 BSNL-NIB National Internet Backbone
> 36 | AS6830 UPC UPC Broadband
> 36 | AS1680 NetVision Ltd.
> 32 | AS6746 ASTRAL ASTRAL Telecom SA, Romania
> 32 | AS3320 DTAG Deutsche Telekom AG
>
>
>none of these stand out as a big corporation like microsoft or GM
>(as opposed to consumer broadband).
>
>based on these numbers i would say the scale of the problem just
>based on populations is small.
>
>i think there is more to it than that, including dollar values,
>stress on the infrastructure, facilitating spam and fraud, etc.
>
>-------------------------------------------------------------
>jose nazario, ph.d. <jose@xxxxxxxxx>
>security researcher, office of the CTO, arbor networks
>v: (734) 821 1427 http://asert.arbornetworks.com/
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|