Fingerprinting custom botnet protocol stacks

Authors

Steve DiBenedetto, Colorado State University
Kaustubh Gadkari, Colorado State University
Nicholas Diel, Engineerity, LLC
Andrea Steiner, Colorado State University
Dan Massey, Colorado State University
Christos Papadopoulos, Colorado State University

Abstract

This paper explores the use of TCP fingerprints for identifying and blocking spammers. Evidence has shown that some bots use custom protocol stacks for tasks such as sending spam. If a receiver could effectively identify the bot TCP fingerprint, connection requests from spam bots could be dropped immediately, thus reducing the amount of spam received and processed by a mail server. Starting from a list of known spammers flagged by a commercial reputation list, we fingerprinted each spammer and found the roughly 90% have only a single known fingerprint typically associated with well known operating system stacks. For the spammers with multiple fingerprints, a particular combination of native/custom protocol stack fingerprints becomes very prominent. This allows us to extract the fingerprint of the custom stack and then use it to detect more bots that were not flagged by the commercial service. We applied our methodology to a trace captured at our regional ISP, and clearly detected bots belonging to the Srizbi botnet. ©2010 IEEE.

Publication Title

2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010

Recommended Citation

DiBenedetto, S., Gadkari, K., Diel, N., Steiner, A., Massey, D., & Papadopoulos, C. (2010). Fingerprinting custom botnet protocol stacks. 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010, 61-66. https://doi.org/10.1109/NPSEC.2010.5634448