

6.2 Attack Event Characteristics

6.2.2 Characteristics of Attack Events

We want to verify the validity and meaningfulness of the identified attack events, and therefore check whether other characteristics confirm their consistency. In the following, we use the two sets of attack events, AE-set-I and AE-set-II, identified in Section 5.5.3.

Attacked services: We observe that the attack events belonging to both classes worm and botnet involve a similar list of services. In fact, in both cases, the attack events target common services such as Netbios (139/TCP, 445/TCP), RPC (135/TCP), Microsoft SQL Server (1443/TCP), VNC (5900/TCP), Symantec System Center Agent (2967/TCP) and Windows Messenger Popup (1026-1028/UDP). For instance, Table 6.2 gives a detailed distribution of the services attacked by the 18 attack events belonging to the class worm. The first (resp. second) column represents the distribution of the services attacked by the attack events from AE-set-I (resp. AE-set-II). On the other hand, the attack events from the class others involve only high port numbers, most of them used by eMule and eDonkey clients, e.g. 4662/TCP.

We actually do not have any good explanation for this phenomenon. Tables 6.3 and 6.4 give a detailed distribution of the ports attacked by the attack events of class others obtained from AE-set-I (resp. AE-set-II).

Table 6.2 – Distribution of Attacked Services of Attack Events of Class Worm

AE-set-I  AE-set-II  Service name
1         3          VNC (5900/TCP)
0         1          Scan, VNC (5900/TCP)
11        3          Symantec (2967/TCP)
3         11         Microsoft Windows Messenger (1026/UDP, 1027/UDP, 1028/UDP)
1         6          Scanning (ICMP)
0         3          Scan, Netbios (139/TCP, 445/TCP)
1         0          Netbios (139/TCP, 445/TCP)
0         4          RPC (135)
1         4          MS SQL Server (1443)
0         1          MySQL (3306/TCP)

Table 6.3 – Distribution of Ports Attacked by Attack Events (from AE-set-I) of Class Others

# of attack events  Ports
28                  eDonkey, eMule (4662/TCP, 4672/TCP)
14                  26912T, 1755T, 24653T, 28238T, 6342T, 16661T, 4857T, 50286T, 15264T, 64264T, 9763T, 9661T, 64783T, 12293T

Table 6.4 – Distribution of Ports Attacked by Attack Events (from AE-set-II) of Class Others

# of attack events  Ports
32                  eDonkey, eMule (4662/TCP, 4672/TCP)
25                  18794T, 26912T, 24653T, 48080T, 21415T, 16661T, 19464T, 30491T, 4857T, (13208T, 25801T), 50286T, 15264T, (33018T, 64264T), 38266T, 5001T, 7690T, 6134T, 64783T, 64783T, 12293T, 12293T, 38009T, 64697T, 46030T, 10589T

Lifetime of attack events: The lifetime of an attack event is defined as the time interval between the start_at and end_at of that attack event. As expected, attack events from both classes botnet and others have short lifetimes. In fact, almost all attack events from the class others last less than 3 days. Figure 6.2a shows the CDF of lifetimes of attack events belonging to the class botnet. As we can notice, more than 90% of attack events from this class last less than 10 days. Attack events belonging to the class worm, on the other hand, last for a long period of time. As shown in Figure 6.2b, around 80% of attack events obtained from AE-set-II last for more than 50 days. It is also interesting to see that only 50% of attack events of class worm obtained from AE-set-I last more than 50 days. In other words, there is a difference in the lifetime of attack events belonging to the class worm detected by different observation viewpoints. More concretely, the lifetime of attack events detected using the destination of the attacks is longer than that of attack events detected using the origin of the attacking machines.

Figure 6.2 – a) CDF of lifetimes of attack events from class botnet b) CDF of lifetimes of attack events from class worm

Source and Target Distribution: Figure 6.3 shows the CDF of the number of countries/platforms involved in the attack events for the classes botnet and worm.

As we can observe, most attack events concern a limited number of observation viewpoints. In fact, in 80% of the cases, attack events involve less than 5 countries and platforms. In other words, attacking machines involved in attack events come from and attack a very limited number of locations in the IP space.

Finally, as said earlier, each attack event in class others always targets the same IP address. A closer look shows that the 57 attack events in Table 6.4 attack only 5 distinct IP addresses from 3 platforms. As of now, we have no explanation for this strange phenomenon.

Source behavior: As we have shown earlier, an attack event, consisting of several attacking sources, can involve more than one platform. It may be interesting to see whether these attacking sources do redundant tasks or whether there is some task assigned to each source, or at least a mechanism that avoids redundant work by different attacking sources. To answer this question, we look at the behavior of attacking sources through the following two aspects: the behavior of the attacking sources within one platform and the behavior of the attacking sources on several platforms. By behavior, we simply mean the number of honeypots contacted in the first case and the number of platforms contacted in the second case.

Figure 6.3 – a) CDF of number of observation viewpoints from class worm. b) CDF of number of observation viewpoints from class botnet

To examine the behavior of the attacking sources within the platform, we proceed as follows. Suppose that $S$ is the set of all sources in an attack event, a source $s \in S$ contacts a set of platforms $P_s$, and $N_i$ is the number of honeypots that the source $s$ contacts on the platform $p_i \in P_s$. We compute

$$m_s = \frac{1}{|P_s|} \sum_{p_i \in P_s} N_i$$

as the mean number of honeypots contacted by the source $s$ per platform. The average number of honeypots (IP addresses) within a platform contacted by sources is then

$$\frac{1}{|S|} \sum_{s \in S} m_s.$$

Figure 6.4a shows the CDF of the average number of IP honeypots for all the attack events from the class worm. As we can see, in more than 80% of the cases the sources contact on average more than 1 IP address, and in around 36% of the cases the sources contact all three IP addresses.

To examine the behavior of the attacking sources over several platforms, we compute, this time on a per-attack-event basis, the average number of platforms contacted by all the attacking sources of that specific attack event. Figure 6.4b shows the CDF of the average number of platforms contacted by sources for all the attack events from the class worm. As we can notice, in around 90% of the cases, attacking sources have contacted fewer than two platforms.

This result suggests that the objective of an individual attacking source is always smaller than that of the attack event, and that there may be a mechanism that allows the attacking sources to avoid redundant work within an attack event, although there is obviously a lot of room for improvement. This observation also holds, with even stronger evidence, in the case of botnets, as represented in the two corresponding plots c and d of Figure 6.4.

As an example, attack event 79, represented earlier in Figure 6.1b, consists of the attacks of cluster 65710 against the Microsoft Messenger Service (port 1026/UDP) on six different platforms located in five /8 networks. In this particular attack event, a source contacts only one platform. In other words, we have six sets of sources, where the sources in each set attack only one platform. Furthermore, all the sources hit all three honeypots on the platform they contact.
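The lifetime definition (end_at minus start_at) and the two source-behavior metrics above ($m_s$, its average over $S$, and the average number of platforms per source) are easy to get subtly wrong when reproduced over honeypot logs, so the following added Python example, which is not code from the thesis, computes them over constructed attack events. The data model (a Source holding, per platform, the set of honeypot addresses it contacted) and the sample events are assumptions; event 1 is shaped like attack event 79 as described in the text (six platforms, each source contacting one platform and all three of its honeypots), event 2 has sources spread over two platforms with partial honeypot coverage. The ecdf_at helper evaluates one point of the empirical CDF used in Figures 6.2 and 6.4.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set


@dataclass
class Source:
    """One attacking source: platform id -> honeypot IPs it contacted there (assumed model)."""
    ip: str
    contacts: Dict[int, Set[str]]


@dataclass
class AttackEvent:
    """Attack event bounded by start_at / end_at, with its set S of sources."""
    event_id: int
    start_at: datetime
    end_at: datetime
    sources: List[Source]


def lifetime_days(ev: AttackEvent) -> float:
    """Lifetime = end_at - start_at, expressed in days."""
    return (ev.end_at - ev.start_at).total_seconds() / 86400.0


def mean_honeypots_per_platform(src: Source) -> float:
    """m_s = (1/|P_s|) * sum over p_i in P_s of N_i, N_i being the honeypots hit on p_i."""
    platforms = src.contacts  # P_s
    return sum(len(hps) for hps in platforms.values()) / len(platforms)


def avg_honeypots_within_platform(ev: AttackEvent) -> float:
    """(1/|S|) * sum over s in S of m_s  (the quantity plotted in Figure 6.4a/c)."""
    return sum(mean_honeypots_per_platform(s) for s in ev.sources) / len(ev.sources)


def avg_platforms_per_source(ev: AttackEvent) -> float:
    """Average |P_s| over all sources of the event (the quantity plotted in Figure 6.4b/d)."""
    return sum(len(s.contacts) for s in ev.sources) / len(ev.sources)


def ecdf_at(values: List[float], threshold: float) -> float:
    """One point of the empirical CDF: fraction of values strictly below threshold."""
    return sum(1 for v in values if v < threshold) / len(values)


def build_sample_events() -> List[AttackEvent]:
    """Constructed sample data (documentation address ranges), not measurements from the thesis."""
    honeypots = {p: {f"P{p}-hp{k}" for k in (1, 2, 3)} for p in range(1, 7)}
    # Event 1 mirrors the shape described for attack event 79: six platforms, every
    # source contacts exactly one platform and hits all three honeypots there.
    srcs_1 = [Source(f"192.0.2.{10 * p + n}", {p: set(honeypots[p])})
              for p in range(1, 7) for n in (1, 2)]
    ev_1 = AttackEvent(1, datetime(2007, 1, 1), datetime(2007, 3, 2), srcs_1)  # 60 days
    # Event 2: sources spread over two platforms and touch only some honeypots.
    srcs_2 = [
        Source("198.51.100.1", {1: {"P1-hp1"}, 2: {"P2-hp1", "P2-hp2"}}),  # m_s = 1.5
        Source("198.51.100.2", {1: {"P1-hp1", "P1-hp2", "P1-hp3"}}),       # m_s = 3.0
    ]
    ev_2 = AttackEvent(2, datetime(2007, 5, 1, 12), datetime(2007, 5, 3, 12), srcs_2)  # 2 days
    return [ev_1, ev_2]


def summarize(events: List[AttackEvent]) -> Dict[int, Dict[str, float]]:
    """Per-event lifetime and the two source-behavior averages."""
    return {
        ev.event_id: {
            "lifetime_days": lifetime_days(ev),
            "avg_honeypots_within_platform": avg_honeypots_within_platform(ev),
            "avg_platforms_per_source": avg_platforms_per_source(ev),
        }
        for ev in events
    }


if __name__ == "__main__":
    evs = build_sample_events()
    for eid, stats in summarize(evs).items():
        print(eid, stats)
    lifetimes = [lifetime_days(ev) for ev in evs]
    print("fraction of events lasting < 10 days:", ecdf_at(lifetimes, 10))
```

For event 1 the two averages come out as 3.0 honeypots per platform and 1.0 platform per source, which is exactly the "each source hits one platform, all three honeypots" pattern of attack event 79; event 2 yields 2.25 and 1.5, showing how partial coverage and multi-platform sources pull the two metrics in opposite directions.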


Figure 6.4 – Plot (a) (resp. c) represents the CDF of the average number of IPs within a platform contacted by the sources in the case of class worm (resp. botnet). Plot (b) (resp. d) represents the CDF of the average number of platforms within an attack event contacted by the sources in the case of attack events belonging to class worm (resp. botnet).