A Novel Mechanism to Defend DDoS Attacks Caused by Spam

Abstract

Corporate mail services are designed to perform better than public mail services. They are convenient and provide fast mail delivery, the ability to transfer large files, a high level of spam and virus protection and an advertisement-free environment, but they are also frequently targeted by hackers and spammers, which makes operating this service challenging. These days the DDoS attack through spam is a persistent threat to the mail services of various organizations. Spam penetrates all filters to establish DDoS attacks, which cause serious problems for users and data. Because spam imposes such significant challenges, should all corporate mail services be considered hostile to the organization? Not necessarily. A well-organized corporate mail service protects the system from DDoS attacks. In this paper we propose a novel approach to defend against DDoS attacks caused by spam mails. The approach is a combination of fine tuning of source filters and content filters, strict enforcement of mail policies, user education, network monitoring and logical responses to the ongoing attack. We have conducted several experiments in corporate mail services; our analysis shows that this approach is highly efficient in preventing DDoS attacks caused by spam. The novel defense mechanism reduced incoming spam traffic by 60% and repelled many DDoS attacks caused by spam.

1. Introduction

Email is a source of communication for millions of people worldwide [8]. But spam abruptly disturbs email users by eating their resources, time and money. In the Internet community spam has always been considered bulk and unsolicited. Spam mails account for 80% of the entire mail traffic. Many researchers have proposed different solutions to stop spam, but the effort has become a drop of water in the ocean: no matter how hard they try, spammers always find new ways to deliver spam mail to the user's inbox. Of late, spammers target mail servers to disturb the activities of organizations, which results in economic and reputation loss. The DDoS attack is a common mode of attack to cripple a particular server, and spammers have taken up the DDoS attack to disturb mail servers. In this paper we examine DDoS attacks through spam mails. We propose a multi-layer approach to defend against the DDoS attack caused by spam mails. We have implemented this methodology in our mail system and monitored the results. The results show that our approach is very effective in defending against DDoS attacks caused by spam.

E-mail life cycle: The mail composed on the source machine is handed over to the Message Transfer Agent (MTA). The MTA finds the destination machine with the help of a DNS server and relays the mail to the destination system's MTA [12]. The MTA at the destination machine delivers the mail to the destination user's mailbox. The machines between source and destination act as intermediate machines for the data transfer, called relays. MTAs relay mail between each other using the Simple Mail Transfer Protocol. Corporate mail services are usually faster and more sophisticated than free mail services. The corporate mail service delivers mails quickly and provides a facility to attach large files and unlimited storage. To deliver mails faster, the server generally skips most of the time-consuming spam protection tests. To allow large attachments it has to bypass several content filter settings. This makes corporate mail servers vulnerable to spam mail, which ultimately causes DDoS attacks. The rest of the paper is organized as follows. Section 2 discusses related work. Section 3 explains the mechanism of the DDoS attack through spam. In Section 4 we describe our methodology to defend against the attack. Section 5 provides data collection and experimental results. We conclude in Section 6.

2. Related work

In [1] L.H. Gomez et al. presented an extensive study of the characteristics of spam traffic in terms of the email arrival process, size distribution, the distributions of popularity and temporal locality of email recipients, etc., compared with legitimate mail traffic. Their study reveals major differences between spam and non-spam mails. In [2] Anirudh R. et al. examine the use of DNS blacklists. They examined seven popular DNSBLs and found that 80% of spam sources are listed in some DNSBL. A comprehensive study of the clustering behavior of spammers and group-based anti-spam strategies is presented by Fulu Li and Mo-han Hsieh [4]. Their study shows that spammers exhibit clustering structures, and they proposed a group-based anti-spam framework to block organized spammers. In [5] Anirudh R. et al. presented the network-level behavior of spammers. They analyzed spammers' IP address ranges and the modes and characteristics of botnets. Their study reveals that blacklists were remarkably ineffective at detecting spamming relays, and states that to trace senders the Internet routing structure should be secured. Carl Eklund [8] presented a comprehensive study of spam and spammer technology. His study reveals that fewer work email accounts suffer from spam than private email accounts. To the best of our knowledge, ours is the first paper to comprehensively study DDoS attacks by spam.

3. Mechanism of DDoS attacks through spam

A Distributed Denial of Service (DDoS) attack is a large-scale, coordinated attack on the availability of services at a victim system or network resource [3]. A DDoS attack through spam mail is one of the newer variants of the common DDoS attack. In this variant, the attacker penetrates the network with a small program attached to a spam mail. After the attached file is executed, the mail server's resources are eaten up by mass mails from other machines in the domain, resulting in denial of service. The working scenario of this attack is shown in Fig. 1. The attackers take great effort to pass through the spam filters and deliver the spam mail to the user's inbox. The hackers do enough to make the recipient believe that the spam mail is from a legitimate user, as shown in Fig. 2. Social engineering techniques are used to convince users to open spam mails or attachments [25]. The attackers use fake email ids from the victim's domain to penetrate the network. The spam mail is sent in the name of the network administrator, a well-wisher of the victim, or the boss of the organization. Note that the spam mail does not carry the signature of these senders. The spam contains a small .exe file as an attachment (for example update.exe). The attackers use a double file extension to confuse both the filter and the user (Update_KB2546_*86.BAK.exe (140k)). The attachment size ranges from 35 KB to 180 KB. The spam mail asks the recipient to execute the .exe file to update the anti-virus software. Upon execution, the attachment drops new files in the Windows folder and changes the registry, linking to the attacker's website to download larger programs that harm the network further. The infected machine collects email addresses from the Windows address book and automatically sends mails to others in the same domain. Even if the user does not use a mail client such as Outlook Express, it sends mails using its own SMTP engine.
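To show how a mail gateway can enforce the two checks that the lure described above calls for (an executable or double-extension attachment, and a sender that claims the victim's own domain while arriving from outside), here is an added Python example; it is not code from the paper. It builds a constructed message modelled on that lure and classifies it. The policy sets (BLOCKED_EXTENSIONS, DECOY_EXTENSIONS, LOCAL_DOMAIN, INTERNAL_RELAYS), the filename Update_KB2546_x86.BAK.exe and the attachment bytes are all assumptions; the attachment carries only the two-byte PE magic number and is not a real sample.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed gateway policy (not from the paper): attachment types never accepted,
# decoy inner extensions used to build double-extension names, and the local
# domain together with the hosts allowed to submit mail on its behalf.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".dll"}
DECOY_EXTENSIONS = {".bak", ".txt", ".doc", ".pdf", ".jpg", ".zip"}
LOCAL_DOMAIN = "corp.example"
INTERNAL_RELAYS = {"mail.corp.example", "10.0.0.25"}


def attachment_findings(msg: EmailMessage) -> list:
    """Return one finding string per suspicious attachment property."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        root, ext = os.path.splitext(name.lower())
        _, inner = os.path.splitext(root)        # second-to-last extension, if any
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked extension {ext} in {name!r}")
            if inner in DECOY_EXTENSIONS:
                findings.append(f"double extension {inner + ext} in {name!r}")
        elif payload[:2] == b"MZ":               # DOS/PE header: content is a Windows executable
            findings.append(f"executable content disguised as {name!r}")
    return findings


def spoofed_local_sender(msg: EmailMessage, received_from: str) -> bool:
    """True when From: claims the local domain but the message came from outside."""
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    return domain == LOCAL_DOMAIN and received_from not in INTERNAL_RELAYS


def classify(raw: bytes, received_from: str):
    """Parse a raw RFC 5322 message; return ("reject" | "accept", findings)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = attachment_findings(msg)
    if spoofed_local_sender(msg, received_from):
        findings.append(f"From claims {LOCAL_DOMAIN} but arrived from {received_from}")
    return ("reject" if findings else "accept"), findings


def build_message(attachments) -> bytes:
    """Constructed test message; attachments is a list of (filename, data, maintype, subtype)."""
    msg = EmailMessage()
    msg["From"] = "Network Administrator <admin@corp.example>"   # constructed, spoofed
    msg["To"] = "all-staff@corp.example"
    msg["Subject"] = "Please run the attached anti-virus update"
    msg.set_content("Run the attached file to update your anti-virus software.")
    for filename, data, maintype, subtype in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def build_sample_message() -> bytes:
    """Lure modelled on the text above; payloads are placeholder bytes, not malware."""
    pe_stub = b"MZ" + b"\x00" * 64
    return build_message([
        ("Update_KB2546_x86.BAK.exe", pe_stub, "application", "octet-stream"),
        ("readme.txt", pe_stub, "application", "octet-stream"),   # renamed executable
        ("policy.pdf", b"%PDF-1.4\n", "application", "pdf"),      # benign
    ])


if __name__ == "__main__":
    verdict, findings = classify(build_sample_message(), "203.0.113.7")
    print(verdict)
    for f in findings:
        print(" -", f)
```

The content check on the decoded payload is what catches the renamed executable that a filename-only rule misses; the sender check needs the connecting host (here passed in as `received_from`), which a real gateway takes from the SMTP session rather than from any header the sender controls.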
Mostly this kind of spam mail targets group mail ids and sends mails to large groups. By sending mails to a group it spreads the attack vigorously, and if users forward the mail to others the situation worsens. Ultimately the server receives an enormous number of requests beyond its processing capacity; in this way the attack spreads and results in a DDoS attack. After the first mail, every minute it sends the same kind of mail with a different subject and different content to the group email ids. Very soon it eats up the server resources and ends in a distributed denial of service attack. The names of the worms used in this kind of DDoS attack are WORM_start.Bt, WORM_STRAT.BG, WORM_STRAT.BR and TROJ_PDROPPER.Q. Upon execution, these worms drop files named serv.exe, serv.dll, serv.s, serv.wax, E1.dll, rasaw32t.dll, etc.

Fig. 2. Content of spam

DDoS malware causes direct and indirect damage by flooding specific targets [14]. Mass mailers and network worms cause indirect damage when they clog mail servers and network bandwidth. On the network, it consumes bandwidth and resources, causing slow mail delivery and further resulting in denial of service. The server goes down under the enormous number of requests from clients and the bulk mail processing; it might also crash from overload. For the individual user, receiving an unlimited number of spam mails is frustrating and legitimate mails can no longer be found. The user cannot use Internet Explorer and other applications because of the files dropped in the system folder. The system becomes unusable and system data or files become unrecoverable. It automatically loads many programs at system startup, so the system takes a long time to boot and shut down. It changes the registry settings of the individual machines and corrupts data. In e-mail bomb attacks, thousands of e-mails are sent to a single target to fill the target's storage space or bandwidth [24].
If the mailbox is filled with spam mails, the user cannot receive legitimate mails. This situation is similar to the result of a DoS attack. Email spamming is another version of bombing: spammers can send thousands of mails to the users in a single domain, causing the mail server to overload. Software tools are available on the Internet that send 350 spam mails per minute on a 1 Mbit cable connection [11]. Ultimately this results in denial of service on the server. Hundreds of spam mail tools are freely available on the Internet, for example Phasma Email Spoofer, Bulk Mailer, Aneima 2.0, Avalanche2,3.5, Euthanasia, etc.
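The once-a-minute, group-addressed pattern described above shows up in the outbound MTA log well before the server is saturated, which is where network monitoring can catch it. The following Python example is added here and is not from the paper: it runs a per-sender sliding-window detector over a constructed outbound log in a simplified "timestamp from=<> nrcpt= size=" format and reports which sender crossed policy, and when. The log format, the sender names (pc17 plays the infected workstation mailing a 45-member group), and the thresholds WINDOW, MAX_MESSAGES and MAX_RECIPIENTS are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed detection thresholds (policy choices, not values from the paper).
WINDOW = timedelta(minutes=10)
MAX_MESSAGES = 5        # messages one sender may submit per window
MAX_RECIPIENTS = 100    # total recipients one sender may address per window

# Constructed outbound log in a simplified format; pc17 is the infected host.
SAMPLE_LOG = """\
2007-07-02T09:00:05 from=<alice@corp.example> nrcpt=1 size=4120
2007-07-02T09:01:00 from=<pc17@corp.example> nrcpt=45 size=61440
2007-07-02T09:01:30 from=<bob@corp.example> nrcpt=3 size=2200
2007-07-02T09:02:01 from=<pc17@corp.example> nrcpt=45 size=61440
2007-07-02T09:03:02 from=<pc17@corp.example> nrcpt=45 size=61440
2007-07-02T09:04:00 from=<pc17@corp.example> nrcpt=45 size=61440
2007-07-02T09:05:01 from=<pc17@corp.example> nrcpt=45 size=61440
2007-07-02T09:06:03 from=<pc17@corp.example> nrcpt=45 size=61440
2007-07-02T09:07:00 from=<alice@corp.example> nrcpt=2 size=5100
"""

LINE_RE = re.compile(r"^(\S+) from=<([^>]*)> nrcpt=(\d+) size=(\d+)$")


def parse_line(line):
    """Return (timestamp, sender, recipient_count) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sender, nrcpt, _size = m.groups()
    return datetime.fromisoformat(ts), sender.lower(), int(nrcpt)


def detect_mass_mailers(lines):
    """Flag each sender the first time its message count or recipient fan-out
    inside the sliding WINDOW exceeds policy; returns {sender: alert dict}."""
    history = defaultdict(deque)     # sender -> deque of (timestamp, nrcpt) in window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sender, nrcpt = parsed
        q = history[sender]
        q.append((ts, nrcpt))
        while q and ts - q[0][0] > WINDOW:   # drop events older than the window
            q.popleft()
        messages = len(q)
        recipients = sum(n for _, n in q)
        if sender not in alerts and (messages > MAX_MESSAGES or recipients > MAX_RECIPIENTS):
            alerts[sender] = {"at": ts.isoformat(), "messages": messages,
                              "recipients": recipients}
    return alerts


if __name__ == "__main__":
    for sender, alert in detect_mass_mailers(SAMPLE_LOG.splitlines()).items():
        print(f"{alert['at']} {sender}: {alert['messages']} msgs, "
              f"{alert['recipients']} recipients in {WINDOW}")
```

Fan-out (recipients per window) fires here on the third message, two minutes after the first, while a plain message-count rule would wait until the sixth; counting recipients is what makes the group-addressed behaviour stand out from a user who simply writes a lot of mail. The alert is a cue to hold that sender's queue and isolate the host, which keeps the flood off the server rather than trying to filter it afterwards.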

References

Note: The paper is published in International Journal of Smart Home Vol. 1, No. 2, July, 2007, pg 83-93. Full paper is available in pdf format
