Booter Blacklist: Unveiling DDoS-for-hire Websites

Date: 03/11/2016
Conference: 12th International Conference on Network and Service Management (CNSM)
Location: Montreal, Quebec, Canada

Published in: Education

  1. Booter Blacklist: Unveiling DDoS-for-hire Websites. Jair Santanna, j.j.santanna@utwente.nl, jairsantanna.com, 03/11/2016. Co-authors: Ricardo de O. Schmidt∗, Daphne Tuncer†, Joey de Vries∗, Lisandro Z. Granville‡ and Aiko Pras∗
  2. Distributed Denial of Service attack, a.k.a. DDoS attack
  3. DDoS attack: How many calls can you handle?
  4. DDoS attack
  5. Operation Payback: Amazon, PayPal, MasterCard, Visa and the Swiss bank PostFinance
  6. LOIC
  7. Who can perform a DDoS attack?
  8. 8
  9. Anyone!
  10. Booter ("DDoS as a $ervice", "DDoS for Hire"), Stresser
  11. Hands-on
  12. Booters' Ecosystem
  13. Goal: generate a comprehensive list of Booter websites
  14. Methodology: Crawler, Scraper, Classifier. Website classification, website filtering, blacklist generation
  15. Related work (website classification, website filtering, blacklist generation): Justyna Joanna Chromik, José Jair Santanna, Anna Sperotto and Aiko Pras. Booter websites characterization: Towards a list of threats. Brazilian Symposium on Computer Networks and Distributed Systems (SBRC), 2015. Characteristics taken from URL, website structure, WHOIS, and page content:
     1. Number of pages less than 50.
     2. Depth level of the website of maximum 2.
     3. Presence of registration page.
     4. Presence of terms of service page.
     5. Domain creation time 2012 and later.
     6. Obfuscated WHOIS data.
     7. Protected by a DPS.
     8. Specific registrar: Enom.
     9. Login button on page.
     85%
  16. Crawler. Information sources: torsearch.es AND ahmia.fi. Keywords: booter, stresser, ddoser, ddos-as-a-service, ddos-for-hire (*meta-info)
  17. Scraper. Features collected per website:
     1. Number of pages
     2. Domain age
     3. DPS subscription
     4. WHOIS private
     5. URL type
     6. Depth level
     7. Terms of services page
     8. Outbound hyperlinks
     9. Pagerank
     10. Content size
     11. URL length
     12. Domain expiration time
     13. Content dictionary
     14. Login-form depth level
     15. Resolver indication
  18. Classifier. Heuristic was okay, but … Candidate methods:
     • Fractional distance
     • Cosine distance
     • k-Nearest Neighbors (k-NN)
     • Naive Bayes
     • Machine Learn
     • Euclidean distance
     • Squared Euclidean distance
     • Manhattan distance
  19. Classifier example: by comparing the characteristics
  20. Classifier: Website1 and Website2 are compared with the Booter reference on characteristic a and characteristic b, giving distances d1 and d2; a threshold on the distance decides the class. Metrics: Classification Accuracy Rate (CAR), False Positive error rate (FPer), False Negative error rate (FNer), Objective function
  21. Scraper: mean feature values (*928 URLs, 113 Booters). Raw values are on different scales; normalized values are <1.
     Feature                    Booter     Non-B.    Norm. Booter  Norm. Non-B.
     1  Number of pages           7.88     981.75    0.93          0.23
     2  Domain age              395.96    3564.29    0.78          0.14
     3  DPS subscription          0.73       0.21    0.71          0.21
     4  WHOIS private             0.73       0.28    0.71          0.29
     5  URL type                  1.04       1.20    0.96          0.80
     6  Depth level               0.92       1.75    0.87          0.57
     7  Terms of services page    0.47       0.44    0.47          0.44
     8  Outbound hyperlinks       0.41      14.10    0.84          0.19
     9  Pagerank               1.1*10^7   3.2*10^6    0.90          0.30
     10 Content size            127.00     679.08    0.70          0.16
     11 URL length               24.93      53.65    0.36          0.07
     12 Domain expiration time  310.93     812.22    0.90          0.61
     13 Content dictionary       39         14       0.49          0.24
     14 Login-form depth level    1.38       2.06    0.52          0.27
     15 Resolver indication       0.22       0.19    0.24          0.19
  22. Classifier. Heuristic was okay, but … (same candidate methods as slide 18)
  23. Objective function: vary threshold in [0, 1]; report CAR, FPer, FNer. *465 suspect URLs (140 Booters and 325 other websites)
  24. Classifier, distance metrics with unweighted features. [Plots: Accuracy vs. Threshold, one per distance metric, axes 0 to 1.] Results (CAR / FPer / FNer):
     92.00% / 3.00% / 4.90%
     92.70% / 2.40% / 4.90%
     91.40% / 2.40% / 6.20%
     91.40% / 4.90% / 3.70%
     90.80% / 3.00% / 6.20%
  25. Scraper: feature weights (*odds-ratio), alongside the mean and normalized values of slide 21.
     Feature                    Booter     Non-B.    Norm. Booter  Norm. Non-B.  Weight  Norm. Weight
     1  Number of pages           7.88     981.75    0.93          0.23          40.97   1.00
     2  Domain age              395.96    3564.29    0.78          0.14          22.19   0.54
     3  DPS subscription          0.73       0.21    0.71          0.21           9.07   0.22
     4  WHOIS private             0.73       0.28    0.71          0.29           5.98   0.15
     5  URL type                  1.04       1.20    0.96          0.80           6.00   0.15
     6  Depth level               0.92       1.75    0.87          0.57           5.03   0.12
     7  Terms of services page    0.47       0.44    0.47          0.44           1.13   0.03
     8  Outbound hyperlinks       0.41      14.10    0.84          0.19          22.83   0.56
     9  Pagerank               1.1*10^7   3.2*10^6    0.90          0.30          20.93   0.51
     10 Content size            127.00     679.08    0.70          0.16          12.26   0.30
     11 URL length               24.93      53.65    0.36          0.07           7.00   0.17
     12 Domain expiration time  310.93     812.22    0.90          0.61           5.77   0.14
     13 Content dictionary       39         14       0.49          0.24           3.00   0.07
     14 Login-form depth level    1.38       2.06    0.52          0.27           2.92   0.07
     15 Resolver indication       0.22       0.19    0.24          0.19           1.39   0.03
  26. Classifier, distance metrics with weighted features. [Plots: Accuracy vs. Threshold, one per distance metric, axes 0 to 1.] Unweighted results (CAR / FPer / FNer), as on slide 24:
     92.00% / 3.00% / 4.90%
     92.70% / 2.40% / 4.90%
     91.40% / 2.40% / 6.20%
     91.40% / 4.90% / 3.70%
     90.80% / 3.00% / 6.20%
     Weighted results (CAR / FPer / FNer):
     93.30% / 1.70% / 4.90%
     94.00% / 2.20% / 3.90%
     93.10% / 1.90% / 4.90%
     92.30% / 2.20% / 5.60%
     94.40% / 2.20% / 3.40%
  27. Classifier, k-Nearest Neighbors. [Plots: Accuracy vs. k, k from 2 to 14, for Manhattan, Cosine and Fractional distance; accuracy axis 0.8 to 0.96.] Results (CAR / FPer / FNer):
     91.00% / 7.30% / 1.70%
     91.40% / 6.00% / 2.60%
     Best so far, cosine distance: 94.40% / 2.20% / 3.40%
  28. Classifier, Naive Bayes. Results (CAR / FPer / FNer):
     91.20% / 5.60% / 3.20%
     91.80% / 4.90% / 3.20%
     Best so far, cosine distance: 94.40% / 2.20% / 3.40%
  29. Classifier, Machine Learn. Results (CAR / FPer / FNer):
     95.50% / 1.50% / 3.00%
     Cosine distance: 94.40% / 2.20% / 3.40%
     95.5%, 98.7%, 824 iterations
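The classification step on slides 19 to 26 (normalize the scraped features so they share one scale, measure a distance to the booter reference, sweep a threshold over [0, 1] and read off CAR, FPer and FNer) is shown below as an added, self-contained example in Python; it is not the speaker's code and not the tool behind booterblacklist.com. The sample websites, the choice of the mean booter vector as the reference point, min-max normalization, and the objective "maximize CAR" are all assumptions made for the illustration; the optional per-feature weights stand in for the odds-ratio weights of slide 25 but carry no values from the deck.

```python
"""Threshold-swept cosine-distance classifier, illustration only.

Assumed pipeline (not the presentation's own code): scraped feature
vectors -> min-max normalization -> cosine distance to a 'booter
profile' -> 'booter iff distance <= threshold', with the threshold
varied in [0, 1] and CAR / FPer / FNer reported for each value.
"""
import math

# Constructed sample set: (raw features, is_booter). The three assumed
# features are number of pages, domain age in days, DPS subscription (0/1).
SAMPLES = [
    ((8, 400, 1), True),
    ((6, 350, 1), True),
    ((12, 500, 1), True),
    ((10, 300, 0), True),       # booter without DPS: the hard case
    ((900, 3500, 0), False),
    ((1200, 4000, 0), False),
    ((50, 2500, 0), False),
    ((700, 3000, 1), False),    # non-booter behind a DPS
]


def minmax_normalise(vectors):
    """Scale every feature column into [0, 1]; raw features differ in scale."""
    cols = list(zip(*vectors))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    return [tuple(0.0 if hi[i] == lo[i] else (x - lo[i]) / (hi[i] - lo[i])
                  for i, x in enumerate(v)) for v in vectors]


def cosine_distance(a, b, weights=None):
    """1 - cosine similarity, with optional per-feature weights (assumed form)."""
    w = weights or [1.0] * len(a)
    dot = sum(wi * x * y for wi, x, y in zip(w, a, b))
    na = math.sqrt(sum(wi * x * x for wi, x in zip(w, a)))
    nb = math.sqrt(sum(wi * y * y for wi, y in zip(w, b)))
    if na == 0 or nb == 0:
        return 1.0                      # a zero vector is maximally distant
    return 1.0 - dot / (na * nb)


def booter_profile(norm_vectors, labels):
    """Assumed reference point: mean normalized vector of the known booters."""
    booters = [v for v, is_b in zip(norm_vectors, labels) if is_b]
    n = len(booters)
    return tuple(sum(v[i] for v in booters) / n for i in range(len(booters[0])))


def rates(distances, labels, threshold):
    """CAR, FPer, FNer for the rule 'booter iff distance <= threshold'.

    All three are fractions of the whole sample, so they sum to 1; this
    matches the slides, where each CAR/FPer/FNer triple adds up to 100%.
    """
    tp = fp = fn = tn = 0
    for d, is_booter in zip(distances, labels):
        predicted = d <= threshold
        if predicted and is_booter:
            tp += 1
        elif predicted:
            fp += 1
        elif is_booter:
            fn += 1
        else:
            tn += 1
    total = tp + fp + fn + tn
    return (tp + tn) / total, fp / total, fn / total


def sweep(distances, labels, steps=100):
    """Vary the threshold over [0, 1]; return (threshold, CAR, FPer, FNer).

    Objective function assumed: maximize CAR, ties going to the smaller
    threshold (a tighter threshold admits fewer false positives).
    """
    best = None
    for k in range(steps + 1):
        t = k / steps
        car, fper, fner = rates(distances, labels, t)
        if best is None or car > best[1]:
            best = (t, car, fper, fner)
    return best


def evaluate(samples=SAMPLES, weights=None):
    """Run the whole assumed pipeline and return the best threshold and rates."""
    vectors = [v for v, _ in samples]
    labels = [is_b for _, is_b in samples]
    norm = minmax_normalise(vectors)
    profile = booter_profile(norm, labels)
    dists = [cosine_distance(v, profile, weights) for v in norm]
    return sweep(dists, labels)


if __name__ == "__main__":
    t, car, fper, fner = evaluate()
    print(f"threshold={t:.2f} CAR={car:.1%} FPer={fper:.1%} FNer={fner:.1%}")
```

On the constructed sample the sweep settles on a small threshold with one false negative (the booter without a DPS subscription) and no false positives, which is the trade-off the FPer/FNer columns on slides 24 to 29 make visible: for a blacklist, a false positive blocks a legitimate site, so a metric that reports the two error rates separately rather than a single accuracy is the one to optimize against.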
  30. http://booterblacklist.com
  31. https://github.com/jjsantanna/booterblacklist_use_cases
  32. Booter Blacklist: Unveiling DDoS-for-hire Websites. Jair Santanna, j.j.santanna@utwente.nl, jairsantanna.com, 03/11/2016
  33. What I expect?
  34. What I expect? Disappear! from our eyes
