Tag Archive: Botnets

It’s really a long time I do not post about TIP. The good news is that TIP is starting growing really fast and this is mainly due to its modular design which allows to plug different kind of tracking modules with minimum effort. In this post I’ll provide a brief overview of the new still integrated features and the upcoming ones.

First of all, a new TIP Collector module named Malware was integrated and currently it handles data coming from GLSandbox, a sandbox for automated malware analysis written by Guido Landi. Other than just analyzing malware samples behavior, the idea is to collect additional data coming from such analysis too. An example of such interesting data is related to C&C identification which can be automatically handled by a botnet monitoring tool for further analysis. Another example is related to information about domains which could lead to the identification of new fast-flux domains.GLSandbox code is currently not public but plans exist to release it in the next future. A search engine was integrated in TIP in the last version! The idea is to index the database in order to be able to search into it with great efficiency and performance. In order to implement it, Haystack was used. The first tests were done using Apache Solr (deployed as Apache Tomcat application) as backend and confirm it works like a charm!  A new REST API was designed and realized in order to be able to more easily search and share data with other users and/or applications. The API was realized using Django-Piston and supports OAuth authentication. Moreover the last version of TIP supports Django 1.2 and stops supporting previous versions (due to some incompatible changes between versions 1.1 and 1.2) and introduces support to migrations using South in order to more easily make changes to the database schema while developing.

A lot of new cool features, a lot of upcoming cool ones! Stay tuned!

Few days ago I started thinking about the scalability limits of the TIP Fast-Flux Tracking module and realized its design was really awful. The approach was based on the idea of assigning a monitoring thread to each fluxy domain. This approach is well suited if the number of threads is quite small but not for what I was just realizing. First of all, when the number of threads starts growing the performance starts decreasing due to the Python Global Interpreter Lock which limits concurrency of a single interpreter process with multiple threads (and there are no improvements in running the process on a multiprocessor system). Moreover, it’s really hard to guarantee each thread enough stack space for running not raising segmentation faults. For these reasons I decided to rewrite the module from scratch and currently I’m testing it. The new design is really simple, effective and scalable and I have to thank Jose Nazario, Marcello Barnaba and Orlando Bassotto for the really interesting talks we had about this matter. Just one process and no monitoring threads. The code is written is such a way not to have blocking calls thus realizing a really asynchronous module. But when a domain starts being monitored there’s the need to access to backend database thus requiring blocking calls. When this happens, the blocking calls are delegated to the Twisted thread pool with a cloned copy of the collected data in order not to compromise code scalability with not necessary locks. Moreover the module is now turning to be a Twisted Application of its own and the first tests done using the Twisted Epoll Reactor are absolutely encouraging. Stay tuned!

Today I came back from my Christmas holidays with the precise idea of rewriting the Fast Flux Tracking module from scratch. In fact, in the last days I observed strange behaviors during its working when the number of domains to monitor exceeded a few thousands. A deep investigation of the code revelead to me the sad truth. While using the monitoring threads I forgot cleaning an object related to asynchronous DNS requests at the thread exit. This lead to a great number of unused socket descriptors flying around thus causing the process to quickly hit the limit of the operating system. Three lines of code were added and everything works fine with about 24000 domains monitored right now. Moreover I think few improvements in the module are on the way. Stay tuned!

Eppur si muove!

TIP (Tracking Intelligence Project) is taking its first steps. In my most beautiful dreams, TIP should be an information gathering framework whose purpose is to autonomously collect Internet threat trends. Currently, TIP is closely monitoring information derived from few publicly available blacklists thus identifying malicious domains and networks. To reach its goal, TIP core engine was designed to be totally asynchronous in order to handle common situations where few thousands of running monitoring threads are needed. It’s a nice challenge but something is moving. Have a look at this Fast-Flux Network that TIP is tracking right now (few information are skipped for obvious reasons).

Stay tuned!

Current Datetime:  2008-12-19 12:01:14.890779
set([(‘′, ‘7922’, ‘US’), (‘′, ‘13343’, ‘US’), (‘′, ‘15227’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7018’, ‘US’), (‘′, ‘33287’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘20115’, ‘US’), (‘′, ‘209’, ‘US’), (‘′, ‘20115’, ‘US’), (‘′, ‘11060’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘20115’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7725’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘21508’, ‘US’), (‘′, ‘7922’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘33662’, ‘US’), (‘′, ‘19115’, ‘US’), (‘′, ‘7922’, ‘US’), (‘′, ‘7922’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7922’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘20115’, ‘US’), (‘′, ‘15227’, ‘US’), (‘′, ‘6389’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘14615’, ‘US’), (‘′, ‘36727’, ‘US’), (‘′, ‘36727’, ‘US’), (‘′, ‘12083’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘33668’, ‘US’), (‘′, ‘21766’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘33662’, ‘US’), (‘′, ‘33652’, ‘US’), (‘′, ‘30160’, ‘US’), (‘′, ‘20115’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘13343’, ‘US’), (‘′, ‘4565’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7018’, ‘US’), (‘′, ‘7922’, ‘US’), (‘′, ‘33657’, ‘US’), (‘′, ‘7922’, ‘US’), (‘′, ‘7922’, ‘US’), (‘′, ‘20115’, ‘US’), (‘′, ‘33662’, ‘US’), (‘′, ‘6478’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘12262’, ‘US’), (‘′, ‘11388’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘33287’, ‘US’), (‘′, ‘11427’, ‘US’), (‘′, ‘19262’, ‘US’), (‘′, ‘10994’, ‘US’), (‘′, ‘11060’, ‘US’), (‘′, ‘7018’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7018’, ‘US’), (‘′, ‘6478’, ‘US’), (‘′, ‘33491’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘16810’, ‘US’), (‘′, ‘7459’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7922’, ‘US’), (‘′, ‘33651’, ‘US’), (‘′, ‘20214’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘33657’, ‘US’), (‘′, ‘20115’, ‘US’), (‘′, ‘3909’, ‘US’), (‘′, ‘33662’, ‘US’), (‘′, ‘7029’, ‘US’), (‘′, ‘20115’, ‘US’), (‘′, ‘20412’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7725’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘5668’, ‘US’), (‘′, ‘2711’, ‘US’), (‘′, ‘29737’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘33287’, ‘US’), (‘′, ‘3801’, ‘US’), (‘′, ‘13693’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘20115’, ‘US’), (‘′, ‘7922’, ‘US’), (‘′, ‘7132’, ‘US’), (‘′, ‘14615’, ‘US’), (‘′, ‘7922’, ‘US’), (‘′, ‘33657’, ‘US’)])

Bad Behavior has blocked 15 access attempts in the last 7 days.