The Abuse Sharing Economy: Understanding the Limits of Threat Exchanges
Venue: Proceedings of the International Symposium on Research in Attacks, Intrusions and Defenses (2016)
Publication Year: 2016
Authors: Kurt Thomas, Rony Amira, Adi Ben-Yoash, Ori Folger, Amir Hardon, Ari Berger, Elie Bursztein, Michael Bailey
Abstract
The underground commoditization of compromised hosts suggests a tacit capability
where miscreants leverage the same machine---subscribed by multiple criminal
ventures---to simultaneously profit from spam, fake account registration, malicious
hosting, and other forms of automated abuse. To expedite the detection of these
commonly abusive hosts, there are now multiple industry-wide efforts that aggregate
abuse reports into centralized threat exchanges. In this work, we investigate the
potential benefit of global reputation tracking and the pitfalls therein. We
develop our findings from a snapshot of 45 million IP addresses abusing six Google
services including Gmail, YouTube, and ReCaptcha between April 7--April 21, 2015.
We estimate the scale of end hosts controlled by attackers, expose underground
biases that skew the abuse perspectives of individual web services, and examine the
frequency with which criminals re-use the same infrastructure to attack multiple,
heterogeneous services. Our results indicate that an average Google service can
block 14% of abusive traffic based on threats aggregated from seemingly unrelated
services, though we demonstrate that outright blacklisting incurs an untenable
volume of false positives.
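The abstract's two headline measurements (the share of a service's abusive hosts that other services had already reported, and the legitimate traffic an outright IP blacklist would also block) can be illustrated with a small calculation. The code below is an added example, not the paper's code or data: the per-service abuse reports and benign request logs are constructed, and the evaluation logic is only the straightforward set arithmetic implied by the abstract, not the authors' methodology.

```python
from collections import defaultdict

# Constructed sample data (RFC 5737 documentation ranges), not the paper's dataset.
# ABUSE_REPORTS: service -> set of IPs that service flagged as abusive.
ABUSE_REPORTS = {
    "gmail":     {"203.0.113.5", "203.0.113.6", "198.51.100.7", "192.0.2.10"},
    "youtube":   {"203.0.113.5", "198.51.100.8", "192.0.2.10"},
    "recaptcha": {"203.0.113.6", "198.51.100.9"},
}

# BENIGN_REQUESTS: service -> list of source IPs of requests known to be legitimate.
# Some IPs appear both here and in another service's abuse reports: shared hosts
# are exactly what makes outright blacklisting produce false positives.
BENIGN_REQUESTS = {
    "gmail":     ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "198.51.100.9"],
    "youtube":   ["192.0.2.20", "192.0.2.21", "198.51.100.7", "192.0.2.22"],
    "recaptcha": ["192.0.2.30", "192.0.2.31"],
}


def cross_service_blocklist(reports, service, min_reporters=1):
    """IPs reported abusive by at least `min_reporters` services OTHER than `service`.

    This models a threat exchange from the point of view of one subscriber:
    it only gains from reports it did not generate itself.
    """
    counts = defaultdict(int)
    for other, ips in reports.items():
        if other == service:
            continue
        for ip in ips:
            counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= min_reporters}


def coverage(reports, service, min_reporters=1):
    """Fraction of `service`'s own abusive IPs that the exchange would have blocked."""
    own = reports[service]
    if not own:
        return 0.0
    shared = cross_service_blocklist(reports, service, min_reporters)
    return len(own & shared) / len(own)


def false_positive_rate(reports, benign, service, min_reporters=1):
    """Fraction of `service`'s legitimate requests an outright blacklist would reject."""
    requests = benign[service]
    if not requests:
        return 0.0
    shared = cross_service_blocklist(reports, service, min_reporters)
    return sum(1 for ip in requests if ip in shared) / len(requests)


def evaluate(reports, benign, min_reporters=1):
    """Per-service (coverage, false positive rate) for a given sharing threshold."""
    return {
        svc: (coverage(reports, svc, min_reporters),
              false_positive_rate(reports, benign, svc, min_reporters))
        for svc in reports
    }


if __name__ == "__main__":
    for svc, (cov, fpr) in evaluate(ABUSE_REPORTS, BENIGN_REQUESTS).items():
        print(f"{svc:10s} blockable abuse: {cov:5.1%}   benign traffic lost: {fpr:5.1%}")
```

The `min_reporters` parameter lets you see the tradeoff the abstract points at: raising it shrinks the shared blocklist, which lowers false positives but also lowers coverage, so in practice exchange data is better used as one reputation signal than as an automatic block decision.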
