Resist Spam Delivery by TCP Damping

Kang Li, Dept. of Computer Science, University of Georgia
Calton Pu, Mustaque Ahamad, College of Computing, Georgia Institute of Technology

What is TCP Damping
❒ TCP
  ❍ The dominant transport layer protocol
    ➘ used by SMTP, HTTP, SSH, etc.
  ❍ Efficient communication for reliable delivery
    ➘ Sender control
❒ TCP Damping
  ❍ Make TCP communication less efficient
    ➘ Increase sending time
    ➘ Consume more bandwidth
    ➘ Consume more CPU cycles
  ❍ Give the receiver control over the efficiency
  ❍ Require modifications only at the recipient side

Anti-SPAM System with TCP Damping
❒ Components
  ❍ Mechanism for controllable damping
  ❍ Spaminess estimation to selectively apply damping
❒ Anti-spam
  ❍ Selectively damp TCP connections based on their spaminess
    ➘ low pain on receivers and legitimate senders
    ➘ high aggregated pain to spammers
  ❍ Help ISPs identify spam connections
    ➘ by creating a traffic anomaly
  ❍ Resist spam at delivery time

Resisting at Delivery Time
❒ Why at delivery time
  ❍ Compared to passive filters
    ➘ actively resist spam
  ❍ Compared to actions prior to delivery
    ➘ receiver control
  ❍ Compared to “revenge” after delivery
    ➘ easy to justify the “attack”

Why Damping at TCP Layer
[Figure: SMTP sender and SMTP receiver protocol stacks (Applications, Socket layer, TCP, IP, Physical), with rcv_sock_buf at the receiver's socket layer; an X marks the application and socket-layer points where the receiver could try to slow the sender]
❒ An end-to-end issue
  ❍ Layers below TCP can help but can’t solve it
❒ Sender gets no pain
  ❍ Keeps pushing until rcv_sock_buf is filled up
  ❍ Spam messages are small
❒ Application can choose to pause
  ❍ Delay reading from the socket buffer
  ❍ Hope to delay the sender
❒ We can fight back at the TCP layer

TCP Damping Mechanisms
❒ Increase sending time
  ❍ delaying TCP packets
❒ Consume network bandwidth
  ❍ requesting more packets
❒ Consume CPU cycles
  ❍ sending back corrupted packets

Damping via Delay
[Figure: sender transmits Seq=X, 1KB data; the receiver holds its ACK=X+1K, adv_win=63K through a delay; the sender's timeout fires and it retransmits Seq=X, 1KB data; the receiver then answers ACK=X+1K, adv_win=63K]
❒ Delay can be achieved by
  ❍ Setting adv_win = 0
  ❍ Faking congestion
  ❍ Delaying outgoing ACKs
    ➘ Timeout could happen
    ➘ TCP connection terminates after at least 14 retries
❒ Cost at receiver side
  ❍ Long idle TCP connection

Damping via Bandwidth Cost
❒ More packets per message
  ❍ Request more data packets
    ➘ Request retransmissions
    [Figure: the sender is made to send Seq=A, 1 byte data; Seq=A+1, 1 byte data; Seq=A+2, 1 byte data; ...]
  ❍ Request more ACKs
    ➘ out-of-order packets
      ❧ send packets in reverse order
    ➘ resend “old” packets
      ❧ reuse sequence (SYN+)
    ➘ use “future” packets
      ❧ sequence that won’t be used by this connection
    [Figure: the connection's sequence space divided into “Valid Sequence” and “Future Sequence”]
❒ Cost
  ❍ About a 1:1 ratio for packets each way

Control TCP Damping
❒ Control the damping impact
  ❍ spam filters estimate the spaminess
  ❍ use spaminess to drive the damping factor
❒ Apply spam filter (SpamAssassin) at delivery time
  ❍ heuristic rules during the early SMTP conversation
  ❍ body-based rules before “250 Message Accepted for Delivery”

Summary
❒ TCP Damping
  ❍ A cost approach within the current SMTP structure
  ❍ Cost is in the form of delay and bandwidth
  ❍ Resists spam at delivery time
  ❍ Requires only receiver-side modification
❒ Challenges and future work
  ❍ More TCP damping mechanisms
    ➘ low overhead
    ➘ avoid congestion
  ❍ Incentives for deployment
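The “Damping via Delay” slide shows a receiver holding its ACK until the sender's retransmission timer fires. The simulation below, an added example and not code from the authors, makes the sender's cost concrete: it models a stop-and-wait transfer (one segment in flight, as if the receiver advertised a one-segment window) against a sender with an exponentially backed-off retransmission timer, and reports how much time the sender loses, how many extra data packets it emits, and whether it gives up. The timer constants (1 s initial RTO, doubling, 120 s cap), the 100 ms RTT and the retry limit of 14 (taken from the slide's “at least 14 retries”) are assumptions chosen for illustration; `simulate_delay_damping` and `DampingResult` are names introduced here.

```python
"""Receiver-side delay damping, simulated (added example; not the authors' code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DampingResult:
    delivered_bytes: int      # bytes the sender saw ACKed before finishing or giving up
    elapsed_s: float          # sender-side wall clock until done or aborted
    retransmissions: int      # extra data packets the damping forced out of the sender
    terminated: bool          # True if the sender exhausted its retries


def _send_one_segment(rtt_s, ack_delay_s, rto_initial_s, rto_max_s, max_retries):
    """Return (time until the sender sees an ACK or aborts, retransmissions, aborted)."""
    # The receiver ACKs the first copy it sees; that ACK reaches the sender one
    # RTT plus the deliberate hold time after the original transmission.
    ack_arrival = rtt_s + ack_delay_s
    timer_start, rto, retries = 0.0, rto_initial_s, 0
    # Each time the timer fires before that ACK shows up, the sender retransmits,
    # restarts the timer and doubles the RTO (assumed RFC 6298-style backoff).
    while ack_arrival > timer_start + rto:
        if retries == max_retries:
            # Sender gives up: the slide's "connection terminates after N retries"
            return timer_start + rto, retries, True
        timer_start += rto
        retries += 1
        rto = min(rto * 2.0, rto_max_s)
    return ack_arrival, retries, False


def simulate_delay_damping(message_bytes, mss=1024, rtt_s=0.1, ack_delay_s=0.0,
                           rto_initial_s=1.0, rto_max_s=120.0, max_retries=14):
    """Cost the sender pays to push `message_bytes` through a receiver that holds ACKs."""
    segments = -(-message_bytes // mss)   # ceiling division
    elapsed, retx = 0.0, 0
    for i in range(segments):
        t, r, aborted = _send_one_segment(rtt_s, ack_delay_s, rto_initial_s,
                                          rto_max_s, max_retries)
        elapsed += t
        retx += r
        if aborted:
            return DampingResult(i * mss, elapsed, retx, True)
    return DampingResult(message_bytes, elapsed, retx, False)


if __name__ == "__main__":
    # Constructed scenario: a 4 KB message under no damping, a 3 s hold, and a
    # hold long enough to outlast the sender's retry budget.
    for delay in (0.0, 3.0, 2000.0):
        r = simulate_delay_damping(4096, ack_delay_s=delay)
        print(f"ack_delay={delay:7.1f}s  elapsed={r.elapsed_s:8.1f}s  "
              f"retransmissions={r.retransmissions:3d}  terminated={r.terminated}")
```

With a 3 s hold per segment the sender retransmits every segment twice and the 4 KB message takes about 12 s instead of 0.4 s, which is the “long idle TCP connection” cost the slide notes for the receiver as well. A hold that outlasts the backoff sequence triggers the slide's termination case: the sender aborts after 14 retransmissions with nothing delivered.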
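The “Control TCP Damping” slide ties the mechanisms to a spaminess estimate, and the “Damping via Bandwidth Cost” slide notes the roughly 1:1 packet ratio once the receiver forces small data segments. The controller below is an added example, not the authors' code: it turns a SpamAssassin-style score (5.0 is SpamAssassin's default `required_score`) into a damping factor, maps that factor onto the two receiver-side knobs the slides describe (how long outgoing ACKs are held, and how small the advertised window is), and estimates the per-message and aggregate packet cost so the “low pain for legitimate senders, high aggregated pain for spammers” claim can be checked numerically. The linear score-to-factor curve, the 15.0 saturation score, the 30 s maximum hold, the geometric window shrink and the function names are all assumptions made here.

```python
"""Spaminess-driven damping controller (added example; not the authors' code)."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class DampingPolicy:
    factor: float             # 0.0 = untouched connection, 1.0 = maximum damping
    ack_delay_s: float        # how long the receiver holds each outgoing ACK
    adv_window_bytes: int     # receive window advertised to the sender


def damping_factor(spam_score, required_score=5.0, saturation_score=15.0):
    """0 below the filter threshold, rising linearly to 1 at saturation_score (assumed curve)."""
    if spam_score < required_score:
        return 0.0
    if spam_score >= saturation_score:
        return 1.0
    return (spam_score - required_score) / (saturation_score - required_score)


def policy_for(spam_score, mss=1460, max_ack_delay_s=30.0):
    """Map a spam score onto the delay and bandwidth knobs of the receiver's TCP stack."""
    f = damping_factor(spam_score)
    ack_delay = f * max_ack_delay_s
    # Window shrinks geometrically from a full MSS (no damping) down to 1 byte
    # (full damping), which forces the sender into the one-byte segments on the slide.
    adv_window = max(1, int(round(mss ** (1.0 - f))))
    return DampingPolicy(f, ack_delay, adv_window)


def packets_per_message(message_bytes, policy):
    """(data packets the sender must emit, ACKs the receiver returns) for one message."""
    data_pkts = math.ceil(message_bytes / policy.adv_window_bytes)
    # One ACK per data packet: the ~1:1 ratio each way noted on the slide.
    return data_pkts, data_pkts


def aggregate_packets(scores, message_bytes=4000):
    """Total data packets a sending host pays for one message per scored connection."""
    return sum(packets_per_message(message_bytes, policy_for(s))[0] for s in scores)


def smtp_stage_policies(envelope_score, header_score, body_score):
    """Score accumulates through the SMTP conversation; the policy can tighten at each stage."""
    stages = [("envelope", envelope_score),
              ("headers", envelope_score + header_score),
              ("body", envelope_score + header_score + body_score)]
    return [(name, policy_for(s)) for name, s in stages]


if __name__ == "__main__":
    # Constructed scores: two legitimate-looking connections and two obvious spam ones.
    for s in (1.0, 3.0, 10.0, 20.0):
        p = policy_for(s)
        print(f"score={s:5.1f} factor={p.factor:.2f} ack_delay={p.ack_delay_s:5.1f}s "
              f"adv_win={p.adv_window_bytes:5d} packets/4KB msg={packets_per_message(4000, p)}")
    print("aggregate data packets for the four connections:",
          aggregate_packets([1.0, 3.0, 10.0, 20.0]))
```

Legitimate mail (score below the threshold) keeps a full-MSS window and no ACK hold, so a 4 KB message still costs three data packets; a saturated score drives the window to one byte and the same message costs 4000 packets each way, which is also the traffic anomaly the slides suggest an ISP could notice. The staged variant mirrors the slide's point that heuristic rules run during the early SMTP conversation and body-based rules run before the final 250, so the policy only ever gets tighter as evidence accumulates.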