17 RBL comparison (2 month period) 100000 ains 10000 ber of detected dom 1000 100 10 1 0 10 20 30 40 50 60 70 80 Num Detection in advance (days)
17 RBL comparison (2 month period) 100000 ains 10000 ber of detected dom 1000 100 10 1 0 10 20 30 40 50 60 70 80 Num Detection in advance (days) 30705 Δ t < 2 days
17 RBL comparison (2 month period) 100000 ains 10000 ber of detected dom 1000 100 10 1 0 10 20 30 40 50 60 70 80 Num Detection in advance (days) 30705 1972 Δ t < 2 days Δ t ≥ 2 days
17 RBL comparison (2 month period) 100000 ains 10000 ber of detected dom 1000 100 10 1 0 10 20 30 40 50 60 70 80 Num Detection in advance (days) 1154 30705 1972 Δ t < 2 days Δ t ≥ 2 days
17 RBL comparison (2 month period) 100000 ains 10000 ber of detected dom 1000 100 10 1 0 10 20 30 40 50 60 70 80 Num Detection in advance (days) 1105 1154 30705 1972 Δ t < 2 days Δ t ≥ 2 days
17 RBL comparison (2 month period) 100000 ains 10000 ber of detected dom 1000 100 10 1 0 10 20 30 40 50 60 70 80 Num Detection in advance (days) 971 1105 1154 30705 1972 Δ t < 2 days Δ t ≥ 2 days
17 RBL comparison (2 month period) 100000 ains 10000 ber of detected dom 1000 100 10 1 0 10 20 30 40 50 60 70 80 Num Detection in advance (days) 949 971 1105 1154 30705 1972 Δ t < 2 days Δ t ≥ 2 days
18 RBL comparison (9 month period) Number of detected domains 10000 1000 100 10 1 0 20 40 60 80 100 120 140 160 180 Detection in advance (days) 205 1305 57724 6710 Δ t < 2 days Δ t ≥ 2 days
19 SURFnet evaluation daadzgam.com Domain names realdrippy.com coachspoke.com stillscratch.com homerope.com quittradition.com 2017-05-24 2017-06-23 2017-07-23 Observation dates
20 SURFnet evaluation daadzgam.com Domain names realdrippy.com coachspoke.com stillscratch.com homerope.com quittradition.com 2017-05-24 2017-06-23 2017-07-23 Observation dates
20 SURFnet evaluation daadzgam.com Domain names Detected realdrippy.com Blacklisted coachspoke.com stillscratch.com homerope.com quittradition.com 2017-05-24 2017-06-23 2017-07-23 Observation dates
• 45% of received emails fall in this category 20 • 18% of observed domains fall in this category SURFnet evaluation daadzgam.com Domain names Detected realdrippy.com Blacklisted coachspoke.com stillscratch.com homerope.com quittradition.com 2017-05-24 2017-06-23 2017-07-23 Observation dates Δ t < 2 days
• 17% of received emails fall in this category 20 • 26% of observed domains fall in this category SURFnet evaluation daadzgam.com Domain names Detected realdrippy.com Blacklisted coachspoke.com stillscratch.com homerope.com quittradition.com 2017-05-24 2017-06-23 2017-07-23 Observation dates Δ t ≥ 2 days
• 38% of received emails fall in this category • 57% of observed domains fall in this category 20 SURFnet evaluation daadzgam.com Domain names Detected realdrippy.com Blacklisted coachspoke.com stillscratch.com homerope.com quittradition.com 2017-05-24 2017-06-23 2017-07-23 Observation dates ? domain not on existing blacklist yet
• 59% of these emails have not been marked as spam • 41% of emails were received in the purple areas 20 SURFnet evaluation daadzgam.com Domain names Detected realdrippy.com Blacklisted coachspoke.com stillscratch.com homerope.com quittradition.com 2017-05-24 2017-06-23 2017-07-23 Observation dates
Use case: DDoS domains
In DDoS attacks the amplification factor is important. Domains crafted for DDoS attacks typically have: • Many records • Long (TXT) records 21 DDoS domains
In DDoS attacks the amplification factor is important. Domains crafted for DDoS attacks typically have: • Many records • Long (TXT) records 21 DDoS domains
Possible methodology could be: 1. Filter domains with more than average number of records, or longer than average TXT record 2. Gather the records for the past X days 3. Determine trend lines 4. Predict the size of the domain, say, ten days from now 5. Flag the domain if the predicted size is above a certain threshold 22 Lifetime of a DDoS domain 4000 A NS 3500 SOA Estimated ANY size (bytes) 3000 TXT 2500 Attacks observed 2000 1500 1000 500 0 2 3 4 5 6 7 8 9 0 0 0 0 0 0 0 0 - - - - - - - - 5 5 5 5 5 5 5 5 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 2 2 2 2 2 2 2 2
Possible methodology could be: 1. Filter domains with more than average number of records, or longer than average TXT record 2. Gather the records for the past X days 3. Determine trend lines 4. Predict the size of the domain, say, ten days from now 5. Flag the domain if the predicted size is above a certain threshold 22 Lifetime of a DDoS domain 4000 A NS 3500 SOA Estimated ANY size (bytes) 3000 TXT 2500 Attacks observed 2000 1500 1000 500 0 2 3 4 5 6 7 8 9 0 0 0 0 0 0 0 0 - - - - - - - - 5 5 5 5 5 5 5 5 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 2 2 2 2 2 2 2 2
Possible methodology could be: 1. Filter domains with more than average number of records, or longer than average TXT record 2. Gather the records for the past X days 3. Determine trend lines 4. Predict the size of the domain, say, ten days from now 5. Flag the domain if the predicted size is above a certain threshold 22 Lifetime of a DDoS domain 4000 A NS 3500 SOA Estimated ANY size (bytes) 3000 TXT 2500 Attacks observed 2000 1500 1000 500 0 2 3 4 5 6 7 8 9 0 0 0 0 0 0 0 0 - - - - - - - - 5 5 5 5 5 5 5 5 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 2 2 2 2 2 2 2 2
Possible methodology could be: 1. Filter domains with more than average number of records, or longer than average TXT record 2. Gather the records for the past X days 3. Determine trend lines 4. Predict the size of the domain, say, ten days from now 5. Flag the domain if the predicted size is above a certain threshold 22 Lifetime of a DDoS domain 4000 A NS 3500 SOA Estimated ANY size (bytes) 3000 TXT 2500 Attacks observed 2000 1500 1000 500 0 2 3 4 5 6 7 8 9 0 0 0 0 0 0 0 0 - - - - - - - - 5 5 5 5 5 5 5 5 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 2 2 2 2 2 2 2 2
Possible methodology could be: 1. Filter domains with more than average number of records, or longer than average TXT record 2. Gather the records for the past X days 3. Determine trend lines 4. Predict the size of the domain, say, ten days from now 5. Flag the domain if the predicted size is above a certain threshold 22 Lifetime of a DDoS domain 4000 A NS 3500 SOA Estimated ANY size (bytes) 3000 TXT 2500 Attacks observed 2000 1500 1000 500 0 2 3 4 5 6 7 8 9 0 0 0 0 0 0 0 0 - - - - - - - - 5 5 5 5 5 5 5 5 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 2 2 2 2 2 2 2 2
Possible methodology could be: 1. Filter domains with more than average number of records, or longer than average TXT record 2. Gather the records for the past X days 3. Determine trend lines 4. Predict the size of the domain, say, ten days from now 5. Flag the domain if the predicted size is above a certain threshold 22 Lifetime of a DDoS domain 4000 A NS 3500 SOA Estimated ANY size (bytes) 3000 TXT 2500 Attacks observed 2000 1500 1000 500 0 2 3 4 5 6 7 8 9 0 0 0 0 0 0 0 0 - - - - - - - - 5 5 5 5 5 5 5 5 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 2 2 2 2 2 2 2 2
Possible methodology could be: 1. Filter domains with more than average number of records, or longer than average TXT record 2. Gather the records for the past X days 3. Determine trend lines 4. Predict the size of the domain, say, ten days from now 5. Flag the domain if the predicted size is above a certain threshold 22 Lifetime of a DDoS domain 4000 A NS 3500 SOA Estimated ANY size (bytes) 3000 TXT 2500 Attacks observed 2000 1500 1000 500 0 2 3 4 5 6 7 8 9 0 0 0 0 0 0 0 0 - - - - - - - - 5 5 5 5 5 5 5 5 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 2 2 2 2 2 2 2 2
Possible methodology could be: 1. Filter domains with more than average number of records, or longer than average TXT record 2. Gather the records for the past X days 3. Determine trend lines 4. Predict the size of the domain, say, ten days from now 5. Flag the domain if the predicted size is above a certain threshold 22 Lifetime of a DDoS domain 4000 A NS 3500 SOA Estimated ANY size (bytes) 3000 TXT 2500 Attacks observed 2000 1500 1000 500 0 2 3 4 5 6 7 8 9 0 0 0 0 0 0 0 0 - - - - - - - - 5 5 5 5 5 5 5 5 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 2 2 2 2 2 2 2 2
Use case: DNS TXT records
• 1.2% falls in the ‘other’ category 23 • Majority of TXT records are related to email (~70%) DNS TXT records 80 M Crypto Coins 70 M Email TXT records Number of Encoded 60 M Miscellaneous 50 M Other 40 M Patterns Verification 30 M 20 M 2015-07 2016-01 2016-07 2017-01 2017-07 2018-01 2018-07 Date
• 1.2% falls in the ‘other’ category 23 • Majority of TXT records are related to email (~70%) DNS TXT records 80 M Crypto Coins 70 M Email TXT records Number of Encoded 60 M Miscellaneous 50 M Other 40 M Patterns Verification 30 M 20 M 2015-07 2016-01 2016-07 2017-01 2017-07 2018-01 2018-07 Date
• 1.2% falls in the ‘other’ category 23 • Majority of TXT records are related to email (~70%) DNS TXT records 80 M Crypto Coins 70 M Email TXT records Number of Encoded 60 M Miscellaneous 50 M Other 40 M Patterns Verification 30 M 20 M 2015-07 2016-01 2016-07 2017-01 2017-07 2018-01 2018-07 Date
One of the hightlights of this ‘other’ category is single character records. • More than 278K TXT records consisting of a single charcter • Majority contains a ~ • Almost all of these domains are hosted in the same AS 24 DNS TXT records
One of the hightlights of this ‘other’ category is single character records. • More than 278K TXT records consisting of a single charcter • Majority contains a ~ • Almost all of these domains are hosted in the same AS 24 DNS TXT records
One of the hightlights of this ‘other’ category is single character records. • More than 278K TXT records consisting of a single charcter • Majority contains a ~ • Almost all of these domains are hosted in the same AS 24 DNS TXT records
One of the hightlights of this ‘other’ category is single character records. • More than 278K TXT records consisting of a single charcter • Majority contains a ~ • Almost all of these domains are hosted in the same AS 24 DNS TXT records
25 DNS TXT records
• Generally, no Are these records useful for threat detection? • The ‘~’; case could be an identifier for domains from a specific AS 26 DNS TXT records
Use case: Combo-squat domains
Many types of squatting domains: Type Example (target: utwente.nl) Typosquatting utwent.nl Combosquatting utwente-login.nl Bitsquatting utwenpe.nl Homograph-Based squatting utvvente.nl 27 Combo-squat: What is a combo-squat domain?
We started out by developing a general machine-learning based detection model. Feeding the detection model a list of trademarks worked a lot better! Trademark Number of domains Apple 8751 Paypal 1241 Microsoft 711 28 Combo-squat: A general approach?
We started out by developing a general machine-learning based detection model. Feeding the detection model a list of trademarks worked a lot better! Trademark Number of domains Apple 8751 Paypal 1241 Microsoft 711 28 Combo-squat: A general approach?
We started out by developing a general machine-learning based detection model. Feeding the detection model a list of trademarks worked a lot better! Trademark Number of domains Apple 8751 Paypal 1241 Microsoft 711 28 Combo-squat: A general approach?
29 However, a larger problem is the life time of a combosquat domain. Combo-squat: The problems with a generic approach
29 However, a larger problem is the life time of a combosquat domain. Combo-squat: The problems with a generic approach
Where it works: • Snowshoe spam domains Where it might work: • DDoS Domains • Malicious TXT records Where it doesn’t work: • Combo-squat domains 30 Use cases
Where it works: • Snowshoe spam domains Where it might work: • DDoS Domains • Malicious TXT records Where it doesn’t work: • Combo-squat domains 30 Use cases
Where it works: • Snowshoe spam domains Where it might work: • DDoS Domains • Malicious TXT records Where it doesn’t work: • Combo-squat domains 30 Use cases
Reflection
What have we learned from these use cases? • The data needs to contain hints • This approach works for relatively long setup times (in our case >1d) 31 Reflection
What have we learned from these use cases? • The data needs to contain hints • This approach works for relatively long setup times (in our case >1d) 31 Reflection
What have we learned from these use cases? • The data needs to contain hints • This approach works for relatively long setup times (in our case >1d) 31 Reflection
32 We realize that our solution is not perfect. Improvement?
We think the “ultimate” solution is to combine passive and active measurements. We realize that our solution is not perfect. 32 Improvement?
Recommend
More recommend