Understanding the Domain Registration Behavior of Spammers
Shuang Hao, Matthew Thomas, Vern Paxson, Nick Feamster, Christian Kreibich, Chris Grier, Scott Hollenbeck
Overview: Domain Abuse
• Domain names represent valuable Internet resources
• Domain abuse: spam contains URLs leading to scam sites
  Example spam message: "Hello, By visiting this site you can decide any watch that you like http://www.bad-domain.com/qjkx" (the URL leads to a scam site)
• Top-level domain name: com
• Second-level domain name: bad-domain.com
• Host name: www.bad-domain.com
Overview: Spammers Exploit Domains
• Domains are more agile and reliable for attacks
  – The domain space is very big
  – Domain cost is small
  – Not easy to detect
Overview: Motivation for Early Detection
[Timeline figure] Pre-attack: domain registration. Post-attack: attack (spamming), which is where existing defenses operate: spam content filtering, IP blacklisting, URL crawling, DNS traffic analysis, etc.
– Most research focuses on activities after spam is sent
  Problem: this leaves a window for spam dissemination and monetization
– Ultimate goal: detect spammer domains at time of registration rather than later at time of use
Talk Outline
• Motivation
• Registration Process and Data Collection
• DNS Infrastructure Used for Spammer Domains
• Detecting Registration Spikes
• Domain Life-cycle Role Analysis
• Summary
Background: Domain Registration Process
[Figure] Registrant → Registrar (e.g., GoDaddy), which brokers registrations → Registry (e.g., Verisign), which manages the registration database → database update → top-level nameservers
Background: Life Cycle Chart
[Figure] Available → Active (1-10 years; can be renewed, which returns it to Active) → Auto-Renew Grace (45 days) → Redemption Grace (30 days) → Pending Delete (5 days) → Available → re-registration
Background: Data Collection
[Timeline figure] Pre-attack: domain registration (dataset 1: which domains were newly registered in the .com zone). Post-attack: attack/spamming (dataset 2: whether those domains were used in spamming activities after registration).
Background: Data Statistics
1. Verisign .com domain registrations over 5 months
   – 12,824,401 new .com domains during March–July 2012
   – Epoch: zone file updates every 5 minutes
   – Registration information: registrars, nameservers, registration history
2. Spammer domains
   – 134,455 new .com domains were blacklisted later
   – Sources: spam trap, URIBL, and SURBL during March–October 2012 (8 months)
Talk Outline (this section: DNS Infrastructure Used for Spammer Domains – Registrars and Authoritative Nameservers)
Infrastructure: Registrars Hosting Spammer Domains
• Question: Which registrars do spammers choose to register domains?
Registrars ranked by their share of all spammer domains:
Rank | Registrar                            | Share of spammer domains
1    | eNom, Inc.                           | 27.03%
2    | Moniker Online Services, Inc.        | 19.01%
3    | Tucows.com Co.                       | 4.47%
8    | OnlineNIC, Inc.                      | 2.13%
9    | Center of Ukrainian Internet Names   | 2.07%
10   | Register.com, Inc.                   | 1.89%
[Pie charts] The top registrars account for about 70% of spammer domains but only about 20% of all domains added to the zone.
• Confirmation*: a handful of registrars account for the majority of spammer domains
* Levchenko, K. et al. Click Trajectories: End-to-End Analysis of the Spam Value Chain. In Proceedings of the IEEE Symposium on Security and Privacy, 2011.
Infrastructure: Spam Proportions on Registrars
• Question: Do registrars only host spammer domains?
[Scatter plot] x-axis: spammer domain counts (log scale); y-axis: non-spammer domain counts (log scale); one point per registrar. Labelled registrars: Tucows.com Co., GoDaddy.com, LLC, eNom, Inc., PDR Ltd. d/b/a PublicDomainRegistry.com, Register.com, Inc., Moniker Online Services, Inc., INTERNET.bs Corp., Bizcn.com, Inc., OnlineNIC, Inc., Trunkoz Technologies Pvt Ltd. d/b/a OwnRegistrar.com, Center of Ukrainian Internet Names, ABSystems Inc.
• Finding: Spammers primarily use popular registrars
Infrastructure: Authoritative Nameservers
• Question: Do spammers use particular nameservers?
• Example: the DNS server hosting the greatest number of spammer domains is ns1.monikerdns.net, but 99.77% of the domains it serves were registered through the same registrar, Moniker Online Services, Inc.
• Finding: Spammers often use the nameservers provided by the registrars
Talk Outline (this section: Detecting Registration Spikes)
Spike Pattern: An Example of Bulk Registration
• Question: Do spammers register domains in groups?
[Time series] Domains registered by eNom in each 5-minute epoch on March 5, 2012: all new domains per epoch versus new spammer domains per epoch
Spike Pattern: Distribution of Spammer Domain Registration
• Distribution of the number of spammer domains registered within the same registrar and epoch
• Only 20% of the spammer domains were registered in isolation
• Finding: Spammers perform registrations in batches
Spike Pattern: Modeling Registration Batch Size
• Question: How to identify "abnormally large" registration batches?
• Build an hourly model to fit diurnal patterns
• Use a compound Poisson distribution to represent customer purchase behaviors
• Spike: a registration count with low probability under the model
[Figure] eNom, Inc., hourly window, 10AM–11AM ET
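The following is an added example of the modelling step described above; it is not the authors' code and the training data in it is constructed. It fits a compound Poisson model (a Poisson number of customer purchases per 5-minute epoch, each purchase buying a batch of domains) for one hour-of-day window, computes the exact distribution of registrations per epoch with the Panjer recursion, and flags an epoch as a spike when its count has tail probability below a threshold. Two things are assumptions of this example rather than statements from the slides: that the batch sizes of individual purchases are observable in the training window (the slides do not say how the batch-size distribution is estimated), and the spike threshold of 1e-3.

```python
"""Spike detection for per-epoch registration counts (added illustration,
not the authors' code).

Model: registrations in an epoch S = X_1 + ... + X_N, where N ~ Poisson(lam)
is the number of customer purchases and each X_i is a purchase's batch size.
One model per hour of day captures diurnal variation.  Assumptions: purchase
batch sizes are observable in the training window; spike threshold 1e-3;
TRAINING_10AM_ET is constructed data.
"""
import math
from collections import Counter

# Constructed training data: ten 5-minute epochs from one registrar's
# 10AM-11AM ET window; each inner list holds the batch sizes of the
# purchases that occurred in that epoch.
TRAINING_10AM_ET = [
    [1, 1, 2, 1], [1, 1], [], [5, 1, 1], [1, 2],
    [1, 2], [1, 1], [2], [1, 1, 5], [1],
]


def fit_compound_poisson(training_epochs):
    """Return (lam, batch_pmf): lam is the mean number of purchases per
    epoch, batch_pmf maps a batch size to its empirical probability."""
    sizes = [s for epoch in training_epochs for s in epoch]
    lam = len(sizes) / len(training_epochs)
    counts = Counter(sizes)
    batch_pmf = {k: v / len(sizes) for k, v in sorted(counts.items())}
    return lam, batch_pmf


def compound_poisson_pmf(lam, batch_pmf, n_max):
    """Exact pmf g[0..n_max] of S via the Panjer recursion for a Poisson
    primary distribution (all batch sizes >= 1):
        g(0) = exp(-lam),  g(n) = (lam / n) * sum_k k * f(k) * g(n - k)."""
    g = [0.0] * (n_max + 1)
    g[0] = math.exp(-lam)
    for n in range(1, n_max + 1):
        acc = 0.0
        for k, fk in batch_pmf.items():
            if 1 <= k <= n:
                acc += k * fk * g[n - k]
        g[n] = lam * acc / n
    return g


def tail_probability(g, count):
    """P(S >= count) under the truncated pmf g.  Counts beyond the truncation
    point carry negligible mass for a sensible n_max and return 0."""
    if count > len(g) - 1:
        return 0.0
    return max(0.0, 1.0 - sum(g[:count]))


def detect_spikes(hourly_models, observations, threshold=1e-3, n_max=500):
    """hourly_models: hour_of_day -> (lam, batch_pmf) fitted on that hour's
    history.  observations: list of (hour_of_day, registrations_in_epoch).
    Returns [(hour, count, tail_prob, is_spike), ...]."""
    pmf_cache = {}
    results = []
    for hour, count in observations:
        if hour not in pmf_cache:
            lam, batch_pmf = hourly_models[hour]
            pmf_cache[hour] = compound_poisson_pmf(lam, batch_pmf, n_max)
        p = tail_probability(pmf_cache[hour], count)
        results.append((hour, count, p, p < threshold))
    return results


if __name__ == "__main__":
    models = {10: fit_compound_poisson(TRAINING_10AM_ET)}
    for hour, count, p, spike in detect_spikes(models, [(10, 3), (10, 12), (10, 40)]):
        print(f"{hour:02d}h count={count:3d} P(S>=count)={p:.2e} spike={spike}")
```

With the constructed window the fit gives two purchases per epoch on average and batch sizes 1, 2 and 5 with probabilities 0.7, 0.2 and 0.1, so the expected count is 3.2 domains per epoch; an epoch with 40 registrations is far out in the tail and is flagged, while 3 registrations is ordinary. A production version would fit one model per registrar and per hour from the zone-file history rather than from a hand-written list.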
Spike Pattern: Registrations in Spikes
• Spammer domains in spikes: 42%
• All domains in spikes: 15%
• Finding: Spammer domains appear in spikes with a much higher likelihood
Talk Outline (this section: Domain Life-cycle Role Analysis)
Life Cycle: Life Cycle Categories
[Figure] Available → Active (1-10 years; renewable) → Auto-Renew Grace (45 days) → Redemption Grace (30 days) → Pending Delete (5 days) → Available → re-registration
• Brand-new: the domain has never appeared in the zone before
• Re-registration: the domain has previously appeared in the zone
  – Drop-catch: re-registered immediately after its release
  – Retread: some time elapses between a domain's prior deletion and its re-registration
Life Cycle: Prevalence of Different Categories
• Question: Which type of domain is more likely to be used in spam?
Conditional probability of being a spammer domain:
                  | Brand-new | Re-registration: Drop-catch | Re-registration: Retread
All registrations | 1.01%     | 0.33%                       | 1.34%
In spikes         | 2.61%     | 0.37%                       | 4.48%
• Finding: Spammers commonly re-register expired domains, especially when performing bulk registrations
Life Cycle: Malicious Activities before Retread
• Question: Do spammers re-register previous spammer domains?
• Check the spam trap and blacklists for the period before the re-registration time (October 2011–February 2012)
  – Only 6.8% had appeared in a blacklist before re-registration
• Finding: Spammers re-register expired domains with clean histories
Life Cycle: Dormancy before Retread
• Question: How long between deletion and re-registration?
• 65% of retread spammer domains had been deleted less than 90 days before re-registration
• Finding: Spammers tend to re-register domains that expired more recently
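The following is an added example, not the authors' code, that implements the life-cycle categories defined earlier in this section (brand-new, drop-catch, retread) and the dormancy measurement used on this slide, by replaying a zone history as add/delete events. Assumptions of this example: the zone is observed as a sequence of add and delete events (the talk's 5-minute epochs), "immediately after release" is taken to mean within DROP_CATCH_WINDOW (one day, a parameter chosen here), and SAMPLE_EVENTS and SAMPLE_SPAM are constructed data.

```python
"""Life-cycle roles of .com registrations from zone-file add/delete events
(added illustration, not the authors' code).

Categories from the talk: brand-new (never in the zone before);
re-registration (previously in the zone), split into drop-catch
(re-registered immediately after release) and retread (some time elapsed
since the prior deletion).  Dormancy = time from deletion to re-registration.
Assumptions: DROP_CATCH_WINDOW defines "immediately"; SAMPLE_EVENTS and
SAMPLE_SPAM are constructed, not real zone or blacklist data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DROP_CATCH_WINDOW = timedelta(days=1)  # assumed meaning of "immediately"


@dataclass(frozen=True)
class Event:
    when: datetime
    domain: str
    action: str  # "add": domain appears in the zone; "del": it is removed


@dataclass(frozen=True)
class Registration:
    when: datetime
    domain: str
    category: str  # "brand-new" | "drop-catch" | "retread"
    dormancy: Optional[timedelta]  # time since prior deletion; None if brand-new


def classify(events):
    """Replay the zone history in time order and label every add event."""
    active = set()       # domains currently in the zone
    last_deleted = {}    # domain -> time of its most recent deletion
    registrations = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.action == "del":
            active.discard(ev.domain)
            last_deleted[ev.domain] = ev.when
            continue
        if ev.action != "add":
            raise ValueError(f"unknown action {ev.action!r}")
        if ev.domain in active:
            continue  # duplicate add while already in the zone: not a registration
        if ev.domain in last_deleted:
            dormancy = ev.when - last_deleted[ev.domain]
            category = "drop-catch" if dormancy <= DROP_CATCH_WINDOW else "retread"
        else:
            dormancy, category = None, "brand-new"
        active.add(ev.domain)
        registrations.append(Registration(ev.when, ev.domain, category, dormancy))
    return registrations


def spam_rate_by_category(registrations, spam_domains):
    """Conditional probability of being a spammer domain, per category."""
    rates = {}
    for cat in ("brand-new", "drop-catch", "retread"):
        group = [r for r in registrations if r.category == cat]
        spam = sum(1 for r in group if r.domain in spam_domains)
        rates[cat] = spam / len(group) if group else None
    return rates


def recent_retread_share(registrations, spam_domains, cutoff=timedelta(days=90)):
    """Share of retread spammer domains whose prior deletion was less than
    `cutoff` before re-registration (the slide reports 65% for 90 days)."""
    retreads = [r for r in registrations
                if r.category == "retread" and r.domain in spam_domains]
    if not retreads:
        return None
    return sum(1 for r in retreads if r.dormancy < cutoff) / len(retreads)


# Constructed zone history: five domains, some deleted and re-registered.
SAMPLE_EVENTS = [
    Event(datetime(2010, 6, 1), "c.com", "add"),
    Event(datetime(2010, 6, 1), "d.com", "add"),
    Event(datetime(2011, 1, 1), "b.com", "add"),
    Event(datetime(2011, 1, 1), "e.com", "add"),
    Event(datetime(2011, 6, 1), "d.com", "del"),
    Event(datetime(2012, 1, 10), "c.com", "del"),
    Event(datetime(2012, 3, 1, 0, 0), "b.com", "del"),
    Event(datetime(2012, 3, 1, 0, 5), "b.com", "add"),   # caught one epoch after release
    Event(datetime(2012, 3, 5, 10, 0), "a.com", "add"),  # never seen before
    Event(datetime(2012, 3, 10), "c.com", "add"),        # 60 days dormant
    Event(datetime(2012, 3, 12), "d.com", "add"),        # 285 days dormant
    Event(datetime(2012, 3, 20), "e.com", "add"),        # duplicate add: still active
]
SAMPLE_SPAM = {"c.com", "d.com"}  # constructed blacklist membership

if __name__ == "__main__":
    regs = classify(SAMPLE_EVENTS)
    for r in regs:
        print(r.when.isoformat(), r.domain, r.category, r.dormancy)
    print(spam_rate_by_category(regs, SAMPLE_SPAM))
    print(recent_retread_share(regs, SAMPLE_SPAM))
```

On the constructed history, b.com is a drop-catch (re-registered five minutes after deletion), c.com and d.com are retreads with 60 and 285 days of dormancy, and a.com is brand-new; the e.com add on March 20 is ignored because the domain never left the zone. Checking the blacklist history before the re-registration time, as the previous slide does, is the same walk with the blacklist keyed by date rather than by domain only.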
Summary: Takeaways
• Positive action by specific registrars could have a significant impact in impeding spammer domain registrations
• Pay attention to bulk registrations: spammers find economic and/or management benefit in registering domains in large batches
• In addition to generating new names, spammers take advantage of re-registering expired domains that had a clean history
Summary
• We studied the fine-grained domain registration of the .com zone over a 5-month period
• Registration patterns have power for distinguishing spammer domains, but there is no single striking signal that separates good domains from bad ones
• Next steps
  – Develop a detector for spammer domains at registration time
  – Investigate further the reasons behind spammer registration strategies
http://www.cc.gatech.edu/~shao