
Understanding the Domain Registration Behavior of Spammers Shuang - PowerPoint PPT Presentation



  1. Understanding the Domain Registration Behavior of Spammers Shuang Hao, Matthew Thomas, Vern Paxson, Nick Feamster, Christian Kreibich, Chris Grier, Scott Hollenbeck

  2. Overview: Domain Abuse
     • Domain names represent valuable Internet resources
     • Domain abuse: spam contains URLs leading to scam sites
       Example spam message: "Hello, By visiting this site you can decide any watch that you like http://www.bad-domain.com/qjkx" (the URL leads to a scam site)
     • Top-level domain name: com
     • Second-level domain name: bad-domain.com
     • Host name: www.bad-domain.com

  3. Overview: Spammers Exploit Domains
     • Domains are more agile and reliable for attacks:
       – Domain space is very big
       – Domain cost is small
       – Not easy to detect

  4. Overview: Motivation: Early Detection
     Timeline figure: domain registration (pre-attack) → attack, i.e., spamming (post-attack). Post-attack countermeasures: spam content filtering, IP blacklisting, URL crawling, DNS traffic analysis, etc.
     • Most research focuses on activities after spam is sent
       – Problem: a window is left for spam dissemination and monetization
     • Ultimate goal: detect spammer domains at time-of-registration rather than later at time-of-use

  5. Talk Outline
     • Motivation
     • Registration Process and Data Collection
     • DNS Infrastructure Used for Spammer Domains
     • Detecting Registration Spikes
     • Domain Life-cycle Role Analysis
     • Summary

  6. Background: Domain Registration Process
     Diagram: Registrant → Registrar (e.g., GoDaddy) brokers registrations → Registry (e.g., Verisign) manages the registration database → database update → top-level nameservers

  7. Background: Life Cycle Chart
     Available → Active (1-10 years) → Auto-Renew Grace (45 days) → Redemption Grace (30 days) → Pending Delete (5 days) → Available
     Renew returns the domain to Active; Re-registration from Available starts a new Active term.

  8. Background: Data Collection
     Timeline figure: domain registration (pre-attack) → attack, i.e., spamming (post-attack)
     (1) What domains were newly registered in the .com zone
     (2) Whether the domains were used in spamming activities after registration

  9. Background: Data Statistics
     (1) Verisign .com domain registrations over 5 months
       – 12,824,401 new .com domains during March – July, 2012
       – Epoch: zone file updates every 5 minutes
       – Registration information: registrars, nameservers, registration history
     (2) Spammer domains
       – 134,455 new .com domains were blacklisted later
       – Sources: spam trap, URIBL, and SURBL during March – October, 2012 (8 months)

  10. Talk Outline
     • Motivation
     • Registration Process and Data Collection
     • DNS Infrastructure Used for Spammer Domains
       – Registrars and Authoritative Nameservers
     • Detecting Registration Spikes
     • Domain Life-cycle Role Analysis
     • Conclusion

  11. Infrastructure: Registrars Hosting Spammer Domains
     • Question: What registrars do spammers choose to register domains?
     Registrars ranked by the percentage of spammer domains:
       Rank  Registrar                            Spam %
       1     eNom, Inc.                           27.03%
       2     Moniker Online Services, Inc.        19.01%
       3     Tucows.com Co.                       4.47%
       8     OnlineNIC, Inc.                      2.13%
       9     Center of Ukrainian Internet Names   2.07%
       10    Register.com, Inc.                   1.89%
     Chart: share of spammer domains 70% vs. share of all domains added to the zone 20%
     • Confirmation*: A handful of registrars account for the majority of spammer domains
     * Levchenko, K. et al. Click Trajectories: End-to-End Analysis of the Spam Value Chain. In Proceedings of the IEEE Symposium on Security and Privacy, 2011.

  12. Infrastructure: Spam Proportions on Registrars
     • Question: Do registrars only host spammer domains?
     Scatter plot: spammer domain counts (x axis, log scale, 0 to 10^7) vs. non-spammer domain counts (y axis, log scale, 0 to 10^7). Registrars plotted: Tucows.com Co.; GoDaddy.com, LLC; PDR Ltd. d/b/a PublicDomainRegistry.com; eNom, Inc.; Register.com, Inc.; Moniker Online Services, Inc.; INTERNET.bs Corp.; Bizcn.com, Inc.; OnlineNIC, Inc.; Trunkoz Technologies Pvt Ltd. d/b/a OwnRegistrar.com; Center of Ukrainian Internet Names; ABSystems Inc.
     • Finding: Spammers primarily use popular registrars

  13. Infrastructure: Authoritative Nameservers
     • Question: Do spammers use particular nameservers?
     • Example: the DNS server hosting the greatest number of spammer domains is ns1.monikerdns.net, but 99.77% of all domains were registered through the same registrar, Moniker Online Services, Inc.
     • Finding: Spammers often use the nameservers provided by the registrars

  14. Talk Outline
     • Motivation
     • Registration Process and Data Collection
     • DNS Infrastructure Used for Spammer Domains
     • Detecting Registration Spikes
     • Domain Life-cycle Role Analysis
     • Summary

  15. Spike Pattern: An Example of Bulk Registration
     • Question: Do spammers register domains in groups?
     Figure: new domains every 5 minutes and new spammer domains every 5 minutes, for domains registered by eNom on March 5th, 2012

  16. Spike Pattern: Distribution of Spammer Domain Registration
     • Distribution of the number of spammer domains registered within the same registrar and epoch
     • Only 20% of the spammer domains were registered in isolation
     • Finding: Spammers perform registrations in batches

  17. Spike Pattern: Modeling Registration Batch Size
     • Question: How to identify "abnormally large" registration batches?
     • Build an hourly model to fit diurnal patterns
     • Use a compound Poisson model to represent customer purchase behaviors
     • Spike: a batch whose size has low probability under the model
     Figure: eNom, Inc., hourly window, 10AM–11AM ET
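An added example (not the authors' code) of the spike test described on this slide: per-epoch registration counts for one registrar's hourly window are fitted with a compound Poisson model (a Poisson number of customer purchases per 5-minute epoch, each purchase buying a geometrically distributed number of domains), and an epoch is flagged as a spike when its count has a small tail probability under that model. The baseline counts, the geometric batch-size assumption and the 0.001 threshold are constructed assumptions, not values from the paper.

```python
import math

# Constructed per-epoch counts (5-minute zone-file epochs) for one registrar
# during the same hourly window on a few baseline days; not data from the paper.
BASELINE = [2, 3, 1, 12, 2, 4, 1, 3, 15, 2, 3, 1,
            2, 9, 3, 2, 1, 4, 2, 11, 3, 2, 1, 3]

def fit_compound_poisson(counts):
    """Method-of-moments fit: a Poisson(lam) number of customer purchases per
    epoch, each purchase buying a Geometric(q) number of domains (1, 2, ...).
    Mean = lam/q and variance = lam*(2-q)/q**2 give q = 2m/(v+m), lam = m*q.
    Under-dispersed data clamps q to 1, which reduces to a plain Poisson."""
    n = len(counts)
    m = sum(counts) / n
    v = sum((c - m) ** 2 for c in counts) / (n - 1)
    q = min(1.0, 2 * m / (v + m)) if v > 0 else 1.0
    return m * q, q

def pmf(lam, q, smax):
    """P(S = s) for s = 0..smax via the Panjer recursion for compound Poisson."""
    f = [0.0] + [q * (1 - q) ** (k - 1) for k in range(1, smax + 1)]
    g = [math.exp(-lam)]
    for s in range(1, smax + 1):
        g.append(lam / s * sum(k * f[k] * g[s - k] for k in range(1, s + 1)))
    return g

def spike_probability(counts, observed):
    """Tail probability P(S >= observed) under the model fitted to counts."""
    if observed <= 0:
        return 1.0
    lam, q = fit_compound_poisson(counts)
    return max(0.0, 1.0 - sum(pmf(lam, q, observed - 1)))

def is_spike(counts, observed, alpha=0.001):
    """Flag an epoch as a registration spike when its count is this unlikely."""
    return spike_probability(counts, observed) < alpha

if __name__ == "__main__":
    for n in (4, 15, 60):
        print(n, round(spike_probability(BASELINE, n), 6), is_spike(BASELINE, n))
```

In practice one model is fitted per registrar and per hour of day, so the diurnal pattern on the slide is captured by the baseline used for each window.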

  18. Spike Pattern: Registrations in Spikes
     Chart: spammer domains in spikes: 42%; all domains in spikes: 15%
     • Finding: Spammer domains appear in spikes with a much higher likelihood

  19. Talk Outline
     • Motivation
     • Registration Process and Data Collection
     • DNS Infrastructure Used for Spammer Domains
     • Detecting Registration Spikes
     • Domain Life-cycle Role Analysis
     • Conclusion

  20. Life Cycle: Life Cycle Categories
     Life cycle chart (as on slide 7): Available → Active (1-10 years) → Auto-Renew Grace (45 days) → Redemption Grace (30 days) → Pending Delete (5 days) → Available; Renew returns the domain to Active, Re-registration starts a new Active term
     • Brand-new: the domain has never appeared in the zone before
     • Re-registration: the domain has previously appeared in the zone
       – Drop-catch: re-registered immediately after its release
       – Retread: some time elapses between a domain's prior deletion and its re-registration

  21. Life Cycle: Prevalence of Different Categories
     • Question: What type of domain is more likely to be used in spam?
     Conditional probability of being a spammer domain (Drop-catch and Retread are the two re-registration categories):
                     Brand-new   Drop-catch   Retread
       All domains   1.01%       0.33%        1.34%
       In spikes     2.61%       0.37%        4.48%
     • Finding: Spammers commonly re-register expired domains, especially when performing bulk registrations

  22. Life Cycle: Malicious Activities before Retread
     • Question: Do spammers re-register previous spammer domains?
     • Introspect with spam trap and blacklists before the re-registration time (October 2011 – February 2012)
       – Only 6.8% had appeared in a blacklist before re-registration
     • Finding: Spammers re-register expired domains with clean histories

  23. Life Cycle: Dormancy before Retread
     • Question: How long is the interval between deletion and re-registration?
     • 65% of retread spammer domains were deleted less than 90 days before re-registration
     • Finding: Spammers tend to re-register domains that expired more recently
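An added example (not the authors' code) that applies the life-cycle categories of slide 20 to registration records and reproduces the two measurements of slides 21 and 23: the conditional probability of a domain being blacklisted later, per category and optionally only within spikes, and the share of retread spammer domains deleted less than 90 days before re-registration. The records, the 5-minute drop-catch window and the field names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DROP_CATCH_WINDOW = timedelta(minutes=5)  # assumed: one zone-file epoch after release
RECENT_DELETION = timedelta(days=90)      # the 90-day cut used on slide 23

@dataclass
class Registration:
    domain: str
    registered: datetime
    prior_deletion: Optional[datetime]  # None: never appeared in the zone before
    in_spike: bool                      # registered in an abnormally large batch
    blacklisted_later: bool             # seen in spam trap / URIBL / SURBL afterwards

def lifecycle_category(r):
    """Brand-new / drop-catch / retread, following the slide-20 definitions."""
    if r.prior_deletion is None:
        return "brand-new"
    if r.registered - r.prior_deletion <= DROP_CATCH_WINDOW:
        return "drop-catch"
    return "retread"

def spam_rate_by_category(regs, spikes_only=False):
    """P(blacklisted later | category), optionally restricted to spike epochs."""
    total, spam = {}, {}
    for r in regs:
        if spikes_only and not r.in_spike:
            continue
        c = lifecycle_category(r)
        total[c] = total.get(c, 0) + 1
        spam[c] = spam.get(c, 0) + int(r.blacklisted_later)
    return {c: spam[c] / total[c] for c in total}

def recently_deleted_share(regs):
    """Share of retread spammer domains deleted < 90 days before re-registration."""
    retreads = [r for r in regs
                if r.blacklisted_later and lifecycle_category(r) == "retread"]
    if not retreads:
        return 0.0
    return sum(r.registered - r.prior_deletion < RECENT_DELETION
               for r in retreads) / len(retreads)

T = datetime(2012, 3, 5, 10, 0)
SAMPLE = [  # constructed records, not data from the paper
    Registration("example-a.com", T, None, False, False),
    Registration("example-b.com", T, None, True, True),
    Registration("example-c.com", T, T - timedelta(minutes=5), False, False),
    Registration("example-d.com", T, T - timedelta(days=30), True, True),
    Registration("example-e.com", T, T - timedelta(days=200), False, False),
    Registration("example-f.com", T, T - timedelta(days=120), False, True),
]
```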

  24. Summary: Takeaways
     • Positive actions from specific registrars could have a significant impact in impeding spammer domain registrations
     • Pay attention to bulk registrations: spammers find economic and/or management benefits in registering domains in large batches
     • In addition to generating names, spammers take advantage of re-registering expired domains that originally had a clean history

  25. Summary
     • We studied the fine-grained domain registration of the .com zone over a 5-month period
     • Registration patterns have power for distinguishing spammer domains, but there is no striking signal that separates good domains from bad ones
     • Next steps
       – Develop a detector against spammer domains at registration time
       – Investigate further the reasons for spammer registration strategies
     http://www.cc.gatech.edu/~shao
