detecting and preventing dns abuse in · ›domain names are often abused by cyber criminals spam,...
TRANSCRIPT
![Page 2: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/2.jpg)
Malicious use of domain names
› Domain names are often abused by cyber criminalsSpam, botnet C&C infrastructure, phishing, malware, …
› To avoid blacklisting, malicious actors often deploy a hit-and-run strategy
60% are only active for 1 day after registration [Hao et al]
2
[Hao et al] “Understanding the Domain Registration Behavior of Spammers” IMC 2013
![Page 3: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/3.jpg)
Research hypothesis:
“Malicious actors register domains in bulk, and do so for longer periods of time.”
![Page 4: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/4.jpg)
The .eu trust strategy
› Delayed delegationPredict at time of registration whether a domain name will be used abusively
![Page 5: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/5.jpg)
Insights in malicious domain registrations
T. Vissers et al., Exploring the ecosystem of malicious domain registrations in the .eu TLD,
Research in Attacks, Intrusions, and Defenses (RAID 2017), September 2017.
https://link.eurid.eu/prediction1
![Page 6: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/6.jpg)
Activity of identified campaigns
6
●●●●●● ● ●● ● ●●●●●●●●●●●●● ●● ●● ●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●● ●●●
●● ●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●● ●● ●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●● ●●● ●●●●●●●● ●●●●●● ● ● ● ●●●●●●●●●●●●●●●●● ●●●●●●●●●●●●●●●●●●●●●●●●
●●● ● ●● ● ● ●● ● ● ●● ●●●●●●●
● ●
●● ● ●●●● ● ● ●● ● ●● ● ● ● ● ● ● ● ● ●
●●● ●●●●●●●●● ●●● ●●● ●●●●●●
● ● ● ● ●●●●● ●●●●●●●●●●●●●●●●●●● ●●● ●● ●● ● ●●●●● ●●●●● ● ●●●●●●●●●●●●●●●●●● ●●●●●●●
●● ●●● ● ● ● ● ● ● ●●●●●●● ● ●●● ●● ● ●
●●● ● ●● ●●● ●●●●●●●●●● ●●●● ● ●●●●●●● ●●●●●●●●●●● ●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●● ● ●●●●●●●●●●●●●●●●●●●●●
●●●●●●● ● ●● ●●●●●●●●●● ● ●
● ● ● ●● ● ●●●●●●●●●● ● ●●●●●●●● ●●●●●●●● ● ●●●●●●● ● ●● ●● ●●●●●●●●●●●●●●●●●●●●●● ●●●●●● ●●● ●●●●●●●●●●● ●● ●● ●● ●●●●●●●●●●●●●●●●●●●●●●●●●●●●● ● ●●●●● ● ●●●●●●●●●●●● ●●● ● ●
●● ● ●●● ●● ●● ● ● ● ●●●●● ●● ●●● ●●●● ● ● ● ●●●●●● ● ●●●●● ●● ● ●
● ●●●●●●●● ● ●●●●●●●●●●●●●● ●●●●●●●●●●●● ●●●●●●●● ●●●●●●●
● ●●●●●●●●●●● ● ●●● ●●●●●
●● ●● ●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●● ●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●● ●●●●●●●●●●●●●●●●●●●●●●●
879133317151672 177 194 93 324
1624 125
1275 490 154 989 514 842 283
1291 752
1978
TOTAL MALICIOUS REGISTRATIONS:
c_20c_19c_18c_17c_16c_15c_14c_13c_12c_11c_10c_09c_08c_07c_06c_05c_04c_03c_02c_01
Apr2015
May2015
Jun2015
Jul2015
Aug2015
Sep2015
Oct2015
Nov2015
Dec2015
Jan2016
Feb2016
Mar2016
Apr2016
May2016
Jun2016
Cam
paig
ns
Registrations per day ● ● ● ●100 200 300 400
![Page 7: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/7.jpg)
Insight 1: Varying campaign characteristics
› Simple campaign (c_14)
› Single (fake) registrant used
throughout the campaign
• 41 days active
• 989 blacklisted registrations(= 95.37%)
![Page 8: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/8.jpg)
Example campaign (c_11)
› Multiple fake registrant details Combinations of
2 email accounts, 3 phone numbers, 4 street addresses
8
• 8 months active
• 1,275 blacklisted registrations(= 53.96%)
![Page 9: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/9.jpg)
Example of an advanced campaign (c_15)
› Registrant details:
98 fake registrants
Generated by Laravel Faker tool
› Domain names:
Consist out of 2-3 Dutch words
Dutch words are reused across
registrants
› Batches of 8, 16, 24 or 32
registrations
9
• 8+ months active
• 514 blacklisted registrations(= 26.95%)
![Page 10: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/10.jpg)
Insight 2: Small set of malicious actors●●●●●● ● ●● ● ●●●●●●●●●●●●● ●● ●● ●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●● ●●●
●● ●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●● ●● ●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●● ●●● ●●●●●●●● ●●●●●● ● ● ● ●●●●●●●●●●●●●●●●● ●●●●●●●●●●●●●●●●●●●●●●●●
●●● ● ●● ● ● ●● ● ● ●● ●●●●●●●
● ●
●● ● ●●●● ● ● ●● ● ●● ● ● ● ● ● ● ● ● ●
●●● ●●●●●●●●● ●●● ●●● ●●●●●●
● ● ● ● ●●●●● ●●●●●●●●●●●●●●●●●●● ●●● ●● ●● ● ●●●●● ●●●●● ● ●●●●●●●●●●●●●●●●●● ●●●●●●●
●● ●●● ● ● ● ● ● ● ●●●●●●● ● ●●● ●● ● ●
●●● ● ●● ●●● ●●●●●●●●●● ●●●● ● ●●●●●●● ●●●●●●●●●●● ●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●● ● ●●●●●●●●●●●●●●●●●●●●●
●●●●●●● ● ●● ●●●●●●●●●● ● ●
● ● ● ●● ● ●●●●●●●●●● ● ●●●●●●●● ●●●●●●●● ● ●●●●●●● ● ●● ●● ●●●●●●●●●●●●●●●●●●●●●● ●●●●●● ●●● ●●●●●●●●●●● ●● ●● ●● ●●●●●●●●●●●●●●●●●●●●●●●●●●●●● ● ●●●●● ● ●●●●●●●●●●●● ●●● ● ●
●● ● ●●● ●● ●● ● ● ● ●●●●● ●● ●●● ●●●● ● ● ● ●●●●●● ● ●●●●● ●● ● ●
● ●●●●●●●● ● ●●●●●●●●●●●●●● ●●●●●●●●●●●● ●●●●●●●● ●●●●●●●
● ●●●●●●●●●●● ● ●●● ●●●●●
●● ●● ●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●● ●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●● ●●●●●●●●●●●●●●●●●●●●●●●
879133317151672 177 194 93 324
1624 125
1275 490 154 989 514 842 283
1291 752
1978
TOTAL MALICIOUS REGISTRATIONS:
c_20c_19c_18c_17c_16c_15c_14c_13c_12c_11c_10c_09c_08c_07c_06c_05c_04c_03c_02c_01
Apr2015
May2015
Jun2015
Jul2015
Aug2015
Sep2015
Oct2015
Nov2015
Dec2015
Jan2016
Feb2016
Mar2016
Apr2016
May2016
Jun2016
Cam
paig
ns
Registrations per day ● ● ● ●100 200 300 400
10At most 20 actors represent 80% of malicious registrations
![Page 11: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/11.jpg)
Insight 3: Top facilitators for malicious registrations
11
![Page 12: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/12.jpg)
Insight 4: Some campaigns align with regular business activity patterns (1)
12
0.000
0.005
0.010
0.015
Apr 06 Apr 13 Apr 20 Apr 27
Dai
ly s
hare
of r
egis
tratio
ns
Malicious registrations All registrations
![Page 13: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/13.jpg)
Insight 4: Some campaigns align with regular business activity patterns (2)
13
2
4
6
8
Apr 2015 Jul 2015 Oct 2015 Jan 2016 Apr 2016
Perc
enta
ge o
f mal
iciou
s re
gist
ratio
ns
![Page 14: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/14.jpg)
Insight 4: Some campaigns align with regular business activity patterns (3)
14
![Page 15: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/15.jpg)
Registration-time prediction of malicious intent
J. Spooren et al., PREMADOMA: An Operational Solution for DNS Registries to Prevent Malicious Domain Registrations, Annual Computer Security Applications Conference (ACSAC 2019), December 2019.
https://link.eurid.eu/prediction4
![Page 16: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/16.jpg)
Pro-active detection and prevention
16
New
registration
Previous registrations for whichthe results (abuse/no abuse) is known
For each new registration,the system predicts if the domainwill be used for malicious activity
Domains with malicious intent can be- Detected early- Delayed- Prevented from being registeredPrediction Model
predictor
DailyTraining
Previousregistrations
![Page 17: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/17.jpg)
Underlying assumptions/rationales for our predictors
› Similarity-based agglomerative clusteringDomains belonging to the same campaign have very similar registration details
› Reputation-based classificationDomains using registration facilitators with a bad reputation (e.g. email providers or registrars), are likely to be malicious as well
17
![Page 18: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/18.jpg)
Predictor 1:Reputation-based classification› Reputation features of “facilitators”
› Facilitators: Technical facilitators: registrar, name servers
Communication means: email provider and phone number
› Reputation score:Represent contribution and toxicity of facilitator to malicious registrations
18
![Page 19: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/19.jpg)
A B C
CLUSTER
BENIGN MALICIOUS NEWREGISTRATIONS:
› Agglomerative clustering of malicious samples
› Based on the similarity of registration data
19
Predictor 2:Similarity-based clustering
?
?
![Page 20: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/20.jpg)
› Closest distance of a registration to malicious domain
20
Can we differentiate between benign and malicious samples?
benignm
alicious
0.0 0.1 0.2 0.3 0.4
0
10000
20000
0100020003000
Minimum distance to a malicious instance
Nb
of re
gist
ratio
ns
![Page 21: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/21.jpg)
Evaluation on historical data
› Ground truth-based evaluationRecall: 66.23%
Precision: 84.57
False positive rate: 0.30%
› Campaign-based evaluation17 out of the 20 campaigns are well predicted
21
![Page 22: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/22.jpg)
Detecting and preventing abuse in .eu: “1 picture …”
22
0
2000
4000
Jul 2017 Jan 2018 Jul 2018 Jan 2019
Pred
ictio
n of
bla
cklis
ted
regi
stra
tions
![Page 23: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/23.jpg)
23
As part of the EURid’s Trust & Security program, 58,966 domains were suspended in 2018.
![Page 24: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/24.jpg)
Operational results
› Period: July 2017 – December 2018 (18 months)Recall: 85.51%
Precision: 72.04%
False positive rate: 2.86%
› Very big campaigns (October 2017 - March 2018)
› Incomplete ground truth
24
![Page 25: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/25.jpg)
Ground truth analysis
T. Vissers et al., Assessing the Effectiveness of Domain Blacklisting Against Malicious DNS Registrations, IEEE Workshop on Traffic Measurements for Cybersecurity (WTMC 2019),
May 2019.
https://link.eurid.eu/prediction3
![Page 26: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/26.jpg)
Sources of ground truth
› Around 60K domains to check per day
› Simplified view: once on a abuse list, always considered malicious
26
![Page 27: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/27.jpg)
Types of abuse recorded
› Majority of abuses are related to spam (93.68%)
› Different coverage statistics per abuse list for .eu:
Spamhaus DBL: 81.07%
SURBL multi list: 50.04%
Google Safe Browsing: 1.81%
27
Registration period: Apr 2015 – May 2016
![Page 28: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/28.jpg)
Delay of the ground truth
28
![Page 29: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/29.jpg)
Incompleteness of the blacklists
› Failed to detect?
› Never active/malicious?
29
Active DormantBlacklisted Blocked Pro-actively blockedNon-blacklisted Missed Unused
![Page 30: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/30.jpg)
30
Campaign related activity
› E.g. spam triggers multiple DNS requests:SPF, DMARC, DKIM, MX, A
![Page 31: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/31.jpg)
Active vs Dormant – Blacklisted vs Non-blacklisted
› 5 largest campaigns in .eu (Q1-Q2 2018)
› Based on passively-logged DNS requests (.eu TLD server)
![Page 32: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/32.jpg)
1. Registration strategy
32
0
1000
2000
3000
Jan Feb Mar Apr May
Num
ber o
f dom
ains
Campaign A B C D E Registered
Bulk registrationB
E
![Page 33: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/33.jpg)
1. Registration strategy
33
0
1000
2000
3000
Jan Feb Mar Apr May
Num
ber o
f dom
ains
Campaign A B C D E Registered
Continuous registrationA
C D
![Page 34: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/34.jpg)
2. Deployment strategy (thin line)
34
0
1000
2000
3000
Jan Feb Mar Apr May
Num
ber o
f dom
ains
Campaign A B C D E Registered Deployed
Continuous deploymentA
C D
![Page 35: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/35.jpg)
2. Deployment strategy (thin line)
35
0
1000
2000
3000
Jan Feb Mar Apr May
Num
ber o
f dom
ains
Campaign A B C D E Registered Deployed
Gradual deployment, although registered in bulk
B
![Page 36: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/36.jpg)
3. Domain blacklisting (dotted line)
36
0
1000
2000
3000
Jan Feb Mar Apr May
Num
ber o
f dom
ains
Campaign A B C D E Registered Blacklisted Deployed
Reactive blacklistingA
C D
![Page 37: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/37.jpg)
3. Domain blacklisting (dotted line)
37
0
1000
2000
3000
Jan Feb Mar Apr May
Num
ber o
f dom
ains
Campaign A B C D E Registered Blacklisted Deployed
Blacklisting in batch
![Page 38: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/38.jpg)
3. Domain blacklisting (dotted line)
38
0
1000
2000
3000
Jan Feb Mar Apr May
Num
ber o
f dom
ains
Campaign A B C D E Registered Blacklisted Deployed
Pro-active blacklisting
B E
![Page 39: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/39.jpg)
Key takeaways
39
![Page 40: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/40.jpg)
Rather small set of bad actors
› Up to 20 campaigns are responsible for 80% of malicious
registrations
› Top facilitators:About half of the malicious registrations via 1 registrar
1 public email provider are malicious with a high toxicity
40
![Page 41: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/41.jpg)
Registration-time detection and prevention
› Two prediction models predict at registration-time the malicious intent
› Captures the majority of malicious domain registrations
› Incompleteness of ground truth makes analysis hard
› Interesting to see how this will further impact the security landscape
41
![Page 42: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/42.jpg)
Attackers vs Defenders
› Ground truth is (somewhat) trickyBias towards spamDelay in labeling“Incompleteness”
› 2 different ecosystems: abusive registrationabusive activity
› Interesting to see how it will further impact the abuse landscape
42
![Page 43: Detecting and preventing DNS abuse in · ›Domain names are often abused by cyber criminals Spam, botnet C&C infrastructure, phishing, malware, … ›To avoid blacklisting, malicious](https://reader034.vdocuments.site/reader034/viewer/2022042708/5f3abaccbe2bea666277e820/html5/thumbnails/43.jpg)
Interested in more? Some reading material…
43
https://link.eurid.eu/prediction1 https://link.eurid.eu/prediction2 https://link.eurid.eu/prediction3 https://link.eurid.eu/prediction4
https://link.eurid.eu/prediction[1-4]