REMEDI3S-TLD: Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs
A project in collaboration with SIDN and NCSC
Maciej Korczyński, Delft University of Technology
Contact: [email protected]
ICANN 54 Tech Day, 19 October 2015, Dublin
Agenda
• Types of security metrics
• Security metrics for TLDs
• Security metrics for hosting providers
• Discussion
Types of security metrics
• Different layers of security metrics:
• Top Level Domains (TLDs)
• Market players related to the TLD (infrastructure providers): registrars, hosting providers, DNS service providers
• Network resources managed by each of the players, such as resolvers, name servers
Security metrics for TLDs
• Type of reputation metrics
• Concentration of malicious content:
  a) Number of unique domains
  b) Number of FQDNs
  c) Number of URLs
• Size matters! (raw counts must be normalized for the size of the TLD)
Security metrics for TLDs
• Type of reputation metrics (example)
• Up-times of maliciously registered/compromised domains
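The two TLD metric families above (the three concentration counts, size-normalized, and the up-time of abused domains) computed over a blacklist feed, as an added example that is not code from the slides or the REMEDI3S-TLD project. The feed lines, the registry sizes, the reserved `.example` and `.test` TLDs and all function names are constructed for illustration; the registrable-domain rule (last two labels of the host) is an assumption that ignores multi-label public suffixes such as co.uk, which a real pipeline would resolve with the Public Suffix List.

```python
"""Per-TLD concentration and up-time metrics from a URL blacklist feed.
Added example with constructed data; not the project's own code."""
from collections import defaultdict
from datetime import date
from statistics import median
from urllib.parse import urlsplit

# Constructed feed: (url, first_seen, last_seen) as ISO dates.
FEED = [
    ("http://login-bank.example/secure/index.php", "2015-09-01", "2015-09-03"),
    ("http://login-bank.example/secure/update.php", "2015-09-01", "2015-09-03"),
    ("http://cdn.login-bank.example/a.js", "2015-09-02", "2015-09-10"),
    ("http://shop.test/cart", "2015-09-04", "2015-09-04"),
    ("http://promo.shop.test/win", "2015-09-05", "2015-09-12"),
    ("http://other.test/x", "2015-09-05", "2015-09-05"),
]

# Constructed registry sizes: registered domains per TLD ("size matters").
TLD_SIZE = {"example": 1_000_000, "test": 50_000}


def tld_of(host):
    return host.lower().rstrip(".").split(".")[-1]


def registrable_domain(host):
    # Assumption: single-label TLDs, so the registrable domain is the last two labels.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def concentration(feed):
    """Counts a) unique domains, b) FQDNs, c) URLs per TLD."""
    domains, fqdns, urls = defaultdict(set), defaultdict(set), defaultdict(set)
    for url, _, _ in feed:
        host = urlsplit(url).hostname
        if not host:
            continue  # malformed feed line, skip rather than crash
        tld = tld_of(host)
        domains[tld].add(registrable_domain(host))
        fqdns[tld].add(host)
        urls[tld].add(url)
    return {t: {"domains": len(domains[t]), "fqdns": len(fqdns[t]), "urls": len(urls[t])}
            for t in domains}


def normalized(counts, sizes, key="domains", per=100_000):
    """Abuse per `per` registered domains; TLDs without a known size are left out."""
    return {t: round(c[key] / sizes[t] * per, 2) for t, c in counts.items() if t in sizes}


def median_uptime_days(feed):
    """Median days each abused registrable domain stayed listed (first to last seen, inclusive), per TLD."""
    first, last = {}, {}
    for url, seen_from, seen_to in feed:
        host = urlsplit(url).hostname
        if not host:
            continue
        dom = registrable_domain(host)
        f, l = date.fromisoformat(seen_from), date.fromisoformat(seen_to)
        first[dom] = min(first.get(dom, f), f)
        last[dom] = max(last.get(dom, l), l)
    per_tld = defaultdict(list)
    for dom in first:
        per_tld[tld_of(dom)].append((last[dom] - first[dom]).days + 1)
    return {t: median(v) for t, v in per_tld.items()}


if __name__ == "__main__":
    counts = concentration(FEED)
    print(counts)                        # raw counts look similar for both TLDs
    print(normalized(counts, TLD_SIZE))  # per-100k rate shows .test is far worse
    print(median_uptime_days(FEED))
```

The raw URL count is the same for both constructed TLDs, but after dividing by registry size the smaller TLD shows a rate forty times higher, which is the point of the "size matters" slide; the same division also makes a small TLD's rate jump on a single incident, the limitation the discussion slides mention.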
Security metrics for hosting providers
1. Count badness per AS across different data sources
2. Normalize for the size of the AS (in 3 ways)

Abuse feeds:
• Shadow Server Compromise
• Shadow Server Sandbox URL
• Zeustracker C&Cs
• MLAT requests
• APWG
• StopBadware
• …

p-DNS / IP routing data (for size mapping):
• Farsight Security p-DNS data
• Internet IP routing data

Abuse mapping: # unique abuse / AS
Size mapping: # advertised IPs, # IPs in p-DNS, # domains hosted
Normalization: # abuse / size

Abuse maps (example):

| Feed | AS#1 | AS#2 |
|---|---|---|
| PhishTank | 100 | 200 |
| MLAT | 50 | 73 |

Size maps (example):

| Size measure | AS#1 | AS#2 |
|---|---|---|
| Advertised IPs | 256 | 1024 |
| Domains hosted | 23 | 1232 |

Normalized abuse (example):

| Metric | AS#1 | AS#2 |
|---|---|---|
| PhishTank / Advrt. IPs | 0.39 | 0.19 |
| PhishTank / Domains hosted | 4.34 | 0.16 |
| MLAT / Advrt. IPs | 0.19 | 0.07 |
| MLAT / Domains hosted | 2.17 | 0.05 |
Security metrics for hosting providers
3. Rank ASes on amount of badness
4. Aggregate rankings
5. Identify ASes with consistently high concentrations of badness

Rank: each normalized abuse metric from step 2 yields one ranking of all ASes.

Abuse ranking (example):

| Ranking | AS#1 | AS#2 |
|---|---|---|
| PhishTank Ranking 1 | 834 | 833 |
| PhishTank Ranking 2 | 834 | 833 |
| MLAT Ranking 1 | 235 | 234 |
| MLAT Ranking 2 | 235 | 234 |

Combine ranks: sort rank high → low, Borda count.

Overall ranking (Borda count, example):

| AS | Borda count |
|---|---|
| AS#1 | 2354 |
| AS#2 | 1834 |
| AS#3 | 1542 |
| AS#4 | 1322 |
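The five-step hosting-provider pipeline (count, normalize, rank, aggregate with a Borda count, pick the consistently bad ASes) carried through end to end, as an added example that is not the REMEDI3S-TLD project's code. The AS#1 and AS#2 abuse counts and sizes are the figures from the slides; AS#3 is a constructed third provider so that the rankings disagree and the aggregation has something to reconcile. A real pipeline would fill `ABUSE` from the feeds and `SIZE` from BGP and passive-DNS data; the Borda scoring (an AS at position p among n ASes earns n − p points per ranking) is the standard definition and is assumed to be what the slide means by "Borda count".

```python
"""Size-normalized abuse ranking of ASes with Borda-count aggregation.
Added example; AS#3 and all helper names are constructed."""
from collections import defaultdict

ABUSE = {  # feed -> {AS: unique abuse records}; AS#1/AS#2 from the slides, AS#3 constructed
    "PhishTank": {"AS#1": 100, "AS#2": 200, "AS#3": 5},
    "MLAT":      {"AS#1": 50,  "AS#2": 73,  "AS#3": 40},
}
SIZE = {   # size measure -> {AS: size}
    "Advertised IPs": {"AS#1": 256, "AS#2": 1024, "AS#3": 64},
    "Domains Hosted": {"AS#1": 23,  "AS#2": 1232, "AS#3": 400},
}


def normalize(abuse=ABUSE, size=SIZE):
    """Step 2: abuse count / size for every (feed, size measure) pair.
    ASes with no size record (or size 0) are dropped rather than divided by zero."""
    out = {}
    for feed, counts in abuse.items():
        for measure, sizes in size.items():
            out[(feed, measure)] = {asn: n / sizes[asn]
                                    for asn, n in counts.items() if sizes.get(asn)}
    return out


def rank(values):
    """Step 3: position 1 = highest normalized abuse. Ties keep input order (no averaging)."""
    ordered = sorted(values, key=lambda asn: values[asn], reverse=True)
    return {asn: pos + 1 for pos, asn in enumerate(ordered)}


def borda(rankings):
    """Step 4: in a ranking of n ASes, position p earns n - p points; sum over rankings."""
    score = defaultdict(int)
    for r in rankings:
        n = len(r)
        for asn, pos in r.items():
            score[asn] += n - pos
    return dict(score)


def consistently_bad(rankings, top=2):
    """Step 5: ASes that sit within the worst `top` positions in every ranking."""
    sets = [{asn for asn, pos in r.items() if pos <= top} for r in rankings]
    return set.intersection(*sets) if sets else set()


def overall_ranking(abuse=ABUSE, size=SIZE, top=2):
    rankings = [rank(v) for v in normalize(abuse, size).values()]
    scores = borda(rankings)
    ordered = sorted(scores, key=lambda asn: (-scores[asn], asn))
    return ordered, scores, consistently_bad(rankings, top)


if __name__ == "__main__":
    ordered, scores, bad = overall_ranking()
    print("Borda scores:", scores)
    print("Overall ranking (worst first):", ordered)
    print("Consistently in the worst 2 of every ranking:", bad)
```

With these inputs AS#3 tops one ranking (MLAT per advertised IP) but scores low on the others, so the Borda total still places AS#1 first and AS#3 second; the intersection check in step 5 then singles out AS#1 as the only provider that is near the top of every list, which is the "consistently high concentration" the slide asks for rather than a one-feed outlier.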
Practical application
• “Clean Netherlands”: enhance the self-cleansing ability of the Dutch hosting market by
• promoting best practices and awareness
• pressuring the rotten apples
Discussion
• Compare your TLD against the market
• Driving factors (why are attackers more interested in certain types of domains?)
• Let us know about policy changes, pricing
Discussion
• Limitations: metrics for smaller TLDs are more sensitive to individual security incidents
• Abuse handling initiatives
Discussion
• Limited access to:
• Domain WHOIS (classifier between maliciously registered and legitimate domains, metrics for registrars)
• Datasets, e.g. Shadow Server reports
• Feedback
ACKNOWLEDGEMENTS
The research leading to these results was funded by SIDN (www.sidn.nl).
Many thanks to: Cristian Hesselman (SIDN Labs), Paul Vixie (Farsight Security), and Thorsten Kraft (Cyscon)
Contact information: Maciej Korczyński, Delft University of Technology, [email protected]