DOCSLIB.ORG

Proactive Cyberfraud Detection Through Infrastructure Analysis

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Proactive Cyberfraud Detection Through Infrastructure Analysis PROACTIVE CYBERFRAUD DETECTION THROUGH INFRASTRUCTURE ANALYSIS Andrew J. Kalafut Submitted to the faculty of the Graduate School in partial fulfillment of the requirements for the degree Doctor of Philosophy in Computer Science Indiana University July 2010 Accepted by the Graduate Faculty, Indiana University, in partial fulfillment of the requirements of the degree of Doctor of Philosophy. Doctoral Minaxi Gupta, Ph.D. Committee (Principal Advisor) Steven Myers, Ph.D. Randall Bramley, Ph.D. July 19, 2010 Raquel Hill, Ph.D. ii Copyright c 2010 Andrew J. Kalafut ALL RIGHTS RESERVED iii To my family iv Acknowledgements I would first like to thank my advisor, Minaxi Gupta. Minaxi’s feedback on my research and writing have invariably resulted in improvements. Minaxi has always been supportive, encouraged me to do the best I possibly could, and has provided me many valuable opportunities to gain experience in areas of academic life beyond simply doing research. I would also like to thank the rest of my committee members, Raquel Hill, Steve Myers, and Randall Bramley, for their comments and advice on my research and writing, especially during my dissertation proposal. Much of the work in this dissertation could not have been done without the help of Rob Henderson and the rest of the systems staff. Rob has provided valuable data, and assisted in several other ways which have ensured my experiments have run as smoothly as possible. Several members of the departmental staff have been very helpful in many ways. Specifically, I would like to thank Debbie Canada, Sherry Kay, Ann Oxby, and Lucy Battersby. I would like to thank my co-authors on all the work that has contributed to this dissertation. Material in Chapter 2 [42] is based on work co-authored with Minaxi Gupta. Material in Chap- ter 4 [58] is based on work co-authored with D. Kevin McGrath and Minaxi Gupta. Material in Chapter 5 [41] is based on work co-authored with Minaxi Gupta, Pairoj Rattadilok and Pragneshku- mar Patel. Material in Chapter 6 [40] is based on work co-authored with Minaxi Gupta, Christopher Cole, Lei Chen, and Nathan Myers. Material in Chapter 7 [43] and Chapter 8 [93] is based on work co-authored with Craig Shue and Minaxi Gupta. v My parents, my sister, and my brother have been a great source of support throughout my life, and encouragement in pursuing my education. I am greatful for their support. I would especially like to thank my financ´ee, Heather Goodman, for her love and support. Finally I would like to thank my friends who have helped make life in graduate school more fun and less stressful than it otherwise would have been, especially Craig Shue, Joshua Hursey, Samantha Foley, Alia Al-Kasimi, Eric Nichols, and Abhinav Acharya. vi Andrew J. Kalafut PROACTIVE CYBERFRAUD DETECTION THROUGH INFRASTRUCTURE ANALYSIS Internet users are threatened daily by spam, phishing, and malware. These attacks are often launched using armies of compromised machines, complicating identification of the miscreants behind the attacks. Unfortunately, most current approaches to fight these problems are reactive in nature, allowing significant damage before security measures are adapted to new attacks. For example, blacklisting prevents communications with known malicious hosts, but many users may fall victim to an attack before blacklists are updated. In this dissertation we argue for a proactive approach to fighting cybercrime. Our approach relies on the observation that to avoid attribution and to stay up amidst take-down attempts, miscreants must provision their infrastructure differently than legitimate web sites. Thus, we propose to proactively identify malicious activity using unique characteristics of malicious web site provisioning. Specifically, using near real-time feeds of malicious web hosts, we investigate the extent to which miscreants use five specific provisioning practices. The first three are based on the Domain Name System (DNS), which translates host names to IP addresses. We first examine fast-flux, a practice where the association between name and address changes much more frequently than usual. We then investigate the use of DNS wildcards, which point many host names to a single address. Next, we examine the use of orphan DNS servers, which are DNS servers in non-existent domains. Then, we study the concentration of malicious activity in certain networks. Finally, we examine web redirects, which may appear to be links to legitimate web sites but in reality trick users into visiting malicious sites. We find that although good web sites sometimes make use of some of these techniques, malicious web sites are more likely to use them. Consequently, their presence can be used for proactive identification of malicious web sites. vii Contents Acknowledgements v Abstract vii 1 Introduction 1 1.1 CurrentApproaches ............................... ..... 1 1.2 OurApproach..................................... ... 3 1.3 Organization .................................... .... 4 1.3.1 Background.................................... 5 1.3.2 InfrastructureFeatures. ....... 5 1.3.3 Conclusion .................................... 8 2 Domain Name System 9 2.1 Introduction.................................... ..... 9 2.2 DNSStructure .................................... ... 9 2.3 DNSRecords ...................................... .. 10 2.4 DNSQueryResolution.............................. ..... 11 viii 2.5 DNSContents..................................... ... 12 2.5.1 DataCollection................................ ... 12 2.5.2 RecordTypes................................... 13 2.5.3 NameServerRedundancy . ... 15 2.6 Discussion...................................... .... 16 3 Data Sources 18 3.1 SourcesofBenignHosts .. .. .. .. .. .. .. .. .. .. .. .. ...... 18 3.2 SourcesofNeutralHosts. ....... 19 3.3 SourcesofMaliciousHosts. ........ 20 3.3.1 PhishingSites................................. ... 20 3.3.2 Spam/ScamSites................................ .. 21 3.3.3 SpamSenders................................... 22 3.3.4 ExploitedHosts................................ ... 22 3.3.5 MalwareDistributionHosts . ...... 22 3.3.6 BotCommandandControl . .. 23 4 Fast Flux 24 4.1 Introduction.................................... ..... 24 4.2 DataCollection.................................. ..... 26 4.2.1 OverviewofCollectedData . ..... 27 4.3 DetectingFlux ................................... .... 28 4.3.1 Methodology ................................... 28 4.3.2 ParametersUsed ................................ .. 29 ix 4.4 PrevalenceofFlux ................................ ..... 31 4.4.1 ImpactofParameterSet. .... 32 4.4.2 How Many DNS Resolutions Are Enough? . ..... 33 4.5 FluxandFraudLongevity. ...... 38 4.6 TopFluxers...................................... ... 39 4.6.1 Characteristics of Just-Fast-Flux Networks . ............ 40 4.6.2 Characteristics of Double-Flux Networks . ........... 41 4.7 Discussion...................................... .... 43 5 DNS Wildcards 45 5.1 Introduction.................................... ..... 45 5.2 Background...................................... ... 46 5.3 DataSets ........................................ .. 47 5.4 WildcardPrevalence .............................. ...... 48 5.4.1 WildcardsattheDomainLevel . ..... 49 5.4.2 WildcardsattheSubdomainLevel . ...... 49 5.4.3 OverriddenWildcards . .... 50 5.5 WildcardUsage................................... .... 51 5.5.1 WildcardUsageAmongGoodDomains . .... 52 5.5.2 Wildcard Usage Among a General Collection of Domains . .......... 53 5.5.3 WildcardUsageAmongBadDomains . .... 54 5.6 Identifying Malicious Wildcard Usage . ........... 57 5.6.1 TTLsofWildcardedRecords . .... 58 x 5.6.2 Autonomous Systems Pointed to by Wildcards . ........ 59 5.6.3 HostNamesRepresentedbyWildcards. ....... 61 5.7 Discussion...................................... .... 63 6 Orphan DNS servers 65 6.1 Introduction.................................... ..... 65 6.2 Background...................................... ... 67 6.2.1 DNSBackground................................. 67 6.2.2 OrphanCreation ................................ .. 68 6.3 MethodologyandDataOverview . ....... 69 6.3.1 FindingOrphanDNSServers . .... 69 6.3.2 DataOverview .................................. 71 6.4 CharacteristicsofOrphans. ......... 72 6.4.1 PrevalenceofOrphanDNSServers . ...... 72 6.4.2 DistributionofOrphanDNSServers . ....... 72 6.4.3 LifetimesofOrphanDNSServers. ...... 74 6.5 UsesofOrphans ................................... ... 75 6.5.1 UseasDNSServers ............................... 75 6.5.2 RunningServices............................... ... 76 6.5.3 DomainswiththeMostOrphans . .... 77 6.5.4 MaliciousUsesofOrphans. ..... 78 6.6 Discussion...................................... .... 80 xi 7 Malicious Autonomous Systems 81 7.1 Introduction.................................... ..... 81 7.2 DataCollection.................................. ..... 82 7.2.1 DataSetComparisons . .. .. .. .. .. .. .. .. .. .. .. ... 83 7.3 Degree of Autonomous System Maliciousness . ........... 86 7.3.1 Examination of ASes by Fraction of Advertised IP Space ........... 87 7.3.2 Examination of ASes by Proportionof Data Set . ........ 88 7.3.3 HowLongDoHostsStayInfected?. ..... 91 7.3.4 ASeswithUnrulyChildren . .... 92 7.4 Identifying Malicious Autonomous System . ............ 93 7.4.1 BGPBehavior ................................... 94 7.4.2 ASSizes....................................... 97 7.4.3 DegreeofASPeering ............................. .. 98 7.5 Discussion...................................... .... 99 8 Web
Load more

Recommended publications
  • Characterizing Certain Dns Ddos Attacks
    CHARACTERIZING CERTAIN DNS DDOSATTACKS APREPRINT Renée Burton Cyber Intelligence Infoblox [email protected] July 23, 2019 ABSTRACT This paper details data science research in the area of Cyber Threat Intelligence applied to a specific type of Distributed Denial of Service (DDoS) attack. We study a DDoS technique prevalent in the Domain Name System (DNS) for which little malware have been recovered. Using data from a globally distributed set of a passive collectors (pDNS), we create a statistical classifier to identify these attacks and then use unsupervised learning to investigate the attack events and the malware that generates them. The first known major study of this technique, we discovered that current attacks have little resemblance to published descriptions and identify several previously unpublished features of the attacks. Through a combination of text and time series features, we are able to characterize the dominant malware and demonstrate that the number of global-scale attack systems is relatively small. 1 Introduction In the field of Cyber Security, there is a rich history of characterizing malicious actors, their mechanisms and victims, through the analysis of recovered malware1 and related event data. Reverse engineers and threat analysts take advantage of the fact that malware developers often unwittingly leave fingerprints in their code through the choice of libraries, variables, infection mechanisms, and other observables. In some cases, the Cyber Security Industry is able to correlate seemingly disparate pieces of information together and attribute malware to specific malicious actors. Identifying a specific technique or actor involved in an attack, allows the Industry to better understand the magnitude of the threat and protect against it.
    [Show full text]
  • Click Trajectories: End-To-End Analysis of the Spam Value Chain
    Click Trajectories: End-to-End Analysis of the Spam Value Chain ∗ ∗ ∗ ∗ z y Kirill Levchenko Andreas Pitsillidis Neha Chachra Brandon Enright Mark´ Felegyh´ azi´ Chris Grier ∗ ∗ † ∗ ∗ Tristan Halvorson Chris Kanich Christian Kreibich He Liu Damon McCoy † † ∗ ∗ Nicholas Weaver Vern Paxson Geoffrey M. Voelker Stefan Savage ∗ y Department of Computer Science and Engineering Computer Science Division University of California, San Diego University of California, Berkeley z International Computer Science Institute Laboratory of Cryptography and System Security (CrySyS) Berkeley, CA Budapest University of Technology and Economics Abstract—Spam-based advertising is a business. While it it is these very relationships that capture the structural has engendered both widespread antipathy and a multi-billion dependencies—and hence the potential weaknesses—within dollar anti-spam industry, it continues to exist because it fuels a the spam ecosystem’s business processes. Indeed, each profitable enterprise. We lack, however, a solid understanding of this enterprise’s full structure, and thus most anti-spam distinct path through this chain—registrar, name server, interventions focus on only one facet of the overall spam value hosting, affiliate program, payment processing, fulfillment— chain (e.g., spam filtering, URL blacklisting, site takedown). directly reflects an “entrepreneurial activity” by which the In this paper we present a holistic analysis that quantifies perpetrators muster capital investments and business rela- the full set of resources employed to monetize spam email— tionships to create value. Today we lack insight into even including naming, hosting, payment and fulfillment—using extensive measurements of three months of diverse spam data, the most basic characteristics of this activity. How many broad crawling of naming and hosting infrastructures, and organizations are complicit in the spam ecosystem? Which over 100 purchases from spam-advertised sites.
    [Show full text]
  • Passive Monitoring of DNS Anomalies Bojan Zdrnja1, Nevil Brownlee1, and Duane Wessels2
    Passive Monitoring of DNS Anomalies Bojan Zdrnja1, Nevil Brownlee1, and Duane Wessels2 1 University of Auckland, New Zealand, b.zdrnja,nevil @auckland.ac.nz { } 2 The Measurement Factory, Inc., [email protected] Abstract. We collected DNS responses at the University of Auckland Internet gateway in an SQL database, and analyzed them to detect un- usual behaviour. Our DNS response data have included typo squatter domains, fast flux domains and domains being (ab)used by spammers. We observe that current attempts to reduce spam have greatly increased the number of A records being resolved. We also observe that the data locality of DNS requests diminishes because of domains advertised in spam. 1 Introduction The Domain Name System (DNS) service is critical for the normal functioning of almost all Internet services. Although the Internet Protocol (IP) does not need DNS for operation, users need to distinguish machines by their names so the DNS protocol is needed to resolve names to IP addresses (and vice versa). The main requirements on the DNS are scalability and availability. The DNS name space is divided into multiple zones, which are a “variable depth tree” [1]. This way, a particular DNS server is authoritative only for its (own) zone, and each organization is given a specific zone in the DNS hierarchy. A complete domain name for a node is called a Fully Qualified Domain Name (FQDN). An FQDN defines a complete path for a domain name starting on the leaf (the host name) all the way to the root of the tree. Each node in the tree has its label that defines the zone.
    [Show full text]
  • Sidekick Suspicious Domain Classification in the .Nl Zone
    Master Thesis as part of the major in Security & Privacy at the EIT Digital Master School SIDekICk SuspIcious DomaIn Classification in the .nl Zone delivered by Moritz C. M¨uller [email protected] at the University of Twente 2015-07-31 Supervisors: Andreas Peter (University of Twente) Maarten Wullink (SIDN) Abstract The Domain Name System (DNS) plays a central role in the Internet. It allows the translation of human-readable domain names to (alpha-) numeric IP addresses in a fast and reliable manner. However, domain names not only allow Internet users to access benign services on the Internet but are used by hackers and other criminals as well, for example to host phishing campaigns, to distribute malware, and to coordinate botnets. Registry operators, which are managing top-level domains (TLD) like .com, .net or .nl, disapprove theses kinds of usage of their domain names because they could harm the reputation of their zone and would consequen- tially lead to loss of income and an insecure Internet as a whole. Up to today, only little research has been conducted with the intention to fight malicious domains from the view of a TLD registry. This master thesis focuses on the detection of malicious domain names for the .nl country code TLD. Therefore, we analyse the characteristics of known malicious .nl domains which have been used for phishing and by botnets. We confirm findings from previous research in .com and .net and evaluate novel characteristics including query patterns for domains in quar- antine and recursive resolver relations. Based on this analysis, we have developed a prototype of a detection system called SIDekICk.
    [Show full text]
  • Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness
    ISSN 1330-3651 (Print), ISSN 1848-6339 (Online) https://doi.org/10.17559/TV-20161012115204 Original scientific paper Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness Davor CAFUTA, Vlado SRUK, Ivica DODIG Abstract: Botnets are considered as the primary threats on the Internet and there have been many research efforts to detect and mitigate them. Today, Botnet uses a DNS technique fast-flux to hide malware sites behind a constantly changing network of compromised hosts. This technique is similar to trustworthy Round Robin DNS technique and Content Delivery Network (CDN). In order to distinguish the normal network traffic from Botnets different techniques are developed with more or less success. The aim of this paper is to improve Botnet detection using an Intrusion Detection System (IDS) or router. A novel classification method for online Botnet detection based on DNS traffic features that distinguish Botnet from CDN based traffic is presented. Botnet features are classified according to the possibility of usage and implementation in an embedded system. Traffic response is analysed as a strong candidate for online detection. Its disadvantage lies in specific areas where CDN acts as a Botnet. A new feature based on search engine hits is proposed to improve the false positive detection. The experimental evaluations show that proposed classification could significantly improve Botnet detection. A procedure is suggested to implement such a system as a part of IDS. Keywords: Botnet; fast-flux; IDS 1 INTRODUCTION locations DoS attack against the web site becomes very difficult as it must be effective on every server in the field The Domain Name System (DNS) is a hierarchical [7, 8].
    [Show full text]
  • Taxonomy and Adversarial Strategies of Random Subdomain Attacks
    Taxonomy and Adversarial Strategies of Random Subdomain Attacks Harm Griffioen and Christian Doerr Delft University of Technology, Cybersecurity Group Van Mourik Broekmanweg 6, Delft, The Netherlands fh.j.griffioen, [email protected] Abstract—Ever since the introduction of the domain name new type of attack gained some visibility when source code system (DNS), attacks on the DNS ecosystem have been a steady triggering it was discovered in a forensic analysis of the Mirai companion. Over time, targets and techniques have shifted, Internet-of-Things malware in 2016 [?], since then a number and in the recent past a new type of attack on the DNS has of actors have picked up this particular technique. emerged. In this paper we report on the DNS random subdomain attack, querying floods of non-existent subdomains, intended to Until now, very little is known how these attacks are cause a denial-of-service on DNS servers. Based on five major executed and exactly using which means. This paper intends to attacks in 2018 obtained through backscatter measurements in address this gap. Based on backscatter measurements through a a large network telescope, we show the techniques pursued by large network telescope, we observed the emergence of random adversaries, and develop a taxonomy of strategies of this attack. subdomain attacks over a period of three years and will in this paper make the following two contributions: Keywords—cyber threat intelligence, random subdomain attack, DNS, DDoS • We show the spectrum of different types of random subdomain attacks in use in the wild today based on I. INTRODUCTION five exemplary case studies, and use this to develop a taxonomy of random subdomain attacks.
    [Show full text]
  • From WHOIS to WHOWAS: a Large-Scale Measurement Study of Domain Registration Privacy Under the GDPR
    From WHOIS to WHOWAS: A Large-Scale Measurement Study of Domain Registration Privacy under the GDPR Chaoyi Lu∗†, Baojun Liu∗†¶B, Yiming Zhang∗†, Zhou Li§, Fenglu Zhang∗, Haixin Duan∗¶B, Ying Liu∗, Joann Qiongna Chen§, Jinjin LiangY, Zaifeng ZhangY, Shuang Hao∗∗ and Min Yang†† ∗Tsinghua University, †Beijing National Research Center for Information Science and Technology, flcy17, zhangyim17, zfl[email protected], flbj, [email protected], [email protected] §University of California, Irvine, fzhou.li, [email protected], ¶Qi An Xin Group, Y360 Netlab, fliangjinjin, [email protected], ∗∗University of Texas at Dallas, [email protected], ††Fudan University, m [email protected] Abstract—When a domain is registered, information about the [39], online advertising [55], [96], [103], [102] and usability registrants and other related personnel is recorded by WHOIS of privacy notices [104], [78], [79], [90], [50], [49], [27], [72]. databases owned by registrars or registries (called WHOIS providers jointly), which are open to public inquiries. However, Due to its broad scope, not only does the GDPR protect due to the enforcement of the European Union’s General Data normal users browsing websites, users setting up websites and Protection Regulation (GDPR), certain WHOIS data (i.e., the the associated infrastructure are also protected. One example records about EEA, or the European Economic Area, registrants) is domain registration. After a user registers a domain name, needs to be redacted before being released to the public. Anec- e.g., example.com, its sponsoring registrar and upper-stream dotally, it was reported that actions have been taken by some registry will store his/her personal information like name and WHOIS providers.
    [Show full text]
  • Detection of Fast-Flux Networks Using Various DNS Feature Sets
    Detection of Fast-Flux Networks Using Various DNS Feature Sets Z. Berkay Celik and Serna Oktug Department of Computer Engineering Istanbul Technical University Maslak, Istanbul, Turkey 34469 { zbcelik,oktug}@itu.edu.tr Abstract-In this work, we study the detection of Fast-Flux imperfect, e.g., they may suffer from high detection latency Service Networks (FFSNs) using DNS (Domain Name System) (i.e., extracting features as a timescale greater than Time response packets. We have observed that current approaches do To Live (TTL), or multiple DNS lookups) or false positives not employ a large combination of DNS features to feed into detected by utilizing imperfect and insufficient features. the proposed detection systems. The lack of features may lead to high false positive or false negative rates triggered by benign The work presented here is related to the detection of activities including Content Distribution Networks (CDNs). In FFSNs, in particular, by jointly building timing, domain name, this paper, we study recently proposed detection frameworks to spatial, network and DNS answer features which are extracted construct a high-dimensional feature vector containing timing, network, spatial, domain name, and DNS response information. from the first DNS response packet. We consider many rather In the detection system, we strive to use features that are delay­ than a few features and also their combinations which are free, and lightweight in terms of storage and computational constructed by surveying the recent literature. The main aim of cost. Feature sub-spaces are evaluated using a C4.5 decision tree this survey is to study and analyze the benefits of the features classifier by excluding redundant features using the information and also, in some cases, the necessity of applying joint feature gain of each feature with respect to each class.
    [Show full text]
  • Country Code Top-Level Domain (Cctld) Project for State of Kuwait
    Country Code Top-Level Domain (ccTLD) Project for State of Kuwait Communication and Information Technology Regulatory Authority (CITRA) assigns, organizes, manages and codes the top domain names for the State of Kuwait (.kw) for access to the Internet in accordance with best practices and standards in this field, ensuring the efficiency, fairness and transparency for the beneficiaries. This includes the regulation and implementation of all regulations, policies and procedures in relation to the operation of the country code's top-level domain. What is a domain name? A domain name is the address and identity of any website. It is a means of accessing websites directly without having to search them in the search engines. The domain name is a system of converting IP addresses and numbers used to locate computers on the Internet. Domain names provide a system of easy-to-use Internet addresses that can be translated through the DNS - Domain Name System (a system that stores information related to Internet domain names in a decentralized database on the Internet) on the network. What is a ccTLD? Country code top-level domains or the highest country encoding range: used by an independent country or territory. It consists of two letters, such as .eg for Egypt or. sa for Saudi Arabia or .kw for the State of Kuwait. The registration of a domain name (.kw) became easy and smooth process after the establishment and launch of the electronic registration system for the management and operation of domains through the Communication and Information Technology Regulatory Authority and the accredited registrars authorized by the Communication and Information Technology Regulatory Authority and responsible for providing integrated registration services for those wishing to register (.Kw).
    [Show full text]
  • DNS) Administration Guide
    Edgecast Route (DNS) Administration Guide Disclaimer Care was taken in the creation of this guide. However, Edgecast cannot accept any responsibility for errors or omissions. There are no warranties, expressed or implied, including the warranty of merchantability or fitness for a particular purpose, accompanying this product. Trademark Information EDGECAST is a registered trademark of Verizon Digital Media Services Inc. About This Guide Route (DNS) Administration Guide Version 2.40 8/28/2021 ©2021 Verizon Media. All rights reserved. Table of Contents Route ............................................................................................................................................................. 1 Introduction .............................................................................................................................................. 1 Scope ......................................................................................................................................................... 1 Module Comparison ................................................................................................................................. 2 Managed (Primary) or Secondary DNS Module .................................................................................... 2 DNS Health Checks Module .................................................................................................................. 3 Billing Activation ......................................................................................................................................
    [Show full text]
  • How to Add Domains and DNS Records
    Barracuda NextGen Firewall X How to Add Domains and DNS Records https://campus.barracuda.com/doc/41109753/ Configure the Barracuda NextGen X-Series Firewall to be the authoritative DNS server for your domains or subdomains to take advantage of Split DNS or dead link detection. Step 1. Make the X-Series Firewall the authoritative DNS server at your domain registrar To become the authoritative DNS server for a domain contact the registrar for your domain to use the static or dynamic WAN IP addresses of your X-Series Firewall. Hosting a subdomain If you want to delegate a subdomain to the X-Series Firewall, add ns1 and ns2 records to the zone file of the domain where it is stored at the registrar. If the domain is yourdomain.com, and you want to host subdomain.yourdomain.com add the following DNS records: subdomain IN NS ns1 subdomain IN NS ns2 ns1 IN A <WAN IP 1 OF YOUR BARRACUDA FIREWALL> ns2 IN A <WAN IP 2 OF YOUR BARRACUDA FIREWALL> Step 2. Enable authoritative DNS on the X-Series Firewall In the DNS Servers table, you can view a list of the static IP addresses for which the DNS Server service is enabled (NETWORK > IP Configuration). Dynamic IP addresses are not listed. An access rule is created in step 3 to redirect incoming DNS requests on dynamic interfaces to the DNS service on the firewall. The access rule LOCALDNSCACHE must be active after enabling authoritative DNS for local clients to access the DNS server. 1. Go to the NETWORK > Authoritative DNS page.
    [Show full text]
  • PREDATOR: Proactive Recognition and Elimination of Domain Abuse at Time-Of-Registration
    PREDATOR: Proactive Recognition and Elimination of Domain Abuse at Time-Of-Registration Shuang Hao∗ Alex Kantcheliany Brad Millerx Vern Paxson† Nick Feamsterz ∗ y University of California, Santa Barbara University of California, Berkeley x z Google, Inc. International Computer Science Institute Princeton University [email protected] {akant,vern}@cs.berkeley.edu [email protected] [email protected] ABSTRACT content [18, 53]. To mitigate these threats, operators routinely build Miscreants register thousands of new domains every day to launch reputation systems for domain names to indicate whether they are Internet-scale attacks, such as spam, phishing, and drive-by down- associated with malicious activity. A common mode for developing loads. Quickly and accurately determining a domain’s reputation reputation for DNS domain names is to develop a blacklist that curates (association with malicious activity) provides a powerful tool for mit- “bad domains”. A network operator who wishes to defend against an igating threats and protecting users. Yet, existing domain reputation attack may use a domain blacklist to help determine whether certain systems work by observing domain use (e.g., lookup patterns, content traffic or infrastructure is associated with malicious activity. hosted)—often too late to prevent miscreants from reaping benefits of Unfortunately, curating a DNS blacklist is difficult because of the attacks that they launch. the high rate of domain registrations and the variety of attacks. For As a complement to these systems, we explore the extent to which example, every day around 80,000 new domains are registered in features evident at domain registration indicate a domain’s subsequent the .com zone, with a peak rate of over 1,800 registrations in a sin- use for malicious activity.
    [Show full text]