Understanding the Domain Registration Behavior of Spammers
Shuang Hao, Matthew Thomas, Vern Paxson, Nick Feamster, Christian Kreibich, Chris Grier, Scott Hollenbeck

Slide 2 (Overview): Domain Abuse
• Domain names represent valuable Internet resources
• Domain abuse: spam contains URLs leading to scam sites
Example spam message: "Hello, By visiting this site you can decide any watch that you like http://www.bad-domain.com/qjkx" (the URL leads to a scam site)
• Top-level domain name: com
• Second-level domain name: bad-domain.com
• Host name: www.bad-domain.com
Slide 3 (Overview): Spammers Exploit Domains
• Domains make attacks more agile and reliable
– The domain space is very big
– Domain cost is small
– Not easy to detect
Slide 4 (Overview): Motivation: Early Detection
[Timeline figure: domain registration (pre-attack) precedes the attack (spamming); existing defenses such as spam content filtering, IP blacklisting, URL crawling and DNS traffic analysis operate post-attack]
– Most research focuses on activities after spam is sent
• Problem: a window is left for spam dissemination and monetization
– Ultimate goal: Detect spammer domains at time-of-registration rather than later at time-of-use
Slide 5 (Outline): Talk Outline
• Motivation
• Registration Process and Data Collection
• DNS Infrastructure Used for Spammer Domains
• Detecting Registration Spikes
• Domain Life-cycle Role Analysis
• Summary
Slide 6 (Background): Domain Registration Process
[Figure: the registrant registers through a registrar (e.g., GoDaddy), which brokers registrations; the registry (e.g., Verisign) manages the registration database and pushes database updates to the top-level nameservers]
Slide 7 (Background): Life Cycle Chart
[Life cycle chart: Available → Active (1-10 years) → Auto-Renew Grace (45 days) → Redemption Grace (30 days) → Pending Delete (5 days) → Available; Renew loops back to Active; Re-registration returns an available name to Active]
Slide 8 (Background): Data Collection
[Timeline figure: pre-attack, domain registration; post-attack, spamming]
(1) Pre-attack: which domains were newly registered in the .com zone
(2) Post-attack: whether those domains were used in spamming activities after registration
Slide 9 (Background): Data Statistics
• (1) Verisign .com domain registrations over 5 months
– 12,824,401 new .com domains during March – July, 2012
– Epoch: zone file updates every 5 minutes
– Registration information: registrars, nameservers, registration history
• (2) Spammer domains
– 134,455 new .com domains were blacklisted later
– Sources: spam trap, URIBL, and SURBL during March – October, 2012 (8 months)

Slide 10 (Outline): Talk Outline
• Motivation
• Registration Process and Data Collection
• DNS Infrastructure Used for Spammer Domains – Registrars and Authoritative Nameservers
• Detecting Registration Spikes
• Domain Life-cycle Role Analysis
• Conclusion
Slide 11 (Infrastructure): Registrars Hosting Spammer Domains
• Question: What registrars do spammers choose to register domains?
The registrars ranked by the percentage of spammer domains:
  Rank  Registrar                            Spam %
  1     eNom, Inc.                           27.03%
  2     Moniker Online Services, Inc.        19.01%
  3     Tucows.com Co.                        4.47%
  ...
  8     OnlineNIC, Inc.                       2.13%
  9     Center of Ukrainian Internet Names    2.07%
  10    Register.com, Inc.                    1.89%
[Bar chart beside the table: spammer domains 70%, all domains added to the zone 20%]
• Confirmation*: A handful of registrars account for the majority of spammer domains
*Levchenko, K. et al. Click Trajectories: End-to-End Analysis of the Spam Value Chain. In Proceedings of the IEEE Symposium on Security and Privacy, 2011

Slide 12 (Infrastructure): Spam Proportions on Registrars
• Question: Do registrars only host spammer domains?
[Scatter plot, both axes log scale: non-spammer domain counts (y axis) against spammer domain counts (x axis) per registrar; labeled registrars include Tucows.com Co., GoDaddy.com, LLC, PDR Ltd. d/b/a PublicDomainRegistry.com, eNom, Inc., Register.com, Inc., Moniker Online Services, Inc., INTERNET.bs Corp., Bizcn.com, Inc., OnlineNIC, Inc., Trunkoz Technologies Pvt Ltd. d/b/a OwnRegistrar.com, Center of Ukrainian Internet Names, and ABSystems Inc]
• Finding: Spammers primarily use popular registrars

Slide 13 (Infrastructure): Authoritative Nameservers
• Question: Do spammers use particular nameservers?
• Example: the DNS server hosting the greatest number of spammer domains is ns1.monikerdns.net, but 99.77% of the domains it hosts were registered through the same registrar, Moniker Online Services, Inc.
• Finding: Spammers often use the nameservers provided by the registrars
Slide 14 (Outline): Talk Outline
• Motivation
• Registration Process and Data Collection
• DNS Infrastructure Used for Spammer Domains
• Detecting Registration Spikes
• Domain Life-cycle Role Analysis
• Summary
Slide 15 (Spike Pattern): An Example of Bulk Registration
• Question: Do spammers register domains in groups?
[Time-series figure: new domains every 5 minutes and new spammer domains every 5 minutes]
• Domains registered by eNom every 5 minutes on March 5th, 2012

Slide 16 (Spike Pattern): Distribution of Spammer Domain Registration
• Distribution of the number of spammer domains registered within the same registrar and epoch
– Only 20% of the spammer domains were registered in isolation
• Finding: Spammers perform registrations in batches

Slide 17 (Spike Pattern): Modeling Registration Batch Size
• Question: How to identify “abnormally large” registration batches?
• Build hourly model to fit diurnal patterns
• Compound Poisson model to represent customer purchase behaviors; a spike is a batch size with low probability under the model
[Figure: fitted model for eNom, Inc., hourly window, 10AM–11AM ET, with the spike marked as a low-probability batch size]
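As an added example (not code from the talk or its authors), the following Python fits the batch-size model described above to constructed 5-minute epoch counts from one hourly window and flags epochs whose count is improbable under the fit. It assumes a compound Poisson with a Poisson number of customers per epoch and a geometric number of domains per customer, fitted by the method of moments; the geometric choice, the method-of-moments fit and the 1% threshold are assumptions, not the talk's parameters.

```python
import math

# Constructed sample (not the talk's data): registrations per 5-minute epoch for one
# registrar, taken from the same hourly window (e.g. 10AM-11AM) on several days.
EPOCH_COUNTS = [1, 0, 3, 0, 8, 1, 0, 2, 5, 0, 1, 12, 0, 2, 1, 0, 4, 0, 1, 3]

def fit_compound_poisson(counts):
    """Method-of-moments fit of N = B_1 + ... + B_K, with K ~ Poisson(lam) customers
    per epoch and each customer buying B_i ~ Geometric(p) domains (support 1, 2, ...).
    E[N] = lam/p and Var[N] = lam*(2-p)/p**2 give p and lam in closed form."""
    n = len(counts)
    m = sum(counts) / n
    v = sum((c - m) ** 2 for c in counts) / (n - 1)
    if v <= m:  # no overdispersion: treat every customer as buying one domain
        return m, 1.0
    p = 2 * m / (v + m)
    return m * p, p

def compound_poisson_pmf(lam, p, n_max):
    """P(N = n) for n = 0..n_max via the Panjer recursion for Poisson frequency."""
    g = [math.exp(-lam)]  # P(N = 0): no customer arrived in the epoch
    for n in range(1, n_max + 1):
        total = 0.0
        for j in range(1, n + 1):
            f_j = p * (1 - p) ** (j - 1)  # P(one customer buys exactly j domains)
            total += j * f_j * g[n - j]
        g.append(lam / n * total)
    return g

def spike_probability(lam, p, count):
    """Upper-tail probability P(N >= count) under the fitted model."""
    if count <= 0:
        return 1.0
    return max(0.0, 1.0 - sum(compound_poisson_pmf(lam, p, count - 1)))

def flag_spikes(history, new_counts, alpha=0.01):
    """Flag each new epoch count whose tail probability is below alpha (a spike)."""
    lam, p = fit_compound_poisson(history)
    return [(c, spike_probability(lam, p, c) < alpha) for c in new_counts]

if __name__ == "__main__":
    lam, p = fit_compound_poisson(EPOCH_COUNTS)
    print(f"lam = {lam:.3f} customers/epoch, p = {p:.3f}")
    for count, is_spike in flag_spikes(EPOCH_COUNTS, [2, 12, 40]):
        print(count, "spike" if is_spike else "normal")
```

In practice one model is fitted per registrar and per hourly window, as the slide does for eNom, so that the diurnal pattern is absorbed by the baseline rather than flagged as spikes.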
Slide 18 (Spike Pattern): Registrations in Spikes
[Chart: spammer domains in spikes 42%; all domains in spikes 15%]
• Finding: Spammer domains appear in spikes with a much higher likelihood
Slide 19 (Outline): Talk Outline
• Motivation
• Registration Process and Data Collection
• DNS Infrastructure Used for Spammer Domains
• Detecting Registration Spikes
• Domain Life-cycle Role Analysis
• Conclusion
Slide 20 (Life Cycle): Life Cycle Categories
[Life cycle chart: Available → Active (1-10 years) → Auto-Renew Grace (45 days) → Redemption Grace (30 days) → Pending Delete (5 days) → Available; Renew loops back to Active; Re-registration returns an available name to Active]
• Brand-new
– The domain has never appeared in the zone before
• Re-registration
– The domain has previously appeared in the zone
  • Drop-catch: re-registered immediately after its release
  • Retread: some time elapses between a domain's prior deletion and its re-registration
Slide 21 (Life Cycle): Prevalence of Different Categories
• Question: Which type of domain is more likely to be used in spam?
Conditional probability of being a spammer domain:
                     Brand-new   Re-registration
                                 Drop-catch   Retread
  All registrations  1.01%       0.33%        1.34%
  In spikes          2.61%       0.37%        4.48%
• Finding: Spammers commonly re-register expired domains, especially when performing bulk registrations
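As an added example (not the authors' code), the following Python assigns new registrations to the brand-new, drop-catch and retread categories from a constructed zone-file history and also measures the dormancy (days between deletion and re-registration) that the later retread slides examine; the one-day drop-catch window, the 90-day cut-off parameter and the sample names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed zone-file history (not the talk's data): (domain, event, time), where
# "add" means the name entered the .com zone and "del" means it left the zone.
ZONE_EVENTS = [
    ("alpha-shop.com", "add", datetime(2011, 1, 10, 8, 0)),
    ("alpha-shop.com", "del", datetime(2012, 2, 1, 3, 15)),
    ("quick-deal.com", "add", datetime(2010, 6, 5, 12, 0)),
    ("quick-deal.com", "del", datetime(2012, 3, 4, 9, 0)),
    ("old-brand.com", "add", datetime(2005, 4, 2, 0, 0)),
    ("old-brand.com", "del", datetime(2011, 10, 1, 0, 0)),
]
# Constructed new registrations seen in later zone updates: (domain, registration time).
SAMPLE_REGISTRATIONS = [
    ("new-name.com", datetime(2012, 3, 5, 10, 0)),
    ("quick-deal.com", datetime(2012, 3, 4, 9, 5)),
    ("alpha-shop.com", datetime(2012, 3, 5, 10, 0)),
    ("old-brand.com", datetime(2012, 3, 5, 10, 0)),
]
# Assumption: "re-registered immediately after its release" means within one day.
DROP_CATCH_WINDOW = timedelta(days=1)

def last_event(domain, events, before):
    """Latest (time, event) for the name at or before `before`, or None if never seen."""
    prior = [(t, e) for d, e, t in events if d == domain and t <= before]
    return max(prior) if prior else None

def classify_registration(domain, reg_time, events, window=DROP_CATCH_WINDOW):
    """Return (category, dormancy_days): brand-new (never in the zone), drop-catch
    (re-registered within `window` of release) or retread (longer gap)."""
    prior = last_event(domain, events, reg_time)
    if prior is None:
        return "brand-new", None
    deleted_at, event = prior
    if event == "add":  # still in the zone, so this cannot be a new registration
        raise ValueError(f"{domain} is already in the zone at {reg_time}")
    gap = reg_time - deleted_at
    return ("drop-catch" if gap <= window else "retread"), gap.days

def recent_retread_share(registrations, events, max_days=90):
    """Fraction of retread registrations whose prior deletion was under max_days ago."""
    cats = [classify_registration(d, t, events) for d, t in registrations]
    retreads = [g for c, g in cats if c == "retread"]
    return sum(g < max_days for g in retreads) / len(retreads) if retreads else 0.0

if __name__ == "__main__":
    for d, t in SAMPLE_REGISTRATIONS:
        print(d, classify_registration(d, t, ZONE_EVENTS))
    print("retreads deleted < 90 days ago:", recent_retread_share(SAMPLE_REGISTRATIONS, ZONE_EVENTS))
```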
Slide 22 (Life Cycle): Malicious Activities before Retread
• Question: Do spammers re-register previous spammer domains?
• Introspect with spam trap and blacklists before the re-registration time (October 2011 – February 2012)
– Only 6.8% had appeared in a blacklist before re-registration
• Finding: Spammers re-register expired domains with clean histories
Slide 23 (Life Cycle): Dormancy before Retread
• Question: How long is the gap between deletion and re-registration?
– 65% of retread spammer domains were deleted less than 90 days before
• Finding: Spammers tend to re-register domains that expired more recently

Slide 24 (Summary): Takeaways
• Positive actions from specific registrars could have a significant impact in impeding spammer domain registrations
• Pay attention to bulk registrations: spammers find economic and/or management benefits in registering domains in large batches
• In addition to generating names, spammers take advantage of re-registering expired domains that originally had a clean history
Slide 25 (Summary): Summary
• We studied the fine-grained domain registration of the .com zone over a 5-month period
• Registration patterns have power to distinguish spammer domains, but no single striking signal separates good domains from bad ones
• Next steps
– Develop a detector against spammer domains at registration time
– Investigate further the reasons for spammer registration strategies
http://www.cc.gatech.edu/~shao