Understanding the Domain Registration Behavior of Spammers
Shuang Hao, Matthew Thomas, Vern Paxson, Nick Feamster, Christian Kreibich, Chris Grier, Scott Hollenbeck
Overview
Domain Abuse
• Domain names represent valuable Internet resources
• Domain abuse – Spam contains URLs leading to scam sites
• Top-level domain name: com
• Second-level domain name: bad-domain.com
• Host name: www.bad-domain.com
Example spam message: "Hello, By visiting this site you can decide any watch that you like http://www.bad-domain.com/qjkx" (the URL leads to a scam site)
Overview
Spammers Exploit Domains
• More agile and reliable for attacks
  – Domain space is very big
  – Domain cost is small
  – Not easy to detect
Overview
Motivation: Early Detection
Timeline: Pre-attack (domain registration) → Attack (spamming) → Post-attack
– Most research focuses on activities after spam is sent: spam content filtering, IP blacklisting, URL crawling, DNS traffic analysis, etc.
– Problem: a window is left for spam dissemination and monetization
– Ultimate goal: detect spammer domains at time-of-registration rather than later at time-of-use
Outline
Talk Outline
• Motivation
• Registration Process and Data Collection
• DNS Infrastructure Used for Spammer Domains
• Detecting Registration Spikes
• Domain Life-cycle Role Analysis
• Summary
Background
Domain Registration Process
Diagram: Registrant → Registrar (e.g., GoDaddy), which brokers registrations → Registry (e.g., Verisign), which manages the registration database; database updates are propagated to the top-level nameservers
Background
Life Cycle Chart
Active (1-10 years) → Auto-Renew Grace (45 days) → Redemption Grace (30 days) → Pending Delete (5 days) → Available
Renew: the domain returns to Active; Re-registration: an Available domain becomes Active again
Background
Data Collection
(1) Which domains were newly registered in the .com zone (pre-attack: domain registration)
(2) Whether the domains were used in spamming activities after registration (attack: spamming, and post-attack)
Background
Data Statistics
(1) Verisign .com domain registrations over 5 months
  – 12,824,401 new .com domains during March – July, 2012
  – Epoch: zone file updates every 5 minutes
  – Registration information: registrars, nameservers, registration history
(2) Spammer domains
  – 134,455 new .com domains were blacklisted later
  – Sources: spam trap, URIBL, and SURBL during March – October, 2012 (8 months)
Outline
Talk Outline
• Motivation
• Registration Process and Data Collection
• DNS Infrastructure Used for Spammer Domains – Registrars and Authoritative Nameservers
• Detecting Registration Spikes
• Domain Life-cycle Role Analysis
• Conclusion
Infrastructure
Registrars Hosting Spammer Domains
• Confirmation*: A handful of registrars account for the majority of spammer domains
• Question: Which registrars do spammers choose to register domains with?
The registrars ranked by the percentage of spammer domains:
Rank  Registrar                            Spam %
1     eNom, Inc.                           27.03%
2     Moniker Online Services, Inc.        19.01%
3     Tucows.com Co.                        4.47%
8     OnlineNIC, Inc.                       2.13%
9     Center of Ukrainian Internet Names    2.07%
10    Register.com, Inc.                    1.89%
Chart: Spammer domains: 70% | All domains added to the zone: 20%
*Levchenko, K. et al. Click Trajectories: End-to-End Analysis of the Spam Value Chain. In Proceedings of the IEEE Symposium on Security and Privacy, 2011
Infrastructure
Spam Proportions on Registrars
• Question: Do registrars only host spammer domains?
• Finding: Spammers primarily use popular registrars
[Scatter plot: spammer domain counts (x-axis, log scale, 0 to 10^7) vs. non-spammer domain counts (y-axis, log scale, 0 to 10^7), one point per registrar. Labelled registrars: Moniker Online Services, Inc.; GoDaddy.com, LLC; ABSystems Inc; INTERNET.bs Corp.; Tucows.com Co.; Bizcn.com, Inc.; Trunkoz Technologies Pvt Ltd. d/b/a OwnRegistrar.com; OnlineNIC, Inc.; eNom, Inc.; Center of Ukrainian Internet Names; PDR Ltd. d/b/a PublicDomainRegistry.com; Register.com, Inc.]
Infrastructure
Authoritative Nameservers
• Question: Do spammers use particular nameservers?
• Finding: Spammers often use the nameservers provided by the registrars
• Example: the DNS server hosting the greatest number of spammer domains is ns1.monikerdns.net, but 99.77% of all domains on it were registered through the same registrar, Moniker Online Services, Inc.
Outline
Talk Outline
• Motivation
• Registration Process and Data Collection
• DNS Infrastructure Used for Spammer Domains
• Detecting Registration Spikes
• Domain Life-cycle Role Analysis
• Summary
Spike Pattern
An Example of Bulk Registration
• Question: Do spammers register domains in groups?
• Domains registered by eNom every 5 minutes on March 5th, 2012 (time series: new domains every 5 minutes, and new spammer domains every 5 minutes)
Spike Pattern
Distribution of Spammer Domain Registration
• Distribution of the number of spammer domains registered within the same registrar and epoch: only 20% of the spammer domains were registered in isolation
• Finding: Spammers perform registrations in batches
Spike Pattern
Modeling Registration Batch Size
• Question: How to identify "abnormally large" registration batches?
• Build an hourly model to fit diurnal patterns
• Compound Poisson to represent customer purchase behaviors
• Example: eNom, Inc., hourly window, 10AM–11AM ET; a spike has low probability under the model
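The following is an added example, not code from the slides or from the authors, of the modelling step described above: the number of domains a registrar adds in one 5-minute epoch is treated as a compound Poisson sum (a Poisson number of customer purchases, each of an assumed purchase size), one model per hour of day, and an epoch is flagged as a spike when its batch size has a low tail probability. The purchase-size distribution, the method-of-moments fit for the rate and the 1e-3 threshold are assumptions for illustration; the epoch counts are constructed.

```python
"""Added example (not from the slides or the authors' code): a compound
Poisson model of per-epoch registration batch sizes, built separately
for each hour of the day, that flags an epoch as a spike when the
observed batch size has a low tail probability under the model."""
from collections import defaultdict
from math import exp

# Assumed purchase-size distribution: P(one customer purchase contains k
# domains). Constructed for illustration; a real model would estimate it
# from registrar order data.
PURCHASE_SIZES = {1: 0.60, 2: 0.20, 5: 0.15, 10: 0.05}

# Constructed history of (hour_of_day, domains registered in one 5-minute
# epoch) for a single registrar. The last 10AM epoch is an implanted spike.
EPOCHS = [
    (10, 4), (10, 6), (10, 3), (10, 7), (10, 5), (10, 8),
    (10, 4), (10, 6), (10, 5), (10, 7), (10, 3), (10, 60),
    (3, 1), (3, 0), (3, 2), (3, 1), (3, 0), (3, 1),
]


def compound_poisson_pmf(lam, purchase_sizes, max_total):
    """Panjer recursion for a compound Poisson sum.

    N ~ Poisson(lam) purchases per epoch, each of size K ~ purchase_sizes
    (all k >= 1). Returns p with p[x] = P(sum of sizes == x) for
    0 <= x <= max_total.
    """
    p = [0.0] * (max_total + 1)
    p[0] = exp(-lam)  # zero purchases is the only way to register 0 domains
    for x in range(1, max_total + 1):
        acc = sum(k * q * p[x - k] for k, q in purchase_sizes.items() if k <= x)
        p[x] = lam / x * acc
    return p


def tail_probability(lam, purchase_sizes, observed):
    """P(batch size >= observed) under the compound Poisson model."""
    if observed <= 0:
        return 1.0
    below = sum(compound_poisson_pmf(lam, purchase_sizes, observed - 1))
    return max(0.0, 1.0 - below)


def fit_hourly_rates(epochs, purchase_sizes):
    """Estimate the purchase rate lam for each hour of day from the mean
    batch size in that hour, using E[X] = lam * E[K]. Assumption: a simple
    method-of-moments fit, not the paper's estimator."""
    mean_k = sum(k * q for k, q in purchase_sizes.items())
    totals = defaultdict(list)
    for hour, count in epochs:
        totals[hour].append(count)
    return {h: (sum(c) / len(c)) / mean_k for h, c in totals.items()}


def flag_spikes(epochs, purchase_sizes=PURCHASE_SIZES, threshold=1e-3):
    """Return (index, hour, count, tail_probability) for every epoch whose
    batch size is improbable under its hour's model. The threshold is an
    assumed cut-off, not the paper's."""
    rates = fit_hourly_rates(epochs, purchase_sizes)
    flagged = []
    for i, (hour, count) in enumerate(epochs):
        tail = tail_probability(rates[hour], purchase_sizes, count)
        if tail < threshold:
            flagged.append((i, hour, count, tail))
    return flagged


if __name__ == "__main__":
    for i, hour, count, tail in flag_spikes(EPOCHS):
        print(f"epoch {i}: hour {hour:02d}, {count} domains, "
              f"P(>= {count}) = {tail:.2e}")
```

Per-hour models matter because a batch that is ordinary at 10AM can be a clear outlier at 3AM; the Panjer recursion gives the exact distribution of the sum, so no Monte Carlo is needed to evaluate the tail.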
Spike Pattern
Registrations in Spikes
• Finding: Spammer domains appear in spikes with a much higher likelihood
Chart: Spammer domains in spikes: 42% | All domains in spikes: 15%
Outline
Talk Outline
• Motivation
• Registration Process and Data Collection
• DNS Infrastructure Used for Spammer Domains
• Detecting Registration Spikes
• Domain Life-cycle Role Analysis
• Conclusion
Life Cycle
Life Cycle Categories
• Brand-new – The domain has never appeared in the zone before
• Re-registration – The domain has previously appeared in the zone
  – Drop-catch: re-registered immediately after its release
  – Retread: some time elapses between a domain's prior deletion and its re-registration
Life cycle chart (as in Background): Active (1-10 years) → Auto-Renew Grace (45 days) → Redemption Grace (30 days) → Pending Delete (5 days) → Available; Renew returns the domain to Active, Re-registration takes an Available domain back to Active
Life Cycle
Prevalence of Different Categories
• Question: Which type of domain is more likely to be used in spam?
Conditional probability of being a spammer domain:
              Brand-new   Re-registration
                          Drop-catch   Retread
All domains   1.01%       0.33%        1.34%
In spikes     2.61%       0.37%        4.48%
• Finding: Spammers commonly re-register expired domains, especially when performing bulk registrations
Life Cycle
Malicious Activities before Retread
• Question: Do spammers re-register previous spammer domains?
• Introspect with the spam trap and blacklists before the re-registration time (October 2011 – February 2012)
  – Only 6.8% had appeared in a blacklist before re-registration
• Finding: Spammers re-register expired domains with clean histories
Life Cycle
Dormancy before Retread
• Question: How long between deletion and re-registration?
• 65% of retread spammer domains had been deleted less than 90 days before
• Finding: Spammers tend to re-register domains that expired more recently
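An added example, not from the slides or the authors' code, covering both the life-cycle categories (brand-new, drop-catch, retread) and the dormancy measurement above: consecutive zone-file snapshots are diffed into add/delete events, each addition is classified from the domain's prior history, and the share of retreads re-registered within a cut-off is computed. The one-day drop-catch window, the snapshot contents and the domain names are constructed assumptions; treating a domain's disappearance from the zone as its deletion time is a simplification of the grace periods on the life cycle chart.

```python
"""Added example (not from the slides or the authors' code): classify
each registration seen in zone-file snapshots as brand-new, drop-catch
or retread, and measure the dormancy (time between deletion and
re-registration) of retreads."""
from datetime import datetime, timedelta

# Assumed drop-catch window: a re-registration within one day of the
# domain leaving the zone is treated as "immediately after release".
DROP_CATCH_WINDOW = timedelta(days=1)

# Constructed zone-file snapshots (epoch timestamp, set of domains present).
# Real input would be the 5-minute zone updates described on the slides.
SNAPSHOTS = [
    ("2011-06-01T00:00", {"old-example.com", "caught-example.com", "stale-example.com"}),
    ("2011-10-01T00:00", {"old-example.com", "caught-example.com"}),   # stale deleted
    ("2011-11-20T00:00", {"caught-example.com"}),                      # old deleted
    ("2012-01-15T00:00", {"caught-example.com", "old-example.com"}),   # old re-registered
    ("2012-03-01T00:00", {"caught-example.com", "old-example.com", "stale-example.com"}),
    ("2012-03-04T12:00", {"old-example.com", "stale-example.com"}),    # caught deleted
    ("2012-03-04T12:05", {"old-example.com", "stale-example.com",
                          "caught-example.com", "fresh-example.com"}),
]


def zone_diff_events(snapshots):
    """Turn consecutive snapshots into (timestamp, domain, 'add'|'delete')
    events. Domains in the first snapshot count as added at that time."""
    events = []
    previous = set()
    for stamp, domains in snapshots:
        when = datetime.fromisoformat(stamp)
        for d in sorted(domains - previous):
            events.append((when, d, "add"))
        for d in sorted(previous - domains):
            events.append((when, d, "delete"))
        previous = domains
    return events


def classify_registrations(events, window=DROP_CATCH_WINDOW):
    """Label every 'add' event with its life-cycle category.

    Returns a list of dicts with domain, registered_at, category and
    dormancy_days (None for brand-new registrations)."""
    last_deleted = {}
    records = []
    for when, domain, kind in sorted(events):
        if kind == "delete":
            last_deleted[domain] = when
            continue
        prior = last_deleted.get(domain)
        if prior is None:
            category, dormancy = "brand-new", None
        else:
            gap = when - prior
            category = "drop-catch" if gap <= window else "retread"
            dormancy = gap.days
        records.append({"domain": domain, "registered_at": when,
                        "category": category, "dormancy_days": dormancy})
    return records


def dormancy_share(records, cutoff_days=90):
    """Fraction of retread registrations whose dormancy is below cutoff_days
    (the slides report 65% below 90 days for retread spammer domains)."""
    retreads = [r for r in records if r["category"] == "retread"]
    if not retreads:
        return 0.0
    return sum(r["dormancy_days"] < cutoff_days for r in retreads) / len(retreads)


if __name__ == "__main__":
    recs = classify_registrations(zone_diff_events(SNAPSHOTS))
    for r in recs:
        print(f"{r['registered_at']:%Y-%m-%d %H:%M} {r['domain']:20} "
              f"{r['category']:10} dormancy={r['dormancy_days']}")
    print(f"retreads dormant < 90 days: {dormancy_share(recs):.0%}")
```

Joining this classification with a later blacklist feed is what lets the conditional probabilities on the previous slide be computed per category; the dormancy field is what the 90-day figure above summarises.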
Summary
Takeaways
• Positive actions by specific registrars could have a significant impact in impeding spammer domain registrations
• Pay attention to bulk registrations: spammers find economic and/or management benefits in registering domains in large batches
• In addition to generating names, spammers take advantage of re-registering expired domains that originally had a clean history
Summary
Summary
• We studied fine-grained domain registration in the .com zone over a 5-month period
• Registration patterns have power for distinguishing spammer domains, but there is no single striking signal that separates good domains from bad ones
• Next steps
  – Develop a detector for spammer domains at registration time
  – Investigate further the reasons behind spammers' registration strategies
http://www.cc.gatech.edu/~shao