TY - GEN
T1 - Monitoring the initial DNS behavior of malicious domains
AU - Hao, Shuang
AU - Feamster, Nick
AU - Pandrangi, Ramakant
PY - 2011
Y1 - 2011
AB - Attackers often use URLs to advertise scams or propagate malware. Because the reputation of a domain can be used to identify malicious behavior, miscreants often register these domains "just in time" before an attack. This paper explores the DNS behavior of attack domains, as identified by appearance in a spam trap, shortly after the domains were registered. We explore the behavioral properties of these domains from two perspectives: (1) the DNS infrastructure associated with the domain, as is observable from the resource records; and (2) the DNS lookup patterns from the networks that look up the domains initially. Our analysis yields many findings that may ultimately be useful for early detection of malicious domains. By monitoring the infrastructure for these malicious domains, we find that about 55% of scam domains occur in attacks at least one day after registration, suggesting the potential for early discovery of malicious domains, solely based on properties of the DNS infrastructure that resolves those domains. We also find that there are a few regions of IP address space that host name servers and other types of servers for only malicious domains. Malicious domains have resource records that are distributed more widely across IP address space, and they are more quickly looked up by a variety of different networks. We also identify a set of "tainted" ASes that are used heavily by bad domains to host resource records. The features we observe are often evident before any attack even takes place; ultimately, they might serve as the basis for a DNS-based early warning system for attacks.
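The abstract names two families of early signals for a freshly registered domain: how widely its A and NS records are spread across IP address space and ASes (including whether they land in "tainted" ASes), and how quickly and from how many distinct networks the domain is first looked up. The following Python is an added illustration of computing those signals from a handful of records and lookups; it is not code from the paper, the prefix-to-AS table, the tainted-AS set, the sample records, the lookup log and the thresholds in `early_warning_flags` are all constructed here for the example, and the real study derives such values from measurement, not from fixed cutoffs.

```python
"""Toy DNS-infrastructure and lookup-diversity features for a new domain.

Added example, not the paper's code. All addresses are documentation/test
ranges and every table below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Set

# Hypothetical prefix -> ASN table standing in for a BGP/routing lookup.
PREFIX_TO_ASN: Dict[str, int] = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
    "203.0.113.0/24": 64502,
    "198.18.0.0/15": 64503,
}

# Hypothetical "tainted" ASes: ASes in which, in this sample, only bad
# domains were seen hosting resource records.
TAINTED_ASNS: Set[int] = {64502, 64503}


@dataclass(frozen=True)
class ResourceRecord:
    rrtype: str  # "A" for the served host, "NS" for the authoritative server
    ip: str


@dataclass(frozen=True)
class Lookup:
    when: datetime
    resolver_asn: int  # AS of the recursive resolver that queried the domain


def asn_for(ip: str) -> Optional[int]:
    """Longest-prefix-free toy lookup: first matching prefix wins."""
    addr = ip_address(ip)
    for prefix, asn in PREFIX_TO_ASN.items():
        if addr in ip_network(prefix):
            return asn
    return None


def infra_features(records: Iterable[ResourceRecord]) -> Dict[str, float]:
    """How widely the domain's records are spread, and how much sits in tainted ASes."""
    records = list(records)
    slash24s = {str(ip_network(f"{r.ip}/24", strict=False)) for r in records}
    asns = {asn_for(r.ip) for r in records} - {None}
    tainted = sum(1 for r in records if asn_for(r.ip) in TAINTED_ASNS)
    return {
        "distinct_slash24": len(slash24s),
        "distinct_asn": len(asns),
        "tainted_fraction": tainted / len(records) if records else 0.0,
    }


def lookup_features(registered: datetime, lookups: Iterable[Lookup],
                    window: timedelta = timedelta(hours=24)) -> Dict[str, float]:
    """How fast, and from how many distinct networks, the domain is looked up after registration."""
    early = [lk for lk in lookups if registered <= lk.when <= registered + window]
    first = min((lk.when for lk in early), default=None)
    hours = (first - registered).total_seconds() / 3600 if first else float("inf")
    return {
        "early_distinct_asn": len({lk.resolver_asn for lk in early}),
        "hours_to_first_lookup": hours,
    }


def early_warning_flags(infra: Dict[str, float], lookups: Dict[str, float]) -> List[str]:
    """Illustrative thresholds only; the paper's signals are statistical, not fixed cutoffs."""
    flags: List[str] = []
    if infra["distinct_slash24"] >= 3:
        flags.append("records spread across many /24s")
    if infra["tainted_fraction"] > 0:
        flags.append("records hosted in a tainted AS")
    if lookups["early_distinct_asn"] >= 3:
        flags.append("looked up by many networks within a day")
    return flags


# Constructed sample: a domain registered on 1 Nov 2011 with two A records and
# two NS records in four different /24s, two of them in tainted ASes, and
# lookups from three resolver ASes within the first day (a fourth arrives later).
REGISTERED = datetime(2011, 11, 1, 0, 0)
SAMPLE_RECORDS = [
    ResourceRecord("A", "203.0.113.10"),
    ResourceRecord("A", "198.18.5.7"),
    ResourceRecord("NS", "192.0.2.53"),
    ResourceRecord("NS", "198.51.100.53"),
]
SAMPLE_LOOKUPS = [
    Lookup(REGISTERED + timedelta(hours=2), 64600),
    Lookup(REGISTERED + timedelta(hours=5), 64601),
    Lookup(REGISTERED + timedelta(hours=20), 64602),
    Lookup(REGISTERED + timedelta(hours=30), 64603),
]

if __name__ == "__main__":
    infra = infra_features(SAMPLE_RECORDS)
    lk = lookup_features(REGISTERED, SAMPLE_LOOKUPS)
    print(infra, lk, early_warning_flags(infra, lk), sep="\n")
```

The two feature functions are deliberately independent so that the infrastructure view (available the moment the records are published) can be evaluated before any lookup traffic exists, which is the "before any attack even takes place" property the abstract points at; the lookup view only becomes informative once resolvers start asking.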
KW - DNS
KW - domain registration
KW - malicious domain
KW - spam
UR - http://www.scopus.com/inward/record.url?scp=82955186887&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=82955186887&partnerID=8YFLogxK
U2 - 10.1145/2068816.2068842
DO - 10.1145/2068816.2068842
M3 - Conference contribution
AN - SCOPUS:82955186887
SN - 9781450310130
T3 - Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC
SP - 269
EP - 278
BT - IMC'11 - Proceedings of the 2011 ACM SIGCOMM Internet Measurement Conference
T2 - 2011 ACM SIGCOMM Internet Measurement Conference, IMC'11
Y2 - 2 November 2011 through 4 November 2011
ER -