Monitoring the initial DNS behavior of malicious domains

Shuang Hao, Nick Feamster, Ramakant Pandrangi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

60 Scopus citations

Abstract

Attackers often use URLs to advertise scams or propagate malware. Because the reputation of a domain can be used to identify malicious behavior, miscreants often register these domains "just in time" before an attack. This paper explores the DNS behavior of attack domains, as identified by appearance in a spam trap, shortly after the domains were registered. We explore the behavioral properties of these domains from two perspectives: (1) the DNS infrastructure associated with the domain, as observable from its resource records; and (2) the DNS lookup patterns of the networks that look up the domains initially. Our analysis yields many findings that may ultimately be useful for early detection of malicious domains. By monitoring the infrastructure for these malicious domains, we find that about 55% of scam domains occur in attacks at least one day after registration, suggesting the potential for early discovery of malicious domains based solely on properties of the DNS infrastructure that resolves those domains. We also find that there are a few regions of IP address space that host name servers and other types of servers for only malicious domains. Malicious domains have resource records that are distributed more widely across IP address space, and they are more quickly looked up by a variety of different networks. We also identify a set of "tainted" ASes that are used heavily by bad domains to host resource records. The features we observe are often evident before any attack even takes place; ultimately, they might serve as the basis for a DNS-based early warning system for attacks.
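As an added illustration (not code from the paper), the snippet below computes two of the infrastructure-side features the abstract describes over constructed sample data: the registration-to-attack delay (how many domains would have been detectable at least one day before their first spam-trap sighting) and the address-space dispersion of a domain's resource records (distinct /24 prefixes and origin ASes). All domain names, timestamps, IP addresses and AS numbers are placeholders.

```python
from datetime import datetime
from ipaddress import ip_network

# Constructed sample: (domain, registration time, first sighting in spam trap).
# Names, timestamps, addresses and AS numbers are placeholders, not paper data.
SIGHTINGS = [
    ("scam-a.example", "2011-03-01T10:00:00", "2011-03-03T08:15:00"),  # ~2 days later
    ("scam-b.example", "2011-03-02T09:30:00", "2011-03-02T20:00:00"),  # same day
    ("scam-c.example", "2011-03-04T00:00:00", "2011-03-05T00:00:00"),  # exactly 1 day
    ("scam-d.example", "2011-03-05T12:00:00", "2011-03-05T13:00:00"),  # 1 hour later
]

# Constructed sample: resource records per domain as (record type, IP, origin AS).
RECORDS = {
    "scam-a.example": [("A", "203.0.113.10", 64500), ("NS", "198.51.100.7", 64501),
                       ("NS", "192.0.2.40", 64502)],
    "scam-b.example": [("A", "203.0.113.10", 64500), ("NS", "203.0.113.11", 64500)],
}


def delay_days(registered: str, first_seen: str) -> float:
    """Days between registration and first appearance in the spam trap."""
    reg = datetime.fromisoformat(registered)
    seen = datetime.fromisoformat(first_seen)
    return (seen - reg).total_seconds() / 86400.0


def fraction_attacked_after(sightings, min_days: float = 1.0) -> float:
    """Share of domains whose first attack came at least `min_days` after
    registration, i.e. the window in which infrastructure-based early
    detection would have been possible."""
    late = sum(1 for _, reg, seen in sightings if delay_days(reg, seen) >= min_days)
    return late / len(sightings)


def dispersion(records) -> dict:
    """Address-space spread of a domain's resource records: distinct /24
    prefixes and distinct origin ASes (wider spread is the malicious signal)."""
    prefixes = {str(ip_network(f"{ip}/24", strict=False)) for _, ip, _ in records}
    asns = {asn for _, _, asn in records}
    return {"prefixes": len(prefixes), "asns": len(asns)}


if __name__ == "__main__":
    print(f"attacked >= 1 day after registration: {fraction_attacked_after(SIGHTINGS):.0%}")
    for domain, recs in RECORDS.items():
        print(domain, dispersion(recs))
```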

Original language: English (US)
Title of host publication: IMC'11 - Proceedings of the 2011 ACM SIGCOMM Internet Measurement Conference
Pages: 269-278
Number of pages: 10
DOIs
State: Published - 2011
Event: 2011 ACM SIGCOMM Internet Measurement Conference, IMC'11 - Berlin, Germany
Duration: Nov 2 2011 to Nov 4 2011

Publication series

Name: Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC

Other

Other: 2011 ACM SIGCOMM Internet Measurement Conference, IMC'11
Country/Territory: Germany
City: Berlin
Period: 11/2/11 to 11/4/11

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications

Keywords

  • DNS
  • domain registration
  • malicious domain
  • spam
