Spring, JM; Metcalf, L; Ruef, D; (2017) Open-source Measurement of Fast-flux Networks While Considering Domain-name Parking. In: Proceedings of the Learning from Authoritative Security Experiment Results (LASER) 2017 workshop. USENIX.
Abstract
BACKGROUND: Fast-flux is a technique malicious actors use for resilient malware communications. In this paper, domain parking is the practice of assigning a nonsense location to an unused fully-qualified domain name (FQDN) to keep it ready for “live” use. Many papers use “parking” to mean typosquatting for ad revenue. However, we use the original meaning, which is relevant because it is a potentially confounding behavior for detection of fast-flux. Internet-wide fast-flux networks and the extent to which domain parking confounds fast-flux detection have not been publicly measured at scale. AIM: Demonstrate a repeatable method for open-source measurement of fast-flux and domain parking, and measure representative trends over 5 years. METHOD: Our data source is a large passive-DNS collection. We use an open-source implementation that identifies suspicious associations between FQDNs, IP addresses, and ASNs as graphs. We detect parking via a simple time-series of whether a FQDN advertises itself on IETF-reserved private IP space and public IP space alternately. Whitelisting domains that use private IP space for encoding non-DNS responses (e.g. blacklist distributors) is necessary. RESULTS: Fast-flux is common; usual daily values are 10M IP addresses and 20M FQDNs. Domain parking, in our sense, is uncommon (94,000 unique FQDNs total) and does not interfere with fast-flux detection. Our open-source tool works well at internet-scale. DISCUSSION: Real-time detection of fast-flux networks could help defenders better interrupt them. With our implementation, a resolver could potentially block name resolutions that would add to a known flux network if completed, preventing even the first connection. Parking is a poor indicator of malicious activity.
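The parking detector the abstract describes, as an added illustration that is not the paper's own tool: each FQDN's passive-DNS answers are turned into a time series of "private space or not", and an FQDN counts as parked when that series switches between private and public space, with a whitelist for domains that legitimately encode non-DNS answers in private space. The private ranges, the record layout and the sample observations are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Ranges treated as "IETF-reserved private space" here: RFC 1918 plus loopback.
# The exact set the paper's tool uses is not given on this page; this is an assumption.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def find_parked(records, whitelist=frozenset(), min_transitions=1):
    """records: iterable of (date, fqdn, ip) passive-DNS observations.
    Returns {fqdn: transitions} for FQDNs whose answers switch between
    private and public space at least min_transitions times, skipping
    whitelisted FQDNs (e.g. blacklist distributors encoding results as 127.x)."""
    series = defaultdict(list)
    for date, fqdn, ip in sorted(records):      # date-sorted: one time series per FQDN
        series[fqdn].append(is_private(ip))
    parked = {}
    for fqdn, flags in series.items():
        if fqdn in whitelist:
            continue
        # count private<->public switches along the series
        transitions = sum(1 for a, b in zip(flags, flags[1:]) if a != b)
        if transitions >= min_transitions:
            parked[fqdn] = transitions
    return parked

# Constructed sample observations (documentation ranges only), not real data.
RECORDS = [
    ("2017-03-01", "cdn.example.net", "203.0.113.5"),
    ("2017-03-02", "cdn.example.net", "203.0.113.6"),   # stays public: not parked
    ("2017-03-01", "c2.example.org", "198.51.100.7"),
    ("2017-03-03", "c2.example.org", "10.0.0.1"),       # parked on private space
    ("2017-03-09", "c2.example.org", "198.51.100.9"),   # back in "live" use
    ("2017-03-01", "feed.example.com", "192.0.2.10"),
    ("2017-03-02", "feed.example.com", "127.0.0.2"),    # encoded blacklist answer
]
WHITELIST = frozenset({"feed.example.com"})

if __name__ == "__main__":
    print(find_parked(RECORDS, WHITELIST))   # {'c2.example.org': 2}
```

Without the whitelist the blacklist feed would be flagged as well, which is the confounder the abstract says must be handled.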
| Field | Value |
|---|---|
| Type: | Proceedings paper |
| Title: | Open-source Measurement of Fast-flux Networks While Considering Domain-name Parking |
| Event: | Learning from Authoritative Security Experiment Results (LASER 2017), 18–19 October 2017, Arlington, VA, USA. |
| Location: | Washington, DC, USA |
| Open access status: | An open access version is available from UCL Discovery |
| Publisher version: | https://www.usenix.org/conference/laser2017/presen... |
| Language: | English |
| Additional information: | This is the published version of record. For information on re-use, please refer to the publisher’s terms and conditions. |
| UCL classification: | UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science |
| URI: | https://discovery-pp.ucl.ac.uk/id/eprint/10060329 |