DOI: 10.1145/2068816.2068842

Monitoring the initial DNS behavior of malicious domains

Published: 02 November 2011

Abstract

Attackers often use URLs to advertise scams or propagate malware. Because the reputation of a domain can be used to identify malicious behavior, miscreants often register these domains "just in time" before an attack. This paper explores the DNS behavior of attack domains, as identified by appearance in a spam trap, shortly after the domains were registered. We explore the behavioral properties of these domains from two perspectives: (1) the DNS infrastructure associated with the domain, as is observable from the resource records; and (2) the DNS lookup patterns of the networks that first look up the domains. Our analysis yields many findings that may ultimately be useful for early detection of malicious domains. By monitoring the infrastructure for these malicious domains, we find that about 55% of scam domains occur in attacks at least one day after registration, suggesting the potential for early discovery of malicious domains, solely based on properties of the DNS infrastructure that resolves those domains. We also find that there are a few regions of IP address space that host name servers and other types of servers for only malicious domains. Malicious domains have resource records that are distributed more widely across IP address space, and they are more quickly looked up by a variety of different networks. We also identify a set of "tainted" ASes that are used heavily by bad domains to host resource records. The features we observe are often evident before any attack even takes place; ultimately, they might serve as the basis for a DNS-based early warning system for attacks.
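As an added illustration (this is not the paper's code, data or feature definitions), the following Python computes, over constructed passive-DNS style records, the kinds of early-DNS signals the abstract describes: the delay between registration and first attack use, how widely a domain's resource-record IPs are spread across /24s and ASes, how many distinct networks look the domain up within its first day, and which ASes host resource records only for labelled-malicious domains. The prefix-to-ASN table, domain names, timestamps and ASNs are all constructed placeholders (RFC 5737 documentation addresses and private-range ASNs), and the 24-hour window is an assumed parameter, not one taken from the paper.

```python
# Added example (not code or data from the IMC '11 paper): derives early-DNS
# features from constructed records so a defender can see how such signals
# are computed from registration, resource-record and lookup data.
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed prefix -> ASN table. Addresses are RFC 5737 documentation ranges
# and ASNs are from the private range (RFC 6996); none of this is real routing data.
PREFIX_TO_ASN: Dict[str, int] = {
    "198.51.100.0/24": 64500,
    "203.0.113.0/24": 64501,
    "192.0.2.0/24": 64502,
}


def asn_of(ip: str) -> Optional[int]:
    """Toy lookup: ASN of the first matching prefix (all entries are /24s)."""
    addr = ip_address(ip)
    for prefix, asn in PREFIX_TO_ASN.items():
        if addr in ip_network(prefix):
            return asn
    return None


@dataclass
class DomainRecord:
    name: str
    malicious: bool                        # ground-truth label (e.g. seen in a spam trap)
    registered: datetime                   # registration time from a zone/WHOIS feed
    first_attack: Optional[datetime]       # first spam-trap sighting, None if never seen
    rr_ips: List[str]                      # IPs from the domain's A and NS resource records
    lookups: List[Tuple[datetime, int]]    # (query time, ASN of the querying resolver)


def days_before_attack(rec: DomainRecord) -> Optional[float]:
    """Delay between registration and first attack use, in days (None if never attacked)."""
    if rec.first_attack is None:
        return None
    return (rec.first_attack - rec.registered).total_seconds() / 86400.0


def rr_dispersion(rec: DomainRecord) -> Dict[str, int]:
    """How widely the resource records are spread: distinct /24s and distinct ASes."""
    slash24s: Set[str] = {str(ip_network(f"{ip}/24", strict=False)) for ip in rec.rr_ips}
    asns: Set[int] = {a for a in (asn_of(ip) for ip in rec.rr_ips) if a is not None}
    return {"distinct_24s": len(slash24s), "distinct_asns": len(asns)}


def early_lookup_breadth(rec: DomainRecord, window: timedelta = timedelta(hours=24)) -> int:
    """Distinct networks (ASNs) that query the domain within `window` of registration."""
    end = rec.registered + window
    return len({asn for t, asn in rec.lookups if rec.registered <= t < end})


def tainted_asns(records: List[DomainRecord]) -> Set[int]:
    """ASes that host resource records only for malicious domains in this data set."""
    good: Set[int] = set()
    bad: Set[int] = set()
    for rec in records:
        asns = {a for a in (asn_of(ip) for ip in rec.rr_ips) if a is not None}
        (bad if rec.malicious else good).update(asns)
    return bad - good


def build_sample() -> List[DomainRecord]:
    """Two constructed domains, one scam and one benign, registered at the same instant."""
    t0 = datetime(2011, 3, 1, 0, 0)
    scam = DomainRecord(
        name="scam-example.test", malicious=True, registered=t0,
        first_attack=t0 + timedelta(days=2, hours=6),
        rr_ips=["198.51.100.7", "203.0.113.9", "192.0.2.20"],
        lookups=[(t0 + timedelta(hours=h), asn)
                 for h, asn in [(1, 64600), (3, 64601), (5, 64602), (30, 64603)]],
    )
    benign = DomainRecord(
        name="shop-example.test", malicious=False, registered=t0,
        first_attack=None,
        rr_ips=["192.0.2.5", "192.0.2.6"],
        lookups=[(t0 + timedelta(hours=20), 64600), (t0 + timedelta(days=3), 64600)],
    )
    return [scam, benign]


def feature_table(records: List[DomainRecord]) -> Dict[str, Dict[str, object]]:
    """Per-domain feature vector (a constructed feature set, not the paper's)."""
    tainted = tainted_asns(records)
    table: Dict[str, Dict[str, object]] = {}
    for rec in records:
        rr_asns = {a for a in (asn_of(ip) for ip in rec.rr_ips) if a is not None}
        table[rec.name] = {
            "days_before_attack": days_before_attack(rec),
            **rr_dispersion(rec),
            "early_lookup_asns": early_lookup_breadth(rec),
            "uses_tainted_as": bool(rr_asns & tainted),
        }
    return table


if __name__ == "__main__":
    for name, feats in feature_table(build_sample()).items():
        print(name, feats)
```

In the constructed sample the scam domain is first used 2.25 days after registration, spreads its records over three /24s in three ASes, and is queried by three distinct networks in its first day, whereas the benign domain sits in one prefix and one AS and is seen by one network; the "tainted" set is the two ASes that only the scam domain's records land in. On real data the prefix-to-ASN mapping would come from routing tables and the labels from a spam trap or blocklist, and any threshold on these features would have to be validated against a benign baseline before being used for blocking.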


Cited By

  • (2024) Longitudinal Measurement Study of the Domain Names Associated With the Olympic Games. IEEE Access 12, 19128-19144. DOI: 10.1109/ACCESS.2024.3360108
  • (2024) Dom-BERT: Detecting Malicious Domains with Pre-training Model. Passive and Active Measurement, 133-158. DOI: 10.1007/978-3-031-56249-5_6. Online publication date: 20 Mar 2024
  • (2023) Malicious Domain Detection Based on Decision Tree. IEICE Transactions on Information and Systems E106.D(9), 1490-1494. DOI: 10.1587/transinf.2022OFL0002. Online publication date: 1 Sep 2023
  • (2023) Enterprise DNS Asset Mapping and Cyber-Health Tracking via Passive Traffic Analysis. IEEE Transactions on Network and Service Management 20(3), 3699-3716. DOI: 10.1109/TNSM.2022.3221981. Online publication date: Sep 2023
  • (2022) View from Above: Exploring the Malware Ecosystem from the Upper DNS Hierarchy. Proceedings of the 38th Annual Computer Security Applications Conference, 240-250. DOI: 10.1145/3564625.3564646. Online publication date: 5 Dec 2022
  • (2022) Automatic Detection of DGA-Enabled Malware Using SDN and Traffic Behavioral Modeling. IEEE Transactions on Network Science and Engineering 9(4), 2922-2939. DOI: 10.1109/TNSE.2022.3173591. Online publication date: 1 Jul 2022
  • (2022) Learning-Based Detection of Malicious Hosts by Analyzing Non-Existent DNS Responses. GLOBECOM 2022 - 2022 IEEE Global Communications Conference, 3411-3416. DOI: 10.1109/GLOBECOM48099.2022.10001429. Online publication date: 4 Dec 2022
  • (2022) A deep dive into DNS behavior and query failures. Computer Networks, 109131. DOI: 10.1016/j.comnet.2022.109131. Online publication date: Jun 2022
  • (2021) Premadoma. Digital Threats: Research and Practice 2(1), 1-24. DOI: 10.1145/3419476. Online publication date: 22 Jan 2021
  • (2021) Identifying DNS Exfiltration based on Lexical Attributes of Query Name. 2021 International Joint Conference on Neural Networks (IJCNN), 1-7. DOI: 10.1109/IJCNN52387.2021.9534276. Online publication date: 18 Jul 2021


Published In

IMC '11: Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
November 2011, 612 pages
ISBN: 9781450310130
DOI: 10.1145/2068816

In-Cooperation

  • USENIX Association

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. DNS
  2. domain registration
  3. malicious domain
  4. spam

Qualifiers

  • Research-article

Conference

IMC '11
IMC '11: Internet Measurement Conference
November 2 - 4, 2011
Berlin, Germany

Acceptance Rates

Overall Acceptance Rate 277 of 1,083 submissions, 26%



