Understanding the Domain Registration Behavior of Spammers
Shuang Hao, Matthew Thomas, Vern Paxson, Nick Feamster, Christian Kreibich, Chris Grier, Scott Hollenbeck

Overview
Domain Abuse
• Domain names represent valuable Internet resources
• Domain abuse
  – Spam contains URLs leading to scam sites
• Top-level domain name: com
• Second-level domain name: bad-domain.com
• Host name: www.bad-domain.com
Example spam message: Hello, By visiting this site you can decide any watch that you like http://www.bad-domain.com/qjkx (scam site)

Overview
Spammers Exploit Domains
• More agile and reliable for attacks
  – Domain space is very big
  – Domain cost is small
  – Not easy to detect

Overview
Motivation: Early Detection
[Timeline: Pre-attack (Domain registration), Attack (Spamming), Post-attack]
• Existing approaches: Spam content filtering, IP blacklisting, URL crawling, DNS traffic analysis, etc.
  – Most research focuses on activities after spam is sent
  – Problem: Window left for spam dissemination and monetization
  – Ultimate goal: Detect spammer domains at time-of-registration rather than later at time-of-use

Outline
Talk Outline
• Motivation
• Registration Process and Data Collection
• DNS Infrastructure Used for Spammer Domains
• Detecting Registration Spikes
• Domain Life-cycle Role Analysis
• Summary

Background
Domain Registration Process
[Diagram labels: Registrant, Registrar, Registry, Database, Update, Top-level nameservers]
• Registrar (e.g., GoDaddy) brokers registrations
• Registry (e.g., Verisign) manages registration database

Background
Life Cycle Chart
[Chart: Available → Active (1-10 years) → Auto-Renew Grace (45 days) → Redemption Grace (30 days) → Pending Delete (5 days) → Available; transitions labelled Renew and Re-registration]

Background
Data Collection
1. Which domains were newly registered in the .com zone
2. Whether the domains were used in spamming activities after registration
[Timeline: Pre-attack (Domain registration), Attack (Spamming), Post-attack]

Background
Data Statistics
• Verisign .com domain registrations over 5 months
  – 12,824,401 new .com domains during March – July, 2012
  – Epoch: Zone file updates every 5 minutes
  – Registration information
    • Registrars
    • Nameservers
    • Registration history
• Spammer domains
  – 134,455 new .com domains were blacklisted later
  – Spam trap, URIBL, and SURBL during March – October, 2012 (8 months)

Outline
Talk Outline
• Motivation
• Registration Process and Data Collection
• DNS Infrastructure Used for Spammer Domains
  – Registrars and Authoritative Nameservers
• Detecting Registration Spikes
• Domain Life-cycle Role Analysis
• Conclusion

Infrastructure
Registrars Hosting Spammer Domains
• Question: Which registrars do spammers choose for registering domains?
The registrars ranked by the percentages of spammer domains:
  Rank  Registrar                            Spam %
  1     eNom, Inc.                           27.03%
  2     Moniker Online Services, Inc.        19.01%
  3     Tucows.com Co.                       4.47%
  8     OnlineNIC, Inc.                      2.13%
  9     Center of Ukrainian Internet Names   2.07%
  10    Register.com, Inc.                   1.89%
Spammer domains: 70%
All domains added to the zone: 20%
• Confirmation*: A handful of registrars account for the majority of spammer domains
*Levchenko, K. et al. Click Trajectories: End-to-End Analysis of the Spam Value Chain. In Proceedings of the IEEE Symposium on Security and Privacy, 2011

Infrastructure
Spam Proportions on Registrars
• Question: Do registrars only host spammer domains?
[Plot, one point per registrar; axes: Spammer domain counts (log scale) and Non-spammer domain counts (log scale). Labelled registrars: Moniker Online Services, Inc.; GoDaddy.com, LLC; ABSystems Inc; INTERNET.bs Corp.; Tucows.com Co.; Bizcn.com, Inc.; Trunkoz Technologies Pvt Ltd. d/b/a OwnRegistrar.com; OnlineNIC, Inc.; eNom, Inc.; Center of Ukrainian Internet Names; PDR Ltd. d/b/a PublicDomainRegistry.com; Register.com, Inc.]
• Finding: Spammers primarily use popular registrars

Infrastructure
Authoritative Nameservers
• Question: Do spammers use particular nameservers?
• Finding: Spammers often use the nameservers provided by the registrars
  – Example: the DNS server hosting the greatest number of spammer domains is ns1.monikerdns.net
  – But 99.77% of all domains were registered through the same registrar, Moniker Online Services, Inc.

Spike Pattern
An Example of Bulk Registration
• Question: Do spammers register domains in groups?
• Domains registered by eNom every 5 minutes on March 5th, 2012
[Plot series: New domains every 5 minutes; New spammer domains every 5 minutes]

Spike Pattern
Distribution of Spammer Domain Registration
• Distribution of the number of spammer domains registered within the same registrar and epoch
  – Only 20% of the spammer domains got registered in isolation
• Finding: Spammers perform registrations in batches

Spike Pattern
Modeling Registration Batch Size
• Question: How to identify “abnormally large” registration batches?
• Build hourly model to fit diurnal patterns
• Compound Poisson to represent the customer purchase behaviors
[Plot: eNom, Inc., hourly window, 10AM–11AM ET; annotation: Spike: low probability]
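One way to turn the hourly compound-Poisson idea above into a spike test, as an added example that is not from the slides or the authors' code. It assumes geometric batch sizes per purchase, a method-of-moments fit, and a cut-off `alpha` of 0.001; all counts are constructed.

```python
import math
from statistics import mean, pvariance

def fit_compound_poisson(counts):
    """Method-of-moments fit. Assumed model (not from the slides): Poisson(lam)
    purchases per 5-minute epoch, each buying a geometric(q) number of domains."""
    m, v = mean(counts), pvariance(counts)
    if m == 0:
        return 0.0, 0.0
    d = max(v / m, 1.0)        # dispersion index; 1.0 collapses to plain Poisson
    q = (d - 1) / (d + 1)      # from Var/Mean = (1 + q) / (1 - q)
    return m * (1 - q), q      # from Mean = lam / (1 - q)

def pmf_table(lam, q, n_max):
    """P(S = n) for n = 0..n_max, computed with the Panjer recursion."""
    f = [0.0] + [(1 - q) * q ** (k - 1) for k in range(1, n_max + 1)]
    p = [math.exp(-lam)]
    for n in range(1, n_max + 1):
        p.append(lam / n * sum(k * f[k] * p[n - k] for k in range(1, n + 1)))
    return p

def tail_prob(lam, q, n):
    """P(S >= n): probability of an epoch at least this large under the model."""
    if n <= 0:
        return 1.0
    return max(0.0, 1.0 - sum(pmf_table(lam, q, n - 1)))

def find_spikes(history, observed, alpha=0.001):
    """history: {hour: [epoch counts]}; observed: [(hour, epoch, count)].
    Fits one model per hour of day and returns low-probability observations."""
    models = {h: fit_compound_poisson(c) for h, c in history.items()}
    return [(h, e, n) for h, e, n in observed
            if tail_prob(*models[h], n) < alpha]

# Constructed sample: new-domain counts per 5-minute epoch for one registrar.
HISTORY = {10: [3, 5, 2, 8, 4, 6, 3, 12, 5, 4, 7, 1],   # 10AM-11AM window
           3:  [0, 1, 0, 2, 1, 0, 0, 1, 3, 0, 1, 0]}    # 3AM-4AM window
OBSERVED = [(10, 0, 4), (10, 1, 9), (10, 2, 60), (3, 0, 1), (3, 1, 9)]

if __name__ == "__main__":
    for hour, epoch, count in find_spikes(HISTORY, OBSERVED):
        print(f"spike: hour={hour} epoch={epoch} count={count}")
```

The same batch of 9 domains is unremarkable in the busy 10AM window but is flagged at 3AM, which is the reason for fitting a separate model per hour.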

Spike Pattern
Registrations in Spikes
• Finding: Spammer domains appear in spikes with a much higher likelihood
  – Spammer domains in spikes: 42%
  – All domains in spikes: 15%

Life Cycle
Life Cycle Categories
• Brand-new – The domain has never appeared in the zone before
• Re-registration – The domain has previously appeared in the zone
  • Drop-catch: re-registered immediately after its release
  • Retread: some time elapses between a domain’s prior deletion and its re-registration
[Chart: Available → Active (1-10 years) → Auto-Renew Grace (45 days) → Redemption Grace (30 days) → Pending Delete (5 days) → Available; transitions labelled Renew and Re-registration]

Life Cycle
Prevalence of Different Categories
• Question: What types of domains are more likely to be used in spam?
Conditional probability of being a spammer domain:
                            Re-registration
              Brand-new   Drop-catch   Retread
              1.01%       0.33%        1.34%
  In spikes   2.61%       0.37%        4.48%
• Finding: Spammers commonly re-register expired domains, especially when performing bulk registrations

Life Cycle
Malicious Activities before Retread
• Question: Do spammers re-register previous spammer domains?
• Introspect with spam trap and blacklists before the re-registration time (October 2011 – February 2012)
  – Only 6.8% had appeared in a blacklist before re-registration
• Finding: Spammers re-register expired domains with clean histories

Life Cycle
Dormancy before Retread
• Question: How long is the gap between deletion and re-registration?
  – 65% of retread spammer domains were deleted less than 90 days before
• Finding: Spammers tend to re-register domains that expired more recently

Summary
Takeaways
• Positive actions from specific registrars could have a significant impact in impeding spammer domain registrations
• Pay attention to bulk registrations: spammers find economic and/or management benefit in registering domains in large batches
• In addition to generating names, spammers take advantage of re-registering expired domains that originally had a clean history

Summary
• We studied the fine-grained domain registration of the .com zone over a 5-month period
• Registration patterns have power for distinguishing spammer domains, but there is no striking signal that separates good domains from bad ones
• Next steps
  – Develop a detector against spammer domains at registration time
  – Investigate further the reasons for spammer registration strategies
http://www.cc.gatech.edu/~shao