An analysis of wide-area name server traffic: a study of the Internet Domain Name System
SIGCOMM '92 Conference proceedings on Communications architectures & protocols
DNS performance and the effectiveness of caching
IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
Spectroscopy of DNS update traffic
SIGMETRICS '03 Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
A day at the root of the internet
ACM SIGCOMM Computer Communication Review
Dynamics of Online Scam Hosting Infrastructure
PAM '09 Proceedings of the 10th International Conference on Passive and Active Network Measurement
Spamcraft: an inside look at spam campaign orchestration
LEET'09 Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
On the potential of proactive domain blacklisting
LEET'10 Proceedings of the 3rd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
A centralized monitoring infrastructure for improving DNS security
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Building a dynamic reputation system for DNS
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Detecting malware domains at the upper DNS hierarchy
SEC'11 Proceedings of the 20th USENIX conference on Security
Proactive discovery of phishing related domain names
RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
An empirical reexamination of global DNS behavior
Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM
Understanding the domain registration behavior of spammers
Proceedings of the 2013 conference on Internet measurement conference
Towards passive DNS software fingerprinting
Proceedings of the 9th Asian Internet Engineering Conference
Towards classification of DNS erroneous queries
Proceedings of the 9th Asian Internet Engineering Conference
| Hi-index | 0.00 |
Attackers often use URLs to advertise scams or propagate malware. Because the reputation of a domain can be used to identify malicious behavior, miscreants often register these domains "just in time" before an attack. This paper explores the DNS behavior of attack domains, as identified by appearance in a spam trap, shortly after the domains were registered. We explore the behavioral properties of these domains from two perspectives: (1) the DNS infrastructure associated with the domain, as is observable from the resource records; and (2) the DNS lookup patterns from networks who are looking up the domains initially. Our analysis yields many findings that may ultimately be useful for early detection of malicious domains. By monitoring the infrastructure for these malicious domains, we find that about 55% of scam domains occur in attacks at least one day after registration, suggesting the potential for early discovery of malicious domains, solely based on properties of the DNS infrastructure that resolves those domains. We also find that there are a few regions of IP address space that host name servers and other types of servers for only malicious domains. Malicious domains have resource records that are distributed more widely across IP address space, and they are more quickly looked up by a variety of different networks. We also identify a set of "tainted" ASes that are used heavily by bad domains to host resource records. The features we observe are often evident before any attack even takes place; ultimately, they might serve as the basis for a DNS-based early warning system for attacks.