
Cracking the Wall of Confinement: Understanding and Analysing Malicious Domain Take-downs

Cracking the Wall of Confinement: Understanding and Analysing Malicious Domain Take-downs. Asil Stanikzai, 30 September 2019. Introduction. Motivation and Scope of Research Project: - Period an abusive domain remains active before take-down.


Presentation Transcript


  1. Cracking the Wall of Confinement: Understanding and Analysing Malicious Domain Take-downs Asil Stanikzai 30 September 2019

  2. Introduction

  3. Motivation and Scope of Research Project:
  - Period an abusive domain remains active before take-down.
  - Understanding the period of domain take-down before release.
  - How soon seized domains become available for purchase after release.
  - Evaluating the security loopholes of the take-down process.
  Problem Statement:
  - Domain take-down is a complicated and opaque process.
  - Little information exists about taken-down domains, the parties involved, and the controlling operators.
  Data collected based on:
  - various sinkhole feeds
  - 8 domain blacklists
  - Passive DNS data spanning 6 years
  - Historical WHOIS information

  4. Background
  Domain Take-down: the seizure of domain names involved in illicit activities (such as malware distribution, illegal pharmaceutical and counterfeit goods trading) or in any violation of the Acceptable Use Policies (AUPs) defined by ICANN, carried out by law enforcement or other take-down parties.

  5. Take-down Steps, Parties, and Elements
  Parties and Processes:
  - Take-down Requestor: reports the domain violation (complaint to the registrar, court order).
  - Take-down Authority: third-party services specialised in domain take-down.
  - Take-down Executor: operators who carry out the take-down operation.
  Elements:
  - Sinkholing: redirecting the seized domain's traffic to a specific server.
  - Delisting: refusing to resolve the domain name (no translation to an address).

  6. Sinkhole / Delisting
  • Delisting: the Extensible Provisioning Protocol (EPP) manages the registration status codes in the WHOIS database; a hold status stops the domain from resolving.
  • Sinkholing:
  • Showing warning banners to victims visiting the domain
  • Mimicking the operation of the C&C server for research purposes

  7. Findings / Solution

  8. Identifying Sinkholed and Delisted Domains
  • Used PDNS data to identify sinkholed domains.
  - Provided by Farsight (TLD zone and DNS sensors)
  • Used WHOIS historical data to identify delisted domains.
  - Provided by 360 Netlab
  - Used an algorithm developed by the authors to check the EPP status codes

  9. Method for Finding Taken-down Domains
  - 1 Million malicious domains were analysed to identify seized domains and the duration of seizure.
  - 625K domains were identified as taken-down domains after analysing PDNS and WHOIS records.

  10. Analysing Take-down Operations
  • A: Sinkholed and blacklisted: 35,045 domains.
  • B: Sinkholed and delisted: 4,429 domains.
  • C: Blacklisted and delisted: 17,135 domains.
  • D: Sinkholed, blacklisted and delisted: 193 domains.

  11. Pre-emptive and Non-Pre-emptive Take-down
  Operators: FBI, Microsoft, ShadowServer, CWGSH, and SeeScoredCard
  TLDs: name, cm, me, org, ws, biz, and net

  12. Active Duration Active duration is the time from first appearance of the domain in the PDNS until the time it was found to be sinkholed.
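  The classification in slides 8 and 10 and the active-duration measure in slide 12, worked through as an added example (not code from the study). It assumes a set of known sinkhole IP addresses, takes the EPP hold statuses serverHold and clientHold as the delisting signal (the slides do not say which codes the authors' algorithm checks), and reads groups A, B and C as exactly two signals and D as all three; all records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# EPP status codes (RFC 5731) taken as the "delisted" signal; which codes the
# study's own algorithm checked is not stated on the slides (assumption).
DELISTING_STATUSES = {"serverHold", "clientHold"}

@dataclass
class PdnsRecord:
    domain: str
    rdata: str            # resolved IPv4 address
    first_seen: datetime  # first time a sensor saw this domain -> rdata pair

# Constructed sample data (not from the study's Farsight / 360 Netlab feeds).
SINKHOLE_IPS = {"192.0.2.10"}  # hypothetical sinkhole operator address
PDNS = [
    PdnsRecord("bad-a.example", "203.0.113.5", datetime(2019, 1, 1)),
    PdnsRecord("bad-a.example", "192.0.2.10", datetime(2019, 1, 31)),
    PdnsRecord("bad-b.example", "192.0.2.10", datetime(2019, 2, 1)),
    PdnsRecord("bad-c.example", "203.0.113.7", datetime(2019, 3, 1)),
    PdnsRecord("bad-e.example", "203.0.113.9", datetime(2018, 6, 1)),
    PdnsRecord("bad-e.example", "192.0.2.10", datetime(2018, 9, 1)),
]
WHOIS_STATUS = {"bad-b.example": {"serverHold"}, "bad-c.example": {"clientHold"},
                "bad-d.example": {"ok"}, "bad-e.example": {"serverHold", "clientHold"}}
BLACKLIST = {"bad-a.example", "bad-c.example", "bad-d.example", "bad-e.example"}

def sinkhole_time(pdns, domain):
    """Earliest time the domain resolved to a known sinkhole IP, or None."""
    times = [r.first_seen for r in pdns if r.domain == domain and r.rdata in SINKHOLE_IPS]
    return min(times) if times else None

def active_duration(pdns, domain):
    """Slide 12: first PDNS appearance until the domain was seen sinkholed."""
    times = [r.first_seen for r in pdns if r.domain == domain]
    sunk = sinkhole_time(pdns, domain)
    return None if not times or sunk is None else sunk - min(times)

def categorize(pdns, whois, blacklist):
    """Slide 10 groups: A, B, C = exactly two signals; D = all three (assumption)."""
    domains = {r.domain for r in pdns} | set(whois) | set(blacklist)
    groups = {"A": set(), "B": set(), "C": set(), "D": set()}
    for d in sorted(domains):
        sunk = sinkhole_time(pdns, d) is not None
        delisted = bool(whois.get(d, set()) & DELISTING_STATUSES)
        listed = d in blacklist
        key = {(True, False, True): "A", (True, True, False): "B",
               (False, True, True): "C", (True, True, True): "D"}.get((sunk, delisted, listed))
        if key:
            groups[key].add(d)
    return groups
```

  A domain with only one signal (bad-d.example, blacklisted but never sinkholed or put on hold) falls into no group, which is where an analyst would look for take-downs the three sources cannot confirm.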

  13. Sinkhole Duration
  Operators: CertPI, CWGSH, FBI, Microsoft
  TLDs: biz, info, org, ws

  14. Take-down Loopholes
  • Dangling DNS Records: a security risk that allows an adversary to hijack a sinkholed domain.
  • Expired Sinkhole: domains are reused by adversaries after the expiry date.
  • 350K (56.46%) of all taken-down domains in the past six years have been released.
  • 7148 (14.14%) of the domains taken down in the past ten months have been released.

  15. Critique
  • Confusing data between pre-emptive take-down and active duration (FBI, 2000 domains).
  • Lack of a technical method for identifying sinkhole operators.
  - Relying on manual internet searches and reading court orders may miss some important operators.
  • Sinkholed domains are reused after the expiry date.
  • No clear mechanism for selecting the 8 blacklists.
  - Expanding the set of public blacklists could increase the number of blacklisted domains.

  16. Conclusion
  • Domain take-down can be done by sinkholing or delisting.
  • 625K taken-down domains were analysed.
  • FBI, Microsoft, ShadowServer, CWGSH, and SeeScoredCard react quickly in take-down.
  • CertPI, CWGSH, FBI, and Microsoft confine malicious domains for longer.
  • 56.46% of domains are released, with 14.14% of them released in less than ten months.

  17. Q&A
