Junk Domains: It’s What’s For Dinner

Presentation transcript:

Junk Domains: It’s What’s For Dinner
Dr. Paul Vixie, CEO, Farsight Security

Agenda
- Domain Name Churn
- Anatomy of a Junk Domain
- Reducing Junk Domain Risk
- Conclusion

Domain Name Churn

"IP packets, IP addresses and BGP routes underlay everything. The most important overlay layer is DNS."
[Diagram: IP Packets, BGP Routes and IP Addresses at the base; DNS as the overlay above them; Web, Email, etc. on top.]

The Domain Name Evolution

Domain Names Are Also Important to Criminals
Cybercriminals aren't interested in long-lived domain names. For criminals, domains are free (or cheap) and short-lived assets.
- "Honest" bad guys? ~$1/name is just a "cost of doing business," too inconsequential to mention.
- Other bad guys use stolen cards to get domains. They use those names until the card is reported; lather, rinse, repeat.
- Many intentionally free domain, free subdomain and free domain name redirection services are out there...

Free... And Liable to Being Abused As A Result
Domains: .cf, .ga, .gq, .ml, .tk
Subdomains: .eu.nu, .web.gg, us.nf, int.nf, tv.gg, co.gp, online.gp, asia.gp, biz.uz, pro.vg, name.vu, info.nu, edu.ms, mobi.ps, .co.nr, or tens of thousands of other domain names offering subdomains to those interested (see http://freedns.afraid.org/domain/registry/ )
URL Redirector Services: one list of hundreds of URL shorteners and redirectors: http://longurl.org/services
These free domains/services aren't meant to be abused and their operators try to police them, but criminals are relentless.

Why Criminals Need New Domain Names
- Domain intelligence services are very efficient, listing misused or abused domains very quickly (often within just minutes).
- Domains, once listed, are worthless or become liabilities: any content using a listed domain is "dead on arrival" due to domain-based block lists (SURBL, Spamhaus DBL, etc.).
- Domain names may even act as a connection back to the cybercriminal (WHOIS POC info, credit card info, etc.).
- Blocklists make life very unpleasant for cybercriminals.

No One Needs to Immediately Use a New Domain (Except Cybercriminals)
- Cybercriminals get new domains, abuse them and then abandon them, all within minutes.
- While the good guys are still figuring out what they're seeing, the bad guys are making a "lightning strike": in, out, gone.
- The trick is to "help" these cybercriminals slow down a little. What's the rush? No honest person, no legitimate domain, is in that big of a hurry...

Anatomy of a Junk Domain

Peeling Back The Junk Domain Onion

Sample Hostnames On IP 158.69.56.6
www.ab86st.eu. www.abouthlt.info. www.absinsecnds.date. www.aeew77.eu. www.aforpac.eu. www.afruck.eu. www.afstrfit.net. www.alzhmirgone.org. www.am32eated.eu. www.amzincure.download. www.anarkspider.com. www.angelica-luthi.com. www.aquadeal.faith. www.aquvafinna.date. www.arsted.eu. www.askmorteasy.download. www.asleepzsafly.eu. www.audge3nus.eu. www.autbestloan.faith www.autget.org. www.autodebt.faith. www.autofinance.date. www.autorepa.date. www.autowealthonline.com. www.awarhlths.net. www.ayti564ne.eu. www.baterycours.date. www.bathcare.download. www.bathremode.date. www.beactivecare.date. www.beal54iter.eu. www.bealthingdo.org. www.bec34tiar.eu. www.becarederm.info. www.becmfite.org. www.becmpefc.org. www.behealthhy.faith. www.beifitfast.org. www.bestbreakfast.download. www.bestcredonsup.date www.bestdealcare.date. www.bestdison.download. www.bestnailartidea.com. www.bestonger.info. www.bestontreat.faith. www.bestoptcars.date. www.bestprisec.org. www.bestprogane.faith. www.besturcar.date. www.beusealws.info. www.biocared.date. www.bioticadsfs.top. www.bioticaofr.xyz. www.bioticare.download. www.bioticare.top. www.bioticure.bid www.birthreat.download.

Sample Hostnames On IP 158.69.56.6 (continued)
www.bissopo.eu. www.bizclass.bid. www.blaqwes.eu. www.blckcounter.eu. www.blombiz.download. www.bloodsecrt.date. www.bosstmemry.org. www.brainback.date. www.brainexact.faith. www.braingrwth.faith. www.breakspeed.date www.breatus.eu www.bulast.eu. www.bullefly.eu. www.buyfastewr.info. www.buygeneratr.org. www.cableoption.download. www.cableserve.bid www.cableserve.faith. www.cahealtevr.info. www.campromo.download. www.camurvan.faith. www.canalforfit.info. www.candoalls.win. www.canfurnisall.faith. www.canperfcts.net. www.carcam.xyz. www.careatmost.org. www.careetohurrt.org. www.carefolive.org. www.carmodelsfinder.com. www.carusers.faith. www.cellgrowth.org. www.cerrtosugr.info. www.certnutrin.xyz www.certosuggr.org. www.chekksnow.win. www.chojurhom.info. www.ciloss.org. www.cleansherp.date. www.cleanskin.date. www.clearilistn.info. www.clearinsl.download. www.clearligt.faith. www.clearliloo.info. www.clenfood.faith. www.clennvizn.org. www.clerteeth.download. www.clikkscerr.download. www.clipurway.date. www.cloudanker.com. www.cnbathfrnk.info. www.coldiet.info. www.colitis.download. www.complxonmker.download. www.compoption.date www.constirelief.faith. www.contentmp3.com www.correctorbeans.xyz. www.craftall.org. www.crazyinvent.date. www.creatanmak.net. www.createmst.net. www.creditlon.faith.

That’s A LOT of Domains
- Using passive DNS (to see what other domains are seen on the same IP) allows us to find other apparently-related domains.
- Before action is taken against ANY domain, it should be visited and documented as actually offering problematic products. (To avoid malware, visit from a disposable VM.)
- Beware of collateral damage: don’t assume that a site with a domain name that appears to be infringing actually is. CONFIRM IT.
- Some may not be what they seem; others may already be down. Many, however, may be exactly what you expect.
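The passive-DNS pivot described on this slide, as an added example (not code from the talk or from Farsight). It works over a handful of constructed observation records in the usual passive-DNS shape (rrname, rrtype, rdata, time_first, time_last); the hostnames are taken from the sample list above, the timestamps and the 198.51.100.7 / 2001:db8::6 addresses are invented. It builds the reverse index (address to hostnames), follows CNAME aliases, and reports how briefly each name was observed, which is the "in, out, gone" pattern the talk describes. Everything it returns is a candidate list only; the confirmation step the slide insists on is a human task, not something the code does.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class PdnsRecord:
    """One passive-DNS observation: rrname resolved to rdata between two times."""
    rrname: str       # hostname as observed; passive DNS usually keeps the trailing dot
    rrtype: str       # "A", "AAAA", "CNAME", ...
    rdata: str        # the value the name resolved to
    time_first: int   # unix seconds of first observation
    time_last: int    # unix seconds of last observation


def normalize(name: str) -> str:
    """Lower-case a hostname and drop the trailing dot so variants compare equal."""
    return name.strip().lower().rstrip(".")


# Constructed sample observations (not real passive-DNS output). The hostnames are
# taken from the slide's list for IP 158.69.56.6; timestamps and the other
# addresses are invented for illustration.
SAMPLE = [
    PdnsRecord("www.aquadeal.faith.", "A", "158.69.56.6", 1490000000, 1490003600),
    PdnsRecord("www.aquadeal.faith.", "AAAA", "2001:db8::6", 1490000000, 1490000100),
    PdnsRecord("www.bioticure.bid.", "A", "158.69.56.6", 1490001000, 1490001900),
    PdnsRecord("www.bestcredonsup.date", "A", "158.69.56.6", 1490002000, 1490002100),
    PdnsRecord("www.cloudanker.com.", "CNAME", "www.aquadeal.faith.", 1490000500, 1490000600),
    PdnsRecord("www.example.net.", "A", "198.51.100.7", 1480000000, 1490000000),
]


def index_by_rdata(records: Iterable[PdnsRecord]) -> Dict[str, List[str]]:
    """Reverse index: address -> sorted hostnames that resolved to it (A/AAAA only)."""
    idx = defaultdict(set)
    for r in records:
        if r.rrtype in ("A", "AAAA"):
            idx[r.rdata].add(normalize(r.rrname))
    return {addr: sorted(names) for addr, names in idx.items()}


def pivot_on_ip(records: List[PdnsRecord], ip: str) -> List[str]:
    """The pivot from the slide: every hostname seen resolving to `ip`."""
    return index_by_rdata(records).get(ip, [])


def cname_aliases_of(records: List[PdnsRecord], target: str) -> List[str]:
    """Names that point at `target` via CNAME; they belong to the same cluster."""
    t = normalize(target)
    return sorted({normalize(r.rrname) for r in records
                   if r.rrtype == "CNAME" and normalize(r.rdata) == t})


def lifetime_seconds(records: List[PdnsRecord], name: str) -> Optional[int]:
    """Span between first and last observation of a name across all record types.
    Very short spans are the 'in, out, gone' behaviour the talk describes."""
    n = normalize(name)
    hits = [r for r in records if normalize(r.rrname) == n]
    if not hits:
        return None
    return max(r.time_last for r in hits) - min(r.time_first for r in hits)


def tld_breakdown(names: Iterable[str]) -> Dict[str, int]:
    """Count names per top-level label; shows how a cluster spreads across TLDs."""
    return dict(Counter(normalize(n).rsplit(".", 1)[-1] for n in names))


if __name__ == "__main__":
    cohosted = pivot_on_ip(SAMPLE, "158.69.56.6")
    for h in cohosted:
        # Candidates only: the slide requires confirming each domain before action.
        print(f"{h:26} aliases={cname_aliases_of(SAMPLE, h)} "
              f"lifetime={lifetime_seconds(SAMPLE, h)}s")
    print(tld_breakdown(cohosted))
```

Keying the index on the address rather than the name is what makes the pivot cheap: one lookup returns the whole co-hosted set, and the same index answers "what else lived on that address" for any IP the investigation reaches later.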

Reducing Junk Domain Risk

Temporarily Defer The Resolution of ALL Newly Observed Domains
- Temporarily deferring resolution of ALL newly observed domains is a simple strategy, but surprisingly effective.
- By ignoring new domains for a specific period of time, you'll frustrate cybercriminals’ "no-huddle offense."
- With this approach, domain reputation companies have more time to review new domains and block those found to be bad.

What Is A "Newly Observed Domain?"
- Domains are "new" if they haven't been seen in use on the network; it isn't a function of when a domain was registered.
- Newly detected domain information is exceedingly time sensitive: it needs to be published in real time (or near real time) to block resolution.
- This implies a need for a low-latency real-time (stream) computing approach rather than an asynchronous (batch) computing paradigm.
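The deferral policy from the two slides above, written out as an added example (not code from the talk, and not how Farsight's NOD feed is built). A name is "new" when this resolver first sees it queried, never by registration date, and resolution is deferred for a fixed window after that first observation. The class, its `defer_seconds`/`key_fn` parameters, the `seed` and `expire` helpers and the query trace are all assumptions made for the example; `last_labels_key` is a deliberately crude stand-in for the public-suffix logic a real deployment would use to decide what counts as "the domain".

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Tuple


def full_name_key(qname: str) -> str:
    """Default key: the exact name queried, lower-cased, without the trailing dot."""
    return qname.strip().lower().rstrip(".")


def last_labels_key(qname: str, labels: int = 2) -> str:
    """Hypothetical coarser key: keep only the last `labels` labels, so a brand-new
    host under an already-seen domain is not treated as new. A real deployment
    would use a public suffix list here; two labels is wrong for e.g. co.uk."""
    parts = full_name_key(qname).split(".")
    return ".".join(parts[-labels:])


@dataclass
class NewlyObservedDomainPolicy:
    """Defers resolution for `defer_seconds` after this resolver first sees a name.
    'New' is measured from first observation on the network, not registration."""
    defer_seconds: int = 600
    key_fn: Callable[[str], str] = full_name_key
    first_seen: Dict[str, float] = field(default_factory=dict)

    def seed(self, names: Iterable[str], now: float) -> None:
        """Pre-load names already known to be in use so the window doesn't punish them."""
        for n in names:
            self.first_seen.setdefault(self.key_fn(n), now - self.defer_seconds)

    def decide(self, qname: str, now: float) -> str:
        """Observe the query and return 'defer' while inside the window, else 'allow'.
        The very first query for a name is therefore always deferred."""
        key = self.key_fn(qname)
        first = self.first_seen.setdefault(key, now)
        return "defer" if now - first < self.defer_seconds else "allow"

    def seconds_until_allowed(self, qname: str, now: float) -> float:
        """How much longer a name stays deferred (full window if never seen)."""
        key = self.key_fn(qname)
        if key not in self.first_seen:
            return float(self.defer_seconds)
        return max(0.0, self.first_seen[key] + self.defer_seconds - now)

    def expire(self, now: float, max_age: float) -> int:
        """Bound memory by dropping entries older than `max_age`. The trade-off:
        a name that returns after expiry is treated as new and deferred again."""
        stale = [k for k, t in self.first_seen.items() if now - t > max_age]
        for k in stale:
            del self.first_seen[k]
        return len(stale)


# Constructed query trace: (unix seconds, qname). Not real resolver logs.
TRACE = [
    (1000, "www.example.net."),
    (1000, "www.bioticure.bid."),
    (1300, "WWW.bioticure.bid"),
    (1620, "www.bioticure.bid."),
]


def replay(policy: NewlyObservedDomainPolicy, trace) -> List[Tuple[str, str]]:
    """Run a trace through the policy and return (qname, decision) per query."""
    return [(q, policy.decide(q, t)) for t, q in trace]


if __name__ == "__main__":
    policy = NewlyObservedDomainPolicy(defer_seconds=600)
    policy.seed(["www.example.net"], now=1000)   # a name already in use on the network
    for qname, decision in replay(policy, TRACE):
        print(f"{decision:5} {qname}")
```

Because the decision is made on the live query stream, the state has to be updated in the resolver's request path: a batch job that publishes first-seen names an hour later would miss the whole window the slide is trying to exploit.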

Risk Mitigating Actions: Implementation
- Response Policy Zones (RPZ)
- Firewall ACL
- Domain white-listing for sensitive networks
- Require outbound proxy with filtering lists
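The first and third items above, RPZ and domain white-listing, can be expressed as two policy zones fed to a resolver. The generator below is an added example (not code from the talk); it renders BIND-style RPZ zone text using the standard QNAME triggers: `CNAME .` for the NXDOMAIN action and `CNAME rpz-passthru.` for the pass-through action. The zone origins `block.rpz.example` and `allow.rpz.example`, the `localhost.` SOA/NS placeholders, and the sample names `junk-example.date` and `intranet.example` are constructed for the example. The allow zone is meant to be listed before the block zone in `response-policy`, because the first zone with a matching rule wins.

```python
from typing import Iterable, List, Tuple


def _clean(name: str) -> str:
    """Normalise a trigger name: lower-case, no trailing dot, must look like a hostname."""
    n = name.strip().lower().rstrip(".")
    if not n or n.startswith(".") or ".." in n or any(c.isspace() for c in n):
        raise ValueError(f"bad RPZ trigger name: {name!r}")
    return n


def _header(origin: str, serial: int, ttl: int) -> List[str]:
    # A policy zone still needs SOA and NS records to load; localhost. is the usual dummy.
    return [
        f"$TTL {ttl}",
        f"$ORIGIN {origin}.",
        f"@ IN SOA localhost. hostmaster.{origin}. ({serial} 3600 600 86400 {ttl})",
        "@ IN NS localhost.",
    ]


def rpz_block_zone(names: Iterable[str], origin: str = "block.rpz.example",
                   serial: int = 1, ttl: int = 300, wildcard: bool = True) -> str:
    """QNAME triggers with the NXDOMAIN action; the wildcard row covers subdomains."""
    lines = _header(origin, serial, ttl)
    for n in sorted({_clean(x) for x in names}):   # set() de-duplicates variants
        lines.append(f"{n} CNAME .")
        if wildcard:
            lines.append(f"*.{n} CNAME .")
    return "\n".join(lines) + "\n"


def rpz_passthru_zone(names: Iterable[str], origin: str = "allow.rpz.example",
                      serial: int = 1, ttl: int = 300) -> str:
    """QNAME triggers with the pass-through action: the white-list for sensitive networks."""
    lines = _header(origin, serial, ttl)
    for n in sorted({_clean(x) for x in names}):
        lines.append(f"{n} CNAME rpz-passthru.")
        lines.append(f"*.{n} CNAME rpz-passthru.")
    return "\n".join(lines) + "\n"


def policy_records(zone_text: str) -> List[Tuple[str, str]]:
    """Parse (owner, action) pairs back out of a generated zone, for review or tests."""
    out = []
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "CNAME":
            out.append((parts[0], parts[2]))
    return out


def response_policy_stanza(zones: Iterable[str]) -> str:
    """named.conf fragment; list the allow zone first so its rules take precedence."""
    inner = " ".join(f'zone "{z}";' for z in zones)
    return f"response-policy {{ {inner} }};"


if __name__ == "__main__":
    # Constructed inputs: a confirmed junk name to block, an internal name to exempt.
    print(rpz_passthru_zone(["intranet.example"]))
    print(rpz_block_zone(["Junk-Example.date.", "junk-example.date"]))
    print(response_policy_stanza(["allow.rpz.example", "block.rpz.example"]))
```

The serial should be bumped on every regeneration so secondaries and the resolver pick the change up; a real feed would also keep the block zone small and short-TTL so that a domain which turns out to be legitimate (the slide's collateral-damage warning) can be removed quickly.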

Risk Mitigating Actions: Data Sources
Data sources (sources for what you might want to block):
- NOD
- Open source intelligence: look at the list of resources at https://inteltechniques.com/links.html under Domain Names
- Geolocation (e.g. maxmind.com): maybe you don't want to exchange ANY traffic with Belarus
- Site reputation scoring is also available from a variety of vendors such as Senderbase, My Web of Trust, etc.

Final Words About Combating Junk Domains
- Block TLDs coarsely, but keep in mind that it is not as easy as it appears: dot-com domains are by far and away the #1 most-abused domains.
- Block more finely (reputation services or tools like NOD or NOH).

Conclusion
- The Domain Name System (DNS) is the foundation for our online world.
- The junk domain name industry is thriving, driven by cheap prices, skyrocketing cybercrime and other online fraud.
- A cyber investigation beginning with a domain name and IP address can take you down a long, convoluted path.
- With the appropriate risk mitigation tools and methods, you can reduce junk domain name risk to your organization.