Junk Domains: It’s What’s For Dinner


2 Junk Domains: It’s What’s For Dinner
Dr. Paul Vixie, CEO Farsight Security

3 Junk Domains: It’s What’s For Dinner
Agenda:
- Domain Name Churn
- Anatomy of a Junk Domain
- Reducing Junk Domain Risk
- Conclusion

4 Domain Name Churn

5 "IP packets, IP addresses and BGP routes, underlay everything. The most important overlay layer is DNS"
(Layer diagram: IP Packets, BGP Routes, IP Addresses; DNS; Web, etc., etc.)

6 The Domain Name Evolution

7 Domain Names Are Also Important to Criminals
- Cybercriminals aren't interested in long-lived domain names. For criminals, domains are free (or cheap) and short-lived assets.
- "Honest" bad guys? ~$1/name is just a "cost of doing business," too inconsequential to mention.
- Other bad guys use stolen cards to get domains, and use those names until the card is reported; lather/rinse/repeat.
- Many intentionally free domain / free subdomain / free domain name redirection services are out there...

8 Free... And Liable to Being Abused As A Result
- Domains: .cf, .ga, .gq, .ml, .tk
- Subdomains: .eu.nu, .web.gg, us.nf, int.nf, tv.gg, co.gp, online.gp, asia.gp, biz.uz, pro.vg, name.vu, info.nu, edu.ms, mobi.ps, .co.nr, or tens of thousands of other domain names offering subdomains to those interested (see )
- URL Redirector Services: one list of hundreds of URL shorteners and redirectors
- These free domains/services aren't meant to be abused and their operators try to police them, but criminals are relentless.

9 Why Criminals Need New Domain Names
- Domain intelligence services are very efficient, listing misused or abused domains very quickly (often within just minutes).
- Domains, once listed, are worthless or become liabilities:
  - Any content using a listed domain is "dead on arrival" due to domain-based block lists (SURBL, Spamhaus DBL, etc.)
  - Domain names may even act as a connection back to the cybercriminal (WHOIS POC info, credit card info, etc.)
- Blocklists make life very unpleasant for cybercriminals.

12 No One Needs to Immediately Use a New Domain (Except Cybercriminals)
- Cybercriminals get new domains, abuse them and then abandon them, all within minutes.
- While the good guys are still figuring out what they're seeing, the bad guys are making a "lightning strike": in, out, gone.
- The trick is to "help" these cybercriminals slow down a little. What's the rush? No honest person, no legitimate domain, is in that big of a hurry...

13 Anatomy of a Junk Domain

16 Peeling Back The Junk Domain Onion

17 Sample Hostnames On IP

18 Sample Hostnames On IP

19 That’s A LOT of Domains
- Using passive DNS (to see what other domains are seen on the same IP) allows us to find other apparently-related domains.
- Before action is taken against ANY domain, it should be visited and documented as actually offering problematic products. (To avoid malware, visit from a disposable VM.)
- Beware of collateral damage: don’t assume that a site with a domain name that appears to be infringing actually is. CONFIRM IT.
- Some may not be what they seem; others may already be down. Many, however, may be exactly what you expect.
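The passive DNS pivot described on this slide, written out as an added example (this is not code from the talk or from Farsight; the passive DNS records, the TEST-NET addresses, the `.example` names and the shared-hosting threshold are all constructed for illustration). Starting from one seed domain, it lists every other domain seen on the same address, and it carries the slide's two caveats in the data model: an address that hosts many unrelated domains is rated low confidence because acting on it risks collateral damage, and every candidate is returned as "unconfirmed" because a person still has to visit and document the site before anything is blocked.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class PdnsRecord(NamedTuple):
    rrname: str   # name that was observed resolving
    rrtype: str   # record type of the observation
    rdata: str    # address it resolved to


class Candidate(NamedTuple):
    domain: str
    via_ip: str
    confidence: str
    status: str   # always "unconfirmed": a human must visit and document the site first


# Constructed passive DNS observations using TEST-NET and documentation addresses;
# these are not real records.
PDNS: List[PdnsRecord] = [
    PdnsRecord("brand-outlet-sale.example", "A", "203.0.113.10"),
    PdnsRecord("www.brand-outlet-sale.example", "A", "203.0.113.10"),
    PdnsRecord("cheap-brand-store.example", "A", "203.0.113.10"),
    PdnsRecord("brand-discount-shop.example", "A", "203.0.113.10"),
    PdnsRecord("brand-outlet-sale.example", "A", "198.51.100.7"),   # also on a crowded host
    PdnsRecord("unrelated-blog.example", "A", "198.51.100.7"),
    PdnsRecord("some-restaurant.example", "A", "198.51.100.7"),
    PdnsRecord("local-school.example", "A", "198.51.100.7"),
    PdnsRecord("family-photos.example", "A", "198.51.100.7"),
    PdnsRecord("hobby-club.example", "A", "198.51.100.7"),
    PdnsRecord("hobby-club.example", "AAAA", "2001:db8::7"),
]

# Assumption: an address carrying this many distinct domains looks like shared hosting.
SHARED_HOST_THRESHOLD = 5


def base_domain(name: str) -> str:
    """Simplification: collapse only a leading 'www.'; real tooling would use the Public Suffix List."""
    name = name.lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name


def index_by_ip(records: List[PdnsRecord]) -> Dict[str, Set[str]]:
    """Map each address to the set of domains passive DNS has seen resolving to it."""
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r.rrtype in ("A", "AAAA"):
            by_ip[r.rdata].add(base_domain(r.rrname))
    return by_ip


def pivot(seed: str, records: List[PdnsRecord],
          threshold: int = SHARED_HOST_THRESHOLD) -> List[Candidate]:
    """Find other domains sharing an address with `seed`, rated by how crowded that address is."""
    seed = base_domain(seed)
    by_ip = index_by_ip(records)
    out: List[Candidate] = []
    for ip, domains in sorted(by_ip.items()):
        if seed not in domains:
            continue
        if len(domains) < threshold:
            confidence = "high"
        else:
            confidence = "low: shared hosting, expect collateral damage"
        for d in sorted(domains - {seed}):
            out.append(Candidate(d, ip, confidence, "unconfirmed"))
    return out


if __name__ == "__main__":
    for c in pivot("www.brand-outlet-sale.example", PDNS):
        print(f"{c.domain:32} via {c.via_ip:14} [{c.confidence}] {c.status}")
```

The three domains on 203.0.113.10 come back as high-confidence relatives; the five strangers on 198.51.100.7 come back too, but flagged low, which is exactly the set a careless block would take down alongside the target.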

20 Reducing Junk Domain Risk

21 Temporarily Defer The Resolution of ALL Newly Observed Domains
- Temporarily deferring resolution of ALL newly observed domains is a simple strategy, but surprisingly effective.
- By ignoring new domains for a specific period of time, you'll frustrate cybercriminals’ "no-huddle offense."
- With this approach, domain reputation companies have more time to review new domains and block those found to be bad.

22 What Is A "Newly Observed Domain?"
- Domains are "new" if they haven't been seen in use on the network; it isn't a function of when a domain was registered.
- Newly detected domain information is exceedingly time sensitive: it needs to be published in real time (or near real time) to block resolution.
- This implies a need for a low-latency real-time (stream) computing approach rather than an asynchronous (batch) computing paradigm.

23 Risk Mitigating Actions: Implementation
- Response Policy Zones (RPZ)
- Firewall ACL
- Domain white-listing for sensitive networks
- Require outbound proxy with filtering lists
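Slides 21 to 23 together describe one mechanism: track when each domain is first seen on your own network, defer it for a fixed period, and push the deferred set to the resolver as an RPZ. The following is an added example of that pipeline (not code from the talk, nor Farsight's NOD feed or any resolver's own tooling). The query log lines, the "history" of previously seen domains, the 24-hour window and the two-label public-suffix stand-in are all constructed assumptions; the RPZ syntax (`CNAME .` for NXDOMAIN, with a wildcard for subdomains) is the standard one.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed resolver query log: "<UTC timestamp> <client> <qname>". Made-up names
# and addresses for the example, not data from the talk.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 www.example.com.
2024-05-01T10:00:05Z 10.0.0.7 mail.example.com.
2024-05-01T10:01:00Z 10.0.0.9 login.newly-minted-123.com.
2024-05-01T10:02:30Z 10.0.0.5 cdn.newly-minted-123.com.
2024-05-01T16:00:00Z 10.0.0.7 www.newly-minted-123.com.
2024-05-02T10:00:00Z 10.0.0.9 shop.example.net.
"""

# Constructed history: domains this network had already seen long before the sample.
# Without such history every domain would be "new" on day one.
KNOWN_HISTORY = {
    "example.com": datetime(2024, 1, 15, tzinfo=timezone.utc),
    "example.net": datetime(2024, 2, 1, tzinfo=timezone.utc),
}

DEFER_WINDOW = timedelta(hours=24)  # assumption: one day is long enough for reputation review

# Tiny stand-in for the Public Suffix List; a real deployment loads the full list.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nr", "eu.nu"}


def registrable_domain(qname: str) -> str:
    """Reduce a query name to the domain its registrant obtained ("newness" attaches there)."""
    labels = qname.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


class NodTracker:
    """Stream-oriented first-seen tracker: one dict lookup per query, no batch job."""

    def __init__(self, window: timedelta, history: Optional[Dict[str, datetime]] = None):
        self.window = window
        self.first_seen: Dict[str, datetime] = dict(history or {})

    def observe(self, domain: str, when: datetime) -> bool:
        """Record the sighting; return True while the domain is still inside the deferral window."""
        first = self.first_seen.setdefault(domain, when)
        return when - first < self.window

    def deferred(self, now: datetime) -> List[str]:
        """Domains whose first sighting is still inside the window as of `now`."""
        return sorted(d for d, t in self.first_seen.items() if now - t < self.window)


def parse_line(line: str) -> Tuple[datetime, str]:
    ts, _client, qname = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), qname


def process_log(text: str, tracker: NodTracker) -> List[Tuple[str, str, bool]]:
    """Replay log lines through the tracker, returning (qname, domain, deferred?) per line."""
    decisions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, qname = parse_line(line)
        domain = registrable_domain(qname)
        decisions.append((qname, domain, tracker.observe(domain, when)))
    return decisions


def render_rpz(domains: List[str], serial: int) -> str:
    """Emit an RPZ zone answering NXDOMAIN (CNAME .) for each deferred domain and its subdomains."""
    lines = [
        "$TTL 60",
        f"@ SOA localhost. hostmaster.localhost. {serial} 3600 600 86400 60",
        "@ NS localhost.",
    ]
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    tracker = NodTracker(DEFER_WINDOW, KNOWN_HISTORY)
    for qname, domain, defer in process_log(SAMPLE_LOG, tracker):
        print(f"{'DEFER' if defer else 'allow'}  {qname:34} ({domain})")
    now = datetime(2024, 5, 2, 10, 0, tzinfo=timezone.utc)
    print(render_rpz(tracker.deferred(now), serial=2024050201))
```

Run as a script, the three queries for the never-before-seen domain are deferred while the long-known ones are allowed, and the zone printed at the end is what a resolver's RPZ configuration would load; regenerating it on every change (with a fresh serial and the short TTL shown) is what turns the stream into an enforcement point rather than a report.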

24 Risk Mitigating Actions: Data Sources
Data sources (sources for what you might want to block):
- NOD
- Open source intelligence: look at the list of resources at under Domain Names
- Geolocation (e.g. maxmind.com): maybe you don't want to exchange ANY traffic with Belarus
- Site reputation scoring is also available from a variety of vendors such as Senderbase, My Web of Trust, etc.

25 Final Words About Combating Junk Domains
- Block TLDs coarsely, but keep in mind that it is not as easy as it appears: dot-com domains are by far and away the #1 most-abused domains.
- Block more finely (reputation services or tools like NOD or NOH).

26 Conclusion
- The Domain Name System (DNS) is the foundation for our online world.
- The junk domain name industry is thriving, driven by cheap prices, skyrocketing cybercrime and other online fraud.
- A cyber investigation beginning with a domain name and IP address can take you down a long, convoluted path.
- With the appropriate risk mitigation tools and methods, you can reduce junk domain name risk to your organization.
