Post on 17-Jun-2020
Understanding the Domain Registration Behavior of Spammers
Shuang Hao, Matthew Thomas, Vern Paxson, Nick Feamster, Christian Kreibich, Chris Grier, Scott Hollenbeck

Overview
Domain Abuse
• Domain names represent valuable Internet resources
• Domain abuse – Spam contains URLs leading to scam sites
• Top-level domain name: com
• Second-level domain name: bad-domain.com
• Host name: www.bad-domain.com
• Example spam message: "Hello, By visiting this site you can decide any watch that you like http://www.bad-domain.com/qjkx" (the URL leads to a scam site)

Overview
Spammers Exploit Domains
• More agile and reliable for attacks
– Domain space is very big
– Domain cost is small
– Not easy to detect

Overview
Motivation: Early Detection
• Timeline: Pre-attack (domain registration) → Attack (spamming) → Post-attack
– Most research focuses on activities after spam is sent: spam content filtering, IP blacklisting, URL crawling, DNS traffic analysis, etc.
– Problem: this leaves a window for spam dissemination and monetization
– Ultimate goal: detect spammer domains at time-of-registration rather than later at time-of-use

Outline
Talk Outline
• Motivation
• Registration Process and Data Collection
• DNS Infrastructure Used for Spammer Domains
• Detecting Registration Spikes
• Domain Life-cycle Role Analysis
• Summary

Background
Domain Registration Process
• Registrant → Registrar → Registry → Registration database → Update → Top-level nameservers
– Registrar (e.g., GoDaddy) brokers registrations
– Registry (e.g., Verisign) manages the registration database and pushes updates to the top-level nameservers

Background
Life Cycle Chart
• Available → Active (1–10 years; can be renewed) → Auto-Renew Grace (45 days) → Redemption Grace (30 days) → Pending Delete (5 days) → Available (re-registration possible)

Background
Data Collection
1. Which domains were newly registered in the .com zone (pre-attack: domain registration)
2. Whether the domains were used in spamming activities after registration (attack: spamming, and post-attack)

Background
Data Statistics
1. Verisign .com domain registrations over 5 months
– 12,824,401 new .com domains during March – July 2012
– Epoch: zone file updates every 5 minutes
– Registration information: registrars, nameservers, registration history
2. Spammer domains
– 134,455 new .com domains were blacklisted later
– Sources: spam trap, URIBL, and SURBL during March – October 2012 (8 months)

Outline (next section): DNS Infrastructure Used for Spammer Domains – Registrars and Authoritative Nameservers

Infrastructure
Registrars Hosting Spammer Domains
• Question: Which registrars do spammers choose to register domains?
• Confirmation*: A handful of registrars account for the majority of spammer domains
• Registrars ranked by the percentage of spammer domains they host (ranks 4–7 omitted on the slide)
Rank  Registrar                            Spam %
1     eNom, Inc.                           27.03%
2     Moniker Online Services, Inc.        19.01%
3     Tucows.com Co.                        4.47%
8     OnlineNIC, Inc.                       2.13%
9     Center of Ukrainian Internet Names    2.07%
10    Register.com, Inc.                    1.89%
• Share accounted for by these registrars
– Spammer domains: 70%
– All domains added to the zone: 20%
*Levchenko, K. et al. Click Trajectories: End-to-End Analysis of the Spam Value Chain. In Proceedings of the IEEE Symposium on Security and Privacy, 2011

Infrastructure
Spam Proportions on Registrars
• Question: Do registrars only host spammer domains?
[Figure: scatter plot of spammer domain counts (x-axis, log scale) against non-spammer domain counts (y-axis, log scale), both from 0 to 10^7, one point per registrar. Labelled registrars: eNom, Inc.; Moniker Online Services, Inc.; GoDaddy.com, LLC; Tucows.com Co.; OnlineNIC, Inc.; Register.com, Inc.; ABSystems Inc; INTERNET.bs Corp.; Bizcn.com, Inc.; Trunkoz Technologies Pvt Ltd. d/b/a OwnRegistrar.com; Center of Ukrainian Internet Names; PDR Ltd. d/b/a PublicDomainRegistry.com]
• Finding: Spammers primarily use popular registrars

Infrastructure
Authoritative Nameservers
• Question: Do spammers use particular nameservers?
• Finding: Spammers often use the nameservers provided by the registrars
– Example: the DNS server hosting the greatest number of spammer domains is ns1.monikerdns.net, but 99.77% of all its domains were registered through the same registrar, Moniker Online Services, Inc.

Outline (next section): Detecting Registration Spikes

Spike Pattern
An Example of Bulk Registration
• Question: Do spammers register domains in groups?
• Domains registered by eNom every 5 minutes on March 5th, 2012
[Figure: time series of new domains every 5 minutes and new spammer domains every 5 minutes]

Spike Pattern
Distribution of Spammer Domain Registration
• Distribution of the number of spammer domains registered within the same registrar and epoch
– Only 20% of the spammer domains were registered in isolation
• Finding: Spammers perform registrations in batches

Spike Pattern
Modeling Registration Batch Size
• Question: How to identify "abnormally large" registration batches?
• Build an hourly model to fit diurnal patterns
• Compound Poisson to represent customer purchase behaviors
• Example: eNom, Inc., hourly window, 10AM–11AM ET; a spike is an epoch whose registration count has low probability under the model
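The spike test on this slide, as an added example (not the authors' code): fit an hourly compound Poisson model to constructed per-epoch batch sizes, compute the exact distribution of an epoch's registration total with Panjer's recursion, and flag an epoch whose total falls in the low-probability tail. The training data, the per-purchase batch-size view, and the 0.1% threshold are constructed assumptions, not values from the talk.

```python
"""Flag abnormally large registration batches with a compound Poisson model.
Simplifying assumption: within one hourly window (e.g. one registrar,
10AM-11AM ET) each 5-minute epoch sees N ~ Poisson(lam) customer purchases,
each registering a batch of domains drawn from an empirical pmf f; the
epoch total is then compound Poisson, computed exactly via Panjer's recursion."""
import math
from collections import Counter

# Constructed training data: batch sizes seen per 5-minute epoch in the same
# hourly window on earlier days (one inner list per epoch, one entry per purchase).
TRAINING_EPOCHS = [
    [1, 1, 2], [1], [3, 1, 1, 1], [2, 1], [1, 1], [1, 1, 1, 2], [5, 1],
    [1], [1, 2, 1], [2], [1, 1, 1], [1, 4], [1, 1], [2, 2, 1], [1],
]


def fit_compound_poisson(epochs):
    """Return (lam, f): mean purchases per epoch and batch-size pmf {size: p}."""
    sizes = [s for epoch in epochs for s in epoch]
    lam = len(sizes) / len(epochs)
    f = {size: n / len(sizes) for size, n in Counter(sizes).items()}
    return lam, f


def compound_poisson_pmf(lam, f, n_max):
    """Panjer recursion: g[n] = P(epoch total == n) for n = 0..n_max."""
    g = [math.exp(-lam)] + [0.0] * n_max     # no purchase at all -> total 0
    for n in range(1, n_max + 1):
        g[n] = (lam / n) * sum(j * f.get(j, 0.0) * g[n - j]
                               for j in range(1, n + 1))
    return g


def spike_probability(total, lam, f):
    """Tail probability P(epoch total >= observed total) under the model."""
    if total <= 0:
        return 1.0
    g = compound_poisson_pmf(lam, f, total - 1)
    return max(0.0, 1.0 - sum(g))


def is_spike(total, lam, f, threshold=0.001):
    # An epoch is a spike when its total is this improbable under the model.
    return spike_probability(total, lam, f) < threshold


if __name__ == "__main__":
    lam, f = fit_compound_poisson(TRAINING_EPOCHS)
    for total in (3, 8, 40):
        print(total, round(spike_probability(total, lam, f), 6), is_spike(total, lam, f))
```

In practice one model is fitted per registrar and per hour of the day, so that a registrar's normal daytime volume is not mistaken for a spike.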

Spike Pattern
Registrations in Spikes
• Finding: Spammer domains appear in spikes with a much higher likelihood
– Spammer domains in spikes: 42%
– All domains in spikes: 15%

Outline (next section): Domain Life-cycle Role Analysis

Life Cycle
Life Cycle Categories
• Brand-new – The domain has never appeared in the zone before
• Re-registration – The domain has previously appeared in the zone
– Drop-catch: re-registered immediately after its release
– Retread: some time elapses between a domain's prior deletion and its re-registration
• Life cycle (from the earlier chart): Available → Active (1–10 years; Renew) → Auto-Renew Grace (45 days) → Redemption Grace (30 days) → Pending Delete (5 days) → Available (Re-registration)

Life Cycle
Prevalence of Different Categories
• Question: Which type of domain is more likely to be used in spam?
• Conditional probability of being a spammer domain (Drop-catch and Retread are the two Re-registration categories)
                   Brand-new   Drop-catch   Retread
All registrations  1.01%       0.33%        1.34%
In spikes          2.61%       0.37%        4.48%
• Finding: Spammers commonly re-register expired domains, especially when performing bulk registrations

Life Cycle
Malicious Activities before Retread
• Question: Do spammers re-register previous spammer domains?
• Checked the spam trap and blacklists for the period before the re-registration time (October 2011 – February 2012)
– Only 6.8% had appeared in a blacklist before re-registration
• Finding: Spammers re-register expired domains with clean histories

Life Cycle
Dormancy before Retread
• Question: How long is the gap between deletion and re-registration?
– 65% of retread spammer domains had been deleted less than 90 days before re-registration
• Finding: Spammers tend to re-register domains that expired more recently

Summary
Takeaways
• Positive actions from specific registrars could have a significant impact in impeding spammer domain registrations
• Pay attention to bulk registrations: spammers find economic and/or management benefit in registering domains in large batches
• In addition to generating names, spammers take advantage of re-registering expired domains that originally had a clean history

Summary
Summary
• We studied the fine-grained domain registration of the .com zone over a 5-month period
• Registration patterns have power to distinguish spammer domains, but there is no single striking signal that separates good domains from bad ones
• Next steps
– Develop a detector against spammer domains at registration time
– Investigate further the reasons behind spammer registration strategies
http://www.cc.gatech.edu/~shao