Understanding the Domain Registration Behavior of Spammers


Shuang Hao, Matthew Thomas, Vern Paxson, Nick Feamster, Christian Kreibich, Chris Grier, Scott Hollenbeck

Overview

Domain Abuse
•  Domain names represent valuable Internet resources
•  Domain abuse
   –  Spam contains URLs leading to scam sites

   Example spam message: "Hello, By visiting this site you can decide any watch that you like http://www.bad-domain.com/qjkx" (the URL leads to a scam site)

•  Top-level domain name: com
•  Second-level domain name: bad-domain.com
•  Host name: www.bad-domain.com


Overview

Spammers Exploit Domains
•  More agile and reliable for attacks
   –  Domain space is very big
   –  Domain cost is small
   –  Not easy to detect


Overview

Motivation: Early Detection

[Figure: attack timeline. Pre-attack: domain registration. Attack: spamming. Post-attack defenses: spam content filtering, IP blacklisting, URL crawling, DNS traffic analysis, etc.]

–  Most research focuses on activities after spam is sent
   Problem: a window is left for spam dissemination and monetization
–  Ultimate goal: Detect spammer domains at time-of-registration rather than later at time-of-use

Outline

Talk Outline
•  Motivation
•  Registration Process and Data Collection
•  DNS Infrastructure Used for Spammer Domains
•  Detecting Registration Spikes
•  Domain Life-cycle Role Analysis
•  Summary


Background

Domain Registration Process

[Figure: Registrant → Registrar (e.g., GoDaddy), which brokers registrations → Registry (e.g., Verisign), which manages the registration database; database updates feed the top-level nameservers]


Background

Life Cycle Chart

[Figure: Available → Active (1-10 years; renewable) → Auto-Renew Grace (45 days) → Redemption Grace (30 days) → Pending Delete (5 days) → Available → Re-registration]


Background

Data Collection

[Figure: timeline from pre-attack (domain registration) to attack (spamming) to post-attack]

1  What domains were newly registered in the .com zone
2  Whether the domains were used in spamming activities after registration

Background

Data Statistics
1  Verisign .com domain registrations over 5 months
   –  12,824,401 new .com domains during March – July, 2012
   –  Epoch: zone file updates every 5 minutes
   –  Registration information
      •  Registrars
      •  Nameservers
      •  Registration history
2  Spammer domains
   –  134,455 new .com domains were blacklisted later
   –  Spam trap, URIBL, and SURBL during March – October, 2012 (8 months)

Outline

Talk Outline
•  Motivation
•  Registration Process and Data Collection
•  DNS Infrastructure Used for Spammer Domains
   –  Registrars and Authoritative Nameservers
•  Detecting Registration Spikes
•  Domain Life-cycle Role Analysis
•  Conclusion


Infrastructure

Registrars Hosting Spammer Domains
•  Question: What registrars do spammers choose to register domains?

   The registrars ranked by the percentages of spammer domains (ranks 4–7 omitted):

   Rank  Registrar                            Spam %
   1     eNom, Inc.                           27.03%
   2     Moniker Online Services, Inc.        19.01%
   3     Tucows.com Co.                        4.47%
   8     OnlineNIC, Inc.                       2.13%
   9     Center of Ukrainian Internet Names    2.07%
   10    Register.com, Inc.                    1.89%

   [Figure: share of spammer domains 70% vs. share of all domains added to the zone 20%]

•  Confirmation*: A handful of registrars account for the majority of spammer domains

   *Levchenko, K. et al. Click Trajectories: End-to-End Analysis of the Spam Value Chain. In Proceedings of the IEEE Symposium on Security and Privacy, 2011.

Infrastructure

Spam Proportions on Registrars
•  Question: Do registrars only host spammer domains?

[Figure: scatter plot, one point per registrar; x-axis: spammer domain counts (log scale), y-axis: non-spammer domain counts (log scale). Registrars shown: GoDaddy.com, LLC; PDR Ltd. d/b/a PublicDomainRegistry.com; Tucows.com Co.; eNom, Inc.; Register.com, Inc.; Moniker Online Services, Inc.; INTERNET.bs Corp.; Bizcn.com, Inc.; OnlineNIC, Inc.; Trunkoz Technologies Pvt Ltd. d/b/a OwnRegistrar.com; Center of Ukrainian Internet Names; ABSystems Inc]

•  Finding: Spammers primarily use popular registrars


Infrastructure

Authoritative Nameservers
•  Question: Do spammers use particular nameservers?

   Example: the DNS server hosting the greatest number of spammer domains is ns1.monikerdns.net, but 99.77% of all domains served by it were registered through the same registrar, Moniker Online Services, Inc.

•  Finding: Spammers often use the nameservers provided by the registrars


Spike Pattern

An Example of Bulk Registration
•  Question: Do spammers register domains in groups?

[Figure: two time series, new domains every 5 minutes and new spammer domains every 5 minutes]

•  Domains registered by eNom every 5 minutes on March 5th, 2012


Spike Pattern

Distribution of Spammer Domain Registration
•  Distribution of the number of spammer domains registered within the same registrar and epoch

   Only 20% of the spammer domains were registered in isolation

•  Finding: Spammers perform registrations in batches


Spike Pattern

Modeling Registration Batch Size
•  Question: How to identify “abnormally large” registration batches?
•  Build an hourly model to fit diurnal patterns
•  Compound Poisson to represent the customer purchase behaviors
   Spike: low probability under the model

[Figure: fitted model for eNom, Inc., hourly window, 10AM–11AM ET]
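As an added illustration of the spike test sketched on this slide (not the authors' code), the following Python fits the compound-Poisson model from a constructed registration history and flags epochs whose count is improbable under it. The batch-size distribution, the 0.01 threshold and the Panjer recursion used to evaluate the model are assumptions; the slide gives only the model family.

```python
"""Compound-Poisson spike test for per-epoch registration counts (added
illustration; not the authors' code). Model assumed from the slide: within a
registrar's hourly window, purchases per 5-minute epoch ~ Poisson(lam), and
each purchase registers a batch of domains with size drawn i.i.d. from q.
An epoch count is a spike when its upper-tail probability is below alpha."""
import math
from collections import Counter


def fit_from_history(epoch_batches):
    """Estimate lam and q from past epochs, each given as the list of batch
    sizes purchased in it (how batches are delineated is an assumption)."""
    batches = [b for epoch in epoch_batches for b in epoch]
    lam = len(batches) / len(epoch_batches)          # mean purchases per epoch
    q = {size: n / len(batches) for size, n in Counter(batches).items()}
    return lam, q


def compound_poisson_pmf(lam, q, n_max):
    """P(N = n) for n = 0..n_max by Panjer recursion, exact for Poisson K:
    p_0 = exp(-lam), p_n = (lam / n) * sum_k k * q_k * p_{n-k}."""
    p = [math.exp(-lam)]
    for n in range(1, n_max + 1):
        p.append(lam / n * sum(k * qk * p[n - k] for k, qk in q.items() if k <= n))
    return p


def tail_probability(n_obs, lam, q):
    """P(N >= n_obs): one minus the mass strictly below the observed count."""
    if n_obs <= 0:
        return 1.0
    return max(0.0, 1.0 - sum(compound_poisson_pmf(lam, q, n_obs - 1)))


def is_spike(n_obs, lam, q, alpha=0.01):
    """Flag an epoch whose count would be this improbable under the model."""
    return tail_probability(n_obs, lam, q) < alpha


# Constructed history: five quiet epochs from one registrar's hourly window,
# each listing the batch sizes purchased in that epoch.
HISTORY = [[1, 1], [1, 2], [], [1, 1, 5], [2]]

if __name__ == "__main__":
    lam, q = fit_from_history(HISTORY)   # lam = 1.6, q = {1: .625, 2: .25, 5: .125}
    for n in (2, 8, 40):
        print(n, round(tail_probability(n, lam, q), 6), is_spike(n, lam, q))
```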

Spike Pattern

Registrations in Spikes

   Spammer domains in spikes   42%
   All domains in spikes       15%

•  Finding: Spammer domains appear in spikes with a much higher likelihood



Life Cycle

Life Cycle Categories

[Figure: Available → Active (1-10 years; renewable) → Auto-Renew Grace (45 days) → Redemption Grace (30 days) → Pending Delete (5 days) → Available → Re-registration]

•  Brand-new
   –  The domain has never appeared in the zone before
•  Re-registration
   –  The domain has previously appeared in the zone
   •  Drop-catch: re-registered immediately after its release
   •  Retread: some time elapses between a domain’s prior deletion and its re-registration


Life Cycle

Prevalence of Different Categories
•  Question: What type of domain is more likely to be used in spam?

   Conditional probability of being a spammer domain:

                 Brand-new   Re-registration
                             Drop-catch   Retread
   All domains   1.01%       0.33%        1.34%
   In spikes     2.61%       0.37%        4.48%

•  Finding: Spammers commonly re-register expired domains, especially when performing bulk registrations

Life Cycle

Malicious Activities before Retread
•  Question: Do spammers re-register previous spammer domains?
•  Introspect with spam trap and blacklists before the re-registration time (October 2011 – February 2012)
   –  Only 6.8% had appeared in a blacklist before re-registration
•  Finding: Spammers re-register expired domains with clean histories


Life Cycle

Dormancy before Retread
•  Question: How long is the gap between deletion and re-registration?

   65% of retread spammer domains were deleted less than 90 days before re-registration

•  Finding: Spammers tend to re-register domains that expired more recently
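The life-cycle categories (brand-new, drop-catch, retread) and the dormancy measurement from this and the "Life Cycle Categories" slide, as an added Python illustration that is not the authors' code: it classifies each newly registered domain from its zone history, derives the release date from the chart's grace periods, and computes the share of retread domains deleted less than 90 days before re-registration. The one-day drop-catch window and the constructed sample are assumptions.

```python
"""Life-cycle categories for newly registered domains (added illustration;
not the authors' code). It applies the slide's categories (brand-new,
drop-catch, retread) to a domain's zone history and measures the dormancy
between deletion and re-registration. DROP_CATCH_WINDOW is an assumption:
the slide says "immediately after its release" without giving a number."""
from datetime import datetime, timedelta

# Grace phases from the life-cycle chart, in days
AUTO_RENEW_GRACE, REDEMPTION_GRACE, PENDING_DELETE = 45, 30, 5
DROP_CATCH_WINDOW = timedelta(days=1)        # assumed "immediately" threshold


def release_date(expiration):
    """When an unrenewed domain returns to Available: it passes through all
    three grace phases after its expiration (assumes no renewal on the way)."""
    return expiration + timedelta(days=AUTO_RENEW_GRACE + REDEMPTION_GRACE + PENDING_DELETE)


def classify(registered, last_deleted=None):
    """Return (category, dormancy_days); last_deleted is when the domain last
    left the zone, or None if it was never in the zone before."""
    if last_deleted is None:
        return "brand-new", None
    gap = registered - last_deleted
    return ("drop-catch" if gap <= DROP_CATCH_WINDOW else "retread"), gap.days


def retread_dormancy_share(records, max_days=90):
    """Fraction of retread domains re-registered under max_days after deletion."""
    dormancy = [days for reg, deleted in records
                for cat, days in [classify(reg, deleted)] if cat == "retread"]
    return sum(1 for d in dormancy if d < max_days) / len(dormancy) if dormancy else 0.0


# Constructed sample of (registration time, last deletion time or None)
SAMPLE = [
    (datetime(2012, 3, 5, 10, 0), None),                            # never seen
    (datetime(2012, 3, 5, 10, 5), datetime(2012, 3, 5, 9, 58)),     # caught on drop
    (datetime(2012, 3, 5, 10, 5), datetime(2012, 1, 10)),           # 55 days dormant
    (datetime(2012, 3, 5, 10, 5), datetime(2011, 6, 1)),            # 278 days dormant
    (datetime(2012, 3, 5, 10, 5), datetime(2012, 2, 20)),           # 14 days dormant
]


def sample_results():
    """Category and dormancy for every record in the constructed sample."""
    return [classify(reg, deleted) for reg, deleted in SAMPLE]


if __name__ == "__main__":
    print(sample_results())
    print(retread_dormancy_share(SAMPLE))    # share of retreads deleted < 90 days ago
```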


Summary

Takeaways
•  Positive actions from specific registrars could have a significant impact on impeding spammer domain registrations
•  Pay attention to bulk registrations: spammers find economic and/or management benefit in registering domains in large batches
•  In addition to generating names, spammers take advantage of re-registering expired domains that originally had a clean history


Summary

Summary
•  We studied the fine-grained domain registration of the .com zone over a 5-month period
•  Registration patterns have power for distinguishing spammer domains, but there is no striking signal that separates good domains from bad ones
•  Next steps
   –  Develop a detector against spammer domains at registration time
   –  Investigate further the reasons behind spammers' registration strategies

http://www.cc.gatech.edu/~shao
