Understanding the Domain Registration Behavior of Spammers
Shuang Hao, Matthew Thomas, Vern Paxson, Nick Feamster, Christian Kreibich, Chris Grier, Scott Hollenbeck
Overview
Domain Abuse
• Domain names represent valuable Internet resources
• Domain abuse
  – Spam contains URLs leading to scam sites
    Example spam message: "Hello, By visiting this site you can decide any watch that you like http://www.bad-domain.com/qjkx" (the link leads to a scam site)
• Top-level domain name: com
• Second-level domain name: bad-domain.com
• Host name: www.bad-domain.com
Overview
Spammers Exploit Domains
• More agile and reliable for attacks
  – Domain space is very big
  – Domain cost is small
  – Not easy to detect
Overview
Motivation: Early Detection
Timeline figure: Pre-attack (domain registration) → Attack (spamming) → Post-attack (spam content filtering, IP blacklisting, URL crawling, DNS traffic analysis, etc.)
• Most research focuses on activities after spam is sent
  – Problem: Window left for spam dissemination and monetization
• Ultimate goal: Detect spammer domains at time of registration rather than later at time of use
Outline
Talk Outline
• Motivation
• Registration Process and Data Collection
• DNS Infrastructure Used for Spammer Domains
• Detecting Registration Spikes
• Domain Life-cycle Role Analysis
• Summary
Background
Domain Registration Process
Figure: the registrant registers a name through a registrar (e.g., GoDaddy), which brokers registrations; the registry (e.g., Verisign) manages the registration database and pushes updates to the database and the top-level nameservers.
Background
Life Cycle Chart
Figure: Available → Active (1-10 years, renewable) → Auto-Renew Grace (45 days) → Redemption Grace (30 days) → Pending Delete (5 days) → Available → Re-registration
Background
Data Collection
Timeline figure: Pre-attack (domain registration) → Attack (spamming) → Post-attack
1. What domains were newly registered in the .com zone
2. Whether the domains were used in spamming activities after registration
Background
Data Statistics
1. Verisign .com domain registrations over 5 months
   – 12,824,401 new .com domains during March – July, 2012
   – Epoch: Zone file updates every 5 minutes
   – Registration information
     • Registrars
     • Nameservers
     • Registration history
2. Spammer domains
   – 134,455 new .com domains were blacklisted later
   – Spam trap, URIBL, and SURBL during March – October, 2012 (8 months)
Infrastructure
Registrars Hosting Spammer Domains
• Question: What registrars do spammers choose to register domains?
The registrars ranked by the percentages of spammer domains:
Rank  Registrar                           Spam %
1     eNom, Inc.                          27.03%
2     Moniker Online Services, Inc.       19.01%
3     Tucows.com Co.                       4.47%
8     OnlineNIC, Inc.                      2.13%
9     Center of Ukrainian Internet Names   2.07%
10    Register.com, Inc.                   1.89%
Bar chart: share of spammer domains 70%, share of all domains added to the zone 20%
• Confirmation*: A handful of registrars account for the majority of spammer domains
*Levchenko, K. et al. Click Trajectories: End-to-End Analysis of the Spam Value Chain. In Proceedings of the IEEE Symposium on Security and Privacy, 2011
Infrastructure
Spam Proportions on Registrars
• Question: Do registrars only host spammer domains?
Scatter plot: non-spammer domain counts (log scale, y-axis) vs. spammer domain counts (log scale, x-axis) per registrar; labelled registrars include GoDaddy.com, LLC; PDR Ltd. d/b/a PublicDomainRegistry.com; Tucows.com Co.; eNom, Inc.; Register.com, Inc.; Moniker Online Services, Inc.; INTERNET.bs Corp.; Bizcn.com, Inc.; OnlineNIC, Inc.; Trunkoz Technologies Pvt Ltd. d/b/a OwnRegistrar.com; Center of Ukrainian Internet Names; ABSystems Inc
• Finding: Spammers primarily use popular registrars
Infrastructure
Authoritative Nameservers
• Question: Do spammers use particular nameservers?
• Example: the DNS server hosting the greatest number of spammer domains is ns1.monikerdns.net, but 99.77% of all domains were registered through the same registrar, Moniker Online Services, Inc.
• Finding: Spammers often use the nameservers provided by the registrars
Spike Pattern
An Example of Bulk Registration
• Question: Do spammers register domains in groups?
Time-series plot: new domains every 5 minutes, and new spammer domains every 5 minutes
• Domains registered by eNom every 5 minutes on March 5th, 2012
Spike Pattern
Distribution of Spammer Domain Registration
• Distribution of the number of spammer domains registered within the same registrar and epoch
  Only 20% of the spammer domains got registered in isolation
• Finding: Spammers perform registrations in batches
Spike Pattern
Modeling Registration Batch Size
• Question: How to identify “abnormally large” registration batches?
• Build an hourly model to fit diurnal patterns
• Compound Poisson to represent the customer purchase behaviors
Plot: eNom, Inc., hourly window, 10AM–11AM ET (annotation: Spike: low probability)
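As an added example (not the authors' code), the compound-Poisson batch model applied to one hourly window: the number of customers per 5-minute epoch is Poisson, each customer registers a batch of names, and an epoch is a spike when its total count has low probability under the model. The input shape (per-epoch batch sizes), the spike threshold and the sample epochs below are assumptions.

```python
import math
from collections import Counter

def fit(epoch_batches):
    """epoch_batches: for each 5-minute epoch in the hourly window, the
    batch sizes seen (names one customer registered together; assumed
    input shape). Returns customers-per-epoch rate and batch-size pmf."""
    sizes = [s for batches in epoch_batches for s in batches]
    lam = len(sizes) / len(epoch_batches)
    size_pmf = {k: c / len(sizes) for k, c in Counter(sizes).items()}
    return lam, size_pmf

def compound_poisson_pmf(lam, size_pmf, n_max):
    """P(registrations in an epoch = n) for n = 0..n_max, computed with the
    Panjer recursion for a Poisson customer count and positive batch sizes."""
    g = [math.exp(-lam)] + [0.0] * n_max
    for n in range(1, n_max + 1):
        g[n] = lam / n * sum(j * size_pmf.get(j, 0.0) * g[n - j]
                             for j in range(1, n + 1))
    return g

def tail_probability(lam, size_pmf, observed):
    """P(X >= observed): how surprising an epoch with this many names is."""
    if observed <= 0:
        return 1.0
    return max(0.0, 1.0 - sum(compound_poisson_pmf(lam, size_pmf, observed - 1)))

def is_spike(lam, size_pmf, observed, alpha=0.001):
    """Flag an epoch as a spike when its count has low probability under the model."""
    return tail_probability(lam, size_pmf, observed) < alpha

# Constructed sample: batch sizes in the 12 epochs of one hourly window for a
# hypothetical registrar; most customers buy one or two names.
SAMPLE_EPOCHS = [[1, 1, 2], [1], [1, 3], [1, 1], [2], [1, 1, 1],
                 [1, 5], [1], [2, 1], [1, 1], [3], [1, 1, 2]]

if __name__ == "__main__":
    lam, pmf = fit(SAMPLE_EPOCHS)
    for count in (3, 8, 30):
        print(count, round(tail_probability(lam, pmf, count), 6), is_spike(lam, pmf, count))
```

With all batches of size 1 the model reduces to a plain Poisson, which is a convenient sanity check for the recursion.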
Spike Pattern
Registrations in Spikes
Spammer domains in spikes: 42%
All domains in spikes: 15%
• Finding: Spammer domains appear in spikes with a much higher likelihood
Life Cycle
Life Cycle Categories
Life-cycle chart (as above): Available → Active (1-10 years, renewable) → Auto-Renew Grace (45 days) → Redemption Grace (30 days) → Pending Delete (5 days) → Available → Re-registration
• Brand-new
  – The domain has never appeared in the zone before
• Re-registration
  – The domain has previously appeared in the zone
    • Drop-catch: re-registered immediately after its release
    • Retread: some time elapses between a domain’s prior deletion and its re-registration
Life Cycle
Prevalence of Different Categories
• Question: What type of domain is more likely to be used in spam?
Conditional probability of being a spammer domain:
                 Brand-new   Re-registration
                             Drop-catch   Retread
All domains      1.01%       0.33%        1.34%
In spikes        2.61%       0.37%        4.48%
• Finding: Spammers commonly re-register expired domains, especially when performing bulk registrations
Life Cycle
Malicious Activities before Retread
• Question: Do spammers re-register previous spammer domains?
• Checked against the spam trap and blacklists before the re-registration time (October 2011 – February 2012)
  – Only 6.8% had appeared in a blacklist before re-registration
• Finding: Spammers re-register expired domains with clean histories
Life Cycle
Dormancy before Retread
• Question: How long elapses between deletion and re-registration?
  65% of retread spammer domains were deleted less than 90 days before re-registration
• Finding: Spammers tend to re-register domains that expired more recently
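An added example (not the authors' code) that turns the life-cycle stages and the brand-new / drop-catch / retread categories from the earlier slides into a classifier and measures the dormancy before retread used here; the deletion-log input shape, the one-epoch drop-catch window and the sample data are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Post-expiration stages and durations from the life-cycle chart.
AUTO_RENEW_GRACE = timedelta(days=45)
REDEMPTION_GRACE = timedelta(days=30)
PENDING_DELETE = timedelta(days=5)
EPOCH = timedelta(minutes=5)            # zone file updates every 5 minutes
RECENT_DELETION = timedelta(days=90)    # threshold from the dormancy slide
def release_time(expiry):
    """Earliest time an unrenewed domain is deleted and becomes available again."""
    return expiry + AUTO_RENEW_GRACE + REDEMPTION_GRACE + PENDING_DELETE

def classify(added_at, deletions, drop_catch_window=EPOCH):
    """deletions: times the name previously left the zone (assumed input shape).
    Returns (category, dormancy); dormancy is None for brand-new names."""
    earlier = [d for d in deletions if d <= added_at]
    if not earlier:
        return "brand-new", None
    dormancy = added_at - max(earlier)
    # Drop-catch: picked up in the first epoch after release; otherwise retread.
    if dormancy <= drop_catch_window:
        return "drop-catch", dormancy
    return "retread", dormancy

def summarize(registrations, deletions_by_domain):
    """registrations: (domain, added_at) pairs. Returns category counts and the
    share of retreads whose last deletion was less than 90 days earlier."""
    counts, recent, retreads = Counter(), 0, 0
    for domain, added_at in registrations:
        cat, dormancy = classify(added_at, deletions_by_domain.get(domain, []))
        counts[cat] += 1
        if cat == "retread":
            retreads += 1
            recent += dormancy < RECENT_DELETION
    return counts, (recent / retreads if retreads else 0.0)

# Constructed sample: prior zone deletions and four new registrations.
DELETIONS = {
    "old-shop.com": [datetime(2012, 1, 10, 9, 0)],
    "quick-deal.com": [datetime(2012, 3, 5, 14, 0)],
    "stale-name.com": [datetime(2011, 6, 1, 8, 0)],
}
REGISTRATIONS = [
    ("fresh-name.com", datetime(2012, 3, 5, 10, 0)),   # never in the zone
    ("old-shop.com", datetime(2012, 3, 5, 10, 5)),     # deleted 55 days ago
    ("quick-deal.com", datetime(2012, 3, 5, 14, 5)),   # next epoch after release
    ("stale-name.com", datetime(2012, 3, 5, 10, 10)),  # deleted 9 months ago
]
```

Calling summarize(REGISTRATIONS, DELETIONS) on the sample gives one brand-new, one drop-catch and two retread registrations, with half of the retreads deleted within the previous 90 days.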
Summary
Takeaways
• Positive actions from specific registrars could have a significant impact in impeding spammer domain registrations
• Pay attention to bulk registrations: spammers find economic and/or management benefit in registering domains in large batches
• In addition to generating names, spammers take advantage of re-registering expired domains that originally had a clean history
Summary
Summary
• We studied the fine-grained domain registration of the .com zone over a 5-month period
• Registration patterns have power to distinguish spammer domains, but there is no striking signal that separates good domains from bad ones
• Next steps
  – Develop a detector against spammer domains at registration time
  – Investigate further the reasons for spammers' registration strategies
http://www.cc.gatech.edu/~shao