ECAINA: Exposing Criminal Abuse of Internet Names and Addresses
Proof of Concept
3 Sep 2019 to 24 Feb 2020
Colin Strutt, Dave Piscitello
ECAINA Proof of Concept
◼ Feasibility study begun 3 September 2019
⧫ Gathering daily blocklist data for 23 TLDs
⧫ Identifying the associated registrar from available domain name registration data
◼ Augmenting with data from other sources (where available)
⧫ Whois, RDAP, Team Cymru, dns.coffee, etc.
◼ Analysis of blocklist and Whois data for each TLD on each day:
1. # domain names on blocklist; “sponsoring” registrar
2. # domain names added to blocklist each day; “sponsoring” registrar
3. # domain names removed from the blocklist each day
◼ Demonstrating the value and viability of ECAINA
⧫ Observed relationships between turnover, bulk registration, and blocklisting “spikes” and well-recognized patterns of criminal behavior
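The per-TLD, per-day analysis listed above (names on the list, names added, names removed, each attributed to a sponsoring registrar) is a diff between consecutive daily snapshots. The following Python is an added example and not code from the ECAINA project: the daily snapshots, the registrar lookup (a stand-in for the Whois/RDAP data the deck gathers) and the domain names are all constructed. It also reports names that left the list and were later re-added, the turnover signal the deck mentions.

```python
"""Daily blocklist turnover per TLD, attributed to sponsoring registrars.

Added example, not from the ECAINA deck. All data below is constructed.
"""
from collections import Counter, defaultdict

# Constructed daily snapshots: ISO date -> set of domain names on the blocklist.
SNAPSHOTS = {
    "2020-02-17": {"aaddxs.icu", "example-shop.site", "example-one.us", "example-old.top"},
    "2020-02-18": {"aaddxs.icu", "aaeazr.icu", "aagylz.icu", "example-shop.site",
                   "bbgbix.site", "example-one.us"},
    "2020-02-19": {"aaeazr.icu", "aagylz.icu", "bbgbix.site", "example-old.top"},
}

# Constructed registrar lookup (stand-in for Whois/RDAP). example-old.top is
# deliberately missing, to show how unavailable registration data is reported.
REGISTRAR_OF = {
    "aaddxs.icu": "Registrar A", "aaeazr.icu": "Registrar A", "aagylz.icu": "Registrar A",
    "example-shop.site": "Registrar B", "bbgbix.site": "Registrar A",
    "example-one.us": "Registrar C",
}


def tld_of(domain):
    """Last label of the name, except co.kr which the deck tracks as one TLD."""
    labels = domain.lower().split(".")
    return ".".join(labels[-2:]) if labels[-2:] == ["co", "kr"] else labels[-1]


def daily_report(snapshots, registrar_of):
    """Return {date: {tld: {"on_list", "added", "removed", "added_by_registrar"}}}.

    'added' and 'removed' compare each day with the previous snapshot; the
    first day has nothing to compare against, so both are empty for it.
    """
    report = {}
    prev = set()
    for i, day in enumerate(sorted(snapshots)):
        today = snapshots[day]
        added = today - prev if i > 0 else set()
        removed = prev - today if i > 0 else set()
        per_tld = defaultdict(lambda: {"on_list": 0, "added": 0, "removed": 0,
                                       "added_by_registrar": Counter()})
        for d in today:
            per_tld[tld_of(d)]["on_list"] += 1
        for d in added:
            entry = per_tld[tld_of(d)]
            entry["added"] += 1
            entry["added_by_registrar"][registrar_of.get(d, "unknown")] += 1
        for d in removed:
            per_tld[tld_of(d)]["removed"] += 1
        report[day] = {tld: dict(v) for tld, v in per_tld.items()}
        prev = today
    return report


def reblocked(snapshots):
    """Names that dropped off the list and reappeared on a later day."""
    seen_removed, again, prev = set(), set(), set()
    for day in sorted(snapshots):
        today = snapshots[day]
        again |= (today - prev) & seen_removed
        seen_removed |= prev - today
        prev = today
    return again


if __name__ == "__main__":
    for day, tlds in daily_report(SNAPSHOTS, REGISTRAR_OF).items():
        for tld, stats in sorted(tlds.items()):
            print(day, tld, stats)
    print("blocked again:", sorted(reblocked(SNAPSHOTS)))
```

Registrar attribution is deliberately done only for names added on a given day, which is the set a registrar can be asked about; counting the whole list against registrars every day would re-attribute names whose registration data may no longer be retrievable.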
Number of Names on Each TLD’s Blocklist
[Chart: daily count of names on each TLD’s blocklist, 3 Sep 2019 to 22 Feb 2020. Two panels: one with a y-axis to 25,000 whose legend includes com, and one with a y-axis to 12,000 whose legend omits com. TLDs in the legend: agency, biz, cloud, co.kr, com, fit, gdn, icu, info, life, live, monster, net, org, pet, ru, site, tokyo, top, us, work, world, xyz]
Number of Names Added to Each TLD’s Blocklist
[Chart: daily count of names added to each TLD’s blocklist. Annotated spikes: .us, 14 Oct: 10,516 names; .icu, 6 & 9 Feb: 7,426 & 8,779 names]
Registrars with High Proportion of Blocked Domains
◼ 18 Feb shows
⧫ 4,386 names added to .icu
⧫ 1,132 added to .site
◼ Many names exhibit a common pattern – 6 random alpha characters
◼ These registrars account for names added that day for all 23 TLDs:

Registrar                              Count
ERANET INTERNATIONAL LIMITED           5,448
GMO Internet, Inc. d/b/a Onamae.com      164
NameCheap, Inc.                           48
GoDaddy.com, LLC                          25
NameSilo, LLC                             12
... and 28 other registrars               53
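The "6 random alpha characters" observation is a label-shape heuristic: once the day's additions are known, count how many labels match the shape per TLD and which registrars sponsored the matching names. The Python below is an added example, not the deck's own tooling; the domains and registrar names are constructed. Beyond the six-letter pattern of 18 Feb it accepts any compiled pattern, so the six-character alphanumeric labels shown for the 14 Oct .us spike can be counted the same way.

```python
"""Count blocklisted labels that match a bulk-registration shape, per TLD and
per sponsoring registrar.

Added example, not from the ECAINA deck. Domains and registrars are constructed.
"""
import re
from collections import Counter

SIX_ALPHA = re.compile(r"^[a-z]{6}$")      # the 18 Feb shape: six lowercase letters
SIX_ALNUM = re.compile(r"^[a-z0-9]{6}$")   # letters or digits, as in the 14 Oct .us labels

# Constructed: (domain added today, sponsoring registrar from registration data)
ADDED_TODAY = [
    ("aaddxs.icu", "Registrar A"), ("aaeazr.icu", "Registrar A"), ("aagylz.icu", "Registrar A"),
    ("my-real-shop.icu", "Registrar B"),
    ("bbgbix.site", "Registrar A"), ("bbgwph.site", "Registrar A"),
    ("example-news.site", "Registrar C"),
    ("01fl9z.us", "Registrar D"),
]


def pattern_share(added, pattern=SIX_ALPHA):
    """Return ({tld: (matching, total)}, Counter of registrars for matching names).

    The label is everything before the first dot, so co.kr names keep 'co.kr' as TLD.
    """
    per_tld = {}
    by_registrar = Counter()
    for domain, registrar in added:
        label, _, tld = domain.lower().partition(".")
        matched = bool(pattern.match(label))
        matching, total = per_tld.get(tld, (0, 0))
        per_tld[tld] = (matching + matched, total + 1)
        if matched:
            by_registrar[registrar] += 1
    return per_tld, by_registrar


def flag_registrars(by_registrar, threshold=0.5):
    """Registrars sponsoring at least `threshold` of all pattern-matching names."""
    total = sum(by_registrar.values())
    return [r for r, n in by_registrar.most_common() if total and n / total >= threshold]


if __name__ == "__main__":
    per_tld, by_reg = pattern_share(ADDED_TODAY)
    for tld, (matching, total) in sorted(per_tld.items()):
        print(f".{tld}: {matching} of {total} added names are 6-alpha")
    print("registrars concentrated in the pattern:", flag_registrars(by_reg))
```

The threshold is a reporting knob, not a verdict: a registrar that sponsors most of a day's pattern-shaped additions is where a follow-up on bulk registration starts, and the per-TLD ratio separates a single-TLD spike (as on 18 Feb) from a pattern spread across many TLDs.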
18 Feb: 6-α Names Added to Blocklists 4,355 to .icu & 1,094 to .site
aaddxs aaeazr aagylz aahhad aaiqwi aaiyzp aakmvx aaleol aaniox aapbev aapvyh aasxxy aavzgg aazosu abehgh abewbu abezzk abfzvj abhpnd abiuya abiuzm abnupx abpbwg abqgug aburmd abuwbb abvbpc abwbmz abwvhz abyriu acbhsz acctdq acejkm acfdza acgbsh acjxve aclopd acmmpr acqaac acqieb acrsnr actdyc acxouq acyzev adcxhj adimin adkvim adltcj admrrl adntvf adoocl adrcwt aducad adxibm adzeia adzzos aeadab aeaqow aecivq aeerue aehzxs aekcyw aeogvx aeovcf aerhzk aesors aetqfo aevbir afakbv afaofy afenbl affkvc affqvn afgzfj afhcwg afkmij afnley afqdmc afqorj afszyl afxrng afxxag afyabs afyauc afyvwn agengu aggdvb aggxet agilsk agjzbq agkqsq agpjqn agrhbk agsdgl agsqcw agwzau agypig agyuko ahbtdu ahcmoe ahcvhq ahetga ahewyq ahhhbc ahiaky ahjmvb ahmpzq ahowhq ahyiod aiaeph aibpow aicgkm aidepv aiditm aidscm aielok aiidbe aijftc aikkbu aikzdb ailxqy ainmwx aipdgm aiqpla airzbh aisbsq aitxww aiuzrs aivvhr aixfou aizrni ajgtzv ajhsos ajhukr ajkgep ajkjau ajqsix ajrudr ajtkva ajwaqx ajztcm akkkjh akmjpw akoayb aktfrq akttyd akvvlj akztdv akzuto alaoev alekxl algsge alhglk alnaou alntim alpmxm alpqsy alqywg alrcox alsqcc alusju alwqyf alzamo amgqss amhakd amhdaz amjopa amjzbx amnlca amqqqy amrbkz amwcxz amzwsm anajaw anesyt anhepl anjgbm annxce anrlsc anucgh anvbjn anwebe anykhs anyysh anzqke aocmvq aocucv aodiwx aofpiw aogyuq aojznw aoosqk aoumuh aounto aouwts aovcws aowpnt apajtd apiavv apimyw apjioo apjotn apkmlj aplagx apnzjn apokor apsgxn aptglv apufvc apxbwm apxhcy apyqvw apzjbs aqbcjg aqbsvg aqciuf aqdexk aqevbd aqeytv aqgudh aqhbpw aqhcgz aqhhfe aqjmwz aqklbl aqpqht aqqpcs aqrzxv aqtbra aqubae aqvaof ararwj arclkg arejzp arfjwa arfqgt arfspu arhdbn arhwfh arihga arivkj arjhmz arlexz armidr arnxoz arqpsv artfwb arusmo arvgqx arwcmw aslhlt asmwav asodms asoxxw aspbtg asphih assoja asvmih asxqds asyndx atbasu atblcz atizrx atjatn atjrif atjygy atnvan atqnnl atquau atrrhy atrsps atsjxf atvrii atvsai atvvvw atywzv atyziy atzbub auezwq aufbhe auhlwj auirig aujfxz auketk aumnok 
auohsz aupavf auqfxh aurfyu aussrx ausvgn autfkn autupx auuavb auwzri auxksf avdfth avitoo avkdop avkwlo avmbdj avrdra avribs avrnvo avrtrx avsbqn avskdw avuggm avuqnw avwmrq avwvgp avxmmd avxtll awbypc awcpmq awcyxn awerag awmavn awmelo awmxce awpxjg awsheu awsmyq awumhn awunxy awuvmk awuyjt awwkot awycmi axcxww axfbnt axihki axiyzt axjsyi axkozd axlpji axmnof axnxkw axpboa axqreb axqruc axsmim axtpkv axtxvy axurvr axzhuo ayahun aybrux ayczsy ayddla aygirf aygmbp ayildl aymfxf aymski ayqjuu ayrobe ayyaat azbtqh azidjm aziwmc azlsrx azmewz azsyml azthqg azttxy azyikh azzeze baabzz babjsw babwli baeobz bafvpb baianr baithl bajnun bajumm bakfez balddt banaxp batkpr batvkf batyfk bavbrv bawubh baxrkc bbaqrb bbawbl bbgbix bbgwph bbjtgm bbjvcr bbmghs bbmrqs bbqfqu bbtekl bbutcv bbwzad bbxemq bbxjsm bbyfpx bcajyy bcarug bcbpmb bccmbf bcdglj bckqwy bckscs bclmll bcsqon bctjtc bcuajz bculmt bcvdli bcxvve bdanan bdbgzf bddfnh bddtgi bdfbom bdfnxr bdkdqm bdpkni bdtecx bdtlvi bdtvuf bdyldw bebedl bedzuj befnwy begqrp bekzot bemcwh bemzfm bencps benwpb berypo bewkyy bezdsf bfahxs bfbhmx bfcbqk bfcpiy bfgcap bfibzw bfkaoi bfolhp bfpldp bfuiyh bfuwfd bfvqde bfvzbp bfwjew bfyebl bfygva bfypmv bgbent bgcfhv bgcypm bgfbrw bggdrk bgjmbq bgllaz bgnjmf bgpsen bgqusr bgqzbq bgreym bgrrcl bgruax bgsmqk bgsvsq bgvwfn bgzfcv bhalpb bhdgfg bhdtbd bhegrf bheueq bhgone bhjgrs bhjsvk bhmbhk bhphpk bhqwpr bhrbik bhsmsi bhtqhq bhuaqp bhwcgp bhwlrk bhwuhc bhxveb bibwru bicefi bicmih bidlzt bihhga biiipg biobnk bisemi biuegl biuitb bizrww bjattw bjdwnz bjecgi bjelth bjgxsx bjhqur bjjxfi bjooct bjpotv bjpynl bjrwtg bjumaz bjvual bkaybs bkbnwv bkdovs bkdpim bkjghe bkkvsc bklhwk bkpjuc ysiulw ysswen ytnbdq yumpyw yvrmld yxipbq yyilti yzeeqw yzxcsn yzxlft yzzrko zaevyr zbsman zbtqbj zcvszl zgpqpu zhcxfo zhimqb zifxpn zkpuwk zmmbtm zmyjlg zphdph zqxllw zrhnck zrwvbe zsqsms ztpgre zuodtj zvfwsn zwbcux zwyoyq zyrrys zyxiff zzbavz
···
14 October – 10,516 Names Added to .us Blocklist
01fl9z 01py42 02gtn1 02joer 0317gm 034wo8 047pip 048bfu 049eql 04bqda 04dtr9 04otrs 058dax 05cfis 05h3tx 05kbpy 05ourk 05vbdo 05vmdi 06mwpx 07ebdo 07ktun 081uq5 082asy 08phqx 09feqg 09nb2a 09w8yh 09zzc4 0aaior 0aec3m 0afxwz 0ahncl 0amepc 0ammbh 0bgisc 0bhqex 0bkpju 0brnlo 0c2wmp 0cb1o3 0cbik6 0cenf4 0chmtp 0chyql 0ck65z 0cmddq 0cornp 0cyxbl 0d3q2g 0d4ayv 0d6gml 0dm5hn 0duz8q 0dzwfo 0e2lrg 0eganq 0enwfg 0es5oz 0ess1k 0faari 0foksf 0gd9bf 0gia1m 0gim9b 0gjswb 0gjvxp 0gklqr 0gnnt9 0gtkue 0guvdk 0h4blq 0h4ofm 0hfbkg 0hiep1 0hl5vh 0hlc3x 0hmdi2 0hmdiu 0iilt4 0j5mer 0jef9e 0jh2vh 0jhtex 0jjzqc 0joebq 0juxgq 0jvtes 0kjboo 0kngxi 0kwngu 0kxtzj 0lcosd 0lezti 0lhlgs 0lnajf 0lqpph 0lrgre 0lvdaw 0mbvys 0mi31c 0mm2de 0nbd8d 0nfegu 0ogm1f 0olerp 0on1yf 0oqq1x 0oxcwz 0oyjgo 0p6zxx 0pun6d 0q5ger 0q6frx 0q9ity 0qaf4b 0qfuof 0qrqeu 0qtl67 0qyrcj 0r6tbq 0rmgbe 0rpimy 0rpmyl 0rv1f8 0rxnru 0sbtxd 0senfy 0sgonf 0slxkr 0sogh3 0sq6ie 0sxqqu 0szzsa 0t8acb 0t9pfs 0tfks6 0tgque 0tjx8h 0u5k7v 0unbec 0uradt 0urq3q 0uta83 0uzprk 0v5dfu 0vqc2r 0vxhat 0vxnkw 0w6jyz 0w7knj 0wu4kl 0wz5tr 0x1qiw 0x63s4 0x6a7o 0xaaub 0xeil1 0xo5yn 0xrpvu 0xx3hk 0y8n4q 0ycepx 0yeapq 0yi3nm 0yiobn 0yxwkl 0zcues 0zelby 0ziu9u 0zmkya 0zreem 0zvms9 0zwgx9 10g8ki 12dggb 13mp4u 14fjnq 14fkid 14quhf 14zvhy 15bj8p 15soim 15topm 16bhoj 16jsrg 16oldc 16onzh 17hed6 17mkzd 17usze 18kvrq 18mmn2 19betq 19rlft 19tutk 19vpjn 19wiqd 1a7wmt 1aaymn 1akyt8 1asirm 1bcg2o 1bg94j 1blmny 1bslan 1bukmx 1bw9f8 1cahhd 1cb4ko 1cbxpw 1ciuwl 1cjqrg 1ckggh 1cnkef 1coswo 1coznb 1devil 1dey2n 1dgr4p 1dioyr 1dph6j 1dv5vq 1e9jbj 1eabcv 1eqjju 1eu4lp 1f0hln 1f4o67 1f5c3b 1fbdhn 1fo7tv 1fottc 1fri3d 1fryuk 1fvysa 1fy4bd 1getts 1ghxzy 1gyexj 1h6icu 1hbglt 1hfluh 1hhqna 1hjat2 1hpbxt 1i7ryf 1iaqnp 1igeop 1igqmr 1ipdax 1j2v0p 1jgsyq 1jikfz 1jm4cp 1jyawi 1k2kvp 1kbpgd 1kdu98 1kvvet 1kyfgu 1lae98 1lkesp 1lna7l 1lpm8e 1lupth 1m08dx 1m8vkd 1m9bo8 1mg3ha 1micki 1mqdsx 1mupiw 1mvofp 1n2xo5 1nfexj 1ngw50 1nr5sy 1o4m2i 1ojyrx 1omb8j 1ozlxj 1ozmz6 1pridj 1pseyq 
1pxrsn 1q3ptz 1q3thg 1qllzn 1qra03 1raqpw 1rb2gu 1rbtu4 1ribqz 1rygkd 1s7kn0 1slbol 1sw9ar 1tfvbb 1tihrp 1tkyev 1tn29j 1tnhkw 1tpblj 1txwra 1tycqx 1ueqgd 1ukude 1uo8iy 1urwba 1usqrj 1uvxmd 1uzwhl 1vgxt9 1vwkoc 1w0ied 1wfsks 1whdgb 1wpkre 1wr5rg 1wsvrp 1wzlxn 1xgow5 1xjjes 1y8mr7 1yanr7 1yhunx 1yjuga 1yqtjl 1z9cxe 1zcbhj 1zxyve 20zbln 21adq0 21dwzi 21ghy7 21gj9z 21ndte 21oyjn 21s8os 23mdip 23yd0z 24aro5 24cpne 25fhdd 25ikb6 25lzj3 260uwp 26vlcz 26x5na 27brhe 29jvhi 2adoqi 2akoul 2anwem 2arqez 2azznj 2b8n3q 2befys 2bggcd 2bir8b 2blqhm 2blukk 2bpivj 2bqo0x 2bsidd 2bultj 2bxszf 2canrt 2cmwk9 2dbh71 2dm1hd 2dqfjn 2dwyn7 2dzvpw 2e1zvh 2ecpom 2ejalk 2epwfb 2ercji 2etrfa 2etvis 2eymrl 2f0wxk 2fersd 2fnrye 2fsvyg 2g4eus 2ga3oe 2gdehd 2gi6jq 2glrum 2guqot 2gwvif 2ihrhe 2irkap 2izmeu 2jdj9v 2jgzqt 2jkozr 2jqv3h 2jsukg 2jwtbh 2kkzhj 2knpu8 2l7dky 2lgawo 2lgayw 2lh1gv 2limoc 2m9zho 2mcer1 2mfda6 2mktqo 2mqbvz 2mwcld 2mxo1l 2mzaxq 2nhlrn 2o0lov 2o1mfa 2o9fkd 2oaobn 2ocuye 2odsd0 2ofeyj 2omalh 2osplf 2pizlu 2pntiq 2pvxdo 2px0et 2pxnr0 2pxogx 2qjalh 2qkvtc 2qpthe 2r8ttl 2rcmci 2rfbhp 2rjxvu 2rknin 2rkwug 2rspug 2rtm13 2rxhfn 2s1elx 2sdryw 2si9ts 2sndla 2somkm 2sprjd 2strin 2t7pvz 2tbspk 2tefgz 2tj5vf 2tjnam 2tnify 2tuev3 2tzfqn 2tzmd7 2tzuhm 2ubxm6 2ud43l 2ufozp 2up8cg 2uuvfz 2uvn1g 2uxdh3 2uz7dm 2vdwcg 2vfcjy 2vrno7 2wpdwh 2wrvwi 2x4ct9 2x8jlc 2xj59t 2xouvk 2xv1pi 2xwqmf 2ylexc 2ysyu5 2ytahr 2yzkip 2z37mp 2zamxh 2zfivy 2zil5a 2zjp9s 2zpqh4 2zsbs5 30dtrs 30kil9 30pm2n 31oizc 326mbg 329rxj 32znio 34hagr 34opqr 34rhps 34sgyb 34v6fo 358hx2 35j01w 35jly4 35qcmb 36hvuq 36mgrp 36naqh 36zdwc 37ieeb 37ksrr 37upab 384vwt 38ktvt 38qe1m 38rper 3aa8rp 3afsfu 3ao2zr 3atdol 3awnhp zwscho zwuhqg zwuqvh zwxoy6 zx2hwj zxd2gj zxe1ds zxhixb zxhpwa zxjaib zxmion zxnmer zxpnva zxppcl zxrgfh zxtoh5 zxvamd zxy3kl zy4nw0 zy5wco zy61nk zyabti zyapks zyfota zyogai zytotn zyvlss zyw7k5 zz7yld zzf38l zzgktf zzlbeu zzojwa zzr3fs zzryek
···
Cumulative Blocked Domains (excluding .com)
[Chart: cumulative blocked domains per TLD, 3 Sep 2019 to 22 Feb 2020, y-axis to 45,000. Legend as recovered: agency, biz, cloud, co.kr, fit, gdn, icu, info, life, live, monster, net, org, pet, ru, site, tokyo, top. Annotated series: .us and .icu]
Blocked Names Often Get Blocked Again
(excludes .com; this month)
[Chart: per-TLD count of names blocked again this month, y-axis to 1,600. Legend as recovered: agency, biz, cloud, co.kr, fit, gdn, icu, info, life, live, monster, net, org, pet, ru, site, tokyo, top. Annotation: .fit, .work, .xyz 23 Feb]
Top 10 Subnets for Blocked Domains (23 Feb)

Subnet               Owner                  Occurrences
3.208.0.0/12         Amazon AWS                   1,569
3.80.0.0/12          Amazon AWS                     549
34.192.0.0/12        Amazon AWS                     263
18.232.0.0/14        Amazon AWS                     262
3.224.0.0/12         Amazon AWS                     155
54.80.0.0/14         Amazon AWS                     134
160.181.224.0/19     ZA                             115
49.156.160.0/19      Ace, Inc., JP                  100
104.238.196.0/24     Infiltrate, LLC, US             99
116.50.32.0/20       TW                              93
Top 10 AS for A Addresses (23 Feb)

ASN      AS                                                    Occurrences
14618    AMAZON-AES - Amazon.com, Inc.                               3,012
16509    AMAZON-02 - Amazon.com, Inc.                                  232
13335    CLOUDFLARENET - CloudFlare, Inc.                              144
26496    AS-26496-GO-DADDY-COM-LLC - GoDaddy.com, LLC                  143
137443   ANCHGLOBAL-AS-AP Anchnet Asia Limited, HK                     117
40034    CONFLUENCE-NETWORK-INC - Confluence Networks Inc              108
56291    ACE-AS-AP Ace, Inc.                                           107
22612    NAMECHEAP-NET - Namecheap, Inc.                               107
396932   HOSTINSANITY, US                                               99
18046    DONGFONG-TW DongFong Technology Co. Ltd.                       93
Top 10 AS for NS Addresses (23 Feb)

ASN            AS                                                                   Occurrences
14618          AMAZON-AES - Amazon.com, Inc.                                              6,020
38283          CHINANET-SCIDC-AS-AP CHINANET SiChuan Telecom Internet Data Center           722
4134           CHINANET-BACKBONE No.31,Jin-rong Street                                      604
16509          AMAZON-02 - Amazon.com, Inc.                                                 582
26496 & 44273  GO-DADDY-COM-LLC, US, GODADDY-DNS, CH                                        532
13335          CLOUDFLARENET - CloudFlare, Inc.                                             452
55002          DEFENSE-NET - Defense.Net, Inc                                               402
2519           VECTANT VECTANT Ltd.                                                         368
4837           CHINA169-BACKBONE CNCGROUP China169 Backbone                                 284
133119         UNICOM-CN China Unicom IP network, CN                                        240
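The subnet and AS tables on slides 12 to 14 come from resolving each blocked name's A and NS records and rolling the addresses up to the prefix (or AS) that contains them. The Python below is an added example, not the deck's tooling: it does the roll-up with a longest-prefix match over a small prefix-to-owner table. Only the first three prefixes and their owner are taken from slide 12; the fourth prefix, the domains and the addresses are constructed, and the table stands in for a routing-data lookup such as the Team Cymru service the deck lists.

```python
"""Roll up the addresses behind blocked domains by owning prefix.

Added example, not from the ECAINA deck. The prefix table stands in for a
routing-data lookup; domains, addresses and the fourth prefix are constructed.
"""
import ipaddress
from collections import Counter

PREFIX_OWNERS = {
    "3.208.0.0/12": "Amazon AWS",       # from slide 12
    "3.80.0.0/12": "Amazon AWS",        # from slide 12
    "34.192.0.0/12": "Amazon AWS",      # from slide 12
    "198.51.100.0/24": "Example Hosting (constructed)",
}

# Constructed: domain -> A-record addresses observed for it on one day.
A_RECORDS = {
    "aaddxs.icu": ["3.210.5.7"],
    "aaeazr.icu": ["3.210.5.7", "3.81.9.9"],
    "example-shop.site": ["198.51.100.20"],
    "example-one.us": ["203.0.113.4"],   # covered by no known prefix
}


def build_table(prefix_owners):
    """Parse prefixes once, longest prefix first, so the first hit is the most specific."""
    nets = [(ipaddress.ip_network(p), owner) for p, owner in prefix_owners.items()]
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return nets


def match_prefix(addr, nets):
    """Return (prefix, owner) for the most specific covering prefix, or (None, 'unknown')."""
    ip = ipaddress.ip_address(addr)
    for net, owner in nets:
        if ip in net:
            return str(net), owner
    return None, "unknown"


def top_prefixes(records, prefix_owners, n=10):
    """Return [(prefix_or_address, owner, occurrences)], one occurrence per (domain, address).

    Duplicate addresses within one domain are counted once; addresses outside
    every known prefix are reported individually so they are not silently lost.
    """
    nets = build_table(prefix_owners)
    counts, owners = Counter(), {}
    for domain, addrs in records.items():
        for addr in set(addrs):
            prefix, owner = match_prefix(addr, nets)
            key = prefix or addr
            counts[key] += 1
            owners[key] = owner
    return [(key, owners[key], c) for key, c in counts.most_common(n)]


if __name__ == "__main__":
    for prefix, owner, occurrences in top_prefixes(A_RECORDS, PREFIX_OWNERS):
        print(f"{prefix:<20} {owner:<32} {occurrences}")
```

Counting one occurrence per (domain, address) pair is what makes the Amazon rows on slide 12 comparable across prefixes; counting per domain instead would hide multi-homed names, and counting raw resolutions would over-weight names resolved more than once.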
Challenges
◼ Unavailability/reliability of Whois data
◼ Unavailability of RDAP data
◼ Rate limiting – e.g., Whois, dns.coffee
◼ Timing of Whois/RDAP data vs. appearance on blocklist
◼ Registrar names are not canonical
ECAINA … Exposing Criminal Abuse of Internet Names and Addresses
Questions?