Understanding the Domain Registration Behavior of Spammers - PowerPoint PPT Presentation

SLIDE 1

Understanding the Domain Registration Behavior of Spammers

Shuang Hao, Matthew Thomas, Vern Paxson, Nick Feamster, Christian Kreibich, Chris Grier, Scott Hollenbeck

SLIDE 2

Overview

Domain Abuse

  • Domain names represent valuable Internet resources
  • Domain abuse

– Spam contains URLs leading to scam sites

Example spam message: "Hello, By visiting this site you can decide any watch that you like http://www.bad-domain.com/qjkx" (the URL leads to a scam site)

  • Top-level domain name: com
  • Second-level domain name: bad-domain.com
  • Host name: www.bad-domain.com

SLIDE 3

Overview

Spammers Exploit Domains

  • More agile and reliable for attacks

– Domain space is very big
– Domain cost is small
– Not easy to detect

SLIDE 4

Overview

Motivation: Early Detection

Timeline: Pre-attack (domain registration) → Attack (spamming) → Post-attack

– Most research focuses on activities after spam is sent: spam content filtering, IP blacklisting, URL crawling, DNS traffic analysis, etc.
– Problem: this leaves a window for spam dissemination and monetization
– Ultimate goal: Detect spammer domains at time-of-registration rather than later at time-of-use

SLIDE 5

Outline

Talk Outline

  • Motivation
  • Registration Process and Data Collection
  • DNS Infrastructure Used for Spammer Domains
  • Detecting Registration Spikes
  • Domain Life-cycle Role Analysis
  • Summary

SLIDE 6

Background

Domain Registration Process

Figure: Registrant → Registrar (e.g., GoDaddy; brokers registrations) → Registry (e.g., Verisign; manages the registration database) → database update → top-level nameservers

SLIDE 7

Background

Life Cycle Chart

Active (1-10 years) → Auto-Renew Grace (45 days) → Redemption Grace (30 days) → Pending Delete (5 days) → Available

Arrows in the chart: Renew (back to Active); Re-registration (from Available to a new Active period)

SLIDE 8

Background

Data Collection

Timeline: Pre-attack (domain registration) → Attack (spamming) → Post-attack

1. Which domains were newly registered in the .com zone
2. Whether those domains were used in spamming activities after registration

SLIDE 9

Background

Data Statistics

  • (1) Verisign .com domain registrations over 5 months

– 12,824,401 new .com domains during March – July, 2012
– Epoch: Zone file updates every 5 minutes
– Registration information:

  • Registrars
  • Nameservers
  • Registration history

  • (2) Spammer domains

– 134,455 new .com domains were blacklisted later
– Spam trap, URIBL, and SURBL during March – October, 2012 (8 months)

SLIDE 10

Outline

Talk Outline

  • Motivation
  • Registration Process and Data Collection
  • DNS Infrastructure Used for Spammer Domains

– Registrars and Authoritative Nameservers

  • Detecting Registration Spikes
  • Domain Life-cycle Role Analysis
  • Conclusion

SLIDE 11

Infrastructure

Registrars Hosting Spammer Domains

  • Question: What registrars do spammers choose to register domains?
  • Confirmation*: A handful of registrars account for the majority of spammer domains

The registrars ranked by the percentages of spammer domains:

Rank  Registrar                            Spam %
1     eNom, Inc.                           27.03%
2     Moniker Online Services, Inc.        19.01%
3     Tucows.com Co.                        4.47%
8     OnlineNIC, Inc.                       2.13%
9     Center of Ukrainian Internet Names    2.07%
10    Register.com, Inc.                    1.89%

Share accounted for by the top registrars: spammer domains 70%; all domains added to the zone 20%

*Levchenko, K. et al. Click Trajectories: End-to-End Analysis of the Spam Value Chain. In Proceedings of the IEEE Symposium on Security and Privacy, 2011

SLIDE 12

Infrastructure

Spam Proportions on Registrars

  • Question: Do registrars only host spammer domains?
  • Finding: Spammers primarily use popular registrars

Figure: scatter plot of spammer domain counts versus non-spammer domain counts per registrar (both axes log scale, 10 to 10^7). Labelled registrars: Moniker Online Services, Inc.; GoDaddy.com, LLC; ABSystems Inc; INTERNET.bs Corp.; Tucows.com Co.; Bizcn.com, Inc.; Trunkoz Technologies Pvt Ltd. d/b/a OwnRegistrar.com; OnlineNIC, Inc.; eNom, Inc.; Center of Ukrainian Internet Names; PDR Ltd. d/b/a PublicDomainRegistry.com; Register.com, Inc.

SLIDE 13

Infrastructure

Authoritative Nameservers

  • Question: Do spammers use particular nameservers?
  • Finding: Spammers often use the nameservers provided by the registrars

– Example: the DNS server hosting the greatest number of spammer domains is ns1.monikerdns.net, but 99.77% of all domains on it were registered through the same registrar, Moniker Online Services, Inc.

SLIDE 14

Outline

Talk Outline

  • Motivation
  • Registration Process and Data Collection
  • DNS Infrastructure Used for Spammer Domains
  • Detecting Registration Spikes
  • Domain Life-cycle Role Analysis
  • Summary

SLIDE 15

Spike Pattern

An Example of Bulk Registration

  • Question: Do spammers register domains in groups?
  • Domains registered by eNom every 5 minutes on March 5th, 2012

Figure: time series of new domains every 5 minutes and new spammer domains every 5 minutes
SLIDE 16

Spike Pattern

Distribution of Spammer Domain Registration

  • Distribution of the number of spammer domains registered within the same registrar and epoch

– Only 20% of the spammer domains got registered in isolation

  • Finding: Spammers perform registrations in batches
SLIDE 17

Spike Pattern

Modeling Registration Batch Size

  • Question: How to identify "abnormally large" registration batches?
  • Build an hourly model to fit diurnal patterns
  • Compound Poisson to represent the customer purchase behaviors

Figure: fitted batch-size distribution for eNom, Inc., hourly window, 10AM–11AM ET. Spike: a batch size with low probability under the model
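The slide names the model (an hourly compound Poisson fit, with a spike defined as a low-probability batch size) without spelling out how to fit it or score an epoch. The Python below is an added example, not the authors' code: it buckets registrations into the talk's 5-minute epochs, fits a compound Poisson model by the method of moments to constructed per-epoch counts from one registrar's hour-of-day window, and flags an epoch whose count has a small upper-tail probability. The geometric batch-size distribution, the 1e-3 tail threshold, the registrar name and all counts are assumptions constructed for the example.

```python
"""Flag registration spikes with an hourly compound Poisson model (added example)."""
from collections import Counter
from datetime import datetime
from math import exp
from statistics import mean, pvariance

EPOCH_MINUTES = 5           # zone file update interval from the talk
SPIKE_THRESHOLD = 1e-3      # assumption: tail probability below this counts as a spike


def bucket_by_epoch(records):
    """Count registrations per (registrar, 5-minute epoch start).

    records: iterable of (domain, registrar, datetime) tuples (constructed input).
    """
    counts = Counter()
    for _domain, registrar, ts in records:
        start = ts.replace(minute=ts.minute - ts.minute % EPOCH_MINUTES,
                           second=0, microsecond=0)
        counts[(registrar, start)] += 1
    return counts


def fit_hourly_model(history):
    """Method-of-moments fit of a compound Poisson model with geometric batch sizes.

    history: per-epoch counts seen in one registrar's hour-of-day window on past days.
    Purchase events arrive at rate lam per epoch and each buys Geometric(p) domains
    (mean 1/p), so mean = lam/p and variance = lam*(2-p)/p**2.
    Returns (lam, p); if the counts are not overdispersed, p = 1 reduces to a plain Poisson.
    """
    m, v = mean(history), pvariance(history)
    if v <= m:
        return m, 1.0
    p = 2 * m / (v + m)
    return m * p, p


def compound_poisson_pmf(lam, p, n_max):
    """P(N = n) for n = 0..n_max via the Panjer recursion for Poisson frequency."""
    g = [exp(-lam)]
    for n in range(1, n_max + 1):
        acc = 0.0
        for j in range(1, n + 1):
            f_j = p * (1 - p) ** (j - 1)          # geometric batch-size pmf on {1, 2, ...}
            acc += j * f_j * g[n - j]
        g.append(lam / n * acc)
    return g


def tail_probability(lam, p, count):
    """P(N >= count) under the fitted model."""
    if count <= 0:
        return 1.0
    return max(0.0, 1.0 - sum(compound_poisson_pmf(lam, p, count - 1)))


def is_spike(lam, p, count, threshold=SPIKE_THRESHOLD):
    """True when an epoch's count is improbably large under the hourly model."""
    return tail_probability(lam, p, count) < threshold


def demo():
    """Score constructed epochs; returns {(registrar, epoch start): (count, spike?)}."""
    # Constructed history: counts per 5-minute epoch in one registrar's 10AM-11AM
    # window on three earlier days (12 epochs per hour); deliberately overdispersed.
    history = [3, 12, 4, 1, 2, 9, 7, 1, 13, 4, 2, 5,
               2, 11, 5, 1, 3, 4, 10, 8, 1, 3, 9, 4,
               4, 5, 12, 2, 1, 11, 3, 5, 8, 1, 6, 5]
    lam, p = fit_hourly_model(history)
    # Constructed records for one day: a small batch at 10:07 and a bulk batch at 10:41.
    day = datetime(2012, 3, 5)
    records = [("small-%d.com" % i, "registrar-A", day.replace(hour=10, minute=7)) for i in range(5)]
    records += [("bulk-%d.com" % i, "registrar-A", day.replace(hour=10, minute=41)) for i in range(40)]
    return {key: (count, is_spike(lam, p, count))
            for key, count in bucket_by_epoch(records).items()}


if __name__ == "__main__":
    for (registrar, epoch), (count, spike) in sorted(demo().items()):
        print(registrar, epoch.time(), count, "SPIKE" if spike else "normal")
```

The model is keyed by registrar and hour of day, which is what lets it absorb the diurnal pattern the slide mentions: a count that is ordinary at 10AM can still be a spike at 3AM. The geometric batch size is a convenience choice; any discrete severity distribution works with the same Panjer recursion.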

SLIDE 18

Spike Pattern

Registrations in Spikes

  • Finding: Spammer domains appear in spikes with a much higher likelihood

Spammer domains in spikes: 42%
All domains in spikes: 15%

SLIDE 19

Outline

Talk Outline

  • Motivation
  • Registration Process and Data Collection
  • DNS Infrastructure Used for Spammer Domains
  • Detecting Registration Spikes
  • Domain Life-cycle Role Analysis
  • Conclusion

SLIDE 20

Life Cycle

Life Cycle Categories

  • Brand-new

– The domain has never appeared in the zone before

  • Re-registration

– The domain has previously appeared in the zone

  • Drop-catch: re-registered immediately after its release
  • Retread: some time elapses between a domain's prior deletion and its re-registration

Life cycle chart (as on slide 7): Active (1-10 years) → Auto-Renew Grace (45 days) → Redemption Grace (30 days) → Pending Delete (5 days) → Available; arrows for Renew and Re-registration

SLIDE 21

Life Cycle

Prevalence of Different Categories

  • Question: What type of domains is more likely to be used in spam?

Conditional probability of being a spammer domain:

                 Brand-new   Re-registration
                             Drop-catch   Retread
All domains      1.01%       0.33%        1.34%
In spikes        2.61%       0.37%        4.48%

  • Finding: Spammers commonly re-register expired domains, especially when performing bulk registrations

SLIDE 22

Life Cycle

Malicious Activities before Retread

  • Question: Do spammers re-register previous spammer domains?
  • Introspect with spam trap and blacklists before the re-registration time (October 2011 – February 2012)

– Only 6.8% had appeared in a blacklist before re-registration

  • Finding: Spammers re-register expired domains with clean histories

SLIDE 23

Life Cycle

Dormancy before Retread

  • Question: How long is the gap between deletion and re-registration?

– 65% of retread spammer domains were deleted less than 90 days before

  • Finding: Spammers have a trend to re-register domains that expired more recently
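Slides 7, 20 and 23 together define the roles a new registration can play (brand-new, drop-catch, retread) in terms of the zone's history and the post-expiration grace periods. The Python below is an added example, not the authors' code: it reconstructs a domain's last deletion from constructed zone snapshots, classifies each registration, computes the availability date implied by the life-cycle chart, and measures how many retreads were deleted less than 90 days earlier. It assumes daily snapshots (the talk's data has 5-minute epochs), dates a deletion to the first snapshot lacking the domain, and treats "immediately after release" as within one day; the domain names and dates are constructed.

```python
"""Classify new registrations by life-cycle role and measure retread dormancy (added example)."""
from datetime import date, timedelta

# Post-expiration phases from the life-cycle chart in the talk
AUTO_RENEW_GRACE = timedelta(days=45)
REDEMPTION_GRACE = timedelta(days=30)
PENDING_DELETE = timedelta(days=5)
# Assumption: "immediately after release" means within one day of leaving the zone
DROP_CATCH_WINDOW = timedelta(days=1)
RECENT_DELETION = timedelta(days=90)     # dormancy bound used on the slide


def available_date(expiration):
    """Day an unrenewed domain becomes available again after all grace periods."""
    return expiration + AUTO_RENEW_GRACE + REDEMPTION_GRACE + PENDING_DELETE


def last_deletion(domain, snapshots, registered):
    """Most recent day before `registered` on which `domain` left the zone, or None.

    snapshots: dict mapping snapshot date -> set of domains present in the zone.
    A deletion is dated to the first snapshot in which the domain is absent.
    """
    days = sorted(d for d in snapshots if d < registered)
    deleted = None
    for prev, cur in zip(days, days[1:]):
        if domain in snapshots[prev] and domain not in snapshots[cur]:
            deleted = cur
    return deleted


def classify(registered, deleted):
    """Return brand-new / drop-catch / retread for a registration on `registered`."""
    if deleted is None:
        return "brand-new"
    if registered - deleted <= DROP_CATCH_WINDOW:
        return "drop-catch"
    return "retread"


def dormancy_summary(registrations, snapshots):
    """Per-role counts plus the share of retreads deleted less than 90 days earlier.

    registrations: list of (domain, registration date) tuples.
    """
    counts = {"brand-new": 0, "drop-catch": 0, "retread": 0}
    recent = total_retread = 0
    for domain, registered in registrations:
        deleted = last_deletion(domain, snapshots, registered)
        role = classify(registered, deleted)
        counts[role] += 1
        if role == "retread":
            total_retread += 1
            if registered - deleted < RECENT_DELETION:
                recent += 1
    share = recent / total_retread if total_retread else 0.0
    return counts, share


def demo():
    """Run the classifier on constructed zone snapshots and registrations."""
    snapshots = {  # constructed daily zone snapshots
        date(2011, 10, 1): {"old-shop.com", "watch-deals.com", "stale-news.com"},
        date(2011, 12, 1): {"old-shop.com", "watch-deals.com"},        # stale-news.com deleted
        date(2012, 1, 10): {"old-shop.com"},                           # watch-deals.com deleted
        date(2012, 3, 4): set(),                                       # old-shop.com deleted
        date(2012, 3, 5): {"old-shop.com", "watch-deals.com", "stale-news.com", "bad-domain.com"},
    }
    registrations = [  # all registered on 2012-03-05
        ("bad-domain.com", date(2012, 3, 5)),    # never seen before  -> brand-new
        ("old-shop.com", date(2012, 3, 5)),      # deleted the day before -> drop-catch
        ("watch-deals.com", date(2012, 3, 5)),   # deleted 55 days earlier -> retread
        ("stale-news.com", date(2012, 3, 5)),    # deleted 95 days earlier -> retread
    ]
    counts, share = dormancy_summary(registrations, snapshots)
    return {"counts": counts, "recent_share": share,
            "example_available": available_date(date(2012, 1, 1)).isoformat()}


if __name__ == "__main__":
    print(demo())
```

With real zone data the snapshot dictionary would be replaced by the per-epoch zone deltas the talk describes, which is exactly what makes the deletion date, and therefore the drop-catch versus retread distinction, precise to 5 minutes rather than a day.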

SLIDE 24

Summary

Takeaways

  • Positive actions from specific registrars could have a significant impact in impeding spammer domain registrations
  • Pay attention to bulk registrations: spammers find economic and/or management benefit in registering domains in large batches
  • In addition to generating names, spammers take advantage of re-registering expired domains that originally had a clean history

SLIDE 25

Summary

Summary

  • We studied the fine-grained domain registration of the .com zone over a 5-month period
  • Registration patterns have power to distinguish spammer domains, but there is no striking signal that separates good domains from bad ones
  • Next steps

– Develop a detector against spammer domains at registration time
– Investigate further the reasons for spammer registration strategies

http://www.cc.gatech.edu/~shao