<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Publications on lordievader&#39;s blog</title>
    <link>https://www.oliviervandertoorn.nl/publications/</link>
    <description>Recent content in Publications on lordievader&#39;s blog</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en</language>
    <lastBuildDate>Wed, 07 Jul 2021 14:50:00 +0200</lastBuildDate><atom:link href="https://www.oliviervandertoorn.nl/publications/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Proactive Threat Detection: A DNS based approach</title>
      <link>https://www.oliviervandertoorn.nl/publications/thesis/</link>
      <pubDate>Mon, 26 Sep 2022 00:00:00 +0200</pubDate>
      
      <guid>https://www.oliviervandertoorn.nl/publications/thesis/</guid>
      <description>The second publication for the TIDE project. It has received the Best Paper Award at NOMS 2018.
Snowshoe spam is a type of spam which is notoriously hard to detect. Differently from regular spam, snowshoe spammers distribute the volume among many hosts, in order to make detection harder. To be successful, however, spammers need to appear as legitimate as possible, for example, by adopting email best practice like Sender Policy Framework (SPF).</description>
      <content>&lt;p&gt;The second publication for the TIDE project. &lt;a href=&#34;https://www.oliviervandertoorn.nl/blog/noms2018_post/&#34;&gt;It has received the Best Paper
Award at NOMS 2018.&lt;/a&gt;&lt;/p&gt;

&lt;link rel=&#34;stylesheet&#34; href=&#34;https://www.oliviervandertoorn.nl/css/hugo-easy-gallery.css&#34; /&gt;
&lt;div class=&#34;box&#34; &gt;
  &lt;figure class=&#34;paper&#34; itemprop=&#34;associatedMedia&#34; itemscope itemtype=&#34;http://schema.org/ImageObject&#34;&gt;
    &lt;div class=&#34;img&#34;&gt;
      &lt;img itemprop=&#34;thumbnail&#34; src=&#34;https://www.oliviervandertoorn.nl/img/publications/noms2018.png&#34; /&gt;
    &lt;/div&gt;
    &lt;a href=&#34;https://www.oliviervandertoorn.nl/thesis/thesis.pdf&#34; itemprop=&#34;contentUrl&#34;&gt;&lt;/a&gt;
  &lt;/figure&gt;
&lt;/div&gt;

&lt;blockquote&gt;
&lt;p&gt;Snowshoe spam is a type of spam which is notoriously hard to detect.
Differently from regular spam, snowshoe spammers distribute the volume among
many hosts, in order to make detection harder. To be successful, however,
spammers need to appear as legitimate as possible, for example, by adopting
email best practice like Sender Policy Framework (SPF). This requires
spammers to register and configure legitimate DNS domains. Previous studies
use DNS data to detect spam. However, this often happens based on passive
DNS data. In this paper we take a different approach. We make use of active
DNS measurements, covering more than 60% of the namespace, in combination
with machine learning to identify malicious domains crafted for snowshoe
spam. Our results show that we are able to detect snowshoe spam domains with
a precision of more than 93%. Also, we are able to detect a subset of the
malicious domains 2–104 days earlier than the spam reputation systems
(blacklists) currently in use, which suggests our method can give us a time
advantage in the fight against spam. In a real-life scenario, we have shown
that our results allow spam filter operators to block spam that would
otherwise bypass their mail filter. A Realtime Blackhole List (RBL) based on
our approach is currently deployed in the operational network of a major
Dutch ISP.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Slides of the presentation are available here: &lt;a href=&#34;https://www.oliviervandertoorn.nl/slides/noms2018.pdf&#34;&gt;pdf&lt;/a&gt;&lt;/p&gt;
&lt;hr&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th style=&#34;text-align:left&#34;&gt;Title&lt;/th&gt;
&lt;th style=&#34;text-align:left&#34;&gt;&lt;a href=&#34;https://ieeexplore.ieee.org/abstract/document/8406222/?reload=true&#34;&gt;Melting the Snow: Using Active DNS Measurements to Detect Snowshoe Spam Domains&lt;/a&gt;&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Authors&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Olivier van der Toorn, Roland van Rijswijk-Deij, Bart Geesink, Anna Sperotto&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Publication date&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;2018/4/23&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Conference&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;NOMS 2018&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
</content>
    </item>
    
    <item>
      <title>ANYway: Measuring the Amplification DDoS Potential of Domains (preprint)</title>
      <link>https://www.oliviervandertoorn.nl/publications/cnsm2021/</link>
      <pubDate>Fri, 17 Sep 2021 01:00:00 +0100</pubDate>
      
      <guid>https://www.oliviervandertoorn.nl/publications/cnsm2021/</guid>
      <description>DDoS attacks threaten Internet security and stability, with attacks reaching the Tbps range. A popular approach involves DNS-based reflection and amplification, a type of attack in which a domain name, known to return a large answer, is queried using spoofed requests. Do the chosen names offer the largest amplification, however, or have we yet to see the full amplification potential? And while operational countermeasures are proposed, chiefly limiting responses to ‘ANY’ queries, up to what point will these countermeasures be effective?</description>
      <content>
&lt;link rel=&#34;stylesheet&#34; href=&#34;https://www.oliviervandertoorn.nl/css/hugo-easy-gallery.css&#34; /&gt;
&lt;div class=&#34;box&#34; &gt;
  &lt;figure class=&#34;paper&#34; itemprop=&#34;associatedMedia&#34; itemscope itemtype=&#34;http://schema.org/ImageObject&#34;&gt;
    &lt;div class=&#34;img&#34;&gt;
      &lt;img itemprop=&#34;thumbnail&#34; src=&#34;https://www.oliviervandertoorn.nl/img/publications/cnsm2021.png&#34; /&gt;
    &lt;/div&gt;
    &lt;a href=&#34;https://www.oliviervandertoorn.nl/papers/cnsm2021.pdf&#34; itemprop=&#34;contentUrl&#34;&gt;&lt;/a&gt;
  &lt;/figure&gt;
&lt;/div&gt;

&lt;blockquote&gt;
&lt;p&gt;DDoS attacks threaten Internet security and stability, with attacks reaching
the Tbps range. A popular approach involves DNS-based reflection and
amplification, a type of attack in which a domain name, known to return a large
answer, is queried using spoofed requests. Do the chosen names offer the
largest amplification, however, or have we yet to see the full amplification
potential? And while operational countermeasures are proposed, chiefly limiting
responses to ‘ANY’ queries, up to what point will these countermeasures be
effective?  In this paper we make three main contributions. First, we propose
and validate a scalable method to estimate the amplification potential of a
domain name, based on the expected ANY response size. Second, we create
estimates for hundreds of millions of domain names and rank them by their
amplification potential.  By comparing the overall ranking to the set of
domains observed in actual attacks in honeypot data, we show whether attackers
are using the most-potent domains for their attacks, or if we may expect larger
attacks in the future. Finally, we evaluate the effectiveness of blocking ANY
queries, as proposed by the IETF, to limit DNS-based DDoS attacks, by
estimating the decrease in attack volume when switching from ANY to other query
types.  Our results show that by blocking ANY, the response size of domains
observed in attacks can be reduced by 57%, and the size of most-potent domains
decreases by 69%. However, we also show that dropping ANY is not an absolute
solution to DNS-based DDoS, as a small but potent portion of domains remain
leading to an expected response size of over 2,048 bytes to queries other than
ANY.&lt;/p&gt;
&lt;/blockquote&gt;
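&lt;p&gt;The following is an added example, not code from the ANYway paper, showing how the amplification potential of a name can be estimated from its record sets. It assumes a simplified wire-format size model (no name compression, no EDNS(0) OPT record, only header, question and answer section counted) and a constructed sample zone whose RDATA sizes are modelled on typical record lengths, not measured data. It computes the expected ANY response size, the per-type sizes, the amplification factor (response bytes divided by query bytes) and what refusing ANY leaves as the most potent remaining query type.&lt;/p&gt;

```python
"""Estimate a domain's DNS amplification potential from its record sets.

Added example; not the ANYway paper's code or data. Simplified wire-format
model: no name compression, no EDNS(0) OPT record, only header + question +
answer section counted. Amplification factor = response bytes / query bytes.
"""
from dataclasses import dataclass

HEADER_SIZE = 12  # fixed-size DNS message header


def wire_name_size(name: str) -> int:
    """Uncompressed wire size of a name: one length byte per label plus the root byte."""
    labels = [lbl for lbl in name.strip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1


@dataclass
class RR:
    name: str
    rtype: str
    rdata_size: int  # RDATA length in bytes

    def wire_size(self) -> int:
        # NAME + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) + RDATA
        return wire_name_size(self.name) + 10 + self.rdata_size


def query_size(qname: str) -> int:
    """Size of a minimal query: header + QNAME + QTYPE(2) + QCLASS(2)."""
    return HEADER_SIZE + wire_name_size(qname) + 4


def response_size(qname: str, rrs) -> int:
    """Header + echoed question + the given answer RRs."""
    return query_size(qname) + sum(rr.wire_size() for rr in rrs)


def expected_sizes(qname: str, rrs) -> dict:
    """Expected response size per query type; 'ANY' returns every record at the name."""
    by_type = {}
    for rr in rrs:
        by_type.setdefault(rr.rtype, []).append(rr)
    sizes = {t: response_size(qname, group) for t, group in by_type.items()}
    sizes["ANY"] = response_size(qname, rrs)
    return sizes


def amplification(qname: str, rrs) -> dict:
    """Amplification factor per query type (response bytes / query bytes)."""
    q = query_size(qname)
    return {t: s / q for t, s in expected_sizes(qname, rrs).items()}


def most_potent_without_any(qname: str, rrs):
    """(qtype, factor) of the best remaining query once ANY is refused."""
    amp = amplification(qname, rrs)
    amp.pop("ANY")
    return max(amp.items(), key=lambda kv: kv[1])


def reduction_from_blocking_any(qname: str, rrs) -> float:
    """Fraction by which the attacker's best response shrinks when ANY is refused."""
    sizes = expected_sizes(qname, rrs)
    best_other = max(s for t, s in sizes.items() if t != "ANY")
    return (sizes["ANY"] - best_other) / sizes["ANY"]


# Constructed sample zone (not measured data): a DNSSEC-signed name with the
# usual apex records; RDATA sizes approximate typical lengths.
QNAME = "example.test."
SAMPLE_RRS = [
    RR(QNAME, "A", 4),
    RR(QNAME, "AAAA", 16),
    RR(QNAME, "MX", 2 + wire_name_size("mail.example.test.")),
    RR(QNAME, "NS", wire_name_size("ns1.example.test.")),
    RR(QNAME, "NS", wire_name_size("ns2.example.test.")),
    RR(QNAME, "TXT", 1 + len("v=spf1 ip4:192.0.2.0/24 -all")),
    RR(QNAME, "DNSKEY", 4 + 260),  # flags/protocol/algorithm + RSA-2048 public key
    RR(QNAME, "DNSKEY", 4 + 132),  # flags/protocol/algorithm + RSA-1024 public key
    RR(QNAME, "RRSIG", 18 + wire_name_size(QNAME) + 256),  # fixed fields + signer + RSA-2048 signature
    RR(QNAME, "RRSIG", 18 + wire_name_size(QNAME) + 256),
]

if __name__ == "__main__":
    sizes = expected_sizes(QNAME, SAMPLE_RRS)
    for qtype, factor in sorted(amplification(QNAME, SAMPLE_RRS).items(), key=lambda kv: -kv[1]):
        print(f"{qtype:7s} {sizes[qtype]:5d} bytes  x{factor:.1f}")
    print("best without ANY:", most_potent_without_any(QNAME, SAMPLE_RRS))
    print(f"refusing ANY cuts the best response by {reduction_from_blocking_any(QNAME, SAMPLE_RRS):.0%}")
```

&lt;p&gt;Two caveats apply when moving from this model to real measurements. A server truncates UDP answers larger than the client's advertised EDNS buffer (512 bytes without EDNS) and sets the TC bit, forcing a TCP retry that a spoofing attacker cannot complete, so usable amplification is capped by that buffer. And in a DNSSEC-signed zone the DNSKEY and RRSIG data dominate the answer size even when ANY is refused, which is one reason a name can still return large answers to ordinary query types.&lt;/p&gt;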
&lt;hr&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th style=&#34;text-align:left&#34;&gt;Title&lt;/th&gt;
&lt;th style=&#34;text-align:left&#34;&gt;ANYway: Measuring the Amplification DDoS Potential of Domains&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Authors&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Olivier van der Toorn, Johannes Krupp, Mattijs Jonker, Roland van Rijswijk-Deij, Christian Rossow, and Anna Sperotto&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Publication date&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;October 2021&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Conference&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;17th International Conference on Network and Service Management (CNSM 2021)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
</content>
    </item>
    
    <item>
      <title>TXTing 101: Finding Security Issues in the Long Tail of DNS TXT Records</title>
      <link>https://www.oliviervandertoorn.nl/publications/wtmc2020/</link>
      <pubDate>Tue, 01 Sep 2020 01:00:00 +0100</pubDate>
      
      <guid>https://www.oliviervandertoorn.nl/publications/wtmc2020/</guid>
      <description>The DNS TXT resource record is the one that without doubt provides users with the most flexibility of content, as it is largely unstructured. Although it might be the ideal basis for storing any form of text-based information, it also poses a security threat, as TXT records can also be used for malicious and unintended practices. Yet, we reckon that TXT records are often overlooked in security research. In this paper, we present the first structured study of the uses of TXT records, with a specific focus on security implications.</description>
      <content>
&lt;link rel=&#34;stylesheet&#34; href=&#34;https://www.oliviervandertoorn.nl/css/hugo-easy-gallery.css&#34; /&gt;
&lt;div class=&#34;box&#34; &gt;
  &lt;figure class=&#34;paper&#34; itemprop=&#34;associatedMedia&#34; itemscope itemtype=&#34;http://schema.org/ImageObject&#34;&gt;
    &lt;div class=&#34;img&#34;&gt;
      &lt;img itemprop=&#34;thumbnail&#34; src=&#34;https://www.oliviervandertoorn.nl/img/publications/wtmc2020.png&#34; /&gt;
    &lt;/div&gt;
    &lt;a href=&#34;https://www.oliviervandertoorn.nl/papers/wtmc2020.pdf&#34; itemprop=&#34;contentUrl&#34;&gt;&lt;/a&gt;
  &lt;/figure&gt;
&lt;/div&gt;

&lt;blockquote&gt;
&lt;p&gt;The DNS TXT resource record is the one that without doubt provides users with
the most flexibility of content, as it is largely unstructured. Although it
might be the ideal basis for storing any form of text-based information, it
also poses a security threat, as TXT records can also be used for malicious
and unintended practices. Yet, we reckon that TXT records are often overlooked
in security research. In this paper, we present the first structured study of
the uses of TXT records, with a specific focus on security implications. We
are able to classify over 99.54% of all TXT records in our dataset, finding
security issues including accidentally published private keys and exploit
delivery attempts. We also report our lessons learned while dealing with a
large-scale, systematic analysis of TXT records.&lt;/p&gt;
&lt;/blockquote&gt;
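&lt;p&gt;The following is an added example, not the TXTing 101 paper's classifier, pattern set or data, showing the shape of a structured TXT classification: known conventions (SPF, DKIM, DMARC, site-verification tokens, ACME dns-01 challenges) are matched first, the long tail is left as unclassified, and every record is additionally screened for content that should never be in DNS, such as a private key. The patterns are a small constructed subset of widely used conventions, the abuse patterns are assumptions for illustration, and the sample records are made up.&lt;/p&gt;

```python
"""Classify DNS TXT records into known conventions and flag security-relevant content.

Added example; not the TXTing 101 paper's classifier, pattern set or data. The
patterns below are a small constructed subset of widely used TXT conventions and
the sample records are made up.
"""
import base64
import hashlib
import re

# Known structured conventions, tried in order; the first match wins.
KNOWN_FORMATS = [
    ("spf", re.compile(r"^v=spf1(\s|$)", re.I)),
    ("dkim", re.compile(r"^v=DKIM1\b", re.I)),
    ("dmarc", re.compile(r"^v=DMARC1\b", re.I)),
    ("site-verification", re.compile(
        r"^(google-site-verification|MS|facebook-domain-verification|apple-domain-verification)=", re.I)),
]
# ACME dns-01 proves control with a 43-character base64url digest under _acme-challenge.
ACME_TOKEN = re.compile(r"^[A-Za-z0-9_-]{43}$")

# Content that should never be published in DNS or that suggests abuse (assumed patterns).
SECURITY_PATTERNS = [
    ("private-key", re.compile(r"-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("script-payload", re.compile(r"(powershell|cmd\.exe|/bin/sh|eval\(|base64 -d)", re.I)),
]


def classify(owner: str, value: str) -> str:
    """Label a TXT record by owner name and content; unknown content is 'unclassified'."""
    owner = owner.lower().rstrip(".")
    if owner.startswith("_acme-challenge.") and ACME_TOKEN.match(value):
        return "acme-challenge"
    for label, pattern in KNOWN_FORMATS:
        if pattern.search(value):
            return label
    return "unclassified"


def security_flags(value: str) -> list:
    """Names of SECURITY_PATTERNS that match the record content."""
    return [label for label, pattern in SECURITY_PATTERNS if pattern.search(value)]


def spf_stats(value: str) -> dict:
    """Count SPF mechanisms and includes, and record the qualifier on 'all'.
    A '+all' (or bare 'all') makes every sender pass, which defeats SPF."""
    stats = {"mechanisms": 0, "includes": 0, "all": None}
    for term in value.split()[1:]:  # skip the v=spf1 version tag
        if "=" in term:  # modifiers such as redirect= or exp=
            continue
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = term.lstrip("+-~?").split(":")[0].split("/")[0].lower()
        stats["mechanisms"] += 1
        if name == "include":
            stats["includes"] += 1
        elif name == "all":
            stats["all"] = qualifier
    return stats


def summarize(records):
    """Per-class counts plus (owner, flags) for every record that needs attention."""
    counts, flagged = {}, []
    for owner, value in records:
        cls = classify(owner, value)
        counts[cls] = counts.get(cls, 0) + 1
        flags = security_flags(value)
        if cls == "spf" and spf_stats(value)["all"] == "+":
            flags.append("spf-plus-all")
        if flags:
            flagged.append((owner, flags))
    return counts, flagged


# Constructed sample records (not measurement data). The ACME token is derived
# here only so that it has the right shape; a real one is random per challenge.
_TOKEN = base64.urlsafe_b64encode(hashlib.sha256(b"constructed").digest()).rstrip(b"=").decode()
SAMPLE_RECORDS = [
    ("example.test.", "v=spf1 ip4:192.0.2.0/24 include:_spf.example.test -all"),
    ("selector1._domainkey.example.test.", "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB"),
    ("_dmarc.example.test.", "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"),
    ("example.test.", "google-site-verification=0123456789abcdefghijklmnopqrstuvwxyzABCDEF"),
    ("_acme-challenge.example.test.", _TOKEN),
    ("sloppy.test.", "v=spf1 +all"),
    ("leak.test.", "-----BEGIN RSA PRIVATE KEY-----MIIEowIBAAKCAQEAconstructed-----END RSA PRIVATE KEY-----"),
    ("random.test.", "hello world"),
]

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_RECORDS)
    print(counts)
    for owner, flags in flagged:
        print(owner, flags)
```

&lt;p&gt;The owner name matters as much as the content: DKIM keys live under a selector and _domainkey, DMARC under _dmarc and ACME tokens under _acme-challenge, so a classifier that looks at the value alone will misfile records that happen to share a prefix. Anything left unclassified after the known conventions are exhausted is the long tail worth reading by hand.&lt;/p&gt;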
&lt;hr&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th style=&#34;text-align:left&#34;&gt;Title&lt;/th&gt;
&lt;th style=&#34;text-align:left&#34;&gt;TXTing 101: Finding Security Issues in the Long Tail of DNS TXT Records&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Authors&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Olivier van der Toorn, Roland van Rijswijk-Deij, Tobias Fiebig, Martina Lindorfer, and Anna Sperotto&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Publication date&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;September 2020&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Workshop&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;5th International Workshop on Traffic Measurements for Cybersecurity (WTMC 2020)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
</content>
    </item>
    
    <item>
      <title>A Case of Identity: Detection of Suspicious IDN Homograph Domains Using Active DNS Measurements</title>
      <link>https://www.oliviervandertoorn.nl/publications/eurospw2020/</link>
      <pubDate>Tue, 01 Sep 2020 00:00:00 +0100</pubDate>
      
      <guid>https://www.oliviervandertoorn.nl/publications/eurospw2020/</guid>
      <description>The possibility to include Unicode characters in domain names allows users to deal with domains in their regional languages. This is done by introducing Internationalized Domain Names (IDN). However, the visual similarity between different Unicode characters - called homoglyphs - is a potential security threat, as visually similar domain names are often used in phishing attacks. Timely detection of suspicious homograph domain names is an important step towards preventing sophisticated attacks, since this can prevent unaware users from accessing those homograph domains that actually carry malicious content.</description>
      <content>
&lt;link rel=&#34;stylesheet&#34; href=&#34;https://www.oliviervandertoorn.nl/css/hugo-easy-gallery.css&#34; /&gt;
&lt;div class=&#34;box&#34; &gt;
  &lt;figure class=&#34;paper&#34; itemprop=&#34;associatedMedia&#34; itemscope itemtype=&#34;http://schema.org/ImageObject&#34;&gt;
    &lt;div class=&#34;img&#34;&gt;
      &lt;img itemprop=&#34;thumbnail&#34; src=&#34;https://www.oliviervandertoorn.nl/img/publications/eurospw2020.png&#34; /&gt;
    &lt;/div&gt;
    &lt;a href=&#34;https://www.oliviervandertoorn.nl/papers/eurospw2020.pdf&#34; itemprop=&#34;contentUrl&#34;&gt;&lt;/a&gt;
  &lt;/figure&gt;
&lt;/div&gt;

&lt;blockquote&gt;
&lt;p&gt;The possibility to include Unicode characters in domain names allows users to
deal with domains in their regional languages. This is done by introducing
Internationalized Domain Names (IDN). However, the visual similarity between
different Unicode characters - called homoglyphs - is a potential security
threat, as visually similar domain names are often used in phishing attacks.
Timely detection of suspicious homograph domain names is an important step
towards preventing sophisticated attacks, since this can prevent unaware users
from accessing those homograph domains that actually carry malicious content. We
therefore propose a structured approach to identify suspicious homograph domain
names based not on use, but on characteristics of the domain name itself and
its associated DNS records. To achieve this, we leverage the OpenINTEL active
DNS measurement platform, which performs a daily snapshot of more than 65% of
the DNS namespace. In this paper, we first extend the existing Unicode
homoglyph tables (confusion tables). This allows us to detect on average 2.97
times as many homograph domains as with existing tables. Our proactive detection of
suspicious IDN homograph domains provides an early alert that would help both
domain owners as well as security researchers in preventing IDN homograph
abuse.&lt;/p&gt;
&lt;/blockquote&gt;
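&lt;p&gt;The following is an added example, not the paper's code or its extended confusion tables, illustrating the name-characteristic half of the approach described above: an IDN label is decoded from its xn-- A-label, each character is mapped to its Latin look-alike to obtain a skeleton, and a label whose skeleton is pure ASCII is a homograph candidate regardless of whether anyone has visited it. A mixed-script check and an optional match against a watch list are added on top. CONFUSABLES is a small constructed subset of the Unicode confusables data, PROTECTED is a made-up watch list, and the DNS-record features the paper also uses are out of scope here.&lt;/p&gt;

```python
"""Flag suspicious IDN homograph labels from characteristics of the name itself.

Added example; not the paper's code or its extended confusion tables. CONFUSABLES
is a small constructed subset of the Unicode confusables data (Cyrillic and Greek
look-alikes of Latin letters) and PROTECTED is a made-up watch list. A-labels are
decoded with Python's 'punycode' codec directly, avoiding the IDNA 2003 tables
behind the 'idna' codec, which reject code points newer than Unicode 3.2.
"""
import unicodedata

CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03c1": "p",  # GREEK SMALL LETTER RHO
}
PROTECTED = {"paypal", "apple", "google"}  # assumed watch list


def to_unicode(domain: str) -> str:
    """Decode every A-label (xn--...) of a domain into its U-label."""
    out = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        out.append(label)
    return ".".join(out)


def skeleton(label: str) -> str:
    """Replace each confusable character by its Latin look-alike. NFKC first so
    that ligatures and full-width forms collapse to plain letters; accented
    letters stay composed and are therefore not treated as confusable."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))


def is_mixed_script(label: str) -> bool:
    """True if letters from more than one script (LATIN, CYRILLIC, GREEK, ...) are mixed."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return len(scripts) > 1


def homograph_candidate(label: str):
    """Return the ASCII skeleton if a non-ASCII label is built entirely from
    characters that look like ASCII, else None. This depends only on the name."""
    if label.isascii():
        return None
    sk = skeleton(label)
    return sk if sk.isascii() else None


def assess(domain: str, protected=PROTECTED):
    """(reason, look-alike target, mixed-script?) for a suspicious second-level
    label that imitates a protected name; None for genuine or unrelated names."""
    labels = to_unicode(domain).split(".")
    sld = labels[-2] if len(labels) > 1 else labels[0]
    candidate = homograph_candidate(sld)
    if candidate is not None and candidate in protected:
        return ("homograph", candidate, is_mixed_script(sld))
    return None


if __name__ == "__main__":
    # Constructed inputs: 'paypal' with Cyrillic a, 'apple' fully in Cyrillic, and a legitimate IDN.
    for name in ["p\u0430yp\u0430l", "\u0430\u0440\u0440\u04cf\u0435", "m\u00fcnchen"]:
        alabel = "xn--" + name.encode("punycode").decode("ascii") + ".com"
        print(alabel, "->", to_unicode(alabel), homograph_candidate(name), assess(alabel))
```

&lt;p&gt;The all-Cyrillic case is the one that defeats browsers' mixed-script heuristics: every letter comes from a single script, so only a skeleton comparison catches it. Accented Latin names such as the third sample are deliberately not mapped, since the confusables data does not treat diacritics as look-alikes and doing so would flag ordinary IDN registrations.&lt;/p&gt;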
&lt;hr&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th style=&#34;text-align:left&#34;&gt;Title&lt;/th&gt;
&lt;th style=&#34;text-align:left&#34;&gt;A Case of Identity: Detection of Suspicious IDN Homograph Domains Using Active DNS Measurements&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Authors&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Ramin Yazdani, Olivier van der Toorn, and Anna Sperotto&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Publication date&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;September 2020&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Workshop&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&amp;amp;PW)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
</content>
    </item>
    
    <item>
      <title>Looking beyond the horizon: Thoughts on Proactive Detection of Threats</title>
      <link>https://www.oliviervandertoorn.nl/publications/dtrap2019/</link>
      <pubDate>Tue, 04 Feb 2020 10:25:00 +0100</pubDate>
      
      <guid>https://www.oliviervandertoorn.nl/publications/dtrap2019/</guid>
      <description>The fourth publication for the TIDE project. The FIRST talk (see here) has been extended into a journal paper for Digital Threats: Research and Practice (DTRAP). In this paper we argue that we, as a security community, should move towards proactive security. However, we shed light on both sides of the coin. We think the &amp;lsquo;optimal&amp;rsquo; way is to combine the reactive and proactive methods, to make use of the best of both worlds.</description>
      <content>&lt;p&gt;The fourth publication for the TIDE project. The FIRST talk (see &lt;a href=&#34;https://www.oliviervandertoorn.nl/blog/first2019/&#34;&gt;here&lt;/a&gt;) has
been extended into a journal paper for Digital Threats: Research and Practice
(DTRAP). In this paper we argue that we, as a security community, should move
towards proactive security. However, we shed light on both sides of the coin. We
think the &amp;lsquo;optimal&amp;rsquo; way is to combine the reactive and proactive methods, to
make use of the best of both worlds.&lt;/p&gt;

&lt;link rel=&#34;stylesheet&#34; href=&#34;https://www.oliviervandertoorn.nl/css/hugo-easy-gallery.css&#34; /&gt;
&lt;div class=&#34;box&#34; &gt;
  &lt;figure class=&#34;paper&#34; itemprop=&#34;associatedMedia&#34; itemscope itemtype=&#34;http://schema.org/ImageObject&#34;&gt;
    &lt;div class=&#34;img&#34;&gt;
      &lt;img itemprop=&#34;thumbnail&#34; src=&#34;https://www.oliviervandertoorn.nl/img/publications/dtrap2019.png&#34; /&gt;
    &lt;/div&gt;
    &lt;a href=&#34;https://www.oliviervandertoorn.nl/papers/dtrap2019.pdf&#34; itemprop=&#34;contentUrl&#34;&gt;&lt;/a&gt;
  &lt;/figure&gt;
&lt;/div&gt;

&lt;blockquote&gt;
&lt;p&gt;The Internet exposes us to cyberthreats attacking information, services and the Internet infrastructure itself. Such attacks are typically detected in a reactive fashion. The downside of this approach is that alerts of an attack are issued as it is happening. In this paper we advocate that the security community could benefit by complementing traditional reactive solutions with a proactive threat detection approach, as this would enable us to provide early warnings by analyzing and detecting threat indicators in actively collected data. By describing three use cases from the DNS domain, we highlight the strengths and limitations of proactive threat detection and discuss how we could integrate those with existing solutions.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Slides of the presentation are available here: &lt;a href=&#34;https://www.oliviervandertoorn.nl/slides/first2019.pdf&#34;&gt;pdf&lt;/a&gt;&lt;/p&gt;
&lt;hr&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th style=&#34;text-align:left&#34;&gt;Title&lt;/th&gt;
&lt;th style=&#34;text-align:left&#34;&gt;Looking beyond the horizon: Thoughts on Proactive Detection of Threats&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Authors&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Olivier van der Toorn, Anna Sperotto&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Publication date&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;March 2020&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Journal&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;ACM Digital Threats: Research and Practice (DTRAP)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
</content>
    </item>
    
    <item>
      <title>Threat Identification Using Active DNS Measurements</title>
      <link>https://www.oliviervandertoorn.nl/publications/aims2018/</link>
      <pubDate>Mon, 11 Jun 2018 00:00:00 +0200</pubDate>
      
      <guid>https://www.oliviervandertoorn.nl/publications/aims2018/</guid>
      <description>The third publication for the TIDE project. Details more formally the research questions of this project.
The DNS is a core service for the Internet. Most uses of the DNS are benign, but some are malicious. Attackers often use a DNS domain to enable an attack (e.g. DDoS attacks). Detection of these attacks often happens passively, but this leads to a reactive detection of attacks. However, registering and configuring a domain takes time.</description>
      <content>&lt;p&gt;The third publication for the TIDE project. Details more formally the research
questions of this project.&lt;/p&gt;

&lt;link rel=&#34;stylesheet&#34; href=&#34;https://www.oliviervandertoorn.nl/css/hugo-easy-gallery.css&#34; /&gt;
&lt;div class=&#34;box&#34; &gt;
  &lt;figure class=&#34;paper&#34; itemprop=&#34;associatedMedia&#34; itemscope itemtype=&#34;http://schema.org/ImageObject&#34;&gt;
    &lt;div class=&#34;img&#34;&gt;
      &lt;img itemprop=&#34;thumbnail&#34; src=&#34;https://www.oliviervandertoorn.nl/img/publications/aims2018.png&#34; /&gt;
    &lt;/div&gt;
    &lt;a href=&#34;https://www.oliviervandertoorn.nl/papers/aims2018.pdf&#34; itemprop=&#34;contentUrl&#34;&gt;&lt;/a&gt;
  &lt;/figure&gt;
&lt;/div&gt;

&lt;blockquote&gt;
&lt;p&gt;The DNS is a core service for the Internet. Most uses of the DNS are benign, but some are malicious. Attackers often use a DNS domain to enable an attack (e.g. DDoS attacks). Detection of these attacks often happens passively, but this leads to a reactive detection of attacks. However, registering and configuring a domain takes time. We want to pro-actively identify malicious domains during this time. Identifying malicious domains before they are used allows us to pre-emptively stop an attack before it happens. We aim to accomplish this goal by analysing active DNS measurements. Via the analysis of active DNS measurements there is a window of opportunity between the registration time and the time of an attack, to identify a threat before it becomes an attack. Active DNS measurements allow us to analyse the configuration of a domain. Using the configuration of a domain we can predict if it will be used for malicious intent. Machine Learning (ML) is often used to process large datasets, because it is efficient and dynamic. This is the reason we want to use ML for the detection of malicious domains. Since our results are predictive in nature, a methodology for validating our results needs to be developed, because at the time of detection no ground truth is (yet) available.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Slides of the presentation are available here: &lt;a href=&#34;https://www.oliviervandertoorn.nl/slides/aims2018.pdf&#34;&gt;pdf&lt;/a&gt;&lt;/p&gt;
&lt;hr&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th style=&#34;text-align:left&#34;&gt;Title&lt;/th&gt;
&lt;th style=&#34;text-align:left&#34;&gt;Threat Identification Using Active DNS Measurements&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Authors&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Olivier van der Toorn, Anna Sperotto&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Publication date&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;2018/6/4&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Conference&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;AIMS 2018&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
</content>
    </item>
    
    <item>
      <title>Melting the Snow: Using Active DNS Measurements to Detect Snowshoe Spam Domains</title>
      <link>https://www.oliviervandertoorn.nl/publications/noms2018/</link>
      <pubDate>Thu, 03 May 2018 00:00:00 +0200</pubDate>
      
      <guid>https://www.oliviervandertoorn.nl/publications/noms2018/</guid>
      <description>The second publication for the TIDE project. It has received the Best Paper Award at NOMS 2018.
Snowshoe spam is a type of spam which is notoriously hard to detect. Differently from regular spam, snowshoe spammers distribute the volume among many hosts, in order to make detection harder. To be successful, however, spammers need to appear as legitimate as possible, for example, by adopting email best practice like Sender Policy Framework (SPF).</description>
      <content>&lt;p&gt;The second publication for the TIDE project. &lt;a href=&#34;https://www.oliviervandertoorn.nl/blog/noms2018_post/&#34;&gt;It has received the Best Paper
Award at NOMS 2018.&lt;/a&gt;&lt;/p&gt;

&lt;link rel=&#34;stylesheet&#34; href=&#34;https://www.oliviervandertoorn.nl/css/hugo-easy-gallery.css&#34; /&gt;
&lt;div class=&#34;box&#34; &gt;
  &lt;figure class=&#34;paper&#34; itemprop=&#34;associatedMedia&#34; itemscope itemtype=&#34;http://schema.org/ImageObject&#34;&gt;
    &lt;div class=&#34;img&#34;&gt;
      &lt;img itemprop=&#34;thumbnail&#34; src=&#34;https://www.oliviervandertoorn.nl/img/publications/noms2018.png&#34; /&gt;
    &lt;/div&gt;
    &lt;a href=&#34;https://www.oliviervandertoorn.nl/papers/noms2018.pdf&#34; itemprop=&#34;contentUrl&#34;&gt;&lt;/a&gt;
  &lt;/figure&gt;
&lt;/div&gt;

&lt;blockquote&gt;
&lt;p&gt;Snowshoe spam is a type of spam which is notoriously hard to detect.
Differently from regular spam, snowshoe spammers distribute the volume among
many hosts, in order to make detection harder. To be successful, however,
spammers need to appear as legitimate as possible, for example, by adopting
email best practice like Sender Policy Framework (SPF). This requires
spammers to register and configure legitimate DNS domains. Previous studies
use DNS data to detect spam. However, this often happens based on passive
DNS data. In this paper we take a different approach. We make use of active
DNS measurements, covering more than 60% of the namespace, in combination
with machine learning to identify malicious domains crafted for snowshoe
spam. Our results show that we are able to detect snowshoe spam domains with
a precision of more than 93%. Also, we are able to detect a subset of the
malicious domains 2–104 days earlier than the spam reputation systems
(blacklists) currently in use, which suggests our method can give us a time
advantage in the fight against spam. In a real-life scenario, we have shown
that our results allow spam filter operators to block spam that would
otherwise bypass their mail filter. A Realtime Blackhole List (RBL) based on
our approach is currently deployed in the operational network of a major
Dutch ISP.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Slides of the presentation are available here: &lt;a href=&#34;https://www.oliviervandertoorn.nl/slides/noms2018.pdf&#34;&gt;pdf&lt;/a&gt;&lt;/p&gt;
&lt;hr&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th style=&#34;text-align:left&#34;&gt;Title&lt;/th&gt;
&lt;th style=&#34;text-align:left&#34;&gt;&lt;a href=&#34;https://ieeexplore.ieee.org/abstract/document/8406222/?reload=true&#34;&gt;Melting the Snow: Using Active DNS Measurements to Detect Snowshoe Spam Domains&lt;/a&gt;&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Authors&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Olivier van der Toorn, Roland van Rijswijk-Deij, Bart Geesink, Anna Sperotto&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Publication date&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;2018/4/23&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style=&#34;text-align:left&#34;&gt;Conference&lt;/td&gt;
&lt;td style=&#34;text-align:left&#34;&gt;NOMS 2018&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
</content>
    </item>
    
  </channel>
</rss>
