Learning from Authoritative Security Experiment Results

The 2017 LASER Workshop

Open-source Measurement of Fast-flux Networks While Considering Domain-name Parking

Leigh B. Metcalf, Dan Ruef, Jonathan M. Spring

Software Engineering Institute, Carnegie Mellon University

Abstract

Background. Fast-flux is a technique malicious actors use for resilient malware communications. In this paper, domain parking is the practice of assigning a nonsense location to an unused fully-qualified domain name (FQDN) to keep it ready for “live” use. Many papers use “parking” to mean typosquatting for ad revenue. However, the original usage of “domain parking” is our use, which was relevant because it is a potentially confounding behavior for detection of fast-flux. The internet-wide prevalence of fast-flux networks and the extent to which domain parking confounds fast-flux detection have not been publicly measured at scale.

Method. We examine over five years of a large passive-DNS data source. We use an open-source implementation that identifies suspicious associations between FQDNs, IP addresses, and ASNs as graphs. We detect parking via a simple time-series of whether a FQDN advertises itself on IETF-reserved private IP space and public IP space alternately. Whitelisting domains that use this IP space for encoding non-DNS responses (e.g. blacklist distributors) is important for accurate results.

Results. Fast-flux is common, with 10M IP addresses and 20M FQDNs commonly in fast-flux networks daily. Domain parking, in our sense, is uncommon (94,000 unique FQDNs over five years) but exists mostly independent of fast-flux. Our open-source tool works well even at internet-scale.

Discussion. Real-time detection of fast-flux networks could help defenders better interrupt their operation. With our implementation, a resolver could potentially block name resolutions that would add to a known flux network if completed, preventing even the first connection to some fast-flux domains. Parking is a poor indicator of malicious activity, but seems unlikely to confound fast-flux detection.

Important Dates

04/18 Call for Papers
07/15 Submissions Due
09/01 Authors Notified
09/11 Registration Open
          Accepting Student Grant Apps
09/15 Program Announced
09/29 Student Grant Application Deadline
09/22
Hotel reservation deadline
09/29 Pre-workshop papers due
*** EXTENDED ONE WEEK
10/07 Early Bird Registration Closes
*** EXTENDED ONE WEEK
10/18-10/19 Workshop
11/22 Final Papers Due

Apply for student travel grant LASER Venue

Important Links

LASER Workshop Home

Past Workshops

LASER Mailing List

Further Information

If you have questions or comments about LASER, or if you would like additional information about the workshop, contact us at: info@laser-workshop.org.

Join the LASER mailing list to stay informed of LASER news.