Can DNS Blacklists Keep Up With Bots?
Anirudh Ramachandran, David Dagon, and Nick Feamster, College of Computing, Georgia Tech
Background
• DNS-based Blacklists (DNSBLs)
  • The most prevalent network-level spam filtering mechanism today
  • Various listing criteria: open relays/proxies, virus senders, bad/unused address space, etc.
  • Hundreds of DNSBLs of all sizes
• Two distinct issues
  • Detection: the first opportunity to classify an IP/message
  • Response: how long it takes after detection for blacklisting to occur
Effectiveness of a DNSBL – Pertinent Questions
• What is the responsiveness of the DNSBL?
  • An important metric, especially with the proliferation of spam hosts on dynamic IPs (botnets)
• What is the completeness of the DNSBL?
• How many distinct domains are targeted before blacklisting happens?
• Does the frequency of spam from a host change after it is blacklisted?
A Model of Responsiveness
• Response Time
  • Difficult to calculate without "ground truth"
  • Can still estimate a lower bound
Fig: Conceptual life-cycle of a spamming host (timeline labels: Infection Time, Possible Detection Opportunity, S-Day, RBL Listing; Response Time is the interval from the detection opportunity to RBL Listing)
Our Approach
• Data:
  • 1.5 days of packet captures of DNSBL queries from a mirror of Spamhaus
  • 46 days of pcaps from a hijacked C&C server of a Bobax botnet; overlaps with the DNSBL queries
• Method:
  • Monitor DNSBL queries for lookups of known Bobax hosts
  • Look for the first query for a host (approximates S-Day or the detection opportunity)
  • Look for the first time a query response had a 'listed' status (approximates RBL listing)
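The method above, as an added example (not the authors' code): it replays a DNSBL query/response log against a set of known bot addresses and derives per-bot first query, first 'listed' answer, the response-time lower bound, and the number of distinct queriers per bot, i.e. the quantities behind the completeness, responsiveness and "domains performing lookups" figures reported on the later slides. It assumes a constructed record format (timestamp, querying resolver, query name, answer), that a lookup for a.b.c.d is the name d.c.b.a.<zone> and that a listed host is signalled by an A record in 127.0.0.0/8 (the convention Spamhaus and most DNSBLs use); the zone name, resolver names, bot addresses and log lines are all constructed placeholders.

```python
"""Estimating DNSBL responsiveness from a query log, following the slides' method.

Added example, not the authors' code. Assumed record format (constructed):
(timestamp_seconds, querying_resolver, query_name, answer), where answer is
the A record the DNSBL returned or None for NXDOMAIN. A lookup for a.b.c.d
is the name d.c.b.a.<zone>, and an answer in 127.0.0.0/8 means "listed".
The zone name, resolver names and bot addresses below are placeholders.
"""
from collections import defaultdict
import ipaddress

ZONE = "dnsbl.example"  # hypothetical DNSBL zone (assumption)
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")

# Known bot IPs, standing in for addresses seen at a hijacked C&C (constructed).
BOTS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}

# Constructed DNSBL query/response log (not real captures).
SAMPLE_LOG = [
    (0,    "resolver-a", "10.2.0.192.dnsbl.example.", None),           # bot queried, not listed yet
    (100,  "resolver-a", "11.2.0.192.dnsbl.example.", "127.0.0.2"),    # already listed at first sight
    (500,  "resolver-a", "12.2.0.192.dnsbl.example.", None),           # bot never listed in the window
    (3600, "resolver-a", "10.2.0.192.dnsbl.example.", None),           # second miss, same querier
    (4000, "resolver-c", "5.100.51.198.dnsbl.example.", "127.0.0.2"),  # listed, but not a known bot
    (7200, "resolver-b", "10.2.0.192.dnsbl.example.", "127.0.0.2"),    # first 'listed' answer
    (8000, "resolver-b", "www.example.com.", None),                    # not a DNSBL lookup at all
]


def qname_to_ip(qname, zone=ZONE):
    """Recover the looked-up IPv4 address from a reversed-octet DNSBL query name.

    Returns None when the name is not under the zone or the prefix is not four octets.
    """
    labels = qname.rstrip(".").split(".")
    zone_labels = zone.split(".")
    if labels[-len(zone_labels):] != zone_labels:
        return None
    octets = labels[:-len(zone_labels)]
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def is_listed(answer):
    """'Listed' is an A record in 127.0.0.0/8; NXDOMAIN (None) or anything else is not listed."""
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in LISTED_NET
    except ipaddress.AddressValueError:
        return False


def analyze(log, bots):
    """Per-bot first query, first 'listed' answer, response-time lower bound, and querier counts."""
    first_query = {}
    first_listed = {}
    queriers = defaultdict(set)
    for t, querier, qname, answer in sorted(log, key=lambda r: r[0]):
        ip = qname_to_ip(qname)
        if ip is None or ip not in bots:
            continue  # only lookups for known bots count as detection opportunities
        first_query.setdefault(ip, t)  # approximates S-Day / the detection opportunity
        queriers[ip].add(querier)
        if is_listed(answer):
            first_listed.setdefault(ip, t)  # approximates RBL listing
    # Response time is only a lower bound: the bot may have spammed before its first query was
    # captured, and a bot already listed at its first query was listed before the window (bound 0).
    response_time = {ip: first_listed[ip] - first_query[ip] for ip in first_listed}
    listed_before_first_query = {ip for ip, rt in response_time.items() if rt == 0}
    return {
        "queried": set(first_query),
        "listed": set(first_listed),
        "response_time_lower_bound": response_time,
        "listed_before_first_query": listed_before_first_query,
        # completeness here = listed bots / queried bots (the denominator the slides' 6% uses)
        "completeness": len(first_listed) / len(first_query) if first_query else 0.0,
        "distinct_queriers": {ip: len(q) for ip, q in queriers.items()},
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, BOTS)
    for ip in sorted(result["queried"]):
        print(ip, "listed" if ip in result["listed"] else "not listed",
              "response>=", result["response_time_lower_bound"].get(ip),
              "queriers=", result["distinct_queriers"][ip])
    print("completeness:", round(result["completeness"], 2))
```

The bots flagged in `listed_before_first_query` are the case the "lower bound" caveat is about: a 'listed' answer on the very first observed query says nothing about how long listing took, only that it happened before the capture window, so those hosts should be reported separately rather than averaged in as a zero response time.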
Preliminary Results
• Observed 81,950 DNSBL queries for 4,295 (out of over 2 million) Bobax IPs
• Completeness: only 255 (6% of the 4,295 queried) Bobax IPs were blacklisted through the end of the 46-day Bobax trace
• Responsiveness:
  • 88 IPs became listed during the 1.5-day DNSBL trace
  • 34 of these were listed after a single detection opportunity
Domains Performing Lookups
• Over 60% of bots are queried by just one IP/AS
• This increases response time (i.e., a bot seen by only one querier has fewer chances of getting reported)
Fig: CDF of distinct IP addresses/domains performing lookups per bot
Conclusion
• DNSBL responsiveness is relatively unstudied
• Proposed a model of responsiveness
• Points to ponder: blacklist responsiveness and its effects
• Preliminary results:
  • Responsiveness might be low
  • 60% of bots target just one domain
• Future work:
  • Changes in spamming frequency pre/post blacklisting
  • Reanalyze with complete DNSBL lookups; other spamming bot data