
Can DNS Blacklists Keep Up With Bots?

Anirudh Ramachandran, David Dagon, and Nick Feamster, College of Computing, Georgia Tech. Can DNS Blacklists Keep Up With Bots? Background: DNS-based blacklists are the most prevalent network-level spam filtering mechanism today.



Presentation Transcript


  1. Can DNS Blacklists Keep Up With Bots?
     Anirudh Ramachandran, David Dagon, and Nick Feamster
     College of Computing, Georgia Tech

  2. Background
     • DNS-based Blacklists
       • The most prevalent network-level spam filtering mechanism today
       • Various criteria: open relays/proxies, virus senders, bad/unused address spaces, etc.
       • Hundreds of DNSBLs of all sizes
     • Two distinct issues
       • Detection: the first opportunity to classify an IP/message
       • Response: how long it takes after detection for blacklisting to occur

  3. Effectiveness of a DNSBL – Pertinent Questions
     • What is the responsiveness of the DNSBL?
       • An important metric, esp. with the proliferation of spam hosts with dynamic IPs (botnets)
     • What is the completeness of the DNSBL?
     • How many distinct domains are targeted before blacklisting happens?
     • Does the frequency of spam from a host change after it is blacklisted?

  4. A Model of Responsiveness
     • Response Time
       • Difficult to calculate without “ground truth”
       • Can still estimate a lower bound
     Fig: Conceptual life-cycle of a spamming host (timeline labels: Infection Time, Possible Detection Opportunity, S-Day, RBL Listing; Response Time is the interval between S-Day and RBL Listing)

  5. Our Approach
     • Data:
       • 1.5 days worth of packet captures of DNSBL queries from a mirror of Spamhaus
       • 46 days of pcaps from a hijacked C&C for a Bobax botnet; overlaps with the DNSBL queries
     • Method:
       • Monitor DNSBL queries for lookups of known Bobax hosts
       • Look for the first query (S-Day or detection opportunity approximation)
       • Look for the first time a query response had a ‘listed’ status (RBL Listing approximation)

  6. Preliminary Results
     • Observed 81,950 DNSBL queries for 4,295 (out of over 2 million) Bobax IPs
     • Completeness: only 255 (6%) Bobax IPs were blacklisted through the end of the Bobax trace (46 days)
     • Responsiveness:
       • 88 IPs became listed during the 1.5 day DNSBL trace
       • 34 of these were listed after a single detection opportunity

  7. Domains Performing Lookups
     • Over 60% are queried by just one IP/AS
     • Increases response time (i.e., decreases chances of getting reported)
     Fig: CDF of distinct IP addresses/domains performing lookups per bot
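The measurement method of slides 4, 5 and 7 (first query as the detection opportunity, first ‘listed’ response as the RBL listing, their difference as a lower bound on response time, plus completeness and the number of distinct queriers per bot) as an added example; this is not the authors' code. The query log, resolver names and bot IPs are constructed sample data, and the log is assumed to be already decoded into (timestamp, querying resolver, queried IP, listed/not-listed) tuples.

```python
from collections import defaultdict
from datetime import datetime

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

# Constructed sample log (not real data): timestamp, querying resolver,
# queried IP, and whether the DNSBL answered 'listed' or 'not-listed'.
SAMPLE_LOG = [
    ("2024-01-01T00:00:00", "resolver-a.example", "10.0.0.1", "not-listed"),
    ("2024-01-01T00:05:00", "resolver-b.example", "10.0.0.1", "not-listed"),
    ("2024-01-01T01:00:00", "resolver-a.example", "10.0.0.1", "listed"),
    ("2024-01-01T00:10:00", "resolver-a.example", "10.0.0.2", "not-listed"),
    ("2024-01-01T06:00:00", "resolver-a.example", "10.0.0.2", "not-listed"),
    ("2024-01-01T00:20:00", "resolver-c.example", "10.0.0.3", "listed"),
    ("2024-01-01T00:30:00", "resolver-a.example", "192.0.2.9", "listed"),  # not a known bot
]
# Constructed set of bot IPs, standing in for the IPs seen at the C&C.
KNOWN_BOTS = {"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"}

def analyze(log, bots):
    """Per-bot responsiveness lower bound and distinct queriers, plus summary figures."""
    first_query, first_listed, queriers = {}, {}, defaultdict(set)
    for ts, resolver, ip, status in sorted(log, key=lambda r: parse_ts(r[0])):
        if ip not in bots:          # only lookups for known bot hosts matter
            continue
        t = parse_ts(ts)
        first_query.setdefault(ip, t)       # S-Day / detection opportunity approximation
        queriers[ip].add(resolver)          # who is looking this bot up (slide 7)
        if status == "listed":
            first_listed.setdefault(ip, t)  # RBL listing approximation
    per_ip = {}
    for ip, seen in first_query.items():
        listed = first_listed.get(ip)
        per_ip[ip] = {
            # None means never listed during the trace; 0 means listed at the first opportunity
            "response_seconds": (listed - seen).total_seconds() if listed else None,
            "distinct_queriers": len(queriers[ip]),
        }
    queried = len(per_ip)
    summary = {
        "completeness": len(first_listed) / len(bots),  # bots never queried count as unlisted
        "listed_at_first_opportunity": sum(1 for v in per_ip.values() if v["response_seconds"] == 0),
        "single_querier_fraction": (sum(1 for v in per_ip.values() if v["distinct_queriers"] == 1)
                                    / queried if queried else 0.0),
    }
    return per_ip, summary
```

Here 10.0.0.4 never appears in the query log, so it lowers completeness without contributing a response time, which is the same effect the 2 million mostly unqueried Bobax IPs have on the 6% figure in slide 6.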

  8. Conclusion
     • DNSBL responsiveness is relatively unstudied
     • Proposal for a model of responsiveness
     • Points to ponder: blacklist responsiveness and its effects
     • Preliminary results:
       • Responsiveness might be low
       • 60% of bots target just one domain
     • Future work:
       • Changes in spamming frequency pre/post blacklisting
       • Reanalyze with complete DNSBL lookups; other spamming bot data

  9. Questions?
