presentation-passive-dns-mitigate-abuse-23jun14-en
- 6. [Chart: vertical axis 0.00% to 80.00%; horizontal axis daily, 140501 to 140605. Source: Private Spam Trap]
2014-06-20 ©2014 Farsight Security Inc.
- 7. [Chart: vertical axis 0.00% to 25.00%; horizontal axis 5m, 10m, 30m, 1h, 3h, 12h, 24h]
- 8. [Chart: vertical axis 0.00% to 50.00%; horizontal axis 5m, 10m, 30m, 1h]
- 9. • 10% of spam messages use domain names less than 10 minutes old.
• Boosts spam catch rate on domain names <5 minutes old by 20%.
- 10. • Snapshot in time from the zone’s authoritative name server.
• Only tells of new delegation points.
• Not available for most ccTLDs.
• Only available to the public every 24 hours.
- 12. • Publishing a DNSBL, several DNS RPZs of domain names first observed less than 24 hours ago.
domain.v1.bl.dns-nod.net
• ZFA-like dumps from passive DNS.
– Resource records from authoritative name servers for the zone.
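One way to turn passive DNS first-seen times into the kind of RPZ slide 12 describes, shown as an added example that is not Farsight's code. The observations, zone origins and SOA values are constructed for illustration; `CNAME .` is the standard RPZ action that makes a resolver answer NXDOMAIN.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: (domain, time passive DNS saw it). Not real data.
OBSERVATIONS = [
    ("fresh-example.test", "2014-06-20T11:57:00Z"),
    ("Hour-Old.Example.", "2014-06-20T11:00:00Z"),
    ("hour-old.example", "2014-06-20T11:30:00Z"),   # later re-sighting, ignored
    ("day-old.example", "2014-06-19T11:59:00Z"),
    ("established.example", "2013-01-01T00:00:00Z"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def first_seen(observations):
    """Earliest sighting per normalized domain (lowercase, no trailing dot)."""
    seen = {}
    for name, ts in observations:
        key = name.rstrip(".").lower()
        t = parse_ts(ts)
        if key not in seen or t < seen[key]:
            seen[key] = t
    return seen

def newly_observed(observations, now, window):
    """Domains whose first sighting is less than `window` before `now`."""
    return sorted(d for d, t in first_seen(observations).items()
                  if timedelta(0) <= now - t < window)

def rpz_zone(domains, origin, serial):
    """Render an RPZ zone file; names are relative to the (hypothetical) origin."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.localhost. {serial} 300 60 86400 300",
        "@ IN NS localhost.",
    ]
    for d in domains:
        lines.append(f"{d} IN CNAME .")      # the domain itself
        lines.append(f"*.{d} IN CNAME .")    # every name beneath it
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    now = parse_ts("2014-06-20T12:00:00Z")
    for label, window in [("5m", timedelta(minutes=5)), ("24h", timedelta(hours=24))]:
        print(rpz_zone(newly_observed(OBSERVATIONS, now, window),
                       f"nod-{label}.rpz.example", 2014062001))
```

A domain ages out of a zone simply by no longer qualifying on the next rebuild, so the serial must increase on every regeneration for secondaries to pick up the change.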
- 13. • All domains, even legitimate ones, will be penalized by NOD's subscribers.
• Up-front accountability would prevent this junk at lower total cost.
• The need and demand for NOD should embarrass the whole DNS industry.
- 14. • Improve accountability for new domains.
– Credit cards, whois, identity.
• Offer ZFA, including deltas, for all TLDs.
– Even ccTLDs.
• Improve takedown procedures.
– Consider APWG's API/process for this.
• Consider putting new domains in "pause."
• Limit NS changes to one per day.
– Exceptions only by phone.