DHPA Techday 2015 - Maciej Korczyński - Reputation Metrics Design to Improve Intermediary Incentives
Intermediaries such as registries, registrars, DNS providers and hosting providers are responsible for the security of domains. However, it can be hard to hold any one of them directly responsible for a given domain. In this presentation, we analyze the interplay between these four actors. We also provide some evidence that the concentrations of maliciously registered and hacked domains are due to attackers' profit-maximizing behaviour, such as abusing free hosting and domain registration services, hacking more easily available targets like shared hosting, and using a few resilient name servers.

  1. REMEDI3S-TLD: Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs. A project in collaboration with SIDN and NCSC. Maciej Korczyński, Delft University of Technology. Contact: maciej.korczynski@tudelft.nl. DHPA Techday, 21 May 2015, The Hague
  2. REMEDI3S-TLD
  3. REMEDI3S-TLD
  4. REMEDI3S-TLD
  5. REMEDI3S-TLD
  6. Agenda
     •  REMEDI3S-TLD
     •  Security incidents
     •  Types of security metrics
     •  Security metrics for TLDs
     •  Security metrics for hosting providers
     •  Practical application
     •  Summary
  7. Security incidents
     •  Blacklists
     •  APWG
     •  Shadowserver (botnet C&C, Sandbox URLs, etc.)
     •  ESET, Sophos, Fortinet
     •  Google's Safe Browsing appeals
     •  Malware Must Die
     •  PhishTank
     •  ZeuS Tracker
     •  Dutch child pornography hotline
     •  Etc.
     •  Farsight Security (DNSDB)
  8. Types of security metrics
     •  Different layers of security metrics:
        •  Top Level Domains (TLDs)
        •  Market players related to the TLD (infrastructure providers): registrars, hosting providers, DNS service providers
        •  Network resources managed by each of the players, such as resolvers and name servers
  9. Security metrics for TLDs
     •  Size estimate for different market players, e.g. TLDs
     •  Problem: access to zone files of all TLDs
     •  Solution: zone files, APWG reports, DNSDB
  10. Security metrics for TLDs
     •  Type of reputation metrics
     •  Problem: estimation of the amount of badness
     •  Solutions (TLDs):
        a)  Number of unique domains
        b)  Number of FQDNs
        c)  Number of URLs
  11. Security metrics for TLDs
     •  Type of reputation metrics
     •  Problem: up-times of maliciously registered/compromised domains
     •  Solutions:
        a)  DNS-based scanner
        b)  Content-based scanner
  12. Results
     •  Estimation of the amount of badness for TLDs
     •  Datasets: suitability, coverage
  13. Results
     •  Estimation of the amount of badness
  14. Results
     •  Estimation of the amount of badness
  15. Results
     •  Estimation of the amount of badness
  16. Security metrics for hosting providers
     1.  Count badness per AS across different data sources
     2.  Normalize for the size of the AS (in 3 ways)
     [Figure: abuse-measurement pipeline]
     •  Abuse feeds: Shadowserver Compromise, Shadowserver Sandbox URL, ZeuS Tracker C&Cs, MLAT requests, APWG, StopBadware, ...
     •  pDNS / IP routing: Farsight Security pDNS data, Internet IP routing data
     •  Abuse mapping: # unique abuse / AS
     •  Size mapping: # advertised IPs, # IPs in pDNS, # domains hosted
     •  Normalization: # abuse / size
     Worked numbers in the figure (AS#1, AS#2):
     •  Abuse maps: PhishTank 100, 200; MLAT 50, 73
     •  Size maps: advertised IPs 256, 1024; domains hosted 23, 1232
     •  Normalized abuse: PhishTank / advrt. IPs 0.39, 0.19; PhishTank / domains hosted 4.34, 0.16; MLAT / advrt. IPs 0.19, 0.07; MLAT / domains hosted 2.17, 0.05
  17. Security metrics for hosting providers
     3.  Rank ASes on amount of badness
     4.  Aggregate rankings (Borda count)
     5.  Identify ASes with consistently high concentrations of badness
     [Figure: rank, combine ranks (sort rank high to low, Borda count), overall ranking]
     •  Abuse rankings (AS#1, AS#2): PhishTank ranking 1: 834, 833; PhishTank ranking 2: 834, 833; MLAT ranking 1: 235, 234; MLAT ranking 2: 235, 234
     •  Normalized abuse as on slide 16: PhishTank / advrt. IPs 0.39, 0.19; PhishTank / domains hosted 4.34, 0.16; MLAT / advrt. IPs 0.19, 0.07; MLAT / domains hosted 2.17, 0.05
     •  Borda count ranking: AS#1 2354, AS#2 1834, AS#3 1542, AS#4 1322
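The five-step hosting-provider pipeline on slides 16 and 17, as an added Python example (not code from the slides or the REMEDI3S-TLD project). The two-AS figures from the slide are used as constructed input, with a third AS added to show how an AS that is absent from a feed, or has size 0, is handled; the Borda convention (the top AS of n receives n points, the next n-1, and so on, matching the slide's 834/833 pair) is an assumption.

```python
from collections import defaultdict

# Constructed input taken from the slide's worked figure: two abuse feeds and
# two size measures keyed by AS number.  AS 3 is added as a coverage edge case:
# it appears in no abuse feed and hosts no domains.
ABUSE_FEEDS = {
    "PhishTank": {1: 100, 2: 200},
    "MLAT":      {1: 50,  2: 73},
}
SIZE_MAPS = {
    "advertised_ips": {1: 256, 2: 1024, 3: 512},
    "domains_hosted": {1: 23,  2: 1232, 3: 0},   # size 0 cannot be normalized
}

def normalize(feed, size_map):
    """Step 2: abuse per unit of size.  Absent from feed => 0 abuse; size 0 => left out."""
    return {asn: feed.get(asn, 0) / size for asn, size in size_map.items() if size > 0}

def rank_desc(normalized):
    """Step 3: order ASes from most to least badness (ties broken by ASN)."""
    return sorted(normalized, key=lambda a: (-normalized[a], a))

def borda_points(ranking):
    """Assumed Borda convention: top of n gets n points, next n-1, ..., last 1."""
    n = len(ranking)
    return {asn: n - pos for pos, asn in enumerate(ranking)}

def aggregate(abuse_feeds=ABUSE_FEEDS, size_maps=SIZE_MAPS):
    """Steps 1-5: one ranking per (feed, size measure) pair, summed by Borda count.
    Returns (overall ranking, Borda totals per AS, times each AS was ranked first)."""
    totals = defaultdict(int)
    top_hits = defaultdict(int)   # "consistently high": how often the AS topped a ranking
    for feed in abuse_feeds.values():
        for size_map in size_maps.values():
            ranking = rank_desc(normalize(feed, size_map))
            for asn, pts in borda_points(ranking).items():
                totals[asn] += pts
            top_hits[ranking[0]] += 1
    overall = sorted(totals, key=lambda a: (-totals[a], a))
    return overall, dict(totals), dict(top_hits)

if __name__ == "__main__":
    overall, totals, hits = aggregate()
    for asn in overall:
        print(f"AS#{asn}: Borda total {totals[asn]}, ranked first {hits.get(asn, 0)} of 4 times")
```

With the slide's numbers AS#1 tops all four rankings; an AS that is missing from every feed still receives the minimum points in each ranking where it has a size, which is why size coverage (slide 12) matters as much as abuse-feed coverage.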
  18. Practical application
     •  Incentive structures that drive the DNS ecosystem
     •  "Clean Netherlands": enhance the self-cleansing ability of the Dutch hosting market by
        •  promoting best practices and awareness
        •  pressuring the rotten apples
  19. Summary
     •  REMEDI3S-TLD
     •  Security metrics for TLDs
     •  Security metrics for hosting providers
     •  Practical application
  20. ACKNOWLEDGEMENTS
     The research leading to these results was funded by SIDN (www.sidn.nl)