REMEDI3S-TLD: Reputation Metrics
Design to Improve Intermediary
Incentives for Security of TLDs
A project in collaboration with SIDN and NCSC
Maciej Korczyński
Delft University of Technology
Contact: maciej.korczynski@tudelft.nl
DHPA Techday
21 May 2015, The Hague
REMEDI3S-TLD
Agenda
•  REMEDI3S-TLD
•  Security incidents
•  Types of security metrics
•  Security metrics for TLDs
•  Security metrics for hosting providers
•  Practical application
•  Summary
Security incidents
•  Blacklists
•  APWG
•  Shadowserver (botnet C&C, Sandbox URLs, etc.)
•  ESET, Sophos, Fortinet
•  Google's Safe browsing appeals
•  Malware Must Die
•  Phishtank
•  Zeus tracker
•  Dutch child pornography hotline
•  Etc.
•  Farsight security (dns-db)
Types of security metrics
•  Different layers of security metrics:
•  Top Level Domains (TLDs)
•  Market players related to the TLD (infrastructure providers): registrars, hosting providers, DNS service providers
•  Network resources managed by each of the players, such as resolvers, name servers
Security metrics for TLDs
•  Size estimate for different market players, e.g. TLDs
•  Problem: access to zone files of all TLDs
•  Solution: zone files, APWG reports, DNS-DB
•  Type of reputation metrics
•  Problem: estimation of the amount of badness
•  Solutions (TLDs):
a)  Number of unique domains
b)  Number of FQDNs
c)  Number of URLs
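The three estimators above give different answers on the same feed, which is why the slide lists them separately. As an added example (not the project's own code), the block below counts a constructed blacklist feed per TLD in all three ways and normalises each count by an assumed zone size; the feed entries, the zone sizes and the tiny set of multi-label public suffixes are all constructed for illustration, and a real implementation would use the Public Suffix List for the last of these.

```python
"""Per-TLD badness counts from a blacklist feed, three ways.

Added example, not the project's own code. Shows how the three estimators on
the slide (unique domains, FQDNs, URLs) diverge on one feed, and normalises
each by an assumed zone size. All data below is constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed blacklist entries (not real indicators).
FEED = [
    "http://login.example-bank.nl/update/",
    "http://login.example-bank.nl/update/index.php",
    "http://cdn.example-bank.nl/x.exe",
    "http://free-gift.nl/claim",
    "http://a.b.shop-deals.co.uk/verify",
    "http://c.shop-deals.co.uk/verify",
    "http://mailer.example.com/p",
    "http://mailer.example.com/p",  # exact duplicate; counted once
]

# Constructed: suffixes under which registrations happen one label deeper.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk"}

# Constructed: registered domains per zone, used as the TLD size estimate.
ZONE_SIZE = {"nl": 5_600_000, "uk": 10_000_000, "com": 118_000_000}


def split_host(host):
    """Return (tld, registered domain, fqdn) for one hostname.

    The registered domain is the label directly below the public suffix, so
    a.b.shop-deals.co.uk belongs to shop-deals.co.uk in the uk TLD."""
    fqdn = host.lower().rstrip(".")
    labels = fqdn.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    registered = ".".join(labels[-(suffix_len + 1):])
    return labels[-1], registered, fqdn


def count_badness(feed):
    """Per TLD: number of distinct URLs, FQDNs and registered domains."""
    urls, fqdns, domains = defaultdict(set), defaultdict(set), defaultdict(set)
    for url in feed:
        host = urlsplit(url).hostname
        if not host:  # malformed entry: skip rather than mis-attribute it
            continue
        tld, registered, fqdn = split_host(host)
        urls[tld].add(url)
        fqdns[tld].add(fqdn)
        domains[tld].add(registered)
    return {
        tld: {"urls": len(urls[tld]), "fqdns": len(fqdns[tld]), "domains": len(domains[tld])}
        for tld in urls
    }


def per_million(counts, zone_size):
    """Normalise each count by zone size (per million registered domains).

    TLDs without a size estimate are dropped: a raw count alone says little
    about how concentrated the abuse is in that zone."""
    return {
        tld: {k: v / zone_size[tld] * 1e6 for k, v in c.items()}
        for tld, c in counts.items()
        if tld in zone_size
    }


if __name__ == "__main__":
    counts = count_badness(FEED)
    for tld, c in counts.items():
        print(tld, c)  # .nl: 4 URLs, 3 FQDNs, but only 2 registered domains
    print(per_million(counts, ZONE_SIZE))
```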
Security metrics for TLDs
•  Type of reputation metrics
•  Problem: up-times of maliciously registered/compromised domains
•  Solutions:
a)  DNS-based scanner
b)  Content-based scanner
Security metrics for TLDs
Results
•  Estimation of the amount of badness for TLD
•  Datasets: suitability, coverage
Security metrics for hosting providers
1.  Count badness per AS across different data sources
2.  Normalize for the size of the AS (in 3 ways)
Diagram (steps 1 and 2):
•  Abuse feeds (Shadowserver Compromise, Shadowserver Sandbox URL, Zeustracker C&Cs, MLAT requests, APWG, StopBadware, …) → abuse mapping → # unique abuse / AS
•  pDNS / IP routing (Farsight Security pDNS data, Internet IP routing data) → size mapping → # advertised IPs, # IPs in pDNS, # domains hosted
Abuse maps (example):
•  PhishTank: AS#1 → 100, AS#2 → 200
•  MLAT: AS#1 → 50, AS#2 → 73
Size maps (example):
•  Advertised IPs: AS#1 → 256, AS#2 → 1024
•  Domains hosted: AS#1 → 23, AS#2 → 1232
Normalization (# abuse / size) → normalized abuse:
•  PhishTank / advertised IPs: AS#1 → 0.39, AS#2 → 0.19
•  PhishTank / domains hosted: AS#1 → 4.34, AS#2 → 0.16
•  MLAT / advertised IPs: AS#1 → 0.19, AS#2 → 0.07
•  MLAT / domains hosted: AS#1 → 2.17, AS#2 → 0.05
3.  Rank ASes on amount of badness
4.  Aggregate rankings (Borda count)
5.  Identify ASes with consistently high concentrations of badness
Diagram (steps 3 to 5):
Rank → abuse rankings (one per normalized metric):
•  PhishTank ranking 1: AS#1 → 834, AS#2 → 833
•  PhishTank ranking 2: AS#1 → 834, AS#2 → 833
•  MLAT ranking 1: AS#1 → 235, AS#2 → 234
•  MLAT ranking 2: AS#1 → 235, AS#2 → 234
Combine ranks (sort rank high → low, Borda count) → overall ranking:
•  Borda count ranking: AS#1 → 2354, AS#2 → 1834, AS#3 → 1542, AS#4 → 1322
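The five steps above, run end to end as an added example (not the project's own code): the AS1/AS2 abuse counts and sizes are the figures from the slide diagram, while AS3 and AS4 are constructed here so the ranking has something to separate (AS3 has the most raw abuse reports but is by far the largest network). Feed and size-indicator names are taken from the slide; the Borda scoring rule (n minus rank points per ranking) is a standard choice and is assumed rather than taken from the slide.

```python
"""Size-normalised abuse ranking of hosting ASes with Borda-count aggregation.

Added example, not the project's own code. Runs the slide's five steps on
constructed data: AS1/AS2 figures are from the slide diagram, AS3/AS4 are
constructed so that raw counts and normalised rates disagree.
"""
from collections import defaultdict

# Step 1: abuse counts per AS from each data source (constructed). An AS that
# is missing from a feed simply has no reports there and counts as 0.
ABUSE = {
    "PhishTank": {"AS1": 100, "AS2": 200, "AS3": 300, "AS4": 5},
    "MLAT":      {"AS1": 50,  "AS2": 73,  "AS3": 90},
}

# Step 2 input: size indicators per AS (constructed). The AS universe is the
# set of ASes for which a size is known.
SIZE = {
    "Advertised IPs": {"AS1": 256, "AS2": 1024, "AS3": 65536, "AS4": 256},
    "Domains hosted": {"AS1": 23,  "AS2": 1232, "AS3": 50000, "AS4": 20},
}


def normalize(abuse, size):
    """Step 2: # abuse / size for every (feed, size indicator) pair.

    Returns {"<feed> / <indicator>": {asn: rate}}. ASes with a zero or
    unknown size are left out of that metric instead of dividing by zero."""
    metrics = {}
    for feed, counts in abuse.items():
        for indicator, sizes in size.items():
            metrics[f"{feed} / {indicator}"] = {
                asn: counts.get(asn, 0) / s for asn, s in sizes.items() if s > 0
            }
    return metrics


def rank(metric):
    """Step 3: rank ASes by one metric, most badness first (rank 1 = worst).

    Equal values share a rank (competition ranking: 1, 2, 2, 4)."""
    ordered = sorted(metric.items(), key=lambda kv: kv[1], reverse=True)
    ranks, prev, current = {}, None, 0
    for position, (asn, value) in enumerate(ordered, start=1):
        if value != prev:
            current, prev = position, value
        ranks[asn] = current
    return ranks


def borda(rankings):
    """Step 4: aggregate the per-metric rankings with a Borda count.

    In a ranking of n ASes the AS at rank r receives n - r points (the worst
    AS gets n - 1, the cleanest 0); points are summed over all rankings, so a
    high total means the AS ranks badly across feeds and size measures."""
    score = defaultdict(int)
    for ranks in rankings.values():
        n = len(ranks)
        for asn, r in ranks.items():
            score[asn] += n - r
    return dict(score)


def overall_ranking(score):
    """Order ASes by Borda score, worst first (ties broken by name)."""
    return [asn for asn, _ in sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))]


def consistently_bad(rankings, top_k):
    """Step 5: ASes that sit in the worst top_k of *every* per-metric ranking."""
    tops = [{asn for asn, r in ranks.items() if r <= top_k} for ranks in rankings.values()]
    return set.intersection(*tops) if tops else set()


def run_pipeline(abuse=ABUSE, size=SIZE, top_k=2):
    """Steps 1 to 5 together; returns every intermediate result for inspection."""
    metrics = normalize(abuse, size)
    rankings = {name: rank(metric) for name, metric in metrics.items()}
    score = borda(rankings)
    return {
        "metrics": metrics,
        "rankings": rankings,
        "borda": score,
        "overall": overall_ranking(score),
        "consistent": consistently_bad(rankings, top_k),
    }


if __name__ == "__main__":
    result = run_pipeline()
    raw = {asn: sum(f.get(asn, 0) for f in ABUSE.values()) for asn in SIZE["Advertised IPs"]}
    print("raw abuse per AS:", raw)          # AS3 has the most reports...
    for name, ranks in result["rankings"].items():
        print(f"{name:28s}", ranks)
    print("Borda scores:", result["borda"])  # ...but ranks cleanest once normalised
    print("overall (worst first):", result["overall"])
    print("consistently in worst 2:", result["consistent"])
```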
Practical application
•  Incentive structures that drive the DNS ecosystem
•  “Clean Netherlands”: enhance the self-cleansing ability of the Dutch hosting market by
•  promoting best practices and awareness
•  pressuring the rotten apples
Summary
•  REMEDI3S-TLD
•  Security metrics for TLDs
•  Security metrics for hosting providers
•  Practical application
ACKNOWLEDGEMENTS
The research leading to these results was funded by SIDN (www.sidn.nl)

QCon London: Mastering long-running processes in modern architectures
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 

Reputation Metrics to Improve TLD Security

  • 1. REMEDI3S-TLD: Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs. A project in collaboration with SIDN and NCSC. Maciej Korczyński, Delft University of Technology. Contact: maciej.korczynski@tudelft.nl. DHPA Techday, 21 May 2015, The Hague
  • 6. Agenda
    •  REMEDI3S-TLD
    •  Security incidents
    •  Types of security metrics
    •  Security metrics for TLDs
    •  Security metrics for hosting providers
    •  Practical application
    •  Summary
  • 7. Security incidents
    •  Blacklists: APWG; Shadowserver (botnet C&C, sandbox URLs, etc.); ESET, Sophos, Fortinet; Google Safe Browsing appeals; Malware Must Die; PhishTank; ZeuS Tracker; Dutch child pornography hotline; etc.
    •  Farsight Security (DNSDB)
  • 8. Types of security metrics
    •  Different layers of security metrics:
      •  Top Level Domains (TLDs)
      •  Market players related to the TLD (infrastructure providers): registrars, hosting providers, DNS service providers
      •  Network resources managed by each of the players, such as resolvers and name servers
  • 9. Security metrics for TLDs
    •  Size estimate for different market players, e.g. TLDs
      •  Problem: access to the zone files of all TLDs
      •  Solution: zone files, APWG reports, DNSDB
  • 10. Security metrics for TLDs
    •  Type of reputation metric
      •  Problem: estimating the amount of badness
      •  Solutions (TLDs): (a) number of unique domains; (b) number of FQDNs; (c) number of URLs
  • 11. Security metrics for TLDs
    •  Type of reputation metric
      •  Problem: up-times of maliciously registered/compromised domains
      •  Solutions: (a) DNS-based scanner; (b) content-based scanner
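The TLD metrics of slides 9 to 11 carried through in code, as an added example that is not the project's own code and not how REMEDI3S-TLD produced its figures: a constructed blacklist feed is reduced to the three badness counts per TLD (unique registered domains, unique FQDNs, unique URLs), the unique-domain count is corrected for an assumed zone size, and a domain's up-time is derived from a constructed DNS-scanner log. The public-suffix table, blacklist rows, zone sizes and scan log are all invented for the illustration; a real run would use the full Public Suffix List and zone sizes from the zone files or DNSDB.

```python
"""Per-TLD badness counts and normalisation from blacklist URLs.

Added example, not the REMEDI3S-TLD project's code. The public-suffix table,
blacklist rows, zone sizes and scanner log below are constructed for the
illustration only.
"""
from datetime import datetime
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List. Multi-label entries matter:
# "example.co.uk" is one registered domain under .uk, not a host under "co.uk".
PUBLIC_SUFFIXES = {"nl", "com", "de", "uk", "co.uk", "org.uk"}

# Constructed blacklist feed (APWG / PhishTank style URL rows).
BLACKLIST = [
    "http://login.bank-update.nl/secure/index.php",
    "http://login.bank-update.nl/secure/verify.php",  # same FQDN, second URL
    "http://cdn.bank-update.nl/a.exe",                 # same domain, other FQDN
    "https://shop.example.co.uk:8443/pay",             # port and multi-label suffix
    "http://www.example.co.uk/pay",
    "http://203.0.113.7/panel/",                       # bare IP: no TLD to credit
    "http://example.com/x",
    "not a url",                                       # feed noise
]

# Constructed zone sizes (registered domains per TLD) for normalisation.
ZONE_SIZE = {"nl": 5_500_000, "uk": 10_000_000, "com": 120_000_000}

# Constructed DNS-based scanner log for one domain: (probe time, name resolved?).
SCAN_LOG = [
    (datetime(2015, 5, 1, 0), True),
    (datetime(2015, 5, 1, 12), True),
    (datetime(2015, 5, 2, 6), True),
    (datetime(2015, 5, 2, 18), False),  # first probe after take-down
]


def split_host(url):
    """Return (tld, registered_domain, fqdn) for a URL, or None when the host
    is missing, an IP literal, or itself a public suffix."""
    try:
        host = urlsplit(url).hostname  # drops scheme, userinfo, port, path
    except ValueError:
        return None
    if not host or "." not in host:
        return None
    try:
        ip_address(host)
        return None  # IP-hosted abuse belongs to an AS metric, not a TLD
    except ValueError:
        pass
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest suffix first, so co.uk beats uk
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # host is the suffix itself; nothing is registered
            return labels[-1], ".".join(labels[i - 1:]), host.lower()
    return None


def tld_badness(urls):
    """Slide 10's three counts per TLD: unique registered domains, FQDNs, URLs."""
    per_tld = {}
    for url in urls:
        parts = split_host(url)
        if parts is None:
            continue
        tld, domain, fqdn = parts
        d = per_tld.setdefault(tld, {"domains": set(), "fqdns": set(), "urls": set()})
        d["domains"].add(domain)
        d["fqdns"].add(fqdn)
        d["urls"].add(url)
    return {t: {k: len(v) for k, v in d.items()} for t, d in per_tld.items()}


def per_10k_domains(badness, zone_size):
    """Slide 9's size correction: abusive domains per 10,000 registered domains.
    Raw counts alone make large TLDs look worse than they are."""
    return {t: 10_000 * c["domains"] / zone_size[t]
            for t, c in badness.items() if t in zone_size}


def uptime_hours(observations):
    """Slide 11's up-time from a DNS-based scanner: hours from the first probe
    to the last probe at which the name still resolved. This is a lower bound;
    the true take-down lies somewhere before the next negative probe."""
    resolving = [t for t, ok in observations if ok]
    if not resolving:
        return 0.0
    return (max(resolving) - observations[0][0]).total_seconds() / 3600


if __name__ == "__main__":
    counts = tld_badness(BLACKLIST)
    print(counts)                              # nl: 1 domain, 2 FQDNs, 3 URLs
    print(per_10k_domains(counts, ZONE_SIZE))
    print(uptime_hours(SCAN_LOG), "hours")    # 30.0
```

Which of the three counts to report is a design choice with consequences: URL counts reward a feed that lists every path on one compromised host, FQDN counts reward wildcard subdomains, and registered-domain counts are the hardest for a single incident to inflate, which is why the zone-size correction is applied to that one.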
  • 12. Results
    •  Estimation of the amount of badness for TLDs
    •  Datasets: suitability, coverage
  • 13-15. Results (figures only)
    •  Estimation of the amount of badness
  • 16. Security metrics for hosting providers
    1.  Count badness per AS across different data sources
    2.  Normalize for the size of the AS (in 3 ways)
    Pipeline (from the slide diagram):
      Abuse feeds: Shadowserver Compromise, Shadowserver Sandbox URL, ZeuS Tracker C&Cs, MLAT requests, APWG, StopBadware, ...
      pDNS / IP routing: Farsight Security pDNS data, Internet IP routing data
      Abuse mapping  -> # unique abuse events per AS
      Size mapping   -> # advertised IPs, # IPs in pDNS, # domains hosted
      Normalization  -> # abuse / size
    Worked numbers from the slide:
      Abuse maps                     AS#1    AS#2
        PhishTank                     100     200
        MLAT                           50      73
      Size maps                      AS#1    AS#2
        Advertised IPs                256    1024
        Domains hosted                 23    1232
      Normalized abuse               AS#1    AS#2
        PhishTank / advertised IPs   0.39    0.19
        PhishTank / domains hosted   4.34    0.16
        MLAT / advertised IPs        0.19    0.07
        MLAT / domains hosted        2.17    0.05
  • 17. Security metrics for hosting providers
    3.  Rank ASes on amount of badness
    4.  Aggregate rankings (Borda count)
    5.  Identify ASes with consistently high concentrations of badness
    Worked numbers from the slide (input: the normalized abuse values of slide 16; one ranking per normalized metric, combined with a Borda count and sorted high to low):
      Abuse rankings                 AS#1    AS#2
        PhishTank ranking 1           834     833
        PhishTank ranking 2           834     833
        MLAT ranking 1                235     234
        MLAT ranking 2                235     234
      Borda count ranking (overall): AS#1 2354, AS#2 1834, AS#3 1542, AS#4 1322
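The five-step hosting-provider pipeline of slides 16 and 17, as an added example in Python (this is not the project's code): abuse counts per AS and feed, normalization by each size measure, one ranking per normalized metric, a Borda-count aggregate, and the set of ASes that land in the worst k of every metric. AS#1 and AS#2 reuse the slide's illustrative counts and sizes; AS#3 and AS#4, the feed and size choices, the handling of zero-size ASes and the Borda point scheme (n minus rank points in a ranking of n ASes) are assumptions made for the example.

```python
"""Hosting-provider reputation pipeline: count, normalise, rank, aggregate.

Added example, not the REMEDI3S-TLD project's code. AS1/AS2 figures are the
slide's illustrative numbers; AS3/AS4 and the point scheme are constructed.
"""
from collections import defaultdict

# Step 1: unique abuse events per AS, per feed (constructed; AS1/AS2 from the slide).
ABUSE = {
    "PhishTank": {"AS1": 100, "AS2": 200, "AS3": 12, "AS4": 0},
    "MLAT":      {"AS1": 50,  "AS2": 73,  "AS3": 4,  "AS4": 1},
}

# Step 2 input: size of each AS under two of the slide's size measures.
SIZE = {
    "Advertised IPs": {"AS1": 256, "AS2": 1024, "AS3": 65536, "AS4": 0},
    "Domains Hosted": {"AS1": 23,  "AS2": 1232, "AS3": 9000,  "AS4": 40},
}


def normalize(abuse, size):
    """Step 2: {(feed, size_measure): {asn: abuse / size}}.

    An AS with size 0 under a measure (AS4 advertises no prefixes here) is
    left out of that metric: 0/0 is unmeasurable, not clean, and the AS then
    simply earns no Borda points from that metric."""
    metrics = {}
    for feed, counts in abuse.items():
        for measure, sizes in size.items():
            metrics[(feed, measure)] = {
                asn: counts.get(asn, 0) / n for asn, n in sizes.items() if n > 0
            }
    return metrics


def rank_desc(values):
    """Step 3: rank ASes from most to least abuse. Returns {asn: rank} with
    rank 1 = worst; equal values share a rank (competition ranking)."""
    ordered = sorted(values.items(), key=lambda kv: -kv[1])
    ranks, prev_val, prev_rank = {}, None, 0
    for pos, (asn, val) in enumerate(ordered, start=1):
        if val != prev_val:
            prev_rank, prev_val = pos, val
        ranks[asn] = prev_rank
    return ranks


def borda(rankings):
    """Step 4: Borda count. In a ranking of n ASes, rank r earns n - r points
    (worst AS n - 1, cleanest 0); points are summed over all rankings and the
    result sorted high to low, so a high total means bad across many views."""
    total = defaultdict(int)
    for ranks in rankings:
        n = len(ranks)
        for asn, r in ranks.items():
            total[asn] += n - r
    return dict(sorted(total.items(), key=lambda kv: -kv[1]))


def consistently_bad(metrics, top_k):
    """Step 5: ASes that sit in the worst top_k of *every* normalized metric,
    i.e. whose concentration of badness does not depend on the feed or on
    the size measure chosen."""
    worst = [{a for a, r in rank_desc(m).items() if r <= top_k} for m in metrics.values()]
    return set.intersection(*worst) if worst else set()


def run(abuse=ABUSE, size=SIZE, top_k=2):
    metrics = normalize(abuse, size)
    overall = borda([rank_desc(m) for m in metrics.values()])
    return metrics, overall, consistently_bad(metrics, top_k)


if __name__ == "__main__":
    metrics, overall, bad = run()
    for key, m in metrics.items():
        print(key, {a: round(v, 2) for a, v in m.items()})
    print("Borda totals:", overall)          # AS1 highest, then AS2
    print("worst-2 in every metric:", bad)   # {'AS1', 'AS2'}
```

The two normalizations deliberately disagree about how bad AS2 is relative to AS1 (200 phishing hits on 1024 addresses versus 100 on 256, but 200 on 1232 hosted domains versus 100 on 23); ranking each metric separately and only then combining the ranks is what keeps one favourable size measure from hiding an AS that every other view puts at the top.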
  • 20. Practical application
    •  Incentive structures that drive the DNS ecosystem
    •  "Clean Netherlands": enhance the self-cleansing ability of the Dutch hosting market by
      •  promoting best practices and awareness
      •  pressuring the rotten apples
  • 21. Summary
    •  REMEDI3S-TLD
    •  Security metrics for TLDs
    •  Security metrics for hosting providers
    •  Practical application
  • 22. Acknowledgements
    The research leading to these results was funded by SIDN (www.sidn.nl)