Survey of DNS abuse types

SIDN Labs presents a survey of DNS-related abuses and how top-level domain (TLD) operators can use their datasets to detect the various types of abuse.

Along with the performance and stability of DNS services, security is one of the main research areas we work in at SIDN Labs. Our goal is to innovate and to put those innovations to use in operational services and processes. For example, we are currently running a pilot in cooperation with registrars, called nDEWS. nDEWS aims to detect suspicious newly registered ('zero day') domain names from the volume of queries submitted to our authoritative servers in the period immediately following registration. (If you are a registrar interested in this free service, see this website.)
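To illustrate the idea behind nDEWS described above, here is an added example (written for this post, not SIDN's nDEWS implementation): it joins constructed registration records with constructed authoritative query log lines, counts the queries each domain receives in the first 24 hours after registration, and flags domains whose early volume is far above the population median. The 24-hour window, the query-log line format and the flagging thresholds are assumptions, not nDEWS's actual parameters.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed registration records: domain -> registration timestamp (UTC).
REGISTRATIONS = {
    "shop-a.nl": datetime(2017, 3, 1, 9, 0),
    "shop-b.nl": datetime(2017, 3, 1, 9, 5),
    "shop-c.nl": datetime(2017, 3, 1, 9, 10),
    "shop-d.nl": datetime(2017, 3, 1, 9, 15),
    "burst-x.nl": datetime(2017, 3, 1, 9, 20),
}

# Constructed authoritative query log, one "timestamp qname qtype" per line.
# The last entry generates a 40-query burst for burst-x.nl within one minute.
QUERY_LOG = [
    "2017-03-01T10:00:00 shop-a.nl A",
    "2017-03-01T15:30:00 shop-a.nl A",
    "2017-03-04T11:00:00 shop-a.nl A",   # outside the 24h window, ignored
    "2017-03-01T12:00:00 shop-b.nl MX",
    "2017-03-02T08:00:00 shop-b.nl A",
    "2017-03-01T09:30:00 shop-c.nl A",
    "2017-03-01T11:00:00 shop-d.nl A",
    "2017-03-01T20:00:00 shop-d.nl A",
    "2017-03-02T06:00:00 shop-d.nl A",
] + [f"2017-03-01T09:21:{i:02d} burst-x.nl A" for i in range(40)]


def count_early_queries(registrations, log_lines, window=timedelta(hours=24)):
    """Count authoritative queries per domain received within `window`
    after that domain's registration; queries outside the window are dropped."""
    counts = dict.fromkeys(registrations, 0)
    for line in log_lines:
        ts, qname, _qtype = line.split()
        reg = registrations.get(qname)
        if reg is None:          # not a newly registered domain, skip
            continue
        t = datetime.fromisoformat(ts)
        if reg <= t < reg + window:
            counts[qname] += 1
    return counts


def flag_suspicious(counts, factor=5, min_queries=20):
    """Flag domains whose early query volume is at least `factor` times the
    population median and at least `min_queries` (assumed thresholds)."""
    base = median(counts.values())
    return {d: n for d, n in counts.items() if n >= max(min_queries, factor * base)}


if __name__ == "__main__":
    print(flag_suspicious(count_early_queries(REGISTRATIONS, QUERY_LOG)))
```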

There are, however, several other types of DNS-related abuse. As we explain in our paper, nDEWS focuses on just one category: abuse involving newly registered domains. Spamming domains, malware distribution, command-and-control botnets, and shops selling fake goods and drugs are just a few of the other types. Each form of abuse has its own 'business model'. In other words, the various abuses rely upon different operating strategies. And each business model leaves its own unique 'traces' in the datasets that we manage as a registry (those datasets being registration data, authoritative traffic and DNS records, as shown in the figure below).


Figure 1: TLD Operations: registration (left), domain name resolution (right), and derived datasets. Source: DISSECT 2017 paper.

Although a lot of great research on DNS abuse has already been published, most of the studies are limited insofar as they are constrained by the datasets available to the researchers, which cover a particular time frame or contain a particular type of data. Those intrinsic limitations fortunately do not apply to us, because our role as the registry for .nl means that we have access to historical and longitudinal datasets (see Figure 1).

However, before deciding how to proceed with new security projects, we needed to understand exactly which abuse types had already been covered in the literature, and what their respective business models are. We therefore began by presenting an abstract at DNS and Internet Naming Research Directions 2016, a workshop organized by the ISI/USC at Marina del Rey, California, right after the ACM IMC 2016 conference (for details, see our previous blog).

We have since developed the abstract into a paper entitled Domain names abuse and TLDs: from monetization towards mitigation. The paper provides a concise survey of the business models currently employed by malicious actors in abusing the DNS, and how those models leave different traces in our datasets. The work is useful not only to our SIDN Labs team, who can draw on it when designing new security solutions, but also to other researchers and registries interested in developing their own solutions.

This paper has been peer-reviewed and we will present it at the 3rd IEEE/IFIP Workshop on Security for Emerging Distributed Network Technologies (DISSECT), which is co-located with the IFIP/IEEE International Symposium on Integrated Network Management (IM 2017). The two events take place in May 2017, in Lisbon, Portugal. We invite you to take a look at the post-print version of our paper (PDF) and welcome your feedback.

From the abstract:

Hidden behind domain names, there are lucrative (and ingenious) business models that misuse/abuse the DNS namespace and employ a diversified form of monetization. To curb some of those abuses, many research works have been proposed. However, while having a clear contribution and advancing the state of the art, these works are constrained by their limited datasets and none of them presents a survey on the forms of DNS abuse. In this paper, we address these limitations by presenting a case study of one top-level domain (TLD) operator, .nl, with diverse longitudinal datasets. We then cover eight business models that DNS abusers employ and their respective monetization forms, and discuss how TLD operators can employ these datasets to detect these forms of abuse.