
DarkDNS: Revisiting the Value of Rapid Zone Update (2405.12010v4)

Published 20 May 2024 in cs.NI

Abstract: Malicious actors exploit the DNS namespace to launch spam campaigns, phishing attacks, malware, and other harmful activities. Combating these threats requires visibility into domain existence, ownership and nameservice activity that the DNS protocol does not itself provide. To facilitate visibility and security-related study of the expanding gTLD namespace, ICANN introduced the Centralized Zone Data Service (CZDS) that shares daily zone file snapshots of new gTLD zones. However, a remarkably high concentration of malicious activity is associated with domains that do not live long enough to make it into these daily snapshots. Using public and private sources of newly observed domains, we discover that even with the best available data there is a considerable visibility gap in detecting short-lived domains. We find that the daily snapshots miss at least 1% of newly registered and short-lived domains, which are frequently registered with likely malicious intent. In reducing this critical visibility gap using public sources of data, we demonstrate how more timely access to TLD zone changes can provide valuable data to better prevent abuse. We hope that this work sparks a discussion in the community on how to effectively and safely revive the concept of sharing Rapid Zone Updates for security research. Finally, we release a public live feed of newly registered domains, with the aim of enabling further research in abuse identification.
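The visibility gap the abstract describes can be made concrete with a small model. The Python below is an added example, not code from the paper or its authors: it builds constructed CZDS-style daily snapshots and a constructed newly-observed-domain feed (the kind a CT-log or passive-DNS source yields), derives the add/remove events a snapshot consumer can reconstruct by diffing consecutive days, lists feed domains that never appear in any snapshot, and checks whether a domain with a given registration and deletion time would be caught by a snapshot taken every `period_h` hours. All domain names, timestamps and snapshot contents are made up, and the uniform-registration-time assumption behind `miss_probability` is mine rather than the paper's.

```python
"""Visibility gap of daily zone snapshots for short-lived domains.

Added example (not code from the paper). All domain names, snapshot
contents and timestamps below are constructed sample data.
"""
import math

# Constructed daily zone-file snapshots, CZDS-style: one set per day,
# taken at 00:00 of that day (hour = 24 * day).
SNAPSHOTS = {
    0: {"stable-a.example", "stable-b.example"},
    1: {"stable-a.example", "stable-b.example", "two-day.example"},
    2: {"stable-a.example", "two-day.example", "one-day.example"},
    3: {"stable-a.example", "one-day.example"},
}

# Constructed newly-observed-domain feed (what a CT-log or passive-DNS
# source would yield): (domain, first_seen_hour since day 0 00:00).
NOD_FEED = [
    ("two-day.example", 9.0),
    ("six-hour-phish.example", 30.0),   # day 1 06:00, gone by 12:00
    ("one-day.example", 40.0),
    ("two-hour-phish.example", 60.0),   # day 2 12:00, gone by 14:00
]


def zone_changes(snapshots):
    """Derive (day, added, removed) events by diffing consecutive snapshots.

    This is all a daily-snapshot consumer can reconstruct: a domain that is
    added and deleted between two snapshots produces no event at all.
    """
    days = sorted(snapshots)
    return [
        (cur, snapshots[cur] - snapshots[prev], snapshots[prev] - snapshots[cur])
        for prev, cur in zip(days, days[1:])
    ]


def snapshot_gap(snapshots, nod_feed):
    """Feed domains that never show up in any snapshot, plus their share of the feed."""
    ever_seen = set().union(*snapshots.values())
    missed = sorted(d for d, _ in nod_feed if d not in ever_seen)
    return missed, len(missed) / len(nod_feed)


def captured_by_periodic_snapshot(registered_h, deleted_h, period_h=24.0, offset_h=0.0):
    """True if a snapshot taken at offset_h + k*period_h lands in [registered_h, deleted_h)."""
    if deleted_h <= registered_h:
        raise ValueError("deletion must come after registration")
    k = math.ceil((registered_h - offset_h) / period_h)  # first snapshot at or after registration
    return offset_h + k * period_h < deleted_h


def miss_probability(lifetime_h, period_h=24.0):
    """Share of registration times (assumed uniform within one period) for which
    a domain alive for lifetime_h hours is never present in any snapshot."""
    return max(0.0, 1.0 - lifetime_h / period_h)


if __name__ == "__main__":
    for day, added, removed in zone_changes(SNAPSHOTS):
        print(f"day {day}: +{sorted(added)} -{sorted(removed)}")
    missed, share = snapshot_gap(SNAPSHOTS, NOD_FEED)
    print(f"missed by daily snapshots: {missed} ({share:.0%} of feed)")
    for period in (24.0, 1.0):
        print(f"6h domain registered at 06:00, {period:g}h snapshots:",
              captured_by_periodic_snapshot(30.0, 36.0, period_h=period))
    print("P(miss) for a 6h domain under daily snapshots:", miss_probability(6.0))
```

Two points fall out of the model. A domain that lives at least one full snapshot period is always captured, whatever its registration time, whereas a domain alive for six hours is missed for three quarters of possible registration times under a 24-hour cadence and never under an hourly one; that is the case for the rapid zone updates the abstract argues for. And diffing snapshots cannot recover the missing domains after the fact, so an independent newly-observed-domain source is the only way to measure the gap at all.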

