remedi3s-tld: reputation metrics design to improve ... · design to improve intermediary incentives...
TRANSCRIPT
REMEDI3S-TLD: Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs
A project in collaboration with SIDN and NCSC
Maciej Korczyński Delft University of Technology Contact: [email protected] ICANN 54 Techday 19 October 2015, Dublin
REMEDI3S-TLD
REMEDI3S-TLD
REMEDI3S-TLD
REMEDI3S-TLD
Agenda
• Types of security metrics
• Security metrics for TLDs
• Security metrics for hosting providers
• Discussion
Types of security metrics
• Different layers of security metrics:
• Top Level Domains (TLDs)
• Market players related to the TLD (infrastructure providers): registrars, hosting providers, DNS service providers
• Network resources managed by each of the players, such as resolvers, name servers
Security metrics for TLDs
Security metrics for TLDs
• Type of reputation metrics
• Concentration of malicious content:
a) Number of unique domains b) Number of FQDN c) Number of URLs
Security metrics for TLDs
• Type of reputation metrics
• Concentration of malicious content:
a) Number of unique domains b) Number of FQDN c) Number of URLs
• Size matters!
• Type of reputation metrics (example)
Security metrics for TLDs
• Type of reputation metrics
• Up-times of maliciously registered/compromised domains
Security metrics for TLDs
Security metrics for hosting providers
Security metrics for hosting providers
1. Count badness per AS across different data sources
2. Normalize for the size of the AS (in 3 ways)
Abuse Feeds
p-‐DNS / IP Rou3ng
• Shadow Server Compromise • Shadow Server Sandbox URL • Zeustracker C&Cs • MLAT requests • APWG • StopBadware • …
# Advertised IPs # IPs in p-‐DNS # Domains Hosted
Abuse Mapping
Size Mapping
• Farsight Security p-‐DNS Data • Internet IP RouLng Data
# Unique Abuse / AS
Abuse Maps PhishTank AS#1 ß à 100 AS#2 ß à 200
MLAT AS#1 ß à 50 AS#2 ß à 73
Size Maps AdverLsed IPs AS#1 ß à 256 AS#2 ß à 1024
Domains Hosted AS#1 ß à 23 AS#2 ß à 1232
Normaliza3on
Normalized Abuse
PhishTank / Advrt. IPs AS#1 ß à 0.39 AS#2 ß à 0.19
PhishTank / Domains Hosted AS#1 ß à 4.34 AS#2 ß à 0.16
MLAT / Advrt. IPs AS#1 ß à 0.19 AS#2 ß à 0.07
MLAT / Domains Hosted AS#1 ß à 2.17 AS#2 ß à 0.05
• # Abuse / Size
3. Rank ASes on amount of badness
4. Aggregate rankings
5. Identify ASes with consistently high concentrations of badness
Rank
Abuse Ranking
PhishTank Ranking 1 AS#1 ß à 834 AS#2 ß à 833
PhishTank Ranking 2 AS#1 ß à 834 AS#2 ß à 833
MLAT Ranking 1 AS#1 ß à 235 AS#2 ß à 234
MLAT Ranking 2 AS#1 ß à 235 AS#2 ß à 234
Combine Ranks
Sort Rank High à Low Borda Count
Overall Ranking Borda Count Ranking AS#1 ß à 2354 AS#2 ß à 1834 AS#3 ß à 1542 AS#4 ß à 1322
Normalized Abuse
PhishTank / Advrt. IPs AS#1 ß à 0.39 AS#2 ß à 0.19
PhishTank / Domains Hosted AS#1 ß à 4.34 AS#2 ß à 0.16
MLAT / Advrt. IPs AS#1 ß à 0.19 AS#2 ß à 0.07
MLAT / Domains Hosted AS#1 ß à 2.17 AS#2 ß à 0.05
Security metrics for hosting providers
Practical application
• “Clean Netherlands”: Enhance self cleansing ability of the Dutch hosting market by
• promoting best practices and awareness
• pressuring the rotten apples
Discussion
• Compare your TLD against the market
• Driving factors (why the attackers are more interested in certain types of domains?)
• Let us know about policy changes, pricing
Discussion
• Limitations: metrics for smaller TLDs are more sensitive to individual security incidents
• Abuse handling initiatives
Discussion
• Limited access to:
• Domain WHOIS (classifier between maliciously registered and legitimate domains, metrics for registrars)
• Datasets, e.g. shadow server reports
• Feedback
ACKNOWLEDGEMENTS
The research leading to these results was funded by SIDN (www.sidn.nl) Many thanks to: Cristian Hesselman (SIDN Labs), Paul Vixie (Farsight Security), and Thorsten Kraft (Cyscon)
Contact information: Maciej Korczyński Delft University of Technology [email protected]
• Type of reputation metrics
Security metrics for TLDs