29 September 2017 to 3 October 2017
Fairmont San Jose
US/Pacific timezone

What's Lurking in Core Domains

30 Sept 2017, 12:10
30m
Regency 2 Ballroom (Fairmont San Jose)

170 S Market Street, San Jose, 95113, CA, USA
Standard Presentation / Public Workshop

Speaker

Mr Yuriy Yuzifovich (Nominum)

Description

A “core” domain, aka an “effective 2nd level domain” (e2LD), usually captures domain ownership (www.example1.com, www.example2.co.uk) and is thus a useful marker for analysis of DNS data. New core domains are particularly interesting, since they’re highly correlated with malicious activity. For the past 5 years we’ve been tracking new core domains, and last year we undertook a project to greatly improve our infrastructure in order to study them more intensively. This presentation will discuss the development of a read/write in-memory processing engine that was used on a 1 million QPS data stream collected from resolvers worldwide. This engine was designed to enable real-time processing to reduce noise in the data and evaluate the relevance of each query. Typical findings in the data will also be discussed: basic stats such as what percentage of queries to new core domains resolve, first-level categorical distribution (benign, returns errors, suspected DGA, scanning, suspicious, confirmed malicious), how often new core domains are queried, by how many IPs, etc. Finally, it will discuss methods for turning this raw data into actionable intelligence.
Talk Duration 30 Minutes
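The abstract relies on two building blocks: reducing a query name to its core domain (e2LD) and then keeping per-core-domain statistics for domains not seen before. The Python below is an added illustration of both, not Nominum's engine and not code from the talk: it uses a constructed subset of the Public Suffix List (the real list is much larger and has wildcard and exception rules not modelled here) and a constructed batch of query records, whereas the engine described above works in memory on a live stream. The stats it produces (queries per new core domain, distinct client IPs, share of queries that resolve) are the ones the abstract names.

```python
"""Core-domain (e2LD) extraction plus first-seen tracking over DNS query records.
Added example; the suffix list and query records are constructed, not real data."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed subset of the Public Suffix List (publicsuffix.org). A real
# deployment loads the full list; wildcard ("*.ck") and exception ("!") rules
# are deliberately not modelled here.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "ru", "io"}


def core_domain(name: str) -> Optional[str]:
    """Return the effective 2nd-level domain of `name`, or None when the name is
    itself a public suffix (or a bare single label). The longest matching suffix
    rule wins; with no matching rule the PSL default ("*") treats the last label
    as the suffix, so "foo.localhost" yields "foo.localhost"."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    if not labels:
        return None
    best = None  # index of the first label of the longest matching suffix
    for i in range(len(labels) - 1, -1, -1):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            best = i
    if best is None:
        best = len(labels) - 1  # default rule: last label is the public suffix
    if best == 0:
        return None  # the whole name is a public suffix, nothing owns it
    return ".".join(labels[best - 1:])


@dataclass
class CoreStats:
    queries: int = 0
    resolved: int = 0                      # responses with rcode NOERROR
    clients: Set[str] = field(default_factory=set)  # distinct querying IPs


@dataclass
class NewCoreDomainTracker:
    """Tracks only core domains that were not in `known` when observation began."""
    known: Set[str] = field(default_factory=set)
    stats: Dict[str, CoreStats] = field(default_factory=lambda: defaultdict(CoreStats))

    def observe(self, qname: str, client_ip: str, rcode: str) -> Optional[str]:
        core = core_domain(qname)
        if core is None or core in self.known:
            return None  # noise (bare suffix) or an already-known core domain
        s = self.stats[core]
        s.queries += 1
        s.clients.add(client_ip)
        if rcode == "NOERROR":
            s.resolved += 1
        return core

    def summary(self) -> dict:
        total = sum(s.queries for s in self.stats.values())
        resolved = sum(s.resolved for s in self.stats.values())
        return {
            "new_core_domains": len(self.stats),
            "queries_to_new": total,
            "pct_resolving": round(100 * resolved / total, 1) if total else 0.0,
            # per core domain: (queries, distinct client IPs, resolved queries)
            "per_domain": {c: (s.queries, len(s.clients), s.resolved)
                           for c, s in self.stats.items()},
        }


# Constructed resolver records: "<unix_ts> <client_ip> <qname> <rcode>".
# Client IPs are from documentation ranges; the names are made up.
SAMPLE_LOG = """\
1506772200 198.51.100.7 www.example1.com NOERROR
1506772201 198.51.100.7 mail.example1.com NOERROR
1506772202 203.0.113.4 www.example2.co.uk NOERROR
1506772203 203.0.113.9 xkq7v2p9a.net NXDOMAIN
1506772204 203.0.113.9 xkq7v2p9a.net NXDOMAIN
1506772205 198.51.100.7 cdn.fresh-site.io NOERROR
1506772206 203.0.113.4 fresh-site.io NOERROR
1506772207 198.51.100.7 co.uk NOERROR
"""


def run_sample(known=frozenset({"example1.com"})) -> dict:
    """Feed the constructed records through the tracker; `known` stands in for the
    set of core domains already seen before the observation window."""
    tracker = NewCoreDomainTracker(known=set(known))
    for line in SAMPLE_LOG.splitlines():
        _ts, ip, qname, rcode = line.split()
        tracker.observe(qname, ip, rcode)
    return tracker.summary()


if __name__ == "__main__":
    print(run_sample())
```

With `example1.com` marked as already known, three new core domains remain: one resolving name queried once by one client, one NXDOMAIN-only name queried twice by a single client (the pattern the abstract's "returns errors" and "suspected DGA" categories are built on), and one resolving name queried by two clients; the `co.uk` query is dropped as a bare suffix rather than counted as a core domain.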

Primary author

Mr Yuriy Yuzifovich (Nominum)

Presentation materials