Ever since domain names entered the mainstream, there have been people who abused them. Common abuses include phishing, spreading viruses and sending spam. The sooner after registration the domain names involved can be identified, the better.
So SIDN Labs has been working on the development of nDEWS: a DNS infrastructure monitoring system for the early detection of abusive domain names.
What's is the DNS infrastructure?
As the registry for .nl, SIDN manages the DNS infrastructure for the .nl zone. So, whenever anyone wants to reach a .nl domain, it has to be looked up on one of our .nl name servers. The server tells the user's device how to reach the domain. Every day, our systems process more than 1.4 billion look-up queries from users all over the world. Many of the queries – about 400 million of them a day – are added to ENTRADA, the data analysis platform that SIDN Labs has developed.
What is nDEWS?
nDEWS stands for 'new Domains Early Warning System'. It's an automated monitoring system developed by SIDN Labs, our research and development team. nDEWS can detect domain names with a high-risk profile shortly after registration. Suspect names are recognised by looking at the registration data in combination with patterns picked up in the DNS traffic.
How does nDEWS work?
It's been known for a while that domain names used for phishing are associated with abnormal DNS query patterns in the period immediately after registration. A 'normal' domain name generates a gradually increasing number of queries, but the registration of an abusive domain is often quickly followed by a sharp traffic peak. That's because criminals generally have a short time window before their phishing, spamming or malware activities are spotted and their sites taken down. The following diagram shows how a normal traffic pattern compares with a suspect one. The purple line is what we usually see after the registration of an innocent domain name, while the blue one is typical of a domain name that's being abused for phishing. nDEWS combines the traffic patterns with other pointers, such as the number of unique IP addresses the queries come from and the numbers of different countries and networks involved. Analysis of those pointers has revealed clear differences between normal domains and suspicious domains. The picture built up during our research period is illustrated below.
What makes nDEWS different from other monitoring systems?
Blacklists and feeds listing suspicious domain names have been around for a while, of course. Many readers will be familiar with Netcraft's service, for example. However, nDEWS is capable of recognising more abusive domain names than conventional services. That's because nDEWS analyses all new registrations in real time (excluding reactivations of quarantined domain names). It doesn't simply respond to reports of abuse. nDEWS also works much faster. Monitoring of traffic patterns and attributes starts shortly after a domain name is registered with SIDN, and the tell-tale signs are soon apparent. nDEWS is therefore a very useful adjunct to existing blacklists and abuse feeds.
What next?
We are currently running a pilot, which involves providing two .nl registrars with notifications about suspect domain names registered through them. The registrars check out the domains in question to see whether abuse is actually taking place. If it is, they can deactivate the domain names before criminal activity begins. Using feedback from the pilot, we'll consider the best way to use nDEWS and what refinements we need to make. We also plan to integrate more identifying attributes into the system. By taking account of things such as IP reputation, site analysis and registration data, the aim is to get even better results and minimise the number of false positives.
More information?
The full research report is available to read.
For more information about nDEWS or preventing domain name abuse, please contact Pim Pastoors.
