Domain & Network Reputation

Topics: DNSBL · NOTOS · Kopis · Passive DNS · Mobile
01 //

Motivation

Static DNSBL (blacklist) model: new IP addresses are trusted until proven guilty, which is increasingly ineffective. Need a dynamic, comprehensive reputation system that outputs scores for domains.

Key Intuitions
  • Legitimate vs botnet uses of domains differ; differences observable in DNS query traffic
  • Patterns of requesters, resolved IPs, and network providers matter
  • Extract temporal and statistical features → compute/learn models

Malicious Domain Characteristics

Botnets

Short-lived domains - fast-flux, quick turnover

Spyware

Anonymously registered domains

Adware

Disposable domains

Detection heuristics: number of characters, hyphens, digits in domain names.

02 //

DNSBL Levels

DNS Blacklist (DNSBL) levels categorize trust in IP addresses for spam/email.

Level   Description
White   Complete trust
Black   No trust
Grey    Known to produce both spam and non-spam
Yellow  Associated with spam-like behaviors but not directly spamming
NoBL    Does not send spam, but not fully trustworthy

03 //

NOTOS

NOTOS dynamically assigns reputation scores to domain names using passive DNS. Monitors at recursive DNS level.

Terminology
  • RR - Resource Record (domain → IP)
  • 2LD, 3LD - Second/third-level domain (e.g. example.com, www.example.com)
  • RHIPs - Related Historic IPs (all IPs historically mapped to the domain)
  • RHDNs - Related Historic Domains (all FQDNs historically linked with an IP, CIDR block, or AS)
  • ADNT - Authoritative domain name tuple (requester, domain, RDATA)

Feature Categories

Network-Based

From RHIPs: number of IPs, geographic diversity, number of distinct ASes, etc.

Zone-Based

From RHDNs: average domain-name length, TLD distribution, character frequency

Evidence-Based

Malware samples that contacted domain or resolved IPs
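As an added illustration (not code from NOTOS or from these notes), the following Python derives RHIPs and RHDNs from a passive-DNS sample and computes a few network-based and zone-based features of the kind listed above; the records, the /24-to-ASN table, and every name and address in it are constructed, hypothetical values.

```python
# Constructed passive-DNS A records (fqdn, ip) as seen at a recursive
# resolver; a hypothetical sample, not NOTOS data.
RECORDS = [
    ("www.example.com", "203.0.113.10"),
    ("mail.example.com", "203.0.113.11"),
    ("ff-node1.badzone.org", "198.51.100.5"),
    ("ff-node2.badzone.org", "192.0.2.77"),
    ("x7-9k.badzone.org", "203.0.113.200"),
    ("login.badzone.org", "198.51.100.9"),
]

# Constructed /24-to-ASN table standing in for BGP/whois data; hypothetical.
ASN_BY_24 = {"203.0.113": 64500, "198.51.100": 64501, "192.0.2": 64502}

def prefix24(ip):
    """/24 prefix of an IPv4 address as a string, e.g. 203.0.113."""
    return ip.rsplit(".", 1)[0]

def two_ld(fqdn):
    """Second-level domain, e.g. www.example.com -> example.com."""
    return ".".join(fqdn.split(".")[-2:])

def rhips(domain):
    """Related Historic IPs: every IP the 2LD or any subdomain resolved to."""
    return {ip for fqdn, ip in RECORDS if two_ld(fqdn) == domain}

def rhdns(ips):
    """Related Historic Domains: every FQDN that resolved to one of the IPs."""
    return {fqdn for fqdn, ip in RECORDS if ip in ips}

def network_features(domain):
    """Network-based features from RHIPs (geo diversity omitted here)."""
    ips = rhips(domain)
    return {"n_ips": len(ips),
            "n_prefix24": len({prefix24(ip) for ip in ips}),
            "n_asn": len({ASN_BY_24.get(prefix24(ip)) for ip in ips})}

def zone_features(domain):
    """Zone-based features from RHDNs: length, TLD count, digit/hyphen ratio."""
    names = rhdns(rhips(domain))
    if not names:  # domain never seen in the passive-DNS sample
        return {"n_domains": 0}
    chars = "".join(names)
    return {"n_domains": len(names),
            "avg_len": sum(map(len, names)) / len(names),
            "n_tlds": len({n.rsplit(".", 1)[1] for n in names}),
            "digit_frac": sum(c.isdigit() for c in chars) / len(chars),
            "hyphen_frac": chars.count("-") / len(chars)}
```

In the constructed sample, badzone.org spreads four IPs over three /24s and three ASes while example.com stays in one, which is the kind of separation the network-based features are meant to expose.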

NOTOS Performance
  • Accuracy: low FP (0.38%), high TP (96.8%)
  • Predictability: detects fraudulent domains days or weeks before static blacklists

04 //

Kopis

Kopis uses passive monitoring at the upper DNS hierarchy - AuthDNS and TLD servers. Internet-wide visibility.

Kopis vs NOTOS

NOTOS: recursive DNS (RDNS). Kopis: Authoritative (TLDs, AuthNS, Root). Different vantage points.

Kopis Features

Requester Diversity (RD)

Are the querying machines (RDNS) localized or globally distributed? Measured by BGP prefixes, ASes, and country codes.

Requester Profile (RP)

Is the requesting RDNS an ISP/small-business resolver or a home resolver? Higher weight for RDNS serving large client populations.

Resolved-IPs Reputation (IPR)

Historical linkage of resolved IPs to malicious or legitimate activities.

Kopis Performance

High TP (98.4%), low FP (0.3%). Identifies new malicious domains weeks before blacklists. Detected China DDoS botnet ~1 month before propagation elsewhere.

05 //

Mobile Malware Prevalence Study

How prevalent are mobile infections? Mobile malware uses C&C infrastructure similar to desktop malware. Approach: DNS traffic in a cellular network → domains looked up by mobile apps → analyze the hosts.

Key Finding

Three months of data from a major US cellular ISP and a non-cellular ISP. Known mobile malware samples rare: 6,585 of 380M devices (0.002%). iOS and Android devices equally likely to connect to suspicious domains.

06 //

Summary

Domain & Network Reputation - Takeaways
  • Static blacklists fail - new IPs trusted; need dynamic reputation
  • NOTOS - recursive DNS; network/zone/evidence features; days/weeks early detection
  • Kopis - AuthDNS/TLD; requester diversity, profile, IP reputation; Internet-wide
  • Dynamic detection - needs global DNS visibility; can detect before local infection