Abstract
To prevent user exposure to a wide range of cyber-security threats, organizations and companies often resort to deploying blacklists in DNS resolvers or DNS firewalls. The impact of such a deployment is often measured by comparing the coverage of individual blacklists, by counting the number of blocked DNS requests, or by counting the number of flows redirected to a benign web page that shows a warning to the user. This paper proposes an alternative: using NetFlow data to measure the effect of a DNS-based blacklist deployment. Our findings suggest that only 38–40% of blacklisted flows are web traffic. Furthermore, the paper analyzes the flows blacklisted by IP address and shows that the majority of these are potentially benign, for example flows towards a web server that hosts both benign and malicious sites. Finally, the flows blacklisted by domain name are categorized as either spam or malware, and less than 6% of them are considered malicious.
Funded by Telenor A/S and Innovation Fund Denmark, 2021.
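The measurement idea in the abstract, matching NetFlow records against a blacklist rather than counting blocked DNS queries, can be illustrated with a small script. This is an added example, not code or data from the paper. It assumes NetFlow records reduced to a 5-tuple plus start time, a resolver log of (client, name, answer IP) triples used to attribute a flow to the name the client resolved shortly before it (the 300-second window is an arbitrary choice), and a blacklist containing both IP prefixes and domain names, as an RPZ feed would. All hosts, names and list entries are constructed (RFC 5737 test ranges).

```python
# Added example (not code from the paper): a minimal NetFlow-side measurement
# of what a DNS blacklist deployment would have hit. All records, names and
# networks below are constructed for illustration (RFC 5737 test ranges).
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WEB_PORTS = {80, 443}          # what we count as "web traffic"
ATTRIBUTION_WINDOW = 300       # seconds a DNS answer may explain a later flow (assumption)


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record (only the fields the measurement needs)."""
    src: str
    dst: str
    dport: int
    octets: int
    start: int   # epoch seconds


@dataclass(frozen=True)
class DnsAnswer:
    """One resolver log line: which client resolved which name to which IP."""
    client: str
    qname: str
    answer: str
    ts: int


def domain_blacklisted(qname, domain_blacklist):
    """RPZ-style match: the name itself or any parent domain is listed."""
    labels = qname.lower().rstrip('.').split('.')
    return any('.'.join(labels[i:]) in domain_blacklist for i in range(len(labels)))


def attribute_qname(flow, dns_index):
    """Most recent name the flow's client resolved to the flow's destination,
    within ATTRIBUTION_WINDOW seconds before the flow started; None otherwise."""
    cands = [a for a in dns_index.get((flow.src, flow.dst), ())
             if 0 <= flow.start - a.ts <= ATTRIBUTION_WINDOW]
    return max(cands, key=lambda a: a.ts).qname if cands else None


def classify_flows(flows, dns, ip_blacklist, domain_blacklist):
    """Map each flow to ('ip', dst) | ('domain', qname) | (None, qname)."""
    nets = [ip_network(n) for n in ip_blacklist]
    dns_index = {}
    for a in dns:
        dns_index.setdefault((a.client, a.answer), []).append(a)
    out = {}
    for f in flows:
        qname = attribute_qname(f, dns_index)
        if any(ip_address(f.dst) in n for n in nets):
            out[f] = ('ip', f.dst)                      # would be blocked by an IP entry
        elif qname and domain_blacklisted(qname, domain_blacklist):
            out[f] = ('domain', qname)                  # would be blocked by a domain entry
        else:
            out[f] = (None, qname)
    return out


def summarize(classified):
    """The counts the abstract talks about: how many flows a blacklist touches,
    what share of them is web traffic, and IP- vs domain-based hits."""
    hits = {f: r for f, r in classified.items() if r[0] is not None}
    kinds = Counter(r[0] for r in hits.values())
    web = sum(1 for f in hits if f.dport in WEB_PORTS)
    return {'blacklisted': len(hits),
            'web_share': web / len(hits) if hits else 0.0,
            'by_ip': kinds['ip'], 'by_domain': kinds['domain']}


def names_for_ip(dns, ip):
    """All names seen resolving to ip: more than one suggests shared hosting,
    where an IP-based block also catches benign sites."""
    return sorted({a.qname for a in dns if a.answer == ip})


# Constructed sample data (hypothetical clients, names and blacklist entries).
DNS = [
    DnsAnswer('10.0.0.1', 'shop.good.example', '203.0.113.10', 950),
    DnsAnswer('10.0.0.1', 'www.bad.example', '203.0.113.10', 990),
    DnsAnswer('10.0.0.2', 'mail.good.example', '192.0.2.25', 990),
]
FLOWS = [
    Flow('10.0.0.1', '203.0.113.10', 443, 5000, 1000),   # domain hit, web
    Flow('10.0.0.2', '198.51.100.7', 25, 800, 1001),     # IP hit, SMTP (non-web)
    Flow('10.0.0.2', '192.0.2.25', 25, 800, 1002),       # clean
    Flow('10.0.0.3', '198.51.100.7', 443, 1200, 1005),   # IP hit, web, no DNS seen
    Flow('10.0.0.1', '203.0.113.10', 443, 5000, 2000),   # same host, DNS answer too old to attribute
]
IP_BLACKLIST = {'198.51.100.0/24'}
DOMAIN_BLACKLIST = {'bad.example'}


def run_example():
    return summarize(classify_flows(FLOWS, DNS, IP_BLACKLIST, DOMAIN_BLACKLIST))


if __name__ == '__main__':
    print(run_example())
    print('203.0.113.10 also serves:', names_for_ip(DNS, '203.0.113.10'))
```

On the constructed data three of five flows are blacklisted, two of them on web ports, which is the kind of share the abstract reports. The last flow shows the main caveat of the approach: a flow to the same malicious host goes uncounted when no recent DNS answer ties it to a listed name, so the attribution window and the completeness of the resolver log bound what NetFlow can measure. `names_for_ip` shows the other point from the abstract, that an IP-based hit on a host serving several names may well be benign traffic.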
Notes
1. The elaborated definition of impact used in this paper is presented in Sect. 4.3.
Copyright information
© 2021 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Fejrskov, M., Pedersen, J.M., Vasilomanolakis, E. (2021). Using NetFlow to Measure the Impact of Deploying DNS-based Blacklists. In: Garcia-Alfaro, J., Li, S., Poovendran, R., Debar, H., Yung, M. (eds) Security and Privacy in Communication Networks. SecureComm 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 398. Springer, Cham. https://doi.org/10.1007/978-3-030-90019-9_24
DOI: https://doi.org/10.1007/978-3-030-90019-9_24
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-90018-2
Online ISBN: 978-3-030-90019-9
eBook Packages: Computer Science, Computer Science (R0)