
Using NetFlow to Measure the Impact of Deploying DNS-based Blacklists

Conference paper. Security and Privacy in Communication Networks (SecureComm 2021).

Abstract

To prevent user exposure to a wide range of cyber security threats, organizations and companies often resort to deploying blacklists in DNS resolvers or DNS firewalls. The impact of such a deployment is often measured by comparing the coverage of individual blacklists, by counting the number of blocked DNS requests, or by counting the number of flows redirected to a benign web page that contains a warning to the user. This paper suggests an alternative to this by using NetFlow data to measure the effect of a DNS-based blacklist deployment. Our findings suggest that only 38–40% of blacklisted flows are web traffic. Furthermore, the paper analyzes the flows blacklisted by IP address, and it is shown that the majority of these are potentially benign, such as flows towards a web server hosting both benign and malicious sites. Finally, the flows blacklisted by domain name are categorized as either spam or malware, and it is shown that less than 6% are considered malicious.
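The measurement idea in the abstract, as an added illustration that is not the paper's code: rather than counting blocked DNS queries, NetFlow-like records are attributed to a blacklist hit either by domain (the client had just resolved a listed name to the flow's destination) or by destination IP, and the share of those flows that is web traffic is computed. The flow and DNS samples, the two blacklists, the IP addresses and the rule "web traffic = TCP to port 80 or 443" are all constructed assumptions for this example.

```python
from collections import Counter

# Constructed sample data (documentation ranges, not real indicators).
DOMAIN_BLACKLIST = {"bad.example": "malware", "spammy.example": "spam"}
IP_BLACKLIST = {"198.51.100.7"}        # shared host serving benign and bad sites
WEB_PORTS = {80, 443}                  # assumption: what counts as "web traffic"

# Passive-DNS style answers: (client, queried name, answer IP)
DNS_ANSWERS = [
    ("10.0.0.1", "bad.example", "203.0.113.5"),
    ("10.0.0.2", "spammy.example", "203.0.113.9"),
    ("10.0.0.3", "good.example", "198.51.100.7"),
]

# NetFlow-like records: (src, dst, proto, dst_port, bytes)
FLOWS = [
    ("10.0.0.1", "203.0.113.5", "tcp", 443, 5000),   # listed domain, HTTPS
    ("10.0.0.2", "203.0.113.9", "tcp", 25, 800),     # listed domain, SMTP
    ("10.0.0.3", "198.51.100.7", "tcp", 80, 3000),   # listed IP, HTTP
    ("10.0.0.4", "198.51.100.7", "udp", 123, 76),    # listed IP, NTP
    ("10.0.0.5", "192.0.2.10", "tcp", 443, 1200),    # not blacklisted at all
]


def resolved_names(answers):
    """Index (client, answer_ip) -> names that client resolved to that IP."""
    index = {}
    for client, name, ip in answers:
        index.setdefault((client, ip), set()).add(name)
    return index


def classify_flows(flows, answers):
    """Return (match_type, category, is_web) for every blacklisted flow."""
    index = resolved_names(answers)
    results = []
    for src, dst, proto, dport, _ in flows:
        is_web = proto == "tcp" and dport in WEB_PORTS
        hits = index.get((src, dst), set()) & set(DOMAIN_BLACKLIST)
        if hits:                                  # blacklisted by domain name
            results.append(("domain", DOMAIN_BLACKLIST[min(hits)], is_web))
        elif dst in IP_BLACKLIST:                 # blacklisted by IP address
            results.append(("ip", "unknown", is_web))
    return results


def summarize(results):
    """Web-traffic share of blacklisted flows and counts per (match, category)."""
    web_share = sum(1 for *_, w in results if w) / len(results) if results else 0.0
    return web_share, Counter((m, c) for m, c, _ in results)
```

Running `summarize(classify_flows(FLOWS, DNS_ANSWERS))` on the sample gives a web share of 0.5, with the two IP-matched flows (a web fetch and an NTP exchange to a shared host) carrying no category, which is the kind of potentially benign traffic the abstract describes.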

Funded by Telenor A/S and Innovation Fund Denmark, 2021.


Notes

  1. The elaborated definition of impact used in this paper is presented in Sect. 4.3.

  2. https://www.ntppool.org/.


Author information

Corresponding author: Martin Fejrskov.

Copyright information

© 2021 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Fejrskov, M., Pedersen, J.M., Vasilomanolakis, E. (2021). Using NetFlow to Measure the Impact of Deploying DNS-based Blacklists. In: Garcia-Alfaro, J., Li, S., Poovendran, R., Debar, H., Yung, M. (eds) Security and Privacy in Communication Networks. SecureComm 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 398. Springer, Cham. https://doi.org/10.1007/978-3-030-90019-9_24

  • DOI: https://doi.org/10.1007/978-3-030-90019-9_24

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-90018-2

  • Online ISBN: 978-3-030-90019-9

  • eBook Packages: Computer Science (R0)
