Getting Under Alexa’s Umbrella: Infiltration Attacks Against Internet Top Domain Lists
- 570 Downloads
Abstract
Top domain rankings such as Alexa are frequently used in security research. Typical uses include selecting popular websites for measurement studies, and obtaining a sample of presumably “benign” domains for model training or whitelisting purposes in security systems. Consequently, an inappropriate use of these rankings can result in unwanted biases or vulnerabilities. This paper demonstrates that it is feasible to infiltrate two domain rankings with very little effort. For a domain with no real visitors, an attacker can maintain a rank in Alexa’s top 100 k domains, for instance, with seven fake users and a total of 217 fake visits per day. To remove malicious domains, multiple research studies retained only domains that had been ranked for at least one year. We find that even those domains contain entries labelled as malicious. Our results suggest that researchers should refrain from using these domain rankings to model benign behaviour.
Notes
Acknowledgements
We thank David Choffnes and Northeastern University’s ITS for assisting the authors in obtaining permission to use the university’s IP space. We also thank Ahmet Buyukkayhan for running Google Safe Browsing experiments on our behalf. This work was funded by Secure Business Austria and the National Science Foundation under grants IIS-1553088 and CNS-1703454.
References
- 1.Alexa top 1 million download. http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
- 2.Amazon Alexa top sites. https://www.alexa.com/topsites
- 3.Are there known biases in Alexa’s traffic data? https://support.alexa.com/hc/en-us/articles/200461920-Are-there-known-biases-in-Alexa-s-traffic-data-
- 4.Cisco Umbrella top 1 million. https://s3-us-west-1.amazonaws.com/umbrella-static/index.html
- 5.How are Alexa’s traffic rankings determined? https://support.alexa.com/hc/en-us/articles/200449744-How-are-Alexa-s-traffic-rankings-determined-
- 6.Umbrella investigate API documentation. https://investigate-api.readme.io/docs/top-million-domains
- 7.Alrwais, S., et al.: Under the shadow of sunshine: understanding and detecting bulletproof hosting on legitimate service provider networks. In: Security & Privacy Symposium (2017)Google Scholar
- 8.Baker, L.: Manipulating Alexa traffic ratings (2006). https://www.searchenginejournal.com/manipulating-alexa-traffic-rankings/3044/
- 9.Bilge, L., Kirda, E., Kruegel, C., Balduzzi, M.: EXPOSURE: finding malicious domains using passive DNS analysis. In: NDSS (2011)Google Scholar
- 10.Digital Point Forums: Alexa is a scam? (2010). https://forums.digitalpoint.com/threads/alexa-is-a-scam.2016206/
- 11.Englehardt, S., Narayanan, A.: Online tracking: a 1-million-site measurement and analysis. In: CCS (2016)Google Scholar
- 12.Hao, S., et al.: Understanding the domain registration behavior of spammers. In: IMC (2013)Google Scholar
- 13.Heiderich, M., Frosch, T., Holz, T.: IceShield: detection and mitigation of malicious websites with a frozen DOM. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 281–300. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23644-0_15CrossRefGoogle Scholar
- 14.Hubbard, D.: Cisco umbrella 1 million (2016). https://umbrella.cisco.com/blog/2016/12/14/cisco-umbrella-1-million/
- 15.Larisch, J., Choffnes, D., Levin, D., Maggs, B.M., Mislove, A., Wilson, C.: CRLite: a scalable system for pushing all TLS revocations to all browsers. In: Security & Privacy Symposium (2017)Google Scholar
- 16.Le Pochat, V., van Goethem, T., Tajalizadehkhoob, S., Korczynski, M., Joosen, W.: Tranco: a research-oriented top sites ranking hardened against manipulation. In: NDSS (2019)Google Scholar
- 17.Lee, S., Kim, J.: WarningBird: detecting suspicious URLs in Twitter stream. In: NDSS (2011)Google Scholar
- 18.Lever, C., Kotzias, P., Balzarotti, D., Caballero, J., Antonakakis, M.: A lustrum of malware network communication: evolution and insights. In: Security & Privacy Symposium (2017)Google Scholar
- 19.Lever, C., Walls, R.J., Nadji, Y., Dagon, D., McDaniel, P., Antonakakis, M.: Domain-Z: 28 registrations later. In: Security & Privacy Symposium (2016)Google Scholar
- 20.Li, Z., Zhang, K., Xie, Y., Yu, F., Wang, X.: Knowing your enemy: understanding and detecting malicious web advertising. In: CCS (2012)Google Scholar
- 21.Nadji, Y., Antonakakis, M., Perdisci, R., Lee, W.: Connected colors: unveiling the structure of criminal networks. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds.) RAID 2013. LNCS, vol. 8145, pp. 390–410. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-41284-4_20CrossRefGoogle Scholar
- 22.Pearce, P., Ensafi, R., Li, F., Feamster, N., Paxson, V.: Augur: Internet-wide detection of connectivity disruptions. In: Security & Privacy Symposium (2017)Google Scholar
- 23.Pitsillidis, A., Kanich, C., Voelker, G.M., Levchenko, K., Savage, S.: Taster’s choice: a comparative analysis of spam feeds. In: IMC (2012)Google Scholar
- 24.Rahbarinia, B., Perdisci, R., Antonakakis, M.: Segugio: efficient behavior-based tracking of malware-control domains in large ISP networks. In: DSN (2015)Google Scholar
- 25.Rweyemamu, W., Lauinger, T., Wilson, C., Robertson, W., Kirda, E.: Clustering and the weekend effect: recommendations for the use of top domain lists in security research. In: Choffnes, D., Barcellos, M. (eds.) PAM 2019. LNCS, vol. 11419, pp. 161–177. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-15986-3_11CrossRefGoogle Scholar
- 26.Scheitle, Q., et al.: A long way to the top: significance, structure, and stability of Internet top lists. In: IMC (2018)Google Scholar
- 27.SEO Chat Forums: Alexa ranking is fake? (2004). http://forums.seochat.com/alexa-ranking-49/alexa-ranking-fake-10828.html
- 28.Starov, O., Nikiforakis, N.: XHOUND: Quantifying the fingerprintability of browser extensions. In: Security & Privacy Symposium (2017)Google Scholar