Heuristic methods for efficient identification of abusive domain names

Domain names and the Domain Name System (DNS) are essential to the Internet, but unfortunately cybercriminals also make use of these to fulfil their nefarious agenda and gain illicit profit. In this work we survey known forms of domain and DNS abuse from the criminal business point of view. This is related to abusive techniques, which we also survey. Based on the theoretical understanding of the abusive techniques, we devise a set of practical heuristics for recognising said techniques. This enables a focused and efficient manual analysis of heuristically ranked domains, with the goal of identifying abusive domains. As the .dk Country Code Top-Level Domain has received little scrutiny in the past, but is believed to see only limited abuse, it represents a relevant and presumably challenging case for identifying abuse, and we therefore use it for evaluation. A sampled set of 10.000 second level domains are monitored for 66 days, heuristics are applied, and the resulting rankings guides a manual vetting. Our findings are that with automated heuristics we can limit the manual investigative effort to hours, but still identify 5 domains which was actively abused during our observation period.