Using NetFlow to measure the impact of deploying DNS-based blacklists

Martin Fejrskov Andersen; Jens Myrup Pedersen; Emmanouil Vasilomanolakis

doi:10.1007/978-3-030-90019-9_24

Using NetFlow to measure the impact of deploying DNS-based blacklists

Martin Fejrskov Andersen^*, Jens Myrup Pedersen, Emmanouil Vasilomanolakis

^*Corresponding author for this work

Research output: Contribution to book/anthology/report/conference proceeding › Article in proceeding › Research › peer-review

2 Citations (Scopus)

80 Downloads (Pure)

Abstract

To prevent user exposure to a wide range of cyber security threats, organizations and companies often resort to deploying blacklists in DNS resolvers or DNS firewalls. The impact of such a deployment is often measured by comparing the coverage of individual blacklists, by counting the number of blocked DNS requests, or by counting the number of flows redirected to a benign web page that contains a warning to the user. This paper suggests an alternative to this by using NetFlow data to measure the effect of a DNS-based blacklist deployment. Our findings suggest that only 38-40% of blacklisted flows are web traffic. Furthermore, the paper analyzes the flows blacklisted by IP address, and it is shown that the majority of these are potentially benign, such as flows towards a web server hosting both benign and malicious sites. Finally, the flows blacklisted by domain name are categorized as either spam or malware, and it is shown that less than 6% are considered malicious.

Original language	English
Title of host publication	Security and Privacy in Communication Networks : 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6–9, 2021, Proceedings, Part I
Editors	Joaquin Garcia-Alfaro, Shujun Li, Radha Poovendran, Hervé Debar, Moti Yung
Number of pages	21
Volume	1
Place of Publication	Springer, Cham
Publisher	Springer
Publication date	3 Nov 2021
Pages	476-496
ISBN (Print)	978-3-030-90018-2
ISBN (Electronic)	978-3-030-90019-9
DOIs	https://doi.org/10.1007/978-3-030-90019-9_24
Publication status	Published - 3 Nov 2021
Event	International Conference, SecureComm 2021 - Virtual Event Duration: 6 Sept 2021 → 9 Sept 2021 Conference number: 17th

Conference

Conference	International Conference, SecureComm 2021
Number	17th
Location	Virtual Event
Period	06/09/2021 → 09/09/2021

Series	Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Volume	398
ISSN	1867-8211

Keywords

Blacklist
DNS
ISP
Ipfix
Netflow
RBL
Threat intelligence

Access to Document

10.1007/978-3-030-90019-9_24

Blacklist_impact (13)Accepted author manuscript, 1.14 MB

AUB Link

Search for the material in Aalborg University Library's search engine

Cite this

Andersen, M. F., Pedersen, J. M., & Vasilomanolakis, E. (2021). Using NetFlow to measure the impact of deploying DNS-based blacklists. In J. Garcia-Alfaro, S. Li, R. Poovendran, H. Debar, & M. Yung (Eds.), Security and Privacy in Communication Networks: 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6–9, 2021, Proceedings, Part I (Vol. 1, pp. 476-496). Springer. https://doi.org/10.1007/978-3-030-90019-9_24

Andersen, Martin Fejrskov ; Pedersen, Jens Myrup ; Vasilomanolakis, Emmanouil. / Using NetFlow to measure the impact of deploying DNS-based blacklists. Security and Privacy in Communication Networks: 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6–9, 2021, Proceedings, Part I. editor / Joaquin Garcia-Alfaro ; Shujun Li ; Radha Poovendran ; Hervé Debar ; Moti Yung. Vol. 1 Springer, Cham : Springer, 2021. pp. 476-496 (Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, Vol. 398).

@inproceedings{fc15c65962b0436d98e172b9f6da44fb,

title = "Using NetFlow to measure the impact of deploying DNS-based blacklists",

abstract = "To prevent user exposure to a wide range of cyber security threats, organizations and companies often resort to deploying blacklists in DNS resolvers or DNS firewalls. The impact of such a deployment is often measured by comparing the coverage of individual blacklists, by counting the number of blocked DNS requests, or by counting the number of flows redirected to a benign web page that contains a warning to the user. This paper suggests an alternative to this by using NetFlow data to measure the effect of a DNS-based blacklist deployment. Our findings suggest that only 38-40% of blacklisted flows are web traffic. Furthermore, the paper analyzes the flows blacklisted by IP address, and it is shown that the majority of these are potentially benign, such as flows towards a web server hosting both benign and malicious sites. Finally, the flows blacklisted by domain name are categorized as either spam or malware, and it is shown that less than 6% are considered malicious. ",

keywords = "Blacklist, DNS, ISP, Ipfix, Netflow, RBL, Threat intelligence",

author = "Andersen, {Martin Fejrskov} and Pedersen, {Jens Myrup} and Emmanouil Vasilomanolakis",

year = "2021",

month = nov,

day = "3",

doi = "10.1007/978-3-030-90019-9_24",

language = "English",

isbn = "978-3-030-90018-2",

volume = "1",

series = "Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering",

publisher = "Springer",

pages = "476--496",

editor = "Joaquin Garcia-Alfaro and Shujun Li and Radha Poovendran and Herv{\'e} Debar and Moti Yung",

booktitle = "Security and Privacy in Communication Networks",

address = "Germany",

note = "International Conference, SecureComm 2021 ; Conference date: 06-09-2021 Through 09-09-2021",

}

Andersen, MF, Pedersen, JM & Vasilomanolakis, E 2021, Using NetFlow to measure the impact of deploying DNS-based blacklists. in J Garcia-Alfaro, S Li, R Poovendran, H Debar & M Yung (eds), Security and Privacy in Communication Networks: 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6–9, 2021, Proceedings, Part I. vol. 1, Springer, Springer, Cham, Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol. 398, pp. 476-496, International Conference, SecureComm 2021, 06/09/2021. https://doi.org/10.1007/978-3-030-90019-9_24

Using NetFlow to measure the impact of deploying DNS-based blacklists. / Andersen, Martin Fejrskov; Pedersen, Jens Myrup; Vasilomanolakis, Emmanouil.
Security and Privacy in Communication Networks: 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6–9, 2021, Proceedings, Part I. ed. / Joaquin Garcia-Alfaro; Shujun Li; Radha Poovendran; Hervé Debar; Moti Yung. Vol. 1 Springer, Cham: Springer, 2021. p. 476-496 (Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, Vol. 398).

Research output: Contribution to book/anthology/report/conference proceeding › Article in proceeding › Research › peer-review

TY - GEN

T1 - Using NetFlow to measure the impact of deploying DNS-based blacklists

AU - Andersen, Martin Fejrskov

AU - Pedersen, Jens Myrup

AU - Vasilomanolakis, Emmanouil

N1 - Conference code: 17th

PY - 2021/11/3

Y1 - 2021/11/3

N2 - To prevent user exposure to a wide range of cyber security threats, organizations and companies often resort to deploying blacklists in DNS resolvers or DNS firewalls. The impact of such a deployment is often measured by comparing the coverage of individual blacklists, by counting the number of blocked DNS requests, or by counting the number of flows redirected to a benign web page that contains a warning to the user. This paper suggests an alternative to this by using NetFlow data to measure the effect of a DNS-based blacklist deployment. Our findings suggest that only 38-40% of blacklisted flows are web traffic. Furthermore, the paper analyzes the flows blacklisted by IP address, and it is shown that the majority of these are potentially benign, such as flows towards a web server hosting both benign and malicious sites. Finally, the flows blacklisted by domain name are categorized as either spam or malware, and it is shown that less than 6% are considered malicious.

AB - To prevent user exposure to a wide range of cyber security threats, organizations and companies often resort to deploying blacklists in DNS resolvers or DNS firewalls. The impact of such a deployment is often measured by comparing the coverage of individual blacklists, by counting the number of blocked DNS requests, or by counting the number of flows redirected to a benign web page that contains a warning to the user. This paper suggests an alternative to this by using NetFlow data to measure the effect of a DNS-based blacklist deployment. Our findings suggest that only 38-40% of blacklisted flows are web traffic. Furthermore, the paper analyzes the flows blacklisted by IP address, and it is shown that the majority of these are potentially benign, such as flows towards a web server hosting both benign and malicious sites. Finally, the flows blacklisted by domain name are categorized as either spam or malware, and it is shown that less than 6% are considered malicious.

KW - Blacklist

KW - DNS

KW - ISP

KW - Ipfix

KW - Netflow

KW - RBL

KW - Threat intelligence

UR - http://www.scopus.com/inward/record.url?scp=85120063144&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-90019-9_24

DO - 10.1007/978-3-030-90019-9_24

M3 - Article in proceeding

SN - 978-3-030-90018-2

VL - 1

T3 - Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

SP - 476

EP - 496

BT - Security and Privacy in Communication Networks

A2 - Garcia-Alfaro, Joaquin

A2 - Li, Shujun

A2 - Poovendran, Radha

A2 - Debar, Hervé

A2 - Yung, Moti

PB - Springer

CY - Springer, Cham

T2 - International Conference, SecureComm 2021

Y2 - 6 September 2021 through 9 September 2021

ER -

Andersen MF, Pedersen JM, Vasilomanolakis E. Using NetFlow to measure the impact of deploying DNS-based blacklists. In Garcia-Alfaro J, Li S, Poovendran R, Debar H, Yung M, editors, Security and Privacy in Communication Networks: 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6–9, 2021, Proceedings, Part I. Vol. 1. Springer, Cham: Springer. 2021. p. 476-496. (Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, Vol. 398). doi: 10.1007/978-3-030-90019-9_24

Using NetFlow to measure the impact of deploying DNS-based blacklists

Abstract

Conference

Keywords

Access to Document

AUB Link

Other files and links

Fingerprint

Cite this