Abstract
To prevent user exposure to a wide range of cyber security threats, organizations and companies often resort to deploying blacklists in DNS resolvers or DNS firewalls. The impact of such a deployment is often measured by comparing the coverage of individual blacklists, by counting the number of blocked DNS requests, or by counting the number of flows redirected to a benign web page that contains a warning to the user. This paper suggests an alternative to this by using NetFlow data to measure the effect of a DNS-based blacklist deployment. Our findings suggest that only 38-40% of blacklisted flows are web traffic. Furthermore, the paper analyzes the flows blacklisted by IP address, and it is shown that the majority of these are potentially benign, such as flows towards a web server hosting both benign and malicious sites. Finally, the flows blacklisted by domain name are categorized as either spam or malware, and it is shown that less than 6% are considered malicious.
Original language | English |
---|---|
Title of host publication | Security and Privacy in Communication Networks : 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6–9, 2021, Proceedings, Part I |
Editors | Joaquin Garcia-Alfaro, Shujun Li, Radha Poovendran, Hervé Debar, Moti Yung |
Number of pages | 21 |
Volume | 1 |
Place of Publication | Springer, Cham |
Publisher | Springer |
Publication date | 3 Nov 2021 |
Pages | 476-496 |
ISBN (Print) | 978-3-030-90018-2 |
ISBN (Electronic) | 978-3-030-90019-9 |
DOIs | |
Publication status | Published - 3 Nov 2021 |
Event | International Conference, SecureComm 2021 - Virtual Event Duration: 6 Sept 2021 → 9 Sept 2021 Conference number: 17th |
Conference
Conference | International Conference, SecureComm 2021 |
---|---|
Number | 17th |
Location | Virtual Event |
Period | 06/09/2021 → 09/09/2021 |
Series | Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering |
---|---|
Volume | 398 |
ISSN | 1867-8211 |
Keywords
- Blacklist
- DNS
- ISP
- Ipfix
- Netflow
- RBL
- Threat intelligence