
SANS ISC: Do you block "new" domain names? - Internet Security | DShield SANS ISC InfoSec Forums


Do you block "new" domain names?

This is more a quick question than a full post: Many attacks use recently registered domain names. Do you block newly registered domain names (let's say for the first week)? What system do you use to do so? I am thinking about setting up a simple API to return a "days registered" for a domain name, but first want to see what else is out there.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Johannes

3604 Posts
ISC Handler
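As an added illustration of the "days registered" lookup the question describes (this is example code, not code from the thread or from any product mentioned in it), the following computes a domain's age from the creation date in a WHOIS record and maps it to a block/greylist/allow decision. The WHOIS text is a constructed sample; fetching it (and the rate-limit and terms-of-use questions raised further down the thread) is out of scope, and the key names, date layouts and thresholds are assumed, illustrative values.

```python
"""Added example (not from the SANS ISC thread): compute 'days registered'
from a WHOIS record and apply a simple age-based policy.
Assumptions: WHOIS text is obtained elsewhere (here, constructed samples);
CREATION_KEYS / DATE_FORMATS are an illustrative subset of what registries
and registrars emit; thresholds are arbitrary."""
from __future__ import annotations
from datetime import datetime, timezone

# Labels used for the registration date in WHOIS output (assumed subset).
CREATION_KEYS = ("creation date", "created", "created on",
                 "registered on", "domain registration date")
# Timestamp layouts seen in WHOIS output (assumed subset), tried in order.
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d %H:%M:%S",
                "%Y-%m-%d", "%d-%b-%Y")

# Fixed reference clock so the example is reproducible offline.
NOW = datetime(2014, 1, 23, 12, 0, tzinfo=timezone.utc)

# Constructed gTLD-style record: created about three days before NOW.
SAMPLE_GTLD = """\
Domain Name: EXAMPLE.COM
Creation Date: 2014-01-20T09:30:00Z
Updated Date: 2014-01-20T09:30:00Z
Registry Expiry Date: 2015-01-20T09:30:00Z
"""
# Constructed ccTLD-style record (Nominet-like layout): created 8 days before NOW.
SAMPLE_CCTLD = """\
    Domain name:
        example.co.uk
    Registered on: 15-Jan-2014
    Expiry date:   15-Jan-2016
"""
# Constructed record that carries no creation date at all.
SAMPLE_UNKNOWN = """\
Domain Name: EXAMPLE.NET
Registrar: Some Registrar
"""


def parse_creation_date(whois_text: str) -> datetime | None:
    """Return the first recognisable creation date as an aware UTC datetime."""
    for line in whois_text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        if key.strip().lower() not in CREATION_KEYS:
            continue
        value = value.strip()
        for fmt in DATE_FORMATS:
            try:
                dt = datetime.strptime(value, fmt)
            except ValueError:
                continue
            if dt.tzinfo is None:            # naive timestamp: assume UTC
                dt = dt.replace(tzinfo=timezone.utc)
            return dt
    return None


def _as_datetime(now) -> datetime:
    """Accept None (real clock), a YYYY-MM-DD string (API-style caller) or a datetime."""
    if now is None:
        return datetime.now(timezone.utc)
    if isinstance(now, str):
        return datetime.strptime(now, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return now


def days_registered(whois_text: str, now=None) -> int | None:
    """Whole days since registration, or None if no creation date was found.
    Clock skew or a future-dated record is clamped to 0 rather than negative."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    return max(0, (_as_datetime(now) - created).days)


def policy(whois_text: str, now=None, block_days: int = 7,
           greylist_days: int = 30) -> str:
    """'block' for very new domains, 'greylist' (warn / require override) for
    young or unknown-age domains, 'allow' otherwise. Unknown age is treated
    like an uncategorised site rather than silently allowed."""
    age = days_registered(whois_text, now)
    if age is None:
        return "greylist"
    if age < block_days:
        return "block"
    if age < greylist_days:
        return "greylist"
    return "allow"


if __name__ == "__main__":
    for label, sample in (("gTLD", SAMPLE_GTLD), ("ccTLD", SAMPLE_CCTLD),
                          ("no date", SAMPLE_UNKNOWN)):
        print(label, days_registered(sample, NOW), policy(sample, NOW))
```

The clamp-to-zero and the "unknown means greylist" branch are the two decisions a practitioner has to make explicitly: WHOIS clocks and formats vary, and many ccTLD records (as one reply below notes) expose no creation date at all, so a naive "age is None, therefore allow" would quietly exempt exactly the domains the check is meant to catch.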
Cisco Ironport S-Series here does this (sometimes?). Not always to our pleasure ;-)
Jens

42 Posts
Yup. Default policy on our web filtering system. All unknown domains registered in the last 14 days. It does require us to manually unblock new legitimate sites being set up by marketing, but frequently catches the embedded URLs of the spam campaign du jour. Attackers will no doubt adapt accordingly, but for now it is a useful tactic.
Jens
1 Posts
How about turning on "UNCAT" blocking in your proxy?
Jens
2 Posts
I wonder if this can be done on the Barracuda 410 Web Filters. Great idea. Wish I had thought of this.
Lee

13 Posts
How are you achieving this?
Since automated WHOIS queries are verboten, according to the terms of use, and a number of ccTLDs don't provide any obvious way to lookup this information... where are there bulk data sources available for domain registration dates?
Mysid

146 Posts
We block all "none" sites through the Blue Coat proxy with a splash page that gives a link for the end-user to submit the site for categorization.
Mysid
1 Posts
We use OpenDNS and it kind of does this. It looks to see if a new domain is hosted at known bad IP addresses, data centers, or AS numbers (among other things). So this is not a 100% block of new domains, but effectively similar.

Other than a service like this or a rule on an existing web filter, I can't figure out how to do this in an automated way.
Anonymous
Websense does this now with their Potentially Damaging Content category.

But according to their recent Technical Alert:

In the 1st quarter of 2014, Websense Labs plans to update the current Web Category list.
New security categories, introduced in this release, will enable organizations to protect their users from
- Newly Registered Websites
- Compromised Websites
Anonymous
How would you get domain age?

We (Farsight Security, formerly ISC Security) are about to create a "new domain channel" on SIE, with corresponding RPZ and DNSBL reputation zones, and a "whois" interface (rate limited but otherwise free) and a REST/JSON API. But we have a very complete passive DNS database going back several years, and we see 900 GBytes+ per day of DNS "cache miss" traffic. When we think a domain is "new", it probably is new.

Without that corpus and flow, "domain age" would be by ZFA deltas from TLD operators, or by whois... or by what else exactly?
Anonymous
We use Websense as a filter. We then allow most categories, and block those inappropriate for work (Legal, HR, etc. reasons).

Any Websense "Misc: Uncategorized" websites are blocked (which would block any on-the-fly newly registered sites). Users can request our Help Desk team review any website and then our Help Desk team submits it to Websense Support for further review. Once Websense Support reviews the site and categorizes it, then our system automatically gets the category update within 24 hours.

Additionally, all abnormal ccTLDs are "greylisted" to warn users and require an override click.
Anonymous
SpamStopsHere, Greenview Data's anti-spam product, has done this for about 5 years now. They use an internal database and do have access to many TLD root zone files. It's a policy filter though, and not a spam filter, and it's disabled by default. It can cause problems, because many organizations will register new domains and discuss them internally in e-mail, or make typos on existing domain names. This should be used to graylist only.

To catch "new domains", GreenView Data uses their Spam Hunter. It crawls new domain names in the TLD root zone files to see if they use nameservers associated with spammers. If they are, then they're added to the URBL. This typically adds tens of thousands of new domain names registered by spammers to the URBL before they ever appear in a spam message. They've been doing this for over 10 years. They abandoned their patents if you want to do the same thing, but I am a big proponent of outsourcing, and would just recommend signing up with them. GreenView Data probably has the biggest and most accurate URBL in the industry, proprietary or not.

http://patents.justia.com/patent/20070143469
@bitSecure

1 Posts
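Two of the replies above describe the same underlying method from different angles: deriving "new" domains from deltas between TLD zone-file snapshots (the "ZFA deltas" alternative to passive DNS), and then crawling those new names to see whether they sit on nameservers associated with spammers before publishing them in an RPZ or URBL-style list. The following is an added example of that pipeline; it is not code from Farsight, GreenView Data, or the thread. The two zone snapshots, the reserved `.test` TLD, the spammer-nameserver list and the `walled-garden.example.` redirect target are all constructed for the example.

```python
"""Added example (not from the SANS ISC thread or any product named in it):
find newly delegated domains by diffing two TLD zone-file snapshots, grade
them by nameserver, and emit DNS RPZ rules.
Assumptions: standard zone-file syntax with one record per line; the zone
text, the .test TLD, BAD_NS and the walled-garden name are constructed."""

# Constructed "yesterday" snapshot of the .test TLD zone.
OLD_ZONE = """\
$ORIGIN test.
$TTL 172800
test.              IN NS a.nic.test.      ; apex NS set, not a delegation
a.nic.test.        IN A  192.0.2.53       ; glue
shop.test.         IN NS ns1.hostco.test.
shop.test.         IN NS ns2.hostco.test.
ns1.hostco.test.   IN A  192.0.2.1        ; glue
"""
# Constructed "today" snapshot: two delegations appeared overnight.
NEW_ZONE = OLD_ZONE + """\
cheap-pills-now.test. IN NS ns1.spamhost.test.   ; new, on a known-bad NS
newstartup.test.      IN NS ns1.hostco.test.     ; new, intent unknown
"""
# Constructed list of nameservers treated as spammer-associated.
BAD_NS = {"ns1.spamhost.test"}


def delegations(zone_text: str, origin: str) -> dict[str, set[str]]:
    """Map each delegated name to the set of its NS targets (lowercase,
    no trailing dot). The apex NS set (owner == origin) and non-NS records
    such as glue A records are ignored, as are comments and $ directives."""
    origin = origin.lower().rstrip(".")
    delegs: dict[str, set[str]] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip comments
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        upper = [f.upper() for f in fields]
        if "NS" not in upper:
            continue
        i = upper.index("NS")
        if i + 1 >= len(fields):                 # malformed record
            continue
        owner = fields[0].lower().rstrip(".")
        if owner == origin:
            continue
        target = fields[i + 1].lower().rstrip(".")
        delegs.setdefault(owner, set()).add(target)
    return delegs


def new_domains(old_zone: str, new_zone: str, origin: str) -> dict[str, set[str]]:
    """Delegations present in the new snapshot but absent from the old one.
    A name whose NS set merely changed is not 'new'."""
    old = delegations(old_zone, origin)
    return {name: ns for name, ns in delegations(new_zone, origin).items()
            if name not in old}


def grade(new: dict[str, set[str]], bad_ns: set[str]) -> dict[str, str]:
    """'block' if any nameserver is on the bad list, else 'greylist':
    merely being new is a warning signal, not proof of abuse."""
    return {name: ("block" if ns & bad_ns else "greylist")
            for name, ns in new.items()}


def rpz_records(grades: dict[str, str],
                garden: str = "walled-garden.example.") -> list[str]:
    """RPZ rules relative to the policy zone's origin: 'CNAME .' makes the
    resolver answer NXDOMAIN for blocked names; greylisted names are
    rewritten to an assumed splash host where a user can request review."""
    return [f"{name} CNAME {'.' if grades[name] == 'block' else garden}"
            for name in sorted(grades)]


if __name__ == "__main__":
    fresh = new_domains(OLD_ZONE, NEW_ZONE, "test")
    for rule in rpz_records(grade(fresh, BAD_NS)):
        print(rule)
```

The nameserver check is what turns a raw "new today" list into something usable: the reply about SpamStopsHere warns that blocking every new name outright breaks legitimate traffic, so only names on already-bad infrastructure are sent to NXDOMAIN here, and the rest get a greylist redirect in the spirit of the proxy splash page another poster describes.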
This might be a good feature to add to stopforumspam
@bitSecure
1 Posts
In reference to those pointing out web filter systems. This might also be part of the "unknown" category in your favorite proxy filter. Blocking that may cater to this as well.
@bitSecure
2 Posts
+1 for OpenDNS... they're REALLY getting into the big data analysis of domain patterns... domain reputation in the context of life, recent changes, newness, etc... play into their dynamic response to a query to raise the level of protection for their customers
justageek

7 Posts