Frontrunning the Frontrunners

DEF CON 24

Presented by: Paul Vixie
Date: Friday August 05, 2016
Time: 12:30 - 12:55
Location: Track One

While some domainers allegedly brainstorm ideas for new domains to register while taking a shower, the more successful domain portfolio managers, working at scale, are believed to be ‘data driven.’ DNS queries are a material source of intelligence about domainer opportunities and operations, and also help us to understand the operational constraints around potentially combating domainers, should we want to do so. In this presentation co-authored with Farsight Security Scientist Dr. Joe St Sauver, Farsight Security CEO Dr. Paul Vixie will scrutinize failed DNS queries (‘NXDOMAINs’), looking for the same ‘opportunities’ that a domainer or typo squatter would (although we will not be acting on that data by actually registering domains).

Dr. Vixie will discuss two primary types of behavior: 1) Volumetrically-driven typo-squatting, which Dr. Vixie will measure by computing the volume of NXDOMAINs seen by domain during a 24 hour period, and the time between popular typos appearing in NXDOMAINs and those same domains being registered and actually used, and 2) Domainers programmatically exploring permutations of domains around high value domains, probing for available domains and automatically registering the most promising probed domains discovered to still be available. Both of these hypothesized behaviors should be externally observable and thus able to be confirmed by watching a real-time stream of NXDOMAIN errors, and a real-time stream of newly observed, actually-registered domains, as available from the Security Information Exchange.

Dr. Paul Vixie will experimentally confirm these hypothesized relationships and describe examples of (1) the most commonly observed types of typographical errors, (2) the brands apparently most-targeted for squatting, (3) the distribution of delays from NXDOMAIN detection to observed domain use, (4) the potential relationship between NXDOMAIN volume thresholds and TLD cost. Dr. Vixie will also explain how this information illuminates opportunities for tackling these types of domain name abuse. Time will be reserved for Q&A.

Paul Vixie

Dr. Paul Vixie is the CEO and Co-founder of Farsight Security. He previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the boards of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, as ARIN Chairman in 2008 and 2009, and was a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC). He operated the ISC's F-Root name server for many years, and is a member of Cogent's C-Root team. He is a sysadmin for Op-Sec-Trust. Dr. Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He wrote Cron (for BSD and Linux), and is considered the primary author and technical architect of BIND 4.9 and BIND 8, and he hired many of the people who wrote BIND 9. He has authored or co-authored a dozen or so RFCs, mostly on DNS and related topics, and of Sendmail: Theory and Practice (Digital Press, 1994). His technical contributions include DNS Response Rate Limiting (RRL), DNS Response Policy Zones (RPZ), and Network Telemetry Capture (NCAP). He earned his Ph.D. from Keio University for work related to DNS and DNSSEC, and was named to the Internet Hall of Fame in 2014. Twitter: @paulvixie


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats