Abstract | ||
---|---|---|
To prevent user exposure to a wide range of cyber security threats, organizations and companies often resort to deploying blacklists in DNS resolvers or DNS firewalls. The impact of such a deployment is often measured by comparing the coverage of individual blacklists, by counting the number of blocked DNS requests, or by counting the number of flows redirected to a benign web page that contains a warning to the user. This paper suggests an alternative to this by using NetFlow data to measure the effect of a DNS-based blacklist deployment. Our findings suggest that only 38-40% of blacklisted flows are web traffic. Furthermore, the paper analyzes the flows blacklisted by IP address, and it is shown that the majority of these are potentially benign, such as flows towards a web server hosting both benign and malicious sites. Finally, the flows blacklisted by domain name are categorized as either spam or malware, and it is shown that less than 6% are considered malicious. |
Year | DOI | Venue |
---|---|---|
2021 | 10.1007/978-3-030-90019-9_24 | SECURITY AND PRIVACY IN COMMUNICATION NETWORKS, SECURECOMM 2021, PT I |
Keywords | DocType | Volume |
Blacklist, DNS, Netflow, Ipfix, ISP, RBL, Threat intelligence | Conference | 398 |
ISSN | Citations | PageRank |
1867-8211 | 0 | 0.34 |
References | Authors | |
0 | 3 |
Name | Order | Citations | PageRank |
---|---|---|---|
Martin Fejrskov | 1 | 0 | 0.34 |
Jens Myrup Pedersen | 2 | 119 | 24.54 |
Emmanouil Vasilomanolakis | 3 | 109 | 15.20 |