From klaus.darilion at nic.at Mon Jul 13 08:56:20 2020
From: klaus.darilion at nic.at (Klaus Darilion)
Date: Mon, 13 Jul 2020 10:56:20 +0200
Subject: [dsc] Detecting Random Subdomain Attacks with DSC
Message-ID: <3E18C1A0C550C44DA156DA5DA8ECCC6AB6236FB4@NICS-EXCH2.sbg.nic.at>

Hello all!

I want to automatically detect random subdomain attacks and wonder if DSC could be a help (out of the box or with small modifications).

AFAIK DSC currently does not know where the "zone" is. In most cases it is just the 2nd label (foobar.com), but it may also be on the 3rd level (foobar.co.uk). I think such a list of 3rd-level TLDs can be added to the config.

Then keeping track of 3rd-label queries, i.e.:

www.foobar.com,10000
foobar.com,2000
mail.foobar.com,1000

and keeping track of 2nd-label queries:

foobar.com,20000

So, if there is a big difference between the sum of 3rd-label queries and the 2nd-label queries, this might indicate a random subdomain attack. The calculation can be done out of band, just using the DSC aggregations as data source.

Do you think that may be feasible, or do you have better ideas?

Thanks
Klaus
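One way to run the out-of-band comparison described in the message, as an added example that is not DSC code and not part of the original post. It reads the two aggregations as name,count lines (a constructed format, assumed here for the sake of the example), carries a small hypothetical stand-in for the "list of 3rd-level TLDs" so that foobar.co.uk is treated as a zone, and goes one step beyond the post by also building both tables from raw query names, with the per-name table truncated to the most frequent names the way a collector with a per-dataset cell cap keeps it (that DSC behaves like this is my assumption). The thresholds and all sample traffic are constructed.

```python
# Added example: not DSC code and not from the original post.  The name,count
# input format, the suffix list, the cell cap and the thresholds are assumptions.
from collections import Counter
from typing import Iterable, Optional

# Hypothetical stand-in for a real public-suffix list: suffixes under which
# the registrable zone is the 3rd label rather than the 2nd.
THIRD_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def zone_of(qname: str) -> Optional[str]:
    """Registrable zone of a query name: 2nd label, or 3rd under a listed suffix."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in THIRD_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    if len(labels) >= 2:
        return ".".join(labels[-2:])
    return None  # TLD-only or empty name: nothing to attribute


def name_below_zone(qname: str) -> Optional[str]:
    """Truncate a query name to the zone plus at most one label below it."""
    zone = zone_of(qname)
    if zone is None:
        return None
    labels = qname.rstrip(".").lower().split(".")
    depth = zone.count(".") + 1  # number of labels in the zone itself
    return ".".join(labels[-(depth + 1):] if len(labels) > depth else labels[-depth:])


def parse_table(text: str) -> Counter:
    """Parse name,count lines (constructed format) into a Counter."""
    table: Counter = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, count = line.rsplit(",", 1)
        table[name.strip().lower()] += int(count)
    return table


def aggregate(qnames: Iterable[str], max_cells: int):
    """Build both tables from raw query names.

    per_zone counts every query under a zone (the 2nd-label table).
    per_name counts zone-plus-one-label and keeps only the max_cells most
    frequent names, mimicking a collector that caps cells per dataset.
    """
    per_zone: Counter = Counter()
    per_name: Counter = Counter()
    for q in qnames:
        zone = zone_of(q)
        if zone is None:
            continue
        per_zone[zone] += 1
        per_name[name_below_zone(q)] += 1
    return per_zone, Counter(dict(per_name.most_common(max_cells)))


def detect(per_zone: Counter, per_name: Counter,
           min_queries: int = 1000, max_unexplained: float = 0.5) -> dict:
    """Flag zones whose total is not explained by the names listed under them.

    Returns {zone: (zone_total, explained_by_listed_names, unexplained_fraction)}.
    """
    explained: Counter = Counter()
    for name, n in per_name.items():
        explained[zone_of(name)] += n
    alerts = {}
    for zone, total in per_zone.items():
        if total < min_queries:  # too little traffic to judge
            continue
        frac = 1.0 - explained[zone] / total
        if frac > max_unexplained:
            alerts[zone] = (total, explained[zone], round(frac, 3))
    return alerts


# Constructed inputs: the two tables from the post, in the assumed name,count form.
THIRD_LABEL_TABLE = """
www.foobar.com,10000
foobar.com,2000
mail.foobar.com,1000
"""
SECOND_LABEL_TABLE = "foobar.com,20000\n"


def synthetic_qnames() -> list:
    """Constructed traffic: one normal zone, one zone under random-subdomain attack."""
    names = ["www.example.org"] * 3000 + ["mail.example.org"] * 500 + ["example.org"] * 500
    names += ["www.victim.co.uk"] * 200
    names += [f"r{i:06d}.victim.co.uk" for i in range(5000)]  # 5000 one-off labels
    return names


def run_post_example() -> dict:
    """The post's numbers: 13000 of 20000 explained, so 35% unexplained."""
    return detect(parse_table(SECOND_LABEL_TABLE), parse_table(THIRD_LABEL_TABLE),
                  max_unexplained=0.3)


def run_synthetic() -> dict:
    per_zone, per_name = aggregate(synthetic_qnames(), max_cells=50)
    return detect(per_zone, per_name)


if __name__ == "__main__":
    print(run_post_example())
    print(run_synthetic())
```

The gap between the two sums only exists because the per-name table is truncated: if the collector kept every unique name, the sum of 3rd-label counts would equal the zone total by construction. The cell cap is what turns an attack's long tail of one-off labels into an unexplained remainder, so the threshold has to be tuned against the cap in use and against the zone's normal spread of names, and a zone served by many legitimate hostnames will show a non-zero remainder even without an attack.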