From klaus.darilion at nic.at  Mon Jul 13 08:56:20 2020
From: klaus.darilion at nic.at (Klaus Darilion)
Date: Mon, 13 Jul 2020 10:56:20 +0200
Subject: [dsc] Detecting Random Subdomain Attacks with DSC
Message-ID: <3E18C1A0C550C44DA156DA5DA8ECCC6AB6236FB4@NICS-EXCH2.sbg.nic.at>

Hello all!

I want to automatically detect random subdomain attacks and wonder if DSC could be an help (out of the box or with small modifications).

AFAIK DSC currently does not now where the "zone" is. In most cases it is just the 2nd label, (foobar.com) but also may be on the 3rd level (foobar.co.uk). I think such list of 3rd level TLD can be added to the config.

Then keeping track of 3rd label queries, ie:
www.foobar.com,10000
foobar.com,2000
mail.foobar.com,1000

and keeping track of 2nd label queries:
foobar.com,20000

Soo, if there is a big difference between the sum of 3rd label queries and the 2nd label queres, this might inidcate a random subdomain attack. The caclucation can be done out of band, just using the DSC aggregations as data source.

Do you think that may be feasible, or do you have better ideas?

Thanks
Klaus