[dsc] Detecting Random Subdomain Attacks with DSC
klaus.darilion at nic.at
Mon Jul 13 08:56:20 UTC 2020
I want to automatically detect random subdomain attacks and wonder if DSC could be of help (out of the box or with small modifications).
AFAIK DSC currently does not know where the "zone" is. In most cases it is just the 2nd label (foobar.com) but it also may be on the 3rd level (foobar.co.uk). I think such a list of 3rd level TLDs can be added to the config.
Then keeping track of 3rd label queries, i.e.:
and keeping track of 2nd label queries:
So, if there is a big difference between the sum of 3rd label queries and the 2nd label queries, this might indicate a random subdomain attack. The calculation can be done out of band, just using the DSC aggregations as data source.
Do you think that may be feasible, or do you have better ideas?
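As an added illustration of the out-of-band calculation proposed above (example code, not part of the post and not DSC's own code): it aggregates query names per zone, locating the zone at the 2nd label or, for a small constructed set of 3rd-level suffixes such as co.uk, at the 3rd label, and flags zones where the number of distinct labels directly below the zone approaches the total query count. The suffix set, thresholds and sample query names are assumptions.

```python
from collections import defaultdict

# Constructed stand-in for the "list of 3rd level TLDs" the post suggests
# adding to the config; a real deployment would use the public suffix list.
THIRD_LEVEL_SUFFIXES = {"co.uk", "org.uk"}


def zone_of(qname):
    """Return (zone, label directly below the zone) for a query name."""
    labels = qname.rstrip(".").lower().split(".")
    # Zone sits at the 3rd label when the last two labels form a known suffix.
    depth = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in THIRD_LEVEL_SUFFIXES else 2
    if len(labels) < depth:
        return None, None
    zone = ".".join(labels[-depth:])
    child = labels[-depth - 1] if len(labels) > depth else None
    return zone, child


def aggregate(qnames):
    """Per zone: total queries (the 2nd/3rd label count) and distinct child labels."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set()})
    for q in qnames:
        zone, child = zone_of(q)
        if zone is None:
            continue
        stats[zone]["queries"] += 1
        if child is not None:
            stats[zone]["labels"].add(child)
    return stats


def suspicious_zones(qnames, min_queries=20, ratio=0.8):
    """Flag zones whose distinct-child-label count is close to the query count.
    Normal traffic repeats a few names (www, mail); a random subdomain attack
    produces a fresh label on nearly every query. Thresholds are assumptions."""
    flagged = {}
    for zone, s in aggregate(qnames).items():
        if s["queries"] >= min_queries:
            r = len(s["labels"]) / s["queries"]
            if r >= ratio:
                flagged[zone] = r
    return flagged


# Constructed sample: a quiet zone and a zone under random subdomain load.
SAMPLE = (["www.example.com"] * 30 + ["mail.example.com"] * 10
          + [f"x{i:05d}.victim.co.uk" for i in range(40)]
          + ["www.victim.co.uk"] * 5)

if __name__ == "__main__":
    print(suspicious_zones(SAMPLE))  # {'victim.co.uk': 0.911...}
```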