[dsc] Detecting Random Subdomain Attacks with DSC
Klaus Darilion
klaus.darilion at nic.at
Mon Jul 13 08:56:20 UTC 2020
Hello all!
I want to automatically detect random subdomain attacks and wonder if DSC could be of help (out of the box or with small modifications).
AFAIK DSC currently does not know where the "zone" is. In most cases it is just the 2nd label (foobar.com), but it may also be on the 3rd level (foobar.co.uk). I think such a list of 3rd-level TLDs can be added to the config.
Then keeping track of 3rd-label queries, i.e.:
www.foobar.com,10000
foobar.com,2000
mail.foobar.com,1000
and keeping track of 2nd-label queries:
foobar.com,20000
So, if there is a big difference between the sum of 3rd-label queries and the 2nd-label queries, this might indicate a random subdomain attack. The calculation can be done out of band, just using the DSC aggregations as data source.
Do you think that may be feasible, or do you have better ideas?
Thanks
Klaus
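The out-of-band comparison proposed in the post, as an added example that is not part of the original message or of DSC. It assumes two DSC-style aggregations are available as (name, count) rows: one keyed by the zone (2nd label, or 3rd label under a listed suffix such as co.uk) and one keyed by the 3rd-label name, the latter being a top-N list so that queries for random names are missing from it and show up as a gap against the zone total. The suffix list, sample rows and threshold are constructed.

```python
from collections import defaultdict

# Constructed list of suffixes under which the zone sits on the 3rd label (assumption).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

def zone_of(qname: str) -> str:
    """Return the zone (2nd or 3rd label) of a lower-case query name."""
    labels = qname.rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def unaccounted_ratio(zone_totals, name_counts):
    """Per zone: share of zone queries not covered by the tracked 3rd-label names.

    Random-subdomain traffic spreads over names that never reach the top-N list,
    so the zone total grows while the tracked names stay flat: the gap widens.
    """
    covered = defaultdict(int)
    for name, count in name_counts:
        covered[zone_of(name)] += count
    result = {}
    for zone, total in zone_totals:
        gap = total - covered.get(zone, 0)
        result[zone] = gap / total if total else 0.0
    return result

def suspicious_zones(zone_totals, name_counts, threshold=0.5):
    """Zones whose unaccounted share exceeds the threshold (tune to your traffic)."""
    ratios = unaccounted_ratio(zone_totals, name_counts)
    return sorted(z for z, r in ratios.items() if r > threshold)

# Constructed sample data; the foobar.com rows mirror the figures in the post.
ZONE_TOTALS = [("foobar.com", 20000), ("example.co.uk", 5000), ("victim.net", 50000)]
NAME_COUNTS = [("www.foobar.com", 10000), ("foobar.com", 2000), ("mail.foobar.com", 1000),
               ("www.example.co.uk", 4900), ("example.co.uk", 100),
               ("www.victim.net", 2000), ("victim.net", 500)]

if __name__ == "__main__":
    for zone, ratio in unaccounted_ratio(ZONE_TOTALS, NAME_COUNTS).items():
        print(f"{zone}: {ratio:.0%} of queries outside the tracked names")
    print("suspicious:", suspicious_zones(ZONE_TOTALS, NAME_COUNTS))
```

With these figures foobar.com shows a 35% gap and victim.net a 95% gap, so only victim.net is flagged at the 0.5 threshold; a steady baseline gap per zone is normal, and it is a sudden jump that is worth alerting on.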