Sweeping the IP space: the hunt for evil on the Internet

Wednesday 24 September 16:00 - 16:30, Red room.

Dhia Mahjoub (OpenDNS)

The IP space has 4 billion addresses, the AS space 46,000+ AS numbers, and the BGP prefix space 520,000+ prefixes. Together, they form the foundation of addressing, routing and hosting on the Internet.

Most current reputation systems used for network-level threat detection derive scores for IPs, BGP prefixes or ASNs based on hosted content.

In this talk, we take a novel approach by exploring the AS graph which models the interconnections between ASNs. We uncover hotspots of maliciousness by analysing AS graph topology, hosted content and IP space reservation; and shed some light on suspicious relationships between ASNs and abusive IP sub-allocations.

This exploration methodology enriches classical scoring mechanisms, which are based on counting the malicious domains/IPs hosted on each ASN.

This method also provides actionable intelligence and can be used to pre-emptively detect and block malicious IP infrastructures before or immediately after they are set up for waging malware campaigns.

We will go over multiple relevant use cases of attack domains detected by this system, such as trojan C&Cs, exploit kit domains, malware domains, etc.
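To make the contrast between classical counting and graph-enriched scoring concrete, here is an added example (not code from the talk or from OpenDNS). It maps malicious hosting IPs to their origin ASN by longest-prefix match over a constructed routing table, computes the classical per-ASN count, then enriches that count with the average maliciousness of each ASN's neighbours in a constructed AS graph, so that an ASN with no malicious hosts of its own but only malicious neighbours still surfaces. It also lists more-specific prefixes announced by a different origin than their covering prefix, a simple heuristic (my assumption, not the talk's method) for surfacing sub-allocations worth a closer look. All prefixes, ASNs, links and domain names are constructed sample values.

```python
"""Added example: classical per-ASN malicious-host counts enriched with
AS-graph neighbourhood context. Not the speaker's or OpenDNS's code."""
import ipaddress
from collections import defaultdict

# Constructed routing table: announced prefix -> origin ASN (documentation
# ranges and private ASNs; not real allocations).
PREFIX_ORIGIN = {
    "203.0.113.0/24": 64500,
    "203.0.113.128/25": 64501,   # more-specific announced by a different AS
    "198.51.100.0/24": 64502,
    "192.0.2.0/24": 64503,
}

# Constructed undirected AS adjacency (peering/transit links).
AS_LINKS = [(64500, 64501), (64500, 64502), (64501, 64502),
            (64502, 64503), (64503, 64504)]

# Constructed blocklist observations: malicious domain -> hosting IP.
MALICIOUS_HOSTS = {
    "c2-one.invalid": "203.0.113.10",
    "ek-landing.invalid": "203.0.113.200",
    "dropper.invalid": "203.0.113.201",
    "c2-two.invalid": "198.51.100.7",
}


def build_prefix_table(prefix_origin):
    """Sort prefixes most-specific first so the first match wins."""
    table = [(ipaddress.ip_network(p), asn) for p, asn in prefix_origin.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def origin_asn(ip, table):
    """Longest-prefix match of an IP against the routing table."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return None


def count_malicious_per_asn(hosts, table):
    """Classical score: number of malicious hosts per origin ASN."""
    counts = defaultdict(int)
    for ip in hosts.values():
        asn = origin_asn(ip, table)
        if asn is not None:
            counts[asn] += 1
    return dict(counts)


def build_as_graph(links):
    """Adjacency sets for the AS graph."""
    graph = defaultdict(set)
    for a, b in links:
        graph[a].add(b)
        graph[b].add(a)
    return dict(graph)


def hotspot_scores(counts, graph):
    """Own count plus the mean count of the ASN's neighbours: a zero-count
    ASN surrounded by malicious ASNs gets a non-zero score."""
    scores = {}
    for asn, neighbours in graph.items():
        own = counts.get(asn, 0)
        avg_neighbour = sum(counts.get(n, 0) for n in neighbours) / len(neighbours)
        scores[asn] = own + avg_neighbour
    return scores


def suballocations_with_foreign_origin(prefix_origin):
    """More-specific prefixes whose origin differs from the covering prefix's
    origin (heuristic assumption; candidates for manual review, not verdicts)."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in prefix_origin.items()]
    hits = []
    for small, small_asn in nets:
        for big, big_asn in nets:
            if small != big and small.subnet_of(big) and small_asn != big_asn:
                hits.append((str(small), small_asn, str(big), big_asn))
    return hits


if __name__ == "__main__":
    table = build_prefix_table(PREFIX_ORIGIN)
    counts = count_malicious_per_asn(MALICIOUS_HOSTS, table)
    scores = hotspot_scores(counts, build_as_graph(AS_LINKS))
    for asn in sorted(scores, key=scores.get, reverse=True):
        print(f"AS{asn}: classical={counts.get(asn, 0)} enriched={scores[asn]:.2f}")
    for hit in suballocations_with_foreign_origin(PREFIX_ORIGIN):
        print("sub-allocation with foreign origin:", hit)
```

In the sample data AS64503 hosts nothing malicious, so classical counting ranks it at zero, while the neighbourhood score lifts it above AS64504 because its only transit neighbour is a malicious host; that is the kind of relationship the talk proposes to surface from graph topology rather than from hosted content alone.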

Dhia Mahjoub

Senior Security Researcher at OpenDNS, Dhia Mahjoub works on research and development problems involving DNS, security, big data analysis and networks. He focuses on building fast predictive threat detection systems based on the monitoring and analysis of traffic and hosting infrastructures. Dhia holds a Ph.D. in computer science from Southern Methodist University, Dallas, with a specialty in graph theory applied to wireless sensor networks. He has a background in computer networks and enjoys writing sniffers and port scanners. Dhia has presented his research at BSides NOLA, APWG eCrime, BSides Raleigh, BotConf, BSides San Francisco, ISOI 13 and SOURCE Boston. He is also a member of the non-profit security research group MalwareMustDie, helping track botnets and other malicious sources on the Internet.