The second publication for the TIDE project. It has received the Best Paper Award at NOMS 2018. Snowshoe spam is a type of spam which is notoriously hard to detect. Differently from regular spam, snowshoe spammers distribute the volume among many hosts, in order to make detection harder. To be successful, however spammers need to appear as legitimate as possible, for example, by adopting email best practice like Sender Policy Framework (SPF).
DDoS attacks threaten Internet security and stability, with attacks reaching the Tbps range. A popular approach involves DNS-based reflection and amplification, a type of attack in which a domain name, known to return a large answer, is queried using spoofed requests. Do the chosen names offer the largest amplification, however, or have we yet to see the full amplification potential? And while operational countermeasures are proposed, chiefly limiting responses to ‘ANY’ queries, up to what point will these countermeasures be effective?
The DNS TXT resource record is the one that without doubt provide users with the most flexibility of content, as it is a largely unstructured. Although it might be the ideal basis for storing any form of text-based information, it also poses a security threat, as TXT records can also be used for malicious and unintended practices. Yet, we reckon that TXT records are often overlooked in security research. In this paper, we present the first structured study of the uses of TXT records, with a specific focus on security implications.
The possibility to include Unicode characters in domain names allows users to deal with domains in their regional languages. This is done by introducing Internationalized Domain Names (IDN). However, the visual similarity between different Unicode characters - called homoglyphs - is a potential security threat, as visually similar domain names are often used in phishing attacks. Timely detection of suspicious homograph domain names is an important step towards preventing sophisticated attacks, since this can prevent unaware users to access those homograph domains that actually carry malicious content.
The fourth publication for the TIDE project. The FIRST talk (see here) has been extended into a journal paper for Digital Threats: Research and Practice (DTRAP). In this paper we argue that we, as a security community, should move towards proactive security. However, we shed light on both sides of the coin. We think the ‘optimal’ way is to combine the reactive and proactive methods, to make use of the best of both worlds.