Cyber Security Webinar by Martin Fejrskov MSc - Using NetFlow to measure the impact of deploying DNS-based blacklists

12 October 2021, 12:00 to 12:45 - Location: Zoom meeting

Join Zoom Meeting

https://tudelft.zoom.us/j/95465881342

Meeting ID: 954 6588 1342

Passcode: 808322 


Abstract 

To prevent user exposure to a wide range of cyber security threats, organizations and companies often resort to deploying blacklists in DNS resolvers or DNS firewalls. The impact of such a deployment is often measured by comparing the coverage of individual blacklists, by counting the number of blocked DNS requests, or by counting the number of flows redirected to a benign web page that contains a warning to the user. This paper suggests an alternative to this by using NetFlow data to measure the effect of a DNS-based blacklist deployment. Our findings suggest that only 38-40% of blacklisted flows are web traffic. Furthermore, the paper analyzes the flows blacklisted by IP address, and it is shown that the majority of these are potentially benign, such as flows towards a web server hosting both benign and malicious sites. Finally, the flows blacklisted by domain name are categorized as either spam or malware, and it is shown that less than 6% are considered malicious.

Short bio:

Martin Fejrskov is an Industrial Ph.D. student at Telenor Denmark and Aalborg University focusing on detecting cybersecurity threats with data from Internet Service Providers. Prior to the Ph.D. studies, he was a Solution Architect at Telenor Denmark, focusing on security services and the national backbone network. Before that he was a Product Manager at the Danish company formerly known as ETI A/S, heading the development and architecture of one of the core products. He received his Master of Science from Aalborg University in 2005 with excellent grades, studying primarily within the fields of network protocols, traffic analysis and security.
