What makes a good "DNS Blacklist"? - Part 1

2017-08-22T18:22:12
ID AKAMAIBLOG:42EC482EF441A352F3DD2FB253CA9353
Type akamaiblog
Reporter Barry Greene
Modified 2017-08-23T18:48:28

Description

Reflections on Modern Actionable Threat Intelligence used to turn a DNS Resolver into a Critical Security Tool

Akamai has just launched the Enterprise Threat Protection (ETP) platform. ETP is built on Akamai's global AnswerX Cloud, which now reaches 28 countries and is expanding to new countries every month. Because Akamai is a new player in Cloud DNS resolver services, competitors will ask "why Akamai?" or "what gives Akamai the knowledge and capacity to build effective DNS blacklists?" These are good questions from our competition, and they are also questions that our customers should ask. Let's explore why Akamai is in a unique position to help enterprises and carriers use Akamai's Cloud Security Intelligence (CSI) as a DNS Security Policy tool.

First, remember that Akamai is now a major security company. Everything Akamai deploys for our customers has security at the forefront. For Akamai, it is not a matter of when we get attacked, probed, abused, and DoSed; it is a matter of how many attacks per hour we receive on our services. Akamai has leveraged this "constantly under attack" experience into unique solutions for all our Cloud and Enterprise Security Solutions.

[Figure 1]

Second, because of the high volume of attacks on Akamai services, Akamai is positioned to collect security information from unique points of view. Akamai's vast planet-wide, cloud-based deployments, along with Akamai's collaborative architecture, create a unique "security surface area of threat detection". No other network has the global range, traffic depth, or Internet telemetry that Akamai does. Akamai leverages our security telemetry for all our security services.

Third, the idea of using the DNS resolution path as a security tool was pioneered by what is now the Akamai AnswerX Team (the platform upon which ETP is built). All the way back in 2006, the original AnswerX Team built a DNS resolver platform that validated DNS queries against several DNS blacklists in real time. Simplicita (the team that became Xerocole and was acquired by Akamai in 2015) collected every feasible "blacklist" and turned that into what we now call a "DNS Firewall". That list was extensive:

2006 Reputation Data Sources compatible with AnswerX & the Reputation Knowledge System (RKS)

| Reputation List | Provider | Type | Key |
|---|---|---|---|
| Various botnet lists | [private] | Botnet | IP, Domain |
| MAPS Feedback and DNSBL | trendmicro.com | DNSBL, feedback | IP |
| Sophos spam alerts | sophos.com | Alerts | IP |
| SenderIndex, SafeList | habeas.com | Certify | IP |
| Internal: syslog, DB, network elements, app servers | Service provider | Internal reputation | IP, Domain |
| CBL | cbl.abuseat.org | DNSBL | IP |
| Bogons, badwhois, hijacked | completewhois.com | Whois Information | Domain |
| Bogons | cymru.org | Spoofing | IP |
| DSBL | dsbl.org | DNSBL | IP |
| DDOS IPs from firewall data | dshield.org | DDOS | IP |
| DUL, Zombie, HTTP, SOCKS, Misc, SMTP, Web, Spam | sorbs.net | DNSBL | IP |
| SPEWS, SPEWS2 | spews.org | DNSBL | IP |
| DNS deny | rsa.com | Phishing | IP |
| Level1, Level2, Level3 | uceprotect.net | DNSBL | IP |
| VIRBL | virbl.bit.nl | Virus information | IP |
| BOPM | blitzed.org/bopm | Proxy information | IP |
| Domain block list - baseline, incremental | jwSpamSpy.net | RHSBL | Domain |
| Spam domains | mailpolice.com | Spam | RHSBL |
| Phish detection and response | markmonitor.com | Phish | Domain |
| List of open DNS servers | public service | DNS Information | IP |
| The Internet Filter | research.turner.com | RHSBL | Domain |
| eFraudNetwork | rsa.com | Phish | IP |
| Tracked botnet C&C networks | shadowserver.com | Botnet | IP |
| Spamcop | spamcop.net | DNSBL | IP |
| SBL / XBL / PBL | spamhaus.org | DNSBL | IP |
| SC, WS, OB, AB, Multi | surbl.org | RHSBL | Domain |
| VDL | verisign.com | Certify | Domain |
| Cloudmark bot list | cloudmark.com | Bot | IP |
| Castle Cops | castlecops.com/pirt | RHSBL | Domain |
| Damballa | damballa.com | Botnet | IP, Domain |
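The real-time check the 2006 platform performed, in the form a resolver-side policy engine would run it: each feed is keyed either by IP (a DNSBL, queried by reversing the IPv4 octets under the list zone) or by domain (an RHSBL, queried by placing the name under the zone), matching the table's Key column. This is an added illustration, not AnswerX or Akamai code; the feed zone names, the listed entries and the `lookup` stand-in for outbound DNS queries are constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Feeds modelled on the table's "Key" column: each is a list zone plus
# whether it is keyed by IP (a DNSBL) or by domain name (an RHSBL).
# The zone names are constructed placeholders, not real feed endpoints.
FEEDS: Dict[str, Tuple[str, str]] = {
    "botnet-ip": ("bl.ip-feed.example", "IP"),
    "phish-rhsbl": ("rhsbl.domain-feed.example", "Domain"),
}

# Constructed stand-in for the resolver's outbound list lookups. A real DNS
# firewall issues an A query for each name; an answer (conventionally in
# 127.0.0.0/8) means "listed", NXDOMAIN means "not listed".
LISTED: Dict[str, str] = {
    "2.0.0.127.bl.ip-feed.example": "127.0.0.2",
    "login-bank.example.rhsbl.domain-feed.example": "127.0.0.2",
}


def dnsbl_name(ip: str, zone: str) -> str:
    """Conventional DNSBL query name: IPv4 octets reversed, under the zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def rhsbl_names(qname: str, zone: str) -> List[str]:
    """RHSBL query names for the queried name and each parent down to two
    labels, so a listing of login-bank.example also covers its subdomains."""
    labels = qname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) + "." + zone for i in range(len(labels) - 1)]


def lookup(name: str) -> bool:
    """Stand-in for the A query a resolver would send to the list zone."""
    return name in LISTED


def evaluate(qname: str, answers: Iterable[str]) -> Tuple[str, List[str]]:
    """Check one client query (name plus the addresses it resolved to) against
    every feed; return ("block", [matching feeds]) or ("allow", [])."""
    hits: List[str] = []
    for feed, (zone, key) in FEEDS.items():
        if key == "Domain":
            if any(lookup(n) for n in rhsbl_names(qname, zone)):
                hits.append(feed)
        elif any(lookup(dnsbl_name(ip, zone)) for ip in answers):
            hits.append(feed)
    return ("block" if hits else "allow", hits)
```

Feeds keyed "IP, Domain" in the table would simply be registered twice, once under each key type.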

Akamai has combined AnswerX's decade of experience with Akamai's huge threat intelligence capabilities. The AnswerX team adds the experience of pulling in multiple reputation knowledge feeds, building mitigation/remediation logic around those feeds, and ensuring the "DNS Firewall" meets all the customer expectations. It is only logical for Akamai to take all this experience and offer it to our customers as our new ETP service.

Akamai does not stop there. We are known for being the widgets that help others succeed. That is why Akamai offers AnswerX to our Carriers, Communications Service Providers (CSP), and other vendors looking to deploy their own version of a DNS Firewall. Akamai's AnswerX Licensed or AnswerX Cloud integrates with multiple threat feed partners. SURBL, Symantec, and ThreatSTOP are three examples of Threat Feed Partners that Akamai has integrated into AnswerX. Now a carrier can build their own service, pulling in DNS Threat Feeds from Akamai and our partners, and tune those services to their specific customer expectations. Akamai has carrier partners in different parts of the world who use AnswerX as the "platform," pull in multiple DNS Threat Reputation feeds, and customize the DNS Threat Feeds for their services. These services range from DNS-based anti-phishing, to anti-malware, to botnet protection, to parental control, to Wi-Fi/Small Business threat protection, and to many other services.

While today's reputation, threat, security, and other knowledge sources are different from the 2006 list above, what has not changed is the flexibility and experience. Akamai's ETP has the benefit of experience. We understand the threats and know that our customers need to go beyond a "DNS blacklist." The Akamai ETP Team took a different approach to threat detection and response. In fact, what the industry needs is a dynamic DNS Threat Policy that pulls in live threat data from across all of Akamai's ETP and AnswerX customers while tuning to the specific threats in a single enterprise.

To understand Akamai's thinking, it is best to review the factors that make DNS Threat Policies effective. We will explore these factors as a checklist of questions to ask DNS Threat Policy providers in part 2.