Sinkholing bad network domains by registering the bad network domains on the internet
First Claim
1. A system for sinkholing bad network domains by registering the bad network domains on the Internet, comprising:
a processor configured to:
generate one or more signatures for a plurality of bad network domains;
distribute the one or more signatures to a plurality of security devices to determine a set of candidate bad network domains for sinkholing;
select a bad network domain included in the set of candidate bad network domains for sinkholing based on a detection of a threshold number of connections that were attempted to the bad network domain based on logged signature matches, wherein the bad network domain is associated with an identified malware;
register the bad network domain with a domain registry to a valid IP address in order to sinkhole the bad network domain, wherein the bad network domain is sinkholed by registering the bad network domain such that an authoritative DNS server can translate the registered bad network domain to the valid IP address, and wherein the valid IP address is associated with a device controlled by a cloud security service provider; and
identify a host that is infected with the identified malware based on an attempt by the host to connect to the valid IP address, wherein the host received a DNS query response that resolved the registered bad network domain to the valid IP address; and
a memory coupled to the processor and configured to provide the processor with instructions.
Abstract
Techniques for sinkholing bad network domains by registering the bad network domains on the Internet are provided. In some embodiments, sinkholing bad network domains by registering the bad network domains on the Internet includes determining a network domain is a bad network domain, in which the bad network domain is determined to be associated with an identified malware (e.g., malware that has been identified and has been determined to be associated with the bad domain), and the bad network domain is sinkholed by registering the bad network domain with a sinkholed IP address; and identifying a host that is infected with the identified malware based on an attempt by the host to connect to the sinkholed IP address.
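The abstract and the independent claims describe a five-step pipeline: signatures for known-bad domains are pushed to security devices, the devices log signature matches, a domain is selected for sinkholing once a threshold number of attempted connections is seen, the domain is registered so that authoritative DNS resolves it to a provider-controlled IP, and hosts that then connect to that IP are identified as infected. The following is an added example that models those steps end to end; it is not code from the patent or its assignee. Everything in it is constructed for illustration: the key=value log format, the domain names and malware family labels, the TEST-NET addresses, the threshold of 3, and the plain dict that stands in for the domain registry and authoritative DNS server.

```python
"""Added example (not code from the patent or its assignee): a minimal model of the
sinkholing pipeline. A dict stands in for the domain registry / authoritative DNS;
all log lines, domains, IPs and the threshold are constructed for this example."""
import re
from collections import Counter, defaultdict

# Constructed: bad domains already tied to an identified malware family.
BAD_DOMAINS = {
    "cnc.bad-example.test": "FamilyA",
    "upd.bad-example2.test": "FamilyB",
    "rare.bad-example3.test": "FamilyC",
}
SINKHOLE_IP = "192.0.2.53"   # constructed; the provider-controlled "valid IP address"
THRESHOLD = 3                # constructed; attempted connections required before sinkholing

# Constructed signature-match logs reported by the security devices (step 2).
MATCH_LOGS = [
    "dev=fw1 src=10.0.0.5 qname=cnc.bad-example.test",
    "dev=fw1 src=10.0.0.7 qname=cnc.bad-example.test",
    "dev=fw2 src=10.0.1.9 qname=a1.cnc.bad-example.test",   # subdomain of a bad domain
    "dev=fw2 src=10.0.1.9 qname=upd.bad-example2.test",
    "dev=fw3 src=10.0.2.2 qname=upd.bad-example2.test",
    "dev=fw3 src=10.0.2.2 qname=upd.bad-example2.test",
    "dev=fw1 src=10.0.0.5 qname=rare.bad-example3.test",    # below threshold
    "dev=fw1 src=10.0.0.5 qname=cnc.example.com",           # benign look-alike, must not match
]
# Constructed DNS-response and connection logs observed after registration (step 5).
DNS_LOGS = [
    "src=10.0.0.5 qname=cnc.bad-example.test answer=192.0.2.53",
    "src=10.0.1.9 qname=a1.cnc.bad-example.test answer=192.0.2.53",
    "src=10.0.2.2 qname=upd.bad-example2.test answer=192.0.2.53",
    "src=10.0.0.5 qname=rare.bad-example3.test answer=NXDOMAIN",  # not sinkholed
]
CONN_LOGS = [
    "src=10.0.0.5 dst=192.0.2.53 dport=443",
    "src=10.0.1.9 dst=192.0.2.53 dport=80",
    "src=10.0.2.2 dst=192.0.2.53 dport=8080",
    "src=10.0.0.7 dst=198.51.100.7 dport=443",      # unrelated destination
    "src=203.0.113.44 dst=192.0.2.53 dport=443",    # no DNS answer on record: a scanner, not an infection
]

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Parse a constructed key=value log line into a dict."""
    return dict(KV.findall(line))

def make_signatures(bad_domains):
    """Step 1: one case-insensitive signature per bad domain, matching it or any subdomain."""
    return {d: re.compile(r"(?:^|\.)" + re.escape(d) + r"$", re.I) for d in bad_domains}

def count_attempts(match_logs, signatures):
    """Step 2: tally logged signature matches (attempted connections) per bad domain."""
    counts = Counter()
    for rec in map(parse, match_logs):
        for domain, sig in signatures.items():
            if sig.search(rec.get("qname", "")):
                counts[domain] += 1
    return counts

def select_for_sinkholing(counts, threshold):
    """Step 3: a candidate becomes a sinkhole target once the attempt threshold is reached."""
    return sorted(d for d, n in counts.items() if n >= threshold)

def register(registry, domains, ip):
    """Step 4: 'register' each selected domain to the sinkhole IP (dict models authoritative DNS)."""
    for d in domains:
        registry[d] = ip
    return registry

def resolve(registry, qname):
    """Authoritative lookup: (registered_name, ip) for the name or any subdomain of it, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in registry:
            return name, registry[name]
    return None

def identify_infected(dns_logs, conn_logs, registry, sinkhole_ip, bad_domains):
    """Step 5: a host is infected if it connected to the sinkhole IP AND earlier received a DNS
    answer resolving a sinkholed domain to that IP. Hits with no such answer stay unattributed."""
    resolved = defaultdict(set)   # host -> {registered domains it resolved to the sinkhole}
    for rec in map(parse, dns_logs):
        hit = resolve(registry, rec.get("qname", ""))
        if hit and rec.get("answer") == hit[1] == sinkhole_ip:
            resolved[rec["src"]].add(hit[0])
    infected, unattributed = {}, []
    for rec in map(parse, conn_logs):
        if rec.get("dst") != sinkhole_ip:
            continue
        host = rec["src"]
        if host in resolved:
            infected[host] = sorted({bad_domains[d] for d in resolved[host]})
        elif host not in unattributed:
            unattributed.append(host)
    return infected, unattributed

def run(threshold=THRESHOLD):
    """Run the whole pipeline over the constructed logs and return every intermediate result."""
    counts = count_attempts(MATCH_LOGS, make_signatures(BAD_DOMAINS))
    selected = select_for_sinkholing(counts, threshold)
    registry = register({}, selected, SINKHOLE_IP)
    infected, unattributed = identify_infected(DNS_LOGS, CONN_LOGS, registry, SINKHOLE_IP, BAD_DOMAINS)
    return {"counts": dict(counts), "selected": selected, "registry": registry,
            "infected": infected, "unattributed": unattributed}

if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

Two details in the example matter in practice. A single sinkhole IP usually serves many registered domains, so a connection to that IP alone does not say which malware the host carries; the example attributes a family only when the host's own DNS response log shows which sinkholed name it resolved (the condition claim 1 states), and a real deployment would get the same information from the Host header or TLS SNI seen at the sinkhole. Conversely, traffic to the sinkhole IP with no matching resolution (Internet scanners, researchers, stale cached answers) is reported separately rather than counted as an infection.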
142 Citations
21 Claims
1. A system for sinkholing bad network domains by registering the bad network domains on the Internet (independent claim; full text given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method of sinkholing bad network domains by registering the bad network domains on the Internet, comprising:
generating one or more signatures for a plurality of bad network domains;
distributing the one or more signatures to a plurality of security devices to determine a set of candidate bad network domains for sinkholing;
selecting a bad network domain included in the set of candidate bad network domains for sinkholing based on a detection of a threshold number of connections that were attempted to the bad network domain based on logged signature matches, wherein the bad network domain is associated with an identified malware;
registering the bad network domain with a domain registry to a valid IP address in order to sinkhole the bad network domain, wherein the bad network domain is sinkholed by registering the bad network domain such that an authoritative DNS server can translate the registered bad network domain to the valid IP address, and wherein the valid IP address is associated with a device controlled by a cloud security service provider; and
identifying a host that is infected with the identified malware based on an attempt by the host to connect to the valid IP address, wherein the host received a DNS query response that resolved the registered bad network domain to the valid IP address.
Dependent claims: 9, 10, 11, 12, 18, 19.
13. A computer program product for sinkholing bad network domains by registering the bad network domains on the Internet, the computer program product being embodied in a non-transitory tangible computer readable storage medium and comprising computer instructions for:
generating one or more signatures for a plurality of bad network domains;
distributing the one or more signatures to a plurality of security devices to determine a set of candidate bad network domains for sinkholing;
selecting a bad network domain included in the set of candidate bad network domains for sinkholing based on a detection of a threshold number of connections that were attempted to the bad network domain based on logged signature matches, wherein the bad network domain is associated with an identified malware;
registering the bad network domain with a domain registry to a valid IP address in order to sinkhole the bad network domain, wherein the bad network domain is sinkholed by registering the bad network domain such that an authoritative DNS server can translate the registered bad network domain to the valid IP address, and wherein the valid IP address is associated with a device controlled by a cloud security service provider; and
identifying a host that is infected with the identified malware based on an attempt by the host to connect to the valid IP address, wherein the host received a DNS query response that resolved the registered bad network domain to the valid IP address.
Dependent claims: 14, 15, 16, 17, 20, 21.