Spamhaus Technology adds DGA domains to RPZ

September 25, 2015 by Barry Branagh

Domain Generation Algorithm (DGA) domains let malware periodically generate a list of tens of thousands of new DNS names for its controller servers. A number of these domains could be active at any time, although typically only a couple of them will actually be registered and working.

Command and Control Machines

Botnets need commands delivered to them to do their owner’s bidding. The traditional way to pass commands to an infected machine is from a command and control (C&C) server. However, this introduces a single point of failure, so if an infected machine has no other means of contacting its C&C server, it can cycle through the DGA-created domains to try to regain contact. In essence it is a form of camouflage or obfuscation.

Bot herders are continuously coming up with a number of mechanisms to hide the location of the C&C servers, thus making the chain of command even more elusive. Spamhaus Technology Response Policy Zones (RPZ) use domain and IP reputation data from Spamhaus’ real-time threat intelligence data to protect users’ computers from connecting to harmful sites as soon as the domains are registered and before they can compromise users’ computers and harm your network.

Spamhaus adds DGA Domains to its RPZ

Last Thursday Spamhaus Technology added DGA domains to the Spamhaus Technology Botnet C&C RPZ. This resulted in the RPZ increasing in size from around 500 entries to 1.2 million.

The DGA domain data is updated twice a day. Currently it contains DGA domains for a 7-day period: the current day and three days either side. Users of the Botnet C&C RPZ should expect a change of circa 15-30% in the DGA data every 24 hours. Given the nature of the DGA domain dataset, customers should expect some churn as each new day’s worth of data is added and the earliest day’s worth of data is removed.
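The following is an added example, not Spamhaus Technology code and not the format of the Botnet C&C RPZ feed itself: a minimal QNAME-trigger matcher for an RPZ zone in the common "owner CNAME target" form (which is how an RPZ tells a resolver to answer NXDOMAIN, NODATA, drop, or pass through), plus a day-over-day churn calculation of the kind the 15-30% figure above describes. The two zone snapshots, the zone origin and every domain name in them are constructed placeholders; the churn definition used, (added + removed) / size of the previous snapshot, is one reasonable choice and is an assumption, not Spamhaus' own metric.

```python
"""Added example: RPZ QNAME-policy lookup and daily churn (constructed data, not Spamhaus code)."""

# Constructed sample: two daily snapshots of a tiny RPZ. Owner names are relative to
# $ORIGIN; "CNAME ." answers NXDOMAIN, "CNAME rpz-passthru." exempts a name.
RPZ_DAY1 = """\
; constructed RPZ snapshot, day 1
$ORIGIN botnet-cc.rpz.example.
@ 3600 IN SOA ns.example. hostmaster.example. 1 3600 600 86400 300
cc-aaaa.example IN CNAME .
*.cc-aaaa.example IN CNAME .
dga-0001.example IN CNAME .
dga-0002.example IN CNAME .
dga-0003.example IN CNAME .
dga-0004.example IN CNAME .
mail.trusted.example IN CNAME rpz-passthru.
"""

RPZ_DAY2 = """\
; constructed RPZ snapshot, day 2: earliest DGA day aged out, a new day added
$ORIGIN botnet-cc.rpz.example.
@ 3600 IN SOA ns.example. hostmaster.example. 2 3600 600 86400 300
cc-aaaa.example IN CNAME .
*.cc-aaaa.example IN CNAME .
dga-0002.example IN CNAME .
dga-0003.example IN CNAME .
dga-0004.example IN CNAME .
dga-0005.example IN CNAME .
mail.trusted.example IN CNAME rpz-passthru.
"""

# Standard RPZ CNAME targets and the resolver action each encodes.
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-drop.": "DROP", "rpz-passthru.": "PASSTHRU"}


def parse_rpz(text):
    """Return {trigger_name: cname_target} for the policy records in an RPZ zone file."""
    origin = ""
    policies = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower().rstrip(".")
            continue
        tokens = line.split()
        if "CNAME" not in tokens:
            continue  # SOA/NS records are zone housekeeping, not policy triggers
        owner = tokens[0].lower()
        target = tokens[tokens.index("CNAME") + 1]
        if owner.endswith("."):  # absolute owner: strip the zone origin to get the trigger
            owner = owner.rstrip(".")
            if origin and owner.endswith("." + origin):
                owner = owner[: -len(origin) - 1]
        policies[owner] = target
    return policies


def action_for(target):
    """Map a CNAME target to an action name; unknown targets are a plain CNAME rewrite."""
    return ACTIONS.get(target, "CNAME " + target)


def lookup(policies, qname):
    """Apply RPZ QNAME matching: exact trigger first, then the closest enclosing wildcard."""
    name = qname.lower().rstrip(".")
    if name in policies:
        return action_for(policies[name])
    labels = name.split(".")
    for i in range(1, len(labels)):  # "*.parent" matches subdomains only, like DNS wildcards
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policies:
            return action_for(policies[wildcard])
    return None  # no policy: resolve normally


def churn(old, new):
    """Return (added, removed, fraction) where fraction = (added + removed) / len(old)."""
    old_set, new_set = set(old), set(new)
    added, removed = len(new_set - old_set), len(old_set - new_set)
    return added, removed, (added + removed) / len(old_set)


if __name__ == "__main__":
    day1, day2 = parse_rpz(RPZ_DAY1), parse_rpz(RPZ_DAY2)
    for q in ("www.cc-aaaa.example.", "dga-0001.example", "mail.trusted.example", "example"):
        print(f"{q:26} day1={lookup(day1, q)} day2={lookup(day2, q)}")
    a, r, f = churn(day1, day2)
    print(f"churn: +{a} -{r} = {f:.1%} of the previous snapshot")
```

The lookup walks the query name's parent labels so that a `*.cc-aaaa.example` trigger catches any host under the controller domain, while `mail.trusted.example` stays resolvable via `rpz-passthru.`; `dga-0001.example` is blocked on day 1 and silently ages out on day 2, which is exactly the kind of daily churn a subscriber should expect in this zone rather than treat as an error.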

Whilst the increase in the RPZ entries would not have caused any issues for users of the Botnet C&C RPZ, we acknowledge that customers would prefer prior warning when planned alterations result in a large change to one of the zones. This has been noted, and going forward we aim to announce such changes at least 48 hours prior to initiating them. We apologise for any concerns and appreciate our customers’ feedback.
