Gunter Ollmann, Damballa
The threat landscape is increasingly dynamic. Legitimate servers are being hacked and abused to host drive-by-download material, botnet command-and-control portals and fraud content. Meanwhile, bullet-proof hosting providers and criminal IaaS operators continue to expand their federated delivery models. Short of preemptively scanning and classifying every web page request and scanning each binary file in advance of download, how well do other approaches fare at preemptively qualifying the maliciousness or criminality of Internet services?
IP reputation services have been a popular approach for first-pass qualification (and filtering) of Internet threats; however, most threat categories have evolved beyond their ability to keep pace. A new generation of dynamic reputation approaches is coming to the fore, capable of providing high-accuracy scoring at both the IP address and domain name level with hourly (or better) resolution. How do these different approaches fare against increasingly dynamic threats, skilled opponents and the transition to IPv6?
This paper looks under the veneer of the various reputation approaches, examining their usefulness against today's threat landscape and evaluating their respective strengths and weaknesses.