How to Monitor Network Traffic For Suspicious Top-Level Domains
Top-Level Domains – What are they and how to monitor traffic associated with them.
Fast-forward to 2015 and, sure enough, a few shady neighbourhoods have appeared on the Internet. Research by Blue Coat shows that some of these Internet neighbourhoods have become almost exclusively the territory of people setting up hosts for spam e-mailing, scams, shady software downloads, malware distribution, botnet operations, “phishing” attacks and other suspicious content.
Blue Coat asserts that more than 95% of the sites on these 10 Top-Level Domains (TLDs) are suspect (they are the ten TLDs matched by the report filter further down this page):
.link, .gq, .party, .work, .science, .cricket, .kim, .country, .review and .zip
We recommend that you monitor Internet traffic on your network and watch out for any client connecting to these suspicious TLDs. The best way to do this is to set up a SPAN or mirror port and monitor network traffic at your Internet gateway.
Flow-based tools are not a good option for monitoring Internet traffic, because a flow record only carries IP addresses, ports and byte counts; it cannot look inside the HTTP header to see which domains users are trying to access. The video below explains how you can set up a SPAN or mirror port to monitor Internet traffic. Most managed switches will allow you to do this.
If you don’t have a managed switch, there are many alternatives to SPAN or mirror ports. You just need to pick one that matches your requirements.
The image below shows an example of how Wireshark can be used to look inside HTTP headers to extract top-level domain information. Wireshark is very useful for troubleshooting issues associated with a single client. However, it quickly becomes data overload if you connect it to a SPAN or mirror port carrying a whole gateway's traffic. If you want to monitor at that scale you need to look at a commercial network traffic analysis tool like LANGuardian.
Monitoring Suspicious Top-Level Domain Activity with NetFort
The following procedure describes the steps to show any activity associated with these top-level domains (TLDs). The report can be saved on your LANGuardian system as a custom report and can be re-run any time updated information is needed. Alerts and automated reports are also supported.
- Click on Reports in the LANGuardian menu bar.
- In the Web section, click on Top Website Domains. LANGuardian displays the Top Website Domains report.
- In the Website Domain Name field (with Matches regexp selected), enter \.link$|\.gq$|\.party$|\.work$|\.science$|\.cricket$|\.kim$|\.country$|\.review$|\.zip$
- Click View.
- When LANGuardian displays the report, click More Actions on the report menu bar and select Save Report.
- Enter a name and description for the report, then click Save. The new report will be listed in the Custom Reports section.
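To show what the report filter above is actually doing, here is an added Python example; it is not LANGuardian code and not from NetFort. It extracts the Host header from constructed HTTP requests (the same field the Wireshark screenshot above reads) and applies the same ten-TLD regular expression. All host names in it are made up. It also covers three cases a practitioner should expect: an explicit :port or a trailing dot on the host name would defeat the $ anchors unless stripped first, host names are case-insensitive, and a .zip in the URL path is not a .zip host, so it is not flagged.

```python
import re
from typing import List, Optional, Tuple

# The ten TLDs from the LANGuardian filter above, with the same end-of-string
# anchors. IGNORECASE because DNS names are case-insensitive.
SUSPICIOUS_TLD_RE = re.compile(
    r"\.link$|\.gq$|\.party$|\.work$|\.science$|\.cricket$"
    r"|\.kim$|\.country$|\.review$|\.zip$",
    re.IGNORECASE,
)

# Constructed sample requests (no real hosts), one per string, as a sniffer on
# a SPAN port would reassemble them. Requests 3 to 7 are the edge cases.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n",
    "GET /update.bin HTTP/1.1\r\nHost: cdn.example-download.zip\r\n\r\n",
    "GET /login HTTP/1.1\r\nHost: accounts.example.review:8080\r\n\r\n",
    "GET /files/archive.zip HTTP/1.1\r\nHost: files.example.org\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: Promo.Example.PARTY\r\n\r\n",
    "GET /p HTTP/1.1\r\nHost: tracker.example.cricket.\r\n\r\n",
    "GET / HTTP/1.0\r\n\r\n",
]


def extract_host(request: str) -> Optional[str]:
    """Return the Host header of a raw HTTP request, normalised for matching.

    Normalisation: drop an explicit :port and a trailing dot (an FQDN written
    as 'example.zip.'), both of which would otherwise defeat the $ anchors,
    and lower-case the name. Returns None when there is no Host header.
    """
    headers = request.split("\r\n")[1:]        # skip the request line
    for line in headers:
        if line == "":
            break                              # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            if not host.startswith("["):       # leave bracketed IPv6 literals alone
                host = host.split(":", 1)[0]   # 'example.review:8080' -> 'example.review'
            return host.rstrip(".").lower()
    return None


def is_suspicious_tld(host: str) -> bool:
    """True when the host's TLD is one of the ten watched TLDs."""
    return SUSPICIOUS_TLD_RE.search(host) is not None


def flag_requests(requests: List[str]) -> List[Tuple[str, str]]:
    """Return (host, tld) for every request whose Host falls under a watched TLD.

    Only the Host header is examined, so a URL path such as /archive.zip on an
    ordinary host does not produce a hit; only a host ending in .zip does.
    """
    hits = []
    for req in requests:
        host = extract_host(req)
        if host and is_suspicious_tld(host):
            hits.append((host, host.rsplit(".", 1)[-1]))
    return hits


if __name__ == "__main__":
    for host, tld in flag_requests(SAMPLE_REQUESTS):
        print(f"suspicious TLD .{tld}: {host}")
```

Run as a script it prints the four flagged hosts; the .com and .org requests and the request without a Host header produce nothing. The same normalisation matters in LANGuardian or any other tool: if the domain field being matched can contain a port or a trailing dot, the $-anchored patterns above will silently miss those hosts.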
Most basic needs for Regular Expressions (RegEx) and IP address/subnet matching are covered in the LANGuardian Tip Sheet.
And, of course, please contact us any time if you have any questions about web activity or indeed any other aspect of network monitoring with LANGuardian.
If you have any tips for tracking down suspicious top-level domains, please use the comment section below.