
How to Monitor Network Traffic For Suspicious Top-Level Domains


Top-Level Domains – What are they and how to monitor traffic associated with them.

Back in 2011 ICANN approved a plan to expand the number of top level domains (TLDs). Shortly afterwards some analysts suggested that this could spell Dot-Trouble for businesses.

Move forward to 2015 and, sure enough, a few shady neighbourhoods have appeared on the Internet. Research by Blue Coat shows that some of these Internet neighbourhoods have become almost exclusively the domain of people setting up hosts for spam e-mailing, scams, shady software downloads, malware distribution, botnet operations, "phishing" attacks and other suspicious content.

Beware - Suspect Websites

Blue Coat asserts that more than 95% of the sites on these 10 Top-Level Domains (TLDs) are suspect:

  1. .zip
  2. .review
  3. .country
  4. .kim
  5. .cricket
  6. .science
  7. .work
  8. .party
  9. .gq
  10. .link

We recommend that you monitor Internet traffic on your network and watch out for any client connecting to these suspicious TLDs. The best way to do this is to set up a SPAN or mirror port and monitor network traffic at your Internet gateway.

Flow-based tools are not a good option for monitoring Internet traffic, as they cannot look inside the HTTP header to see which domains users are trying to access. Bear in mind that this only works for plain HTTP: in an HTTPS session the Host header is encrypted, although the server name is still visible in the TLS ClientHello (SNI) and in the DNS lookup that precedes the connection. The video below explains how you can set up a SPAN or mirror port to monitor Internet traffic. Most managed switches will allow you to do this.

If you don’t have a managed switch there are many alternatives for SPAN or mirror ports. You just need to pick one to match your requirements.

The image below shows an example of how Wireshark can be used to look inside HTTP headers to extract top-level domain information. Wireshark is very useful for troubleshooting issues associated with a single client. However, it may become data overload if you connect it up to a SPAN or mirror port. If you want to do this you need to look at a commercial network traffic analysis tool like LANGuardian.


Monitoring Suspicious Top-Level Domain Activity with NetFort

The following procedure describes the steps to show any activity associated with these top-level domains (TLDs). The report can be saved on your LANGuardian system as a custom report and can be re-run any time updated information is needed. Alerts and automated reports are also supported.

  1. Click on Reports in the LANGuardian menu bar.
  2. In the Web section, click on Top Website Domains. LANGuardian displays the Top Website Domains report.
  3. In the Website Domain Name field (Matches regexp selected) place \.link$|\.gq$|\.party$|\.work$|\.science$|\.cricket$|\.kim$|\.country$|\.review$|\.zip$
  4. Click View.
  5. When LANGuardian displays the report, click More Actions on the report menu bar and select Save Report.
  6. Enter a name and description for the report, then click Save. The new report will be listed in the Custom Reports section.
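The same regular expression can be applied outside LANGuardian, for example to the Host headers that Wireshark or tshark pulls out of a SPAN-port capture. The script below is an added example, not NetFort or LANGuardian code. It assumes the input is tab-separated "client IP, HTTP Host" records such as `tshark -r capture.pcap -T fields -e ip.src -e http.host` produces, and the sample records in it are constructed for illustration. It also shows why the host value has to be normalised first: a Host header may carry a port (`:8080`), a trailing dot or upper-case letters, and the bare `\.zip$`-style regex misses all three.

```python
"""Flag HTTP Host values whose top-level domain is on the Blue Coat
'shady TLD' list, using the same regex the LANGuardian report uses.

Added example (not NetFort/LANGuardian code). Assumed input format:
one 'client<TAB>host' record per line, as produced by
    tshark -r capture.pcap -T fields -e ip.src -e http.host
"""
import re
from collections import Counter

# The ten TLDs from the article, exactly as entered in the LANGuardian
# "Website Domain Name" field (Matches regexp).
SUSPICIOUS_TLD_RE = re.compile(
    r"\.link$|\.gq$|\.party$|\.work$|\.science$|\.cricket$|\.kim$|\.country$|\.review$|\.zip$"
)


def normalise_host(host: str) -> str:
    """Lower-case the host, drop an explicit port and a trailing dot.

    'Update.Example.ZIP:8080' -> 'update.example.zip'
    'free-prize.party.'       -> 'free-prize.party'
    """
    host = host.strip().lower()
    if host.startswith("["):          # IPv6 literal, not a domain name
        return host
    host = host.split(":", 1)[0]      # strip ':port'
    return host.rstrip(".")           # strip FQDN trailing dot


def is_suspicious(host: str) -> bool:
    """True if the (normalised) host ends in one of the listed TLDs."""
    return SUSPICIOUS_TLD_RE.search(normalise_host(host)) is not None


def scan(records):
    """Count hits per (client, host) over 'client<TAB>host' records."""
    hits = Counter()
    for line in records:
        line = line.strip()
        if not line:
            continue
        client, _, host = line.partition("\t")
        if host and is_suspicious(host):
            hits[(client, normalise_host(host))] += 1
    return hits


# Constructed sample records (not real traffic): a mix of benign hosts,
# a host with a port, one in FQDN form with upper case, and one where
# 'zip' is a label but not the TLD.
SAMPLE_RECORDS = [
    "10.0.0.5\twww.example.com",
    "10.0.0.5\tupdate.example.zip:8080",
    "10.0.0.7\tFREE-PRIZE.PARTY.",
    "10.0.0.9\tzip.example.org",
    "10.0.0.9\tdownloads.example.link",
    "10.0.0.7\tfree-prize.party",
]


if __name__ == "__main__":
    for (client, host), n in sorted(scan(SAMPLE_RECORDS).items()):
        print(f"{client}\t{host}\t{n} request(s)")
```

For HTTPS traffic the Host header is not visible; feed the script the TLS server name instead (`-e tls.handshake.extensions_server_name` in current tshark versions), which goes through the same normalisation and regex.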

Most of the basic Regular Expressions (RegEx) and IP Address/Subnet needs are covered in the LANGuardian Tip Sheet.

And, of course, please contact us any time if you have any questions about web activity or indeed any other aspect of network monitoring with LANGuardian.

Find out who is accessing suspicious top-level domains on YOUR Network

Download a 30 day trial of LANGuardian and find out which users are accessing suspicious top-level domains. No need to install agents or client software. All you need is a SPAN or mirror port.

If you have any tips for tracking down suspicious top-level domains, please use the comment section below.

Darragh Delaney