The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


The Domain Name Service as an IDS


<< Previous INDEX Search src / Print Next >>
Date: Wed, 22 Feb 2006 14:23:12 +0200
From: Gadi Evron <ge@linuxbox.org.>
To: [email protected],
Subject: The Domain Name Service as an IDS
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
X-Greylist: Sender succeded SMTP AUTH authentication, not delayed by milter-greylist-1.7.5 (linuxbox.org [24.155.83.21]); Wed, 22 Feb 2006 06:24:40 -0600 (CST)
X-Virus-Scanned: antivirus-gw at tyumen.ru

"How DNS can be used for detecting and monitoring badware in a network"

http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf

This is a very interesting although preliminary work by obviously 
skilled people. I haven't learned much but I am extremely happy others 
work on this than the people I already know! They also weren't too shy 
with credit, mentioning Florian Weimer and his Passive DNS project 
already at the abstract (quoted below). They even mention me for some 
reason.

Great paper guys!

Moving past Passive DNS Replication and blacklisting, they discuss what 
so far has been done for years using dnstop, and help us take it to the 
next level of DNS monitoring.

Someone should introduce them to Duane Wessels' (from ISC OARC) 
follow-up dnstop project, DSC. :)
http://dns.measurement-factory.com/tools/dsc/
https://oarc.isc.org/faq-dsc.html
http://www.caida.org/tools/utilities/dsc/
[Duane's lecture on the tool at the 1st DNS-OARC Workshop] 
http://www.caida.org/projects/oarc/200507/slides/oarc0507-Wessels-dsc.pdf

There has been some other interesting work done in this area by our very 
own David Dagon from Georgia Tech:
[Presentation from the 1st DNS-OARC Workshop] Botnet Detection and 
Response - The Network is the Infection: 
http://www.caida.org/projects/oarc/200507/slides/oarc0507-Dagon.pdf
[Paper] Modeling Botnet Propagation Using Time Zones: 
http://www.cs.ucf.edu/~czou/research/botnet_tzmodel_NDSS06.pdf

-----
Abstract
SURFnet is looking for technologies to expand the ways they can detect 
network traffic anomalies like botnets. Since bots started using domain 
names for connection with their controller, tracking and removing them 
has become a hard task. This research is a first glance at the usability 
of DNS traffic and logs for detection of this malicious network 
activity. Detection of bots is possible by DNS information gathered from 
the network by placing counters and triggers on specific events in the 
data analysis. In combination with NetFlow information and IP addresses 
of known infected systems, detection of bots of network anomalies can be 
made visible. Also the behavior of a bot can be documented and 
additional information can be gathering about the bot. Using DNS data as 
a supplement to the existing detection systems can give more insight in
the suspicious network traffic. With some future research, this 
information can be used to compile a case against particular types of 
bot or spyware and help dismantling a remote controlled infrastructure 
as a whole.

Note
We started this research project with the question if the Passive DNS 
Software of Florian Weimer was useful for bot detection. We immediately 
found out that the sensor of the Passive DNS Software strips the source 
address from the collected data for privacy reasons, making this 
software not useful at all for our purpose. We deviated from the 
Research Plan (Plan van Aanpak) and took a more general approach to the 
question; ■Is gathered DNS traffic usable for badware detection■.
-----

        Gadi.


-- 
http://blogs.securiteam.com/

"Out of the box is where I live".
        -- Cara "Starbuck" Thrace, Battlestar Galactica.


<< Previous INDEX Search src / Print Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру