The Domain Name Service as an IDS

To: bugtraq@xxxxxxxxxxxxxxxxx, "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: The Domain Name Service as an IDS
From: Gadi Evron <ge@xxxxxxxxxxxx>
Date: Wed, 22 Feb 2006 14:23:12 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)

"How DNS can be used for detecting and monitoring badware in a network"

http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf

This is a very interesting although preliminary work by obviouslyskilled people. I haven't learned much but I am extremely happy otherswork on this than the people I already know! They also weren't too shywith credit, mentioning Florian Weimer and his Passive DNS projectalready at the abstract (quoted below). They even mention me for somereason.


Great paper guys!

Moving past Passive DNS Replication and blacklisting, they discuss whatso far has been done for years using dnstop, and help us take it to thenext level of DNS monitoring.

Someone should introduce them to Duane Wessels' (from ISC OARC)follow-up dnstop project, DSC. :)

http://dns.measurement-factory.com/tools/dsc/
https://oarc.isc.org/faq-dsc.html
http://www.caida.org/tools/utilities/dsc/

[Duane's lecture on the tool at the 1st DNS-OARC Workshop]http://www.caida.org/projects/oarc/200507/slides/oarc0507-Wessels-dsc.pdf

There has been some other interesting work done in this area by our veryown David Dagon from Georgia Tech:[Presentation from the 1st DNS-OARC Workshop] Botnet Detection andResponse - The Network is the Infection:http://www.caida.org/projects/oarc/200507/slides/oarc0507-Dagon.pdf[Paper] Modeling Botnet Propagation Using Time Zones:http://www.cs.ucf.edu/~czou/research/botnet_tzmodel_NDSS06.pdf


-----
Abstract

SURFnet is looking for technologies to expand the ways they can detectnetwork traffic anomalies like botnets. Since bots started using domainnames for connection with their controller, tracking and removing themhas become a hard task. This research is a first glance at the usabilityof DNS traffic and logs for detection of this malicious networkactivity. Detection of bots is possible by DNS information gathered fromthe network by placing counters and triggers on specific events in thedata analysis. In combination with NetFlow information and IP addressesof known infected systems, detection of bots of network anomalies can bemade visible. Also the behavior of a bot can be documented andadditional information can be gathering about the bot. Using DNS data asa supplement to the existing detection systems can give more insight inthe suspicious network traffic. With some future research, thisinformation can be used to compile a case against particular types ofbot or spyware and help dismantling a remote controlled infrastructureas a whole.


Note

We started this research project with the question if the Passive DNSSoftware of Florian Weimer was useful for bot detection. We immediatelyfound out that the sensor of the Passive DNS Software strips the sourceaddress from the collected data for privacy reasons, making thissoftware not useful at all for our purpose. We deviated from theResearch Plan (Plan van Aanpak) and took a more general approach to thequestion; ”Is gathered DNS traffic usable for badware detection”.

-----

        Gadi.

--
http://blogs.securiteam.com/

"Out of the box is where I live".
        -- Cara "Starbuck" Thrace, Battlestar Galactica.

Prev by Date: Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]
Next by Date: TSLSA-2006-0008 - multi
Previous by thread: IRM 018: Winamp 5.13 m3u Playlist Buffer Overflow
Next by thread: TSLSA-2006-0008 - multi
Index(es):
- Date
- Thread