The Domain Name Service as an IDS
"How DNS can be used for detecting and monitoring badware in a network"
http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf
This is a very interesting although preliminary work by obviously
skilled people. I haven't learned much but I am extremely happy others
work on this than the people I already know! They also weren't too shy
with credit, mentioning Florian Weimer and his Passive DNS project
already at the abstract (quoted below). They even mention me for some
reason.
Great paper guys!
Moving past Passive DNS Replication and blacklisting, they discuss what
so far has been done for years using dnstop, and help us take it to the
next level of DNS monitoring.
Someone should introduce them to Duane Wessels' (from ISC OARC)
follow-up dnstop project, DSC. :)
http://dns.measurement-factory.com/tools/dsc/
https://oarc.isc.org/faq-dsc.html
http://www.caida.org/tools/utilities/dsc/
[Duane's lecture on the tool at the 1st DNS-OARC Workshop]
http://www.caida.org/projects/oarc/200507/slides/oarc0507-Wessels-dsc.pdf
There has been some other interesting work done in this area by our very
own David Dagon from Georgia Tech:
[Presentation from the 1st DNS-OARC Workshop] Botnet Detection and
Response - The Network is the Infection:
http://www.caida.org/projects/oarc/200507/slides/oarc0507-Dagon.pdf
[Paper] Modeling Botnet Propagation Using Time Zones:
http://www.cs.ucf.edu/~czou/research/botnet_tzmodel_NDSS06.pdf
-----
Abstract
SURFnet is looking for technologies to expand the ways they can detect
network traffic anomalies like botnets. Since bots started using domain
names for connection with their controller, tracking and removing them
has become a hard task. This research is a first glance at the usability
of DNS traffic and logs for detection of this malicious network
activity. Detection of bots is possible by DNS information gathered from
the network by placing counters and triggers on specific events in the
data analysis. In combination with NetFlow information and IP addresses
of known infected systems, detection of bots of network anomalies can be
made visible. Also the behavior of a bot can be documented and
additional information can be gathering about the bot. Using DNS data as
a supplement to the existing detection systems can give more insight in
the suspicious network traffic. With some future research, this
information can be used to compile a case against particular types of
bot or spyware and help dismantling a remote controlled infrastructure
as a whole.
Note
We started this research project with the question if the Passive DNS
Software of Florian Weimer was useful for bot detection. We immediately
found out that the sensor of the Passive DNS Software strips the source
address from the collected data for privacy reasons, making this
software not useful at all for our purpose. We deviated from the
Research Plan (Plan van Aanpak) and took a more general approach to the
question; ”Is gathered DNS traffic usable for badware detection”.
-----
Gadi.
--
http://blogs.securiteam.com/
"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.