A Centralized Monitoring Infrastructure for Improving DNS Security

Antonakakis, Manos; Dagon, David; Wang, Liu; Perdisci, Roberto; Lee, Wenke; Bellmor, Justin

doi:10.1007/978-3-642-15512-3_2

Cited by 52 publications

(58 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our work, on the other hand, tracks DNS records of newly registered domains to infer spatial and temporal characteristics. Anax scanned the recursive servers to find out anomaly in the cached records and detect poisoning attacks [1]. In contrast, we monitor the records in the zones' authoritative servers to discover the characteristics in the malicious domains' registration.…”

Section: Related Workmentioning

confidence: 99%

“…The rate at which new domains appear makes quickly developing a reputation for these domains particularly challenging: in our analysis, we find that over tens of thousands of new domains are registered every day. Existing DNS reputation systems use the characteristics of DNS lookups from resolvers that look up a domain to distinguish legitimate from malicious domains [1,2]. Unfortunately, these systems must observe a significant volume of DNS lookups before determining the reputation for a domain, which only occurs after compromise has taken place.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Monitoring the initial DNS behavior of malicious domains

Hao

Feamster

Pandrangi³

2011

Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference

View full text Add to dashboard Cite

Attackers often use URLs to advertise scams or propagate malware. Because the reputation of a domain can be used to identify malicious behavior, miscreants often register these domains "just in time" before an attack. This paper explores the DNS behavior of attack domains, as identified by appearance in a spam trap, shortly after the domains were registered. We explore the behavioral properties of these domains from two perspectives: (1) the DNS infrastructure associated with the domain, as is observable from the resource records; and (2) the DNS lookup patterns from networks who are looking up the domains initially. Our analysis yields many findings that may ultimately be useful for early detection of malicious domains. By monitoring the infrastructure for these malicious domains, we find that about 55% of scam domains occur in attacks at least one day after registration, suggesting the potential for early discovery of malicious domains, solely based on properties of the DNS infrastructure that resolves those domains. We also find that there are a few regions of IP address space that host name servers and other types of servers for only malicious domains. Malicious domains have resource records that are distributed more widely across IP address space, and they are more quickly looked up by a variety of different networks. We also identify a set of "tainted" ASes that are used heavily by bad domains to host resource records. The features we observe are often evident before any attack even takes place; ultimately, they might serve as the basis for a DNS-based early warning system for attacks.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Monitoring the initial DNS behavior of malicious domains

Hao

Feamster

Pandrangi³

2011

Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference

View full text Add to dashboard Cite

show abstract

“…Observing cache changes in multiple recursive servers is helpful in detecting cache poisoning attacks [24]. However, all the above approaches, except [21] which is mainly manual, require additional sources of information, which is gathered actively using common tools like dig or whois.…”

Section: Related Workmentioning

confidence: 99%

Multi-dimensional aggregation for DNS monitoring

Dolberg

Jérôme

Engel

2013

38th Annual IEEE Conference on Local Computer Networks

View full text Add to dashboard Cite

Abstract-DNS is an essential service in the Internet as it allows to translate human language based domain names into IP addresses. DNS traffic reflects the user activities and behaviors. It is thus a helpful source of information in the context of large scale network monitoring. In particular, passive DNS monitoring garnered much interest for the security perspectives by highlighting the services the machines want to access. In this paper, we propose a new method for assessing the dynamics of the match between DNS names and IP subnetworks using an efficient aggregating scheme combined with relevant steadiness metrics. The evaluation relies on real data collected over several months and is able to detect anomalies related to malicious domains.

show abstract

“…Statistical evaluation is used in [2], respectively whitelists and classifiers are referred to, to detect anomalous patterns in RR data for rervealing poisoning attacks. The authors in [3] describe a large-scale passive DNS tool, where features are used to detect anomalies, as for example euclidean distances between entries to identify changes in the lifetimes of domains, etc.…”

Section: Related Workmentioning

confidence: 99%