Characterizing Dark DNS Behavior

Oberheide, Jon; Karir, Manish; Mao, Z. Morley

doi:10.1007/978-3-540-73614-1_9

Cited by 28 publications

(12 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Note that the top 4 records are the same for the entire 3 months period. Further, in contrast with the results in 2007 by [15], that found that ANY records scored only 0.0199% of the entire perceived records, we record 52.23% as observed on the darknet space. As a result, we can safely assume that the recent trend of DNS amplification attacks are behind the increase of ANY records found on the darknet in the current year [4].…”

Section: ) Query Type Distributioncontrasting

confidence: 99%

Fingerprinting Internet DNS Amplification DDoS Activities

Fachkha

Bou‐Harb

Debbabi³

2014

2014 6th International Conference on New Technologies, Mobility and Security (NTMS)

View full text Add to dashboard Cite

This work proposes a novel approach to infer and characterize Internet-scale DNS amplification DDoS attacks by leveraging the darknet space. Complementary to the pioneer work on inferring Distributed Denial of Service (DDoS) activities using darknet, this work shows that we can extract DDoS activities without relying on backscattered analysis. The aim of this work is to extract cyber security intelligence related to DNS Amplification DDoS activities such as detection period, attack duration, intensity, packet size, rate and geo-location in addition to various network-layer and flow-based insights. To achieve this task, the proposed approach exploits certain DDoS parameters to detect the attacks. We empirically evaluate the proposed approach using 720 GB of real darknet data collected from a /13 address space during a recent three months period. Our analysis reveals that the approach was successful in inferring significant DNS amplification DDoS activities including the recent prominent attack that targeted one of the largest anti-spam organizations. Moreover, the analysis disclosed the mechanism of such DNS amplification DDoS attacks. Further, the results uncover high-speed and stealthy attempts that were never previously documented. The case study of the largest DDoS attack in history lead to a better understanding of the nature and scale of this threat and can generate inferences that could contribute in detecting, preventing, assessing, mitigating and even attributing of DNS amplification DDoS activities.Comment: 5 pages, 2 figure

show abstract

Section: ) Query Type Distributioncontrasting

confidence: 99%

Fingerprinting Internet DNS Amplification DDoS Activities

Fachkha

Bou‐Harb

Debbabi³

2014

2014 6th International Conference on New Technologies, Mobility and Security (NTMS)

View full text Add to dashboard Cite

show abstract

“…Attacks to the DNS infrastructure are inferred in [30], by analyzing significant changes in the distribution of conforming and non-conforming packet sizes under the cross entropy metric. Basic statistics of DNS queries are investigated in [31] through association with 'dark' (i.e., unused) address spaces and the development of honeydns, a tool that complements existing honeypots to prevent attackers from easily evading monitored networks. Basic statistics of DNS queries are investigated in [31] through association with 'dark' (i.e., unused) address spaces and the development of honeydns, a tool that complements existing honeypots to prevent attackers from easily evading monitored networks.…”

Section: Related Literaturementioning

confidence: 99%

DNS tunneling detection through statistical fingerprints of protocol messages and machine learning

Aiello

Mongelli

Papaleo

2014

Int J Communication

View full text Add to dashboard Cite

The use of covert-channel methods to bypass security policies has increased considerably in the recent years. Malicious users neutralize security restriction by encapsulating protocols like peer-to-peer, chat or http proxy into other allowed protocols like Domain Name Server (DNS) or HTTP. This paper illustrates a machine learning approach to detect one particular covert-channel technique: DNS tunneling.Despite packet inspection may guarantee reliable intrusion detection in this context, it may suffer of scalability performance when a large set of sockets should be monitored in real time. Detecting the presence of DNS intruders by an aggregation-based monitoring is of main interest as it avoids packet inspection, thus preserving privacy and scalability. The proposed monitoring mechanism looks at simple statistical properties of protocol messages, such as statistics of packets inter-arrival times and of packets sizes. The analysis is complicated by two drawbacks: silent intruders (generating small statistical variations of legitimate traffic) and quick statistical fingerprints generation (to obtain a detection tool really applicable in the field).Results from experiments conducted on a live network are obtained by replicating individual detections over successive samples over time and by making a global decision through a majority voting scheme. The technique overcomes traditional classifier limitations. An insightful analysis of the performance leads to discover a unique intrusion detection tool, applicable in the presence of different tunneled applications. ¶ The n s with an order of magnitude more (n s D 10 4 ) captures features with a higher measurement stability, thus allowing to reach the steady state after K=811 samples.

show abstract

“…A honeynet is used to collect bot-binaries which penetrate the botnets (Freiling et al, 2005;Abu Rajab et al, 2006;Stinson and Mitchell, 2007). There are different techniques to capture bots in honeynets (McCarty, 2003;Freiling et al, 2005;Abu Rajab et al, 2006;Dagon et al, 2006;Barford and Yegneswaran, 2007;Oberheide et al, 2007;Cremonini and Riccardi, 2009;Jing et al, 2009;Szymczyk, 2009;Rieck et al, 2010;Pham and Dacier, 2011). However, intruders developed novel methods to overwhelm honeynet traps (Kugisaki et al, 2007;Wurzinger et al, 2009).…”

Section: Taxonomy Of the Botnet Detection Phenomenonmentioning

confidence: 96%

Botnet detection techniques: review, future trends, and issues

Karim

Salleh

Shiraz

et al. 2014

J. Zhejiang Univ. - Sci. C

107

View full text Add to dashboard Cite

In recent years, the Internet has enabled access to widespread remote services in the distributed computing environment; however, integrity of data transmission in the distributed computing platform is hindered by a number of security issues. For instance, the botnet phenomenon is a prominent threat to Internet security, including the threat of malicious codes. The botnet phenomenon supports a wide range of criminal activities, including distributed denial of service (DDoS) attacks, click fraud, phishing, malware distribution, spam emails, and building machines for illegitimate exchange of information/materials. Therefore, it is imperative to design and develop a robust mechanism for improving the botnet detection, analysis, and removal process. Currently, botnet detection techniques have been reviewed in different ways; however, such studies are limited in scope and lack discussions on the latest botnet detection techniques. This paper presents a comprehensive review of the latest state-of-the-art techniques for botnet detection and figures out the trends of previous and current research. It provides a thematic taxonomy for the classification of botnet detection techniques and highlights the implications and critical aspects by qualitatively analyzing such techniques. Related to our comprehensive review, we highlight future directions for improving the schemes that broadly span the entire botnet detection research field and identify the persistent and prominent research challenges that remain open.

show abstract

Characterizing Dark DNS Behavior

Cited by 28 publications

References 11 publications

Fingerprinting Internet DNS Amplification DDoS Activities

Fingerprinting Internet DNS Amplification DDoS Activities

DNS tunneling detection through statistical fingerprints of protocol messages and machine learning

Botnet detection techniques: review, future trends, and issues

Contact Info

Product

Resources

About