Enabling Network Security Through Active DNS Datasets

Kountouras, Athanasios; Kintis, Panagiotis; Lever, Chaz; Chen, Yizheng; Nadji, Yacin; Dagon, David; Antonakakis, Manos; Joffe, Rodney

doi:10.1007/978-3-319-45719-2_9

Cited by 53 publications

(47 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Active DNS: We also utilize an active DNS (ADN S) dataset, which we obtain daily from the Active DNS project [24]. Since the duration of this dataset is less than a year, it does not have a complete temporal overlap with our PDN S dataset.…”

Section: Datasetsmentioning

confidence: 99%

Hiding in Plain Sight

Kintis

Miramirkhani

Lever

et al. 2017

Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

Domain squatting is a common adversarial practice where attackers register domain names that are purposefully similar to popular domains. In this work, we study a specific type of domain squatting called "combosquatting, " in which attackers register domains that combine a popular trademark with one or more phrases (e.g., betterfacebook[.]com, youtube-live[.]com). We perform the first largescale, empirical study of combosquatting by analyzing more than 468 billion DNS records-collected from passive and active DNS data sources over almost six years. We find that almost 60% of abusive combosquatting domains live for more than 1,000 days, and even worse, we observe increased activity associated with combosquatting year over year. Moreover, we show that combosquatting is used to perform a spectrum of different types of abuse including phishing, social engineering, affiliate abuse, trademark abuse, and even advanced persistent threats. Our results suggest that combosquatting is a real problem that requires increased scrutiny by the security community.

show abstract

Section: Datasetsmentioning

confidence: 99%

Hiding in Plain Sight

Kintis

Miramirkhani

Lever

et al. 2017

Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…However, if this is not the case in the future, it would be easy to find alternatives. Given that the important features we extract depend more on the temporal registration information than the contact details of the registrant, we could replace our WHOIS features with DNS tracking systems like Active DNS [23] or the Alembic system [25].…”

Section: Whois and Gdprmentioning

confidence: 99%

Detecting DGA domains with recurrent neural networks and side information

Curtin

Gardner

Grzonkowski

et al. 2019

Proceedings of the 14th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Modern malware typically makes use of a domain generation algorithm (DGA) to avoid command and control domains or IPs being seized or sinkholed. This means that an infected system may attempt to access many domains in an attempt to contact the command and control server. Therefore, the automatic detection of DGA domains is an important task, both for the sake of blocking malicious domains and identifying compromised hosts. However, many DGAs use English wordlists to generate plausibly clean-looking domain names; this makes automatic detection difficult. In this work, we devise a notion of difficulty for DGA families called the smashword score; this measures how much a DGA family looks like English words. We find that this measure accurately reflects how much a DGA family's domains look like they are made from natural English words. We then describe our new modeling approach, which is a combination of a novel recurrent neural network architecture with domain registration side information. Our experiments show the model is capable of effectively identifying domains generated by difficult DGA families. Our experiments also show that our model outperforms existing approaches, and is able to reliably detect difficult DGA families such as matsnu, suppobox, rovnix, and others. The model's performance compared to the state of the art is best for DGA families that resemble English words. We believe that this model could either be used in a standalone DGA domain detector-such as an endpoint security application-or alternately the model could be used as a part of a larger malware detection system. CCS CONCEPTS• Security and privacy → Malware and its mitigation; Artificial immune systems; Web protocol security; • Computing methodologies → Neural networks.

show abstract

“…Legitimate use-cases for CNAME chains must ensure the length is supported by all DNS resolvers, if they want to support all users. We inspected the Active DNS [21] data set to identify benign chains. We extracted the CNAME entries from 2017-10-05 to reconstruct the longest benign chains, which consists of eight elements (seven CNAMEs and one final RR).…”

Section: Recursion Depth Limitmentioning

confidence: 99%

DNS Unchained: Amplified Application-Layer DoS Attacks Against DNS Authoritatives

Bushart

Rossow

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We present DNS Unchained, a new application-layer DoS attack against core DNS infrastructure that for the first time uses amplification. To achieve an attack amplification of 8.51, we carefully chain CNAME records and force resolvers to perform deep name resolutionseffectively overloading a target authoritative name server with valid requests. We identify 178 508 potential amplifiers, of which 74.3% can be abused in such an attack due to the way they cache records with low Time-to-Live values. In essence, this allows a single modern consumer uplink to downgrade availability of large DNS setups. To tackle this new threat, we conclude with an overview of countermeasures and suggestions for DNS servers to limit the impact of DNS chaining attacks.

show abstract

Enabling Network Security Through Active DNS Datasets

Cited by 53 publications

References 15 publications

Hiding in Plain Sight

Hiding in Plain Sight

Detecting DGA domains with recurrent neural networks and side information

DNS Unchained: Amplified Application-Layer DoS Attacks Against DNS Authoritatives

Contact Info

Product

Resources

About