Fast and Evasive Attacks: Highlighting the Challenges Ahead

Rajab, Moheeb Abu; Monrose, Fabian; Terzis, Andreas

doi:10.1007/11856214_11

Cited by 23 publications

(11 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Previous work has demonstrated the ease of detecting the location of general network sensors [10,11] through active probing. Recent work by Rajab et al [12] describes how evasive techniques can be used by malware to detect honeypots by selective sampling of the IP address space. Discrepancies in the behavior of IP network stacks can also be exploited for sensor detection, as demonstrated by shown the Honeyd detector named Winnie [13].…”

Section: Related Workmentioning

confidence: 99%

Characterizing Dark DNS Behavior

Oberheide

Karir

Mao

2007

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

Abstract. Security researchers and network operators increasingly rely on information gathered from honeypots and sensors deployed on darknets, or unused address space, for attack detection. While the attack traffic gleaned from such deployments has been thoroughly scrutinized, little attention has been paid to DNS queries targeting these addresses. In this paper, we introduce the concept of dark DNS, the DNS queries associated with darknet addresses, and characterize the data collected from a large operational network by our dark DNS sensor. We discuss the implications of sensor evasion via DNS reconnaissance and emphasize the importance of proactive defense when deploying darknet sensors by properly delegating reverse DNS authority. Finally, we present honeydns, a tool that complements existing network sensors and low-interaction honeypots by providing simple DNS services.

show abstract

Section: Related Workmentioning

confidence: 99%

Characterizing Dark DNS Behavior

Oberheide

Karir

Mao

2007

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

show abstract

“…Rajab et al have presented an efficient probe-response attack that can be used to discover the locations of network monitors deployed on the (wired) Internet [16]. A similar technique could potentially be applied in the context of mobile infections.…”

Section: B Evasive Wormsmentioning

confidence: 99%

On Using Mobility to Propagate Malware

Sarat

Terzis

2007

2007 5th International Symposium on Modeling and Optimization in Mobile, Ad Hoc and Wireless Networks and Workshops

Self Cite

View full text Add to dashboard Cite

Abstract-Mobility can be exploited to spread malware among wireless nodes. In this paper, we present an analytical model for estimating the evolution of infections spanning multiple network domains that host mobile nodes. We validate the accuracy of the proposed model by comparing its predictions to simulations driven by realistic mobility patterns. Our results show that such a mobile infection requires less than a day to infect the majority of a mobile population with thousands of wireless nodes spanning hundreds of network domains. Moreover, if mobile nodes are allowed to infect nodes within the same domain that are connected to the wired network, then an even smaller number of mobile nodes can inflict comparable damage in similar time frames. Unfortunately, these infections generate negligible activity at global malware monitoring stations (e.g., network telescopes and honeypots), which contributes to their stealthiness. By observing the infection's spatial evolution we show that popular domains are infected during the early stages of the infection. This observation is likely to be useful in designing countermeasures against mobile infections. By placing monitors in approximately 10% of the most visited domains, we can detect the mobile worm before it reaches a majority of the population. Finally, we elucidate why simply placing telescopes in just the popular domains is not sufficient for early detection.

show abstract

“…The latter type of scan significantly reduces the burden on remote networks and is useful when a 5-10-s estimate of the number of responsive hosts (rather than their IP addresses) is required. While we do not specifically cover dynamic scope reduction (e.g., using prior scan history [46], live feedback [57], or external information [25]), our techniques may be used in conjunction with such approaches to optimally load-balance the traffic across target networks. While several large-scale measurements have been conducted in the past [6], [14], [18], [44], researchers initially considering a similar project are often faced with delays on the order of months for individual tests to run [6], [44].…”

Section: Introductionmentioning

confidence: 99%

Demystifying Internet-Wide Service Discovery

Leonard

Loguinov

2013

IEEE/ACM Trans. Networking

View full text Add to dashboard Cite

Abstract-This paper develops a high-performance, Internet-wide service discovery tool, which we call IRLscanner, whose main design objectives have been to maximize politeness at remote networks, allow scanning rates that achieve coverage of the Internet in minutes/hours (rather than weeks/months), and significantly reduce administrator complaints. Using IRLscanner and 24-h scans, we perform 21 Internet-wide experiments using six different protocols (i.e., DNS, HTTP, SMTP, EPMAP, ICMP, and UDP ECHO), demonstrate the usefulness of ACK scans in detecting live hosts behind stateless firewalls, and undertake the first Internet-wide OS fingerprinting. In addition, we analyze the feedback generated (e.g., complaints, IDS alarms) and suggest novel approaches for reducing the amount of blowback during similar studies, which should enable researchers to collect valuable experimental data in the future with significantly fewer hurdles.

show abstract

Fast and Evasive Attacks: Highlighting the Challenges Ahead

Cited by 23 publications

References 19 publications

Characterizing Dark DNS Behavior

Characterizing Dark DNS Behavior

On Using Mobility to Propagate Malware

Demystifying Internet-Wide Service Discovery

Contact Info

Product

Resources

About