Inferring Internet denial-of-service activity

Moore, David; Shannon, Colleen; Brown, Douglas J.; Voelker, Geoffrey M.; Savage, Stefan

doi:10.1145/1132026.1132027

Cited by 735 publications

(361 citation statements)

References 5 publications

Supporting

Mentioning

345

Contrasting

Order By: Relevance

“…Aside from DNS mapping efforts, there should not be any legitimate DNS traffic for such an unused address space. We postulate that the observed dark DNS activity falls into the following classifications: (1) DNS mapping efforts such as that by Internet Systems Consortium [22], (2) backscatter [23] due to spoofed darknet traffic triggering subsequent DNS queries by monitoring systems, (3) misconfiguration, (4) PTR reconnaissance by malicious entities to identify live hosts for attack targeting. Table 2 illustrates the basic statistics of our three datasets.…”

Section: Discussionmentioning

confidence: 99%

Characterizing Dark DNS Behavior

Oberheide

Karir

Mao

2007

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

Abstract. Security researchers and network operators increasingly rely on information gathered from honeypots and sensors deployed on darknets, or unused address space, for attack detection. While the attack traffic gleaned from such deployments has been thoroughly scrutinized, little attention has been paid to DNS queries targeting these addresses. In this paper, we introduce the concept of dark DNS, the DNS queries associated with darknet addresses, and characterize the data collected from a large operational network by our dark DNS sensor. We discuss the implications of sensor evasion via DNS reconnaissance and emphasize the importance of proactive defense when deploying darknet sensors by properly delegating reverse DNS authority. Finally, we present honeydns, a tool that complements existing network sensors and low-interaction honeypots by providing simple DNS services.

show abstract

Section: Discussionmentioning

confidence: 99%

Characterizing Dark DNS Behavior

Oberheide

Karir

Mao

2007

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

show abstract

“…• Availability: To our best knowledge there is no reliable data regarding denial-of-service (DoS) attacks on VPNs as operators do not publish figures for security reasons and the common backscatter analysis [25] cannot detect DoS attacks on VPNs. However, DoS attacks are expected to be become increasingly important as DoS attacks are very cheap to realize and yet effective [26].…”

Section: Security Objectivesmentioning

confidence: 99%

A survey on automatic configuration of virtual private networks

Rossberg

Schaefer

2011

Computer Networks

View full text Add to dashboard Cite

Virtual private networks (VPN) offer a secure data exchange over public networks. Despite being cheaper than leased lines, growing sizes and dynamic behavior of VPN nodes, e.g., for mobility or reasons of denial-of-service-attacks, make a manual configuration of large, dynamic VPN expensive.Consequently, a number of different VPN auto-configuration approaches have been invented and partially deployed over the last decade. This article identifies a comprehensive set of objectives to be fulfilled by IP-based VPN auto-configuration, explains and groups mechanisms, and analyzes their strengths and weaknesses with regards to the objectives. Finally, it identifies potential future directions of autonomous VPN deployment.

show abstract

“…Also, infected computers may join a botnet [5], a large collection of compromised hosts controlled by the attacker. The computational power of compromised hosts are valuable for attackers as these hosts can be misused for spam campaigns [17] or denial of service attacks [20].…”

Section: Introductionmentioning

confidence: 99%

Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks

Egele¹,

Wurzinger²,

Kruegel

et al. 2009

Lecture Notes in Computer Science

118

View full text Add to dashboard Cite

Abstract. Drive-by download attacks are among the most common methods for spreading malware today. These attacks typically exploit memory corruption vulnerabilities in web browsers and browser plug-ins to execute shellcode, and in consequence, gain control of a victim's computer. Compromised machines are then used to carry out various malicious activities, such as joining botnets, sending spam emails, or participating in distributed denial of service attacks. To counter drive-by downloads, we propose a technique that relies on x86 instruction emulation to identify JavaScript string buffers that contain shellcode. Our detection is integrated into the browser, and performed before control is transfered to the shellcode, thus, effectively thwarting the attack. The solution maintains fair performance by avoiding unnecessary invocations of the emulator, while ensuring that every buffer with potential shellcode is checked. We have implemented a prototype of our system, and evaluated it over thousands of malicious and legitimate web sites. Our results demonstrate that the system performs accurate detection with no false positives.

show abstract

Inferring Internet denial-of-service activity

Cited by 735 publications

References 5 publications

Characterizing Dark DNS Behavior

Characterizing Dark DNS Behavior

A survey on automatic configuration of virtual private networks

Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks

Contact Info

Product

Resources

About