lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <43FC57B0.8080602@linuxbox.org>
Date: Wed Feb 22 12:24:57 2006
From: ge at linuxbox.org (Gadi Evron)
Subject: The Domain Name Service as an IDS

"How DNS can be used for detecting and monitoring badware in a network"

http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf

This is a very interesting although preliminary work by obviously 
skilled people. I haven't learned much but I am extremely happy others 
work on this than the people I already know! They also weren't too shy 
with credit, mentioning Florian Weimer and his Passive DNS project 
already at the abstract (quoted below). They even mention me for some 
reason.

Great paper guys!

Moving past Passive DNS Replication and blacklisting, they discuss what 
so far has been done for years using dnstop, and help us take it to the 
next level of DNS monitoring.

Someone should introduce them to Duane Wessels' (from ISC OARC) 
follow-up dnstop project, DSC. :)
http://dns.measurement-factory.com/tools/dsc/
https://oarc.isc.org/faq-dsc.html
http://www.caida.org/tools/utilities/dsc/
[Duane's lecture on the tool at the 1st DNS-OARC Workshop] 
http://www.caida.org/projects/oarc/200507/slides/oarc0507-Wessels-dsc.pdf

There has been some other interesting work done in this area by our very 
own David Dagon from Georgia Tech:
[Presentation from the 1st DNS-OARC Workshop] Botnet Detection and 
Response - The Network is the Infection: 
http://www.caida.org/projects/oarc/200507/slides/oarc0507-Dagon.pdf
[Paper] Modeling Botnet Propagation Using Time Zones: 
http://www.cs.ucf.edu/~czou/research/botnet_tzmodel_NDSS06.pdf

-----
Abstract
SURFnet is looking for technologies to expand the ways they can detect 
network traffic anomalies like botnets. Since bots started using domain 
names for connection with their controller, tracking and removing them 
has become a hard task. This research is a first glance at the usability 
of DNS traffic and logs for detection of this malicious network 
activity. Detection of bots is possible by DNS information gathered from 
the network by placing counters and triggers on specific events in the 
data analysis. In combination with NetFlow information and IP addresses 
of known infected systems, detection of bots of network anomalies can be 
made visible. Also the behavior of a bot can be documented and 
additional information can be gathering about the bot. Using DNS data as 
a supplement to the existing detection systems can give more insight in
the suspicious network traffic. With some future research, this 
information can be used to compile a case against particular types of 
bot or spyware and help dismantling a remote controlled infrastructure 
as a whole.

Note
We started this research project with the question if the Passive DNS 
Software of Florian Weimer was useful for bot detection. We immediately 
found out that the sensor of the Passive DNS Software strips the source 
address from the collected data for privacy reasons, making this 
software not useful at all for our purpose. We deviated from the 
Research Plan (Plan van Aanpak) and took a more general approach to the 
question; ?Is gathered DNS traffic usable for badware detection?.
-----

	Gadi.

-- 
http://blogs.securiteam.com/

"Out of the box is where I live".
	-- Cara "Starbuck" Thrace, Battlestar Galactica.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ