Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] The Domain Name Service as an IDS



> ------------------------------
> 
> Message: 4
> Date: Wed, 22 Feb 2006 14:25:34 +0200
> From: Gadi Evron <ge@xxxxxxxxxxxx>
> Subject: [Dailydave] The Domain Name Service as an IDS
> To: dailydave <dailydave@xxxxxxxxxxxxxxxxxxxxx>
> Message-ID: <43FC583E.10205@xxxxxxxxxxxx>
> Content-Type: text/plain; charset=windows-1252; format=flowed
> 
> "How DNS can be used for detecting and monitoring badware in 
> a network"
> 
> http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf
> 
> This is a very interesting although preliminary work by obviously
> skilled people. I haven't learned much but I am extremely happy others
> work on this than the people I already know! They also weren't too shy
> with credit, mentioning Florian Weimer and his Passive DNS project
> already at the abstract (quoted below). They even mention me for some
> reason.
> 
> Great paper guys!
> 
> Moving past Passive DNS Replication and blacklisting, they discuss what
> so far has been done for years using dnstop, and help us take it to the
> next level of DNS monitoring.
> 
> Someone should introduce them to Duane Wessels' (from ISC OARC) 
> follow-up dnstop project, DSC. :)
> http://dns.measurement-factory.com/tools/dsc/
> https://oarc.isc.org/faq-dsc.html
> http://www.caida.org/tools/utilities/dsc/
> [Duane's lecture on the tool at the 1st DNS-OARC Workshop]
> http://www.caida.org/projects/oarc/200507/slides/oarc0507-Wessels-dsc.pdf
> 
> There has been some other interesting work done in this area by our very
> own David Dagon from Georgia Tech:
> [Presentation from the 1st DNS-OARC Workshop] Botnet Detection and 
> Response - The Network is the Infection: 
> http://www.caida.org/projects/oarc/200507/slides/oarc0507-Dagon.pdf
> [Paper] Modeling Botnet Propagation Using Time Zones: 
> http://www.cs.ucf.edu/~czou/research/botnet_tzmodel_NDSS06.pdf
> 
> -----
> Abstract
> SURFnet is looking for technologies to expand the ways they can detect
> network traffic anomalies like botnets. Since bots started using domain
> names for connection with their controller, tracking and removing them
> has become a hard task. This research is a first glance at the usability
> of DNS traffic and logs for detection of this malicious network
> activity. Detection of bots is possible by DNS information gathered from
> the network by placing counters and triggers on specific events in the
> data analysis. In combination with NetFlow information and IP addresses
> of known infected systems, detection of bots of network anomalies can be
> made visible. Also the behavior of a bot can be documented and
> additional information can be gathered about the bot. Using DNS data as
> a supplement to the existing detection systems can give more insight
> into the suspicious network traffic. With some future research, this
> information can be used to compile a case against particular types of
> bot or spyware and help dismantle a remote controlled infrastructure
> as a whole.
> 
> Note
> We started this research project with the question if the Passive DNS
> Software of Florian Weimer was useful for bot detection. We immediately
> found out that the sensor of the Passive DNS Software strips the source
> address from the collected data for privacy reasons, making this
> software not useful at all for our purpose. We deviated from the
> Research Plan (Plan van Aanpak) and took a more general approach to the
> question: "Is gathered DNS traffic usable for badware detection".
> -----
> 
>       Gadi.
> 
> -- 
> http://blogs.securiteam.com/
> 
> "Out of the box is where I live".
>       -- Cara "Starbuck" Thrace, Battlestar Galactica.
> 
> 
> ------------------------------
> 
> _______________________________________________
> Dailydave mailing list
> Dailydave@xxxxxxxxxxxxxxxxxxxxx
> http://lists.immunitysec.com/mailman/listinfo/dailydave
> 
> 
> End of Dailydave Digest, Vol 7, Issue 23
> ****************************************
> 
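The abstract above describes the detection approach only in outline: counters and triggers placed on specific events in resolver query data, combined with NetFlow and a list of IP addresses of already known infected systems. The following Python script is an added illustration of that counter-and-trigger idea and is not code from the paper, from SURFnet, or from the Dailydave post. The log format, the thresholds, the "known infected" host list and every address and domain name in it are constructed for the demonstration; a real deployment would read its resolver's query log or a dnstop/DSC export instead.

```python
"""Counter-and-trigger analysis over a DNS query log (added illustration).

The constructed sample log below mimics a minimal resolver query log:
    <epoch> <client_ip> <qname> <rcode>
Thresholds and the known-infected list are assumptions for the demo.
"""
from collections import defaultdict

# Constructed sample log: three things a defender might want triggers on are
# planted in it: a burst of NXDOMAIN answers for one client, one name that
# several clients resolve, and a name resolved by a host already known bad.
SAMPLE_LOG = """\
1140613500 10.0.0.5 www.example.org NOERROR
1140613501 10.0.0.5 mail.example.org NOERROR
1140613502 10.0.0.7 ctrl.example.net NOERROR
1140613503 10.0.0.8 ctrl.example.net NOERROR
1140613504 10.0.0.9 ctrl.example.net NOERROR
1140613505 10.0.0.12 ctrl.example.net NOERROR
1140613506 10.0.0.7 a1b2c3.example.com NXDOMAIN
1140613507 10.0.0.7 d4e5f6.example.com NXDOMAIN
1140613508 10.0.0.7 g7h8i9.example.com NXDOMAIN
1140613509 10.0.0.7 j0k1l2.example.com NXDOMAIN
1140613510 10.0.0.9 updates.example.org NOERROR
"""

# Assumed: hosts previously identified as infected by other means
# (NetFlow, host IDS), as the abstract suggests combining with DNS data.
KNOWN_INFECTED = {"10.0.0.7"}

# Assumed trigger thresholds; tune against a baseline of normal traffic.
NXDOMAIN_PER_CLIENT = 3   # failed lookups from one client before alerting
CLIENTS_PER_DOMAIN = 3    # distinct clients resolving one name before alerting


def parse_log(text):
    """Yield (ts, client, qname, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        yield int(ts), client, qname.lower().rstrip("."), rcode.upper()


def analyse(text, known_infected=KNOWN_INFECTED):
    """Run the counters over the log and return a sorted list of alerts.

    Alert tuples:
      ("nxdomain_burst", client, count)          many failed lookups
      ("shared_domain", qname, client_count)     one name, many clients
      ("infected_host_lookup", client, qname)    name resolved by known-bad host
    """
    nx_per_client = defaultdict(int)
    clients_per_domain = defaultdict(set)
    infected_lookups = set()

    for _ts, client, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            nx_per_client[client] += 1
        clients_per_domain[qname].add(client)
        if client in known_infected and rcode == "NOERROR":
            infected_lookups.add((client, qname))

    alerts = []
    for client, n in nx_per_client.items():
        if n >= NXDOMAIN_PER_CLIENT:
            alerts.append(("nxdomain_burst", client, n))
    for qname, clients in clients_per_domain.items():
        if len(clients) >= CLIENTS_PER_DOMAIN:
            alerts.append(("shared_domain", qname, len(clients)))
    for client, qname in sorted(infected_lookups):
        alerts.append(("infected_host_lookup", client, qname))
    return sorted(alerts)


def suspects(text, known_infected=KNOWN_INFECTED):
    """Clients not yet known infected that successfully resolved a name
    which a known-infected host also resolved (candidate controller name)."""
    clients_per_domain = defaultdict(set)
    for _ts, client, qname, rcode in parse_log(text):
        if rcode == "NOERROR":
            clients_per_domain[qname].add(client)
    found = set()
    for clients in clients_per_domain.values():
        if clients & known_infected:
            found |= clients - known_infected
    return sorted(found)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print("ALERT", *alert)
    print("suspects:", ", ".join(suspects(SAMPLE_LOG)))
```

On the constructed log this raises one alert of each kind and lists 10.0.0.8, 10.0.0.9 and 10.0.0.12 as suspects because they resolved the same name as the known-infected host. The privacy point in the paper's note applies directly here: the whole approach depends on keeping the client source address in the collected data, which is exactly what the Passive DNS sensor strips.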
Copyright © Lexa Software, 1996-2009.