ABSTRACT
Network-wide activity is when one computer (the originator) touches many others (the targets). Motives for activity may be benign (mailing lists, CDNs, and research scanning), malicious (spammers and scanners for security vulnerabilities), or perhaps indeterminate (ad trackers). Knowledge of malicious activity may help anticipate attacks, and understanding benign activity may set a baseline or characterize growth. This paper identifies DNS backscatter as a new source of information about network-wide activity. Backscatter consists of the reverse DNS queries caused when targets or middleboxes automatically look up the domain name of the originator. These queries are visible to the authoritative DNS servers that handle reverse DNS. While the fraction of backscatter they see depends on the server's location in the DNS hierarchy, we show that activity that touches many targets appears even in sampled observations. We use information about the queriers to classify originator activity using machine learning. Our algorithm has reasonable precision (70-80%) as shown by data from three different organizations operating DNS servers at the root or country-level. Using this technique we examine nine months of activity from one authority to identify trends in scanning, identifying bursts corresponding to Heartbleed and broad and continuous scanning of ssh.
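As an added illustration of the backscatter idea (example code, not from the paper or its authors): each reverse-DNS (PTR) query seen at an authoritative server is mapped back to the originator address it names, queriers are grouped per originator, and originators looked up by many distinct queriers are surfaced as network-wide activity. The log format, thresholds and addresses are constructed assumptions; queriers are assumed to be IPv4.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log: "querier_ip qname", one reverse-DNS query per line.
V6_PTR = ipaddress.ip_address("2001:db8::1").reverse_pointer  # constructed originator
SAMPLE_LOG = "\n".join([
    "198.51.100.7 4.3.2.1.in-addr.arpa",
    "198.51.100.7 4.3.2.1.in-addr.arpa",  # repeated query: one querier, counted once
    "198.51.100.9 4.3.2.1.in-addr.arpa",
    "203.0.113.21 4.3.2.1.in-addr.arpa",
    "203.0.113.22 4.3.2.1.in-addr.arpa",
    "192.0.2.77 4.3.2.1.in-addr.arpa",
    "192.0.2.10 200.113.0.203.in-addr.arpa",  # single lookup: not network-wide
    "198.51.100.7 " + V6_PTR,
    "garbage line that is not a query",       # malformed input is skipped
])

def originator_from_ptr(qname):
    """Map an in-addr.arpa / ip6.arpa query name back to the address it asks about.
    Returns None for names that are not complete PTR names."""
    labels = qname.lower().rstrip(".").split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            return str(ipaddress.IPv6Address(int("".join(reversed(labels[:32])), 16)))
    except ValueError:
        pass
    return None

def backscatter_profile(log_text):
    """Group the distinct queriers by the originator whose PTR record they asked for."""
    queriers = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        originator = originator_from_ptr(parts[1])
        if originator is not None:
            queriers[originator].add(parts[0])
    return queriers

def network_wide(profile, min_queriers=3):
    """Originators seen by at least min_queriers distinct queriers, with the number
    of distinct querier /24s as a crude measure of how widely spread the targets are."""
    result = {}
    for originator, qs in profile.items():
        if len(qs) >= min_queriers:
            nets = {str(ipaddress.ip_network(q + "/24", strict=False)) for q in qs}
            result[originator] = (len(qs), len(nets))
    return sorted(result.items(), key=lambda kv: kv[1], reverse=True)
```

Running `network_wide(backscatter_profile(SAMPLE_LOG))` ranks 1.2.3.4 as the only originator touching many targets (5 queriers across 3 /24s); a real deployment would feed such per-originator querier features into the classifier the abstract describes.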