DOI: 10.1145/2815675.2815706 (research article, public access)

Detecting Malicious Activity with DNS Backscatter

Published: 28 October 2015

ABSTRACT

Network-wide activity is when one computer (the originator) touches many others (the targets). Motives for such activity may be benign (mailing lists, CDNs, and research scanning), malicious (spammers and scanners for security vulnerabilities), or perhaps indeterminate (ad trackers). Knowledge of malicious activity may help anticipate attacks, and understanding benign activity may set a baseline or characterize growth. This paper identifies DNS backscatter as a new source of information about network-wide activity. Backscatter is the reverse DNS queries caused when targets or middleboxes automatically look up the domain name of the originator. These queries are visible to the authoritative DNS servers that handle reverse DNS. While the fraction of backscatter they see depends on the server's location in the DNS hierarchy, we show that activity that touches many targets appears even in sampled observations. We use information about the queriers to classify originator activity using machine learning. Our algorithm has reasonable precision (70-80%), as shown by data from three different organizations operating DNS servers at the root or country level. Using this technique we examine nine months of activity from one authority to identify trends in scanning, identifying bursts corresponding to Heartbleed and broad, continuous scanning of ssh.
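As an added illustration (not code from the paper or its authors), the following Python reconstructs the originator address from the in-addr.arpa query names that backscatter consists of, groups the queries by originator, and derives two simple querier-based features. The query sample, the /24 feature and the three-querier threshold are constructed assumptions standing in for the paper's own feature set and learned classifier.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of reverse-DNS (PTR) queries as an in-addr.arpa authority
# would see them: (querier address, query name). Hypothetical data, not from
# the paper. Originator 203.0.113.7 is looked up by four distinct queriers,
# 203.0.113.9 by only one; the last query name is malformed.
SAMPLE_QUERIES = [
    ("198.51.100.10", "7.113.0.203.in-addr.arpa."),
    ("198.51.100.11", "7.113.0.203.in-addr.arpa."),
    ("192.0.2.33", "7.113.0.203.in-addr.arpa."),
    ("192.0.3.44", "7.113.0.203.in-addr.arpa."),
    ("198.51.100.10", "9.113.0.203.in-addr.arpa."),
    ("192.0.2.33", "999.113.0.203.in-addr.arpa."),  # invalid octet, skipped
]


def originator_from_ptr_qname(qname):
    """'7.113.0.203.in-addr.arpa.' -> '203.0.113.7'; None if the name is not
    a well-formed IPv4 reverse name (ip6.arpa is not handled here)."""
    labels = qname.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ValueError:  # octet out of range or non-numeric label
        return None


def aggregate_backscatter(queries):
    """Group queries by originator, keeping the set of distinct queriers."""
    queriers = defaultdict(set)
    for querier, qname in queries:
        originator = originator_from_ptr_qname(qname)
        if originator is not None:
            queriers[originator].add(querier)
    return queriers


def querier_features(querier_ips):
    """Two illustrative querier-derived features (assumed, not the paper's
    feature set): distinct queriers and distinct querier /24 prefixes."""
    prefixes = {str(ipaddress.ip_network(f"{ip}/24", strict=False))
                for ip in querier_ips}
    return {"n_queriers": len(querier_ips), "n_slash24": len(prefixes)}


def network_wide_originators(queries, min_queriers=3):
    """Originators looked up by at least min_queriers distinct queriers: the
    backscatter signature of one host touching many targets. The fixed
    threshold is an assumed stand-in for the paper's learned classifier."""
    return {orig: querier_features(qs)
            for orig, qs in aggregate_backscatter(queries).items()
            if len(qs) >= min_queriers}
```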


Published in: IMC '15: Proceedings of the 2015 Internet Measurement Conference, October 2015, 550 pages, ISBN 9781450338486, DOI 10.1145/2815675

Copyright © 2015 ACM. Publisher: Association for Computing Machinery, New York, NY, United States.
IMC '15 paper acceptance rate: 31 of 96 submissions (32%); overall acceptance rate: 277 of 1,083 submissions (26%).