
Passive Monitoring of DNS Anomalies

(Extended Abstract)

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2007)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 4579)

Abstract

We collected DNS responses at the University of Auckland Internet gateway in an SQL database and analyzed them to detect unusual behaviour. Our DNS response data include typo-squatter domains, fast-flux domains and domains being (ab)used by spammers. We observe that current attempts to reduce spam have greatly increased the number of A records being resolved. We also observe that the data locality of DNS requests diminishes because of domains advertised in spam.
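The abstract describes the pipeline only in outline: passively collected DNS responses stored in an SQL database, then queried for anomalies such as fast-flux names and typo-squatter domains. The block below is an added example of that pipeline and is not code from the paper or from the authors' collector. The response records, the table schema, the thresholds (five distinct addresses, TTL of at most 600 s, edit distance 1) and the watch list of legitimate names are all constructed assumptions for illustration.

```python
"""Passive DNS replication into SQLite plus anomaly queries over the stored data.

Added example, not the DIMVA 2007 authors' code. Every record below is made
up; the schema, thresholds and watch list are assumptions for illustration.
"""
import sqlite3

# Constructed responses (ts, qname, rtype, rdata, ttl): a stable web site,
# a name whose A records rotate rapidly with short TTLs (fast-flux-like),
# and a name one keystroke away from a watched domain (typo-squat-like).
SAMPLE_RESPONSES = [
    (1000, "www.example.com", "A", "93.184.216.34", 86400),
    (1100, "www.example.com", "A", "93.184.216.34", 86400),
    (1200, "www.example.com", "A", "93.184.216.34", 86400),
    (1000, "pills.example.net", "A", "10.0.0.1", 300),
    (1300, "pills.example.net", "A", "10.0.0.2", 300),
    (1600, "pills.example.net", "A", "10.0.0.3", 300),
    (1900, "pills.example.net", "A", "10.0.0.4", 300),
    (2200, "pills.example.net", "A", "10.0.0.5", 300),
    (2500, "pills.example.net", "A", "10.0.0.6", 300),
    (1000, "www.exmaple.com", "A", "10.1.1.1", 3600),
    (1000, "mail.example.com", "MX", "mx.example.com", 3600),
]

# Assumed schema: one row per resource record seen in a response.
SCHEMA = """
CREATE TABLE IF NOT EXISTS dns_response (
    ts    INTEGER NOT NULL,
    qname TEXT    NOT NULL,
    rtype TEXT    NOT NULL,
    rdata TEXT    NOT NULL,
    ttl   INTEGER NOT NULL
);
CREATE INDEX IF NOT EXISTS idx_qname ON dns_response(qname, rtype);
"""


def load(records):
    """Store captured responses in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO dns_response VALUES (?,?,?,?,?)", records)
    conn.commit()
    return conn


def fast_flux_candidates(conn, min_addrs=5, max_ttl=600):
    """Names whose A records cycle through many addresses with short TTLs."""
    rows = conn.execute(
        """SELECT qname, COUNT(DISTINCT rdata)
           FROM dns_response
           WHERE rtype = 'A'
           GROUP BY qname
           HAVING COUNT(DISTINCT rdata) >= ? AND MAX(ttl) <= ?
           ORDER BY COUNT(DISTINCT rdata) DESC""",
        (min_addrs, max_ttl),
    ).fetchall()
    return [(qname, n_addr) for qname, n_addr in rows]


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so a swapped pair of letters (a common typo) counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typo_squat_candidates(conn, watch_list, max_dist=1):
    """Resolved names within max_dist edits of a watched legitimate name."""
    names = [r[0] for r in conn.execute("SELECT DISTINCT qname FROM dns_response")]
    hits = []
    for qname in names:
        for watched in watch_list:
            if qname != watched and osa_distance(qname, watched) <= max_dist:
                hits.append((qname, watched))
    return sorted(hits)


def singleton_fraction(conn):
    """Share of A-record names resolved exactly once. Throwaway domains
    advertised in spam push this up, i.e. request locality goes down."""
    rows = conn.execute(
        "SELECT COUNT(*) FROM dns_response WHERE rtype = 'A' GROUP BY qname"
    ).fetchall()
    if not rows:
        return 0.0
    return sum(1 for (n,) in rows if n == 1) / len(rows)


if __name__ == "__main__":
    db = load(SAMPLE_RESPONSES)
    print("fast-flux candidates:", fast_flux_candidates(db))
    print("typo-squat candidates:", typo_squat_candidates(db, ["www.example.com"]))
    print("fraction of names seen once:", round(singleton_fraction(db), 3))
```

On real gateway traffic the same queries run over millions of rows, so the index on (qname, rtype) and a time window in the WHERE clause matter; the thresholds above are starting points to tune against the site's own baseline, not values from the paper.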



Editor information

Bernhard M. Hämmerli, Robin Sommer


Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Zdrnja, B., Brownlee, N., Wessels, D. (2007). Passive Monitoring of DNS Anomalies. In: Hämmerli, B.M., Sommer, R. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2007. Lecture Notes in Computer Science, vol 4579. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73614-1_8


  • DOI: https://doi.org/10.1007/978-3-540-73614-1_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-73613-4

  • Online ISBN: 978-3-540-73614-1

  • eBook Packages: Computer Science (R0)
