Threat Identification Using Active DNS Measurements

The DNS is a core service of the Internet. Most uses of the DNS are benign, but some are malicious. Attackers often use a DNS domain to enable an attack (e.g. DDoS attacks). Detection of these attacks often happens passively, which makes the detection reactive. However, registering and configuring a domain takes time. We want to pro-actively identify malicious domains during this time. Identifying malicious domains before they are used allows us to pre-emptively stop…

Melting the Snow: Using Active DNS Measurements to Detect Snowshoe Spam Domains

Snowshoe spam is a type of spam that is notoriously hard to detect. Unlike regular spam, snowshoe spammers distribute the volume among many hosts in order to make detection harder. To be successful, however, spammers need to appear as legitimate as possible, for example by adopting email best practices such as the Sender Policy Framework (SPF). This requires spammers to register and configure legitimate DNS domains. Previous studies use DNS data to detect spam. However, this often happens based on passive…

Best Paper Award at NOMS 2018

TIDE was present at the Network Operations and Management Symposium (NOMS 2018) in Taipei, Taiwan. Olivier was there to present “Melting the Snow: Detecting Snowshoe Spam Domains Using Active DNS Measurements”. NOMS 2018 was held in Taipei, Taiwan, from the 23rd till the 27th of April. NOMS has been held in every even-numbered year since 1988, so this was the 30th anniversary of NOMS. Our work was very well received at the conference. So well, in fact, that they gave…

TIDE goes to FOSDEM (video available)

FOSDEM is a yearly event held in the last weekend of January (or the first weekend of February). FOSDEM stands for Free and Open Source Software Developers' European Meeting. At the event, state-of-the-art open-source software is discussed, presented and enjoyed. This year there is a DNS devroom. On Sunday at 11:35 Olivier will give a talk there titled ‘Melting the Snow: Using Active DNS Measurements to Detect Snowshoe Spam Domains’. Since the event is entirely free, be sure to visit! Update:…

TIDE won first prize!

TIDE has won the CTIT Symposium Ph.D. “1 minute madness” event! During the CTIT Symposium 2017, “Internet of Things is ready. What about us?”, there was a Ph.D. “1 minute madness” event. All of the winners from the previous round got the opportunity to present their work again in a single minute. It was quite a challenge to compress everything you want to say into a single minute. However, the feedback I got after my presentation was great. I got the audience…

Snowshoe Spam Detection Through DNS Measurements

Snowshoe Spam

We started the TIDE project with snowshoe spam domain detection. But what is snowshoe spam? In snowshoe spam the spammer tries to spread the sending load over numerous hosts, thus reducing the amount of spam each host sends. This makes each individual host hard to detect: the spammer is less likely to end up on spam reputation lists (blacklists) and is therefore able to keep spamming for longer.
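To make the evasion concrete, here is a small added illustration (not code from the TIDE project, and not the detection method of the paper) of why per-host reputation misses snowshoe senders while aggregating by sender domain does not. The mail log, the per-host threshold of 50 messages and the IP addresses are all constructed for the example; the domain is used as the unit of aggregation because, as the abstract above notes, snowshoe spammers must register real DNS domains to look legitimate (SPF etc.).

```python
"""Per-host versus per-domain volume counting on a constructed mail log.

Sample data (constructed, not from the paper): (sending_ip, sender_domain)
pairs as a mail gateway might log them. A "bulk" spammer sends everything
from one host; a "snowshoe" spammer spreads the same volume over 20 hosts.
"""
from collections import Counter, defaultdict

# Per-host threshold a naive reputation list might apply (assumed value).
PER_HOST_THRESHOLD = 50


def build_sample_log():
    """Constructed sample log: three senders, documentation IP ranges."""
    log = []
    # Bulk spammer: one host sends 200 messages.
    log += [("198.51.100.7", "bulk-example.test")] * 200
    # Snowshoe spammer: 20 hosts, 10 messages each (200 in total).
    for i in range(20):
        log += [(f"203.0.113.{i + 1}", "snow-example.test")] * 10
    # Legitimate sender: two hosts, 15 messages each.
    log += [("192.0.2.10", "legit-example.test")] * 15
    log += [("192.0.2.11", "legit-example.test")] * 15
    return log


def hosts_over_threshold(log, threshold=PER_HOST_THRESHOLD):
    """Per-host reputation: flag IPs whose own volume exceeds the threshold.

    The snowshoe hosts each send 10 messages and are never flagged.
    """
    counts = Counter(ip for ip, _ in log)
    return {ip for ip, n in counts.items() if n > threshold}


def domains_over_threshold(log, threshold=PER_HOST_THRESHOLD):
    """Aggregate by sender domain instead of by host.

    Returns {domain: (total_volume, distinct_hosts)} for domains whose total
    volume exceeds the threshold; a high host count at a given volume is the
    snowshoe signature.
    """
    volume = Counter(domain for _, domain in log)
    hosts = defaultdict(set)
    for ip, domain in log:
        hosts[domain].add(ip)
    return {d: (volume[d], len(hosts[d])) for d in volume if volume[d] > threshold}


if __name__ == "__main__":
    log = build_sample_log()
    print("per-host flags:  ", hosts_over_threshold(log))
    print("per-domain flags:", domains_over_threshold(log))
```

Running the block shows only the bulk host flagged by the per-host check, while the per-domain view flags both spammers and separates them by host count (1 host versus 20 hosts for the same 200 messages); the legitimate sender stays below the threshold in both views.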

CTIT: Your Research, a poster presentation to kick-off this project

The CTIT’s annual event “Your Research @ CTIT” aims to bring together PhD/Postdoc researchers from all 21 CTIT research groups of the University of Twente. Researchers have the opportunity to present their ongoing research project to their CTIT colleagues. This year the event will be held on 3 October 2017 from 15:00 till 18:00 at the Ravelijn Atrium. TIDE will be presenting the poster originally made for SIGCOMM (see this post for details).

TIDE: Threat Identification Using Active DNS Measurements, poster submission to SIGCOMM 2017

The Domain Name System contains a wealth of information about the security, stability and health of the Internet. Most research that leverages the DNS for detection of malicious activities does so by using passive measurements. The limitation of this approach, however, is that it is effective only once an attack is ongoing. In this paper, we explore a different approach. We advocate the use of active DNS measurements for pro-active (i.e., before the actual attack) identification of domains set up…
