The Domain Name System contains a wealth of information about the security, stability and health of the Internet. Most research that leverages the DNS for detection of malicious activities does so by using passive measurements. The limitation of this approach, however, is that it is effective only once an attack is ongoing. In this paper, we explore a different approach. We advocate the use of active DNS measurements for pro-active (i.e., before the actual attack) identification of domains set up for malicious use. Our research makes uses of data from the OpenINTEL large-scale active DNS measurement platform, which, since February 2015, collects daily snapshots of currently more than 60% of the DNS namespace. We illustrate the potential of our approach by showing preliminary results in three case studies, namely snowshoe spam, denial of service attacks and a case of targeted phishing known as CEO fraud.
This is the first publication for this project. A poster submission to SIGCOMM 2017. Clicking the image will show the full resolution poster. Clicking here will take you to the poster abstract. Below are the details of the publication.
|Title||TIDE: Threat Identification Using Active DNS Measurements|
|Authors||Anna Sperotto, Olivier van der Toorn, Roland van Rijswijk-Deij|
|Conference||Proceedings of the SIGCOMM Posters and Demos|