> ------------------------------
>
> Message: 4
> Date: Wed, 22 Feb 2006 14:25:34 +0200
> From: Gadi Evron <ge@xxxxxxxxxxxx>
> Subject: [Dailydave] The Domain Name Service as an IDS
> To: dailydave <dailydave@xxxxxxxxxxxxxxxxxxxxx>
> Message-ID: <43FC583E.10205@xxxxxxxxxxxx>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> "How DNS can be used for detecting and monitoring badware in
> a network"
>
> http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf
>
> This is a very interesting although preliminary work by obviously
> skilled people. I haven't learned much, but I am extremely happy that
> others than the people I already know work on this! They also weren't
> too shy with credit, mentioning Florian Weimer and his Passive DNS
> project already in the abstract (quoted below). They even mention me
> for some reason.
>
> Great paper guys!
>
> Moving past Passive DNS Replication and blacklisting, they discuss what
> has so far been done for years using dnstop, and help us take it to the
> next level of DNS monitoring.
>
> Someone should introduce them to Duane Wessels' (from ISC OARC)
> follow-up dnstop project, DSC. :)
> http://dns.measurement-factory.com/tools/dsc/
> https://oarc.isc.org/faq-dsc.html
> http://www.caida.org/tools/utilities/dsc/
> [Duane's lecture on the tool at the 1st DNS-OARC Workshop]
> http://www.caida.org/projects/oarc/200507/slides/oarc0507-Wessels-dsc.pdf
>
> There has been some other interesting work done in this area by our
> very own David Dagon from Georgia Tech:
> [Presentation from the 1st DNS-OARC Workshop] Botnet Detection and
> Response - The Network is the Infection:
> http://www.caida.org/projects/oarc/200507/slides/oarc0507-Dagon.pdf
> [Paper] Modeling Botnet Propagation Using Time Zones:
> http://www.cs.ucf.edu/~czou/research/botnet_tzmodel_NDSS06.pdf
>
> -----
> Abstract
> SURFnet is looking for technologies to expand the ways they can detect
> network traffic anomalies like botnets. Since bots started using domain
> names for connection with their controller, tracking and removing them
> has become a hard task. This research is a first glance at the usability
> of DNS traffic and logs for detection of this malicious network
> activity. Detection of bots is possible by DNS information gathered from
> the network by placing counters and triggers on specific events in the
> data analysis. In combination with NetFlow information and IP addresses
> of known infected systems, detection of bots of network anomalies can be
> made visible. Also the behavior of a bot can be documented and
> additional information can be gathered about the bot. Using DNS data as
> a supplement to the existing detection systems can give more insight
> into the suspicious network traffic. With some future research, this
> information can be used to compile a case against particular types of
> bot or spyware and help dismantle a remote controlled infrastructure as
> a whole.
>
> Note
> We started this research project with the question whether the Passive
> DNS Software of Florian Weimer was useful for bot detection. We
> immediately found out that the sensor of the Passive DNS Software strips
> the source address from the collected data for privacy reasons, making
> this software not useful at all for our purpose. We deviated from the
> Research Plan (Plan van Aanpak) and took a more general approach to the
> question: "Is gathered DNS traffic usable for badware detection?"
> -----
>
> Gadi.
>
> --
> http://blogs.securiteam.com/
>
> "Out of the box is where I live".
> -- Cara "Starbuck" Thrace, Battlestar Galactica.
>
>
> ------------------------------
>
> _______________________________________________
> Dailydave mailing list
> Dailydave@xxxxxxxxxxxxxxxxxxxxx
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
>
> End of Dailydave Digest, Vol 7, Issue 23
> ****************************************
>