
Enabling Network Security Through Active DNS Datasets

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9854))

Abstract

Most modern cybercrime leverages the Domain Name System (DNS) to attain high levels of network agility and to make detection of Internet abuse challenging. The majority of malware, which represents a key component of illicit Internet operations, is programmed to locate the IP address of its command-and-control (C&C) server through DNS lookups. To make the malicious infrastructure both agile and resilient, malware authors often use sophisticated communication methods that utilize DNS (e.g., domain generation algorithms) for their campaigns. In general, Internet miscreants make extensive use of short-lived disposable domains to promote a large variety of threats and to support their criminal network operations.

To effectively combat Internet abuse, the security community needs access to freely available and open datasets. Such datasets will enable the development of new algorithms for the early detection and tracking of modern Internet threats across their entire lifetime. To that end, we have created a system, Thales, that actively queries and collects records for massive amounts of domain names from various seeds. These seeds are collected from multiple public sources and are therefore free of privacy concerns. The results of this effort will be opened and made freely available to the research community. With three case studies we demonstrate the detection merit that the collected active DNS datasets contain. We show that (i) more than 75% of the domain names in public black lists (PBLs) appear in our datasets several weeks (and in some cases months) in advance, (ii) existing DNS research can be implemented using only active DNS, and (iii) malicious campaigns can be identified with the signal provided by active DNS.
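The abstract describes two things a practitioner may want to see concretely: how an active DNS dataset is built (daily probes of seed domains, answers stored with the day they were observed) and how case study (i) is measured (what fraction of blacklisted domains already appear in the dataset, and with how much lead time). The following is an added example written for this page; it is not the paper's Thales code. Real collection would send queries through a recursive resolver, so the `resolver` callable is pluggable and the `SIMULATED_ZONES`, `SEEDS` and `PBL` values below are constructed data, not measurements from the paper. The `shared_rdata` pivot (domains that resolved to the same address as a known-bad one) goes slightly beyond the abstract as an illustration of the campaign signal mentioned in case study (iii).

```python
"""Added example (not the paper's Thales code): minimal active-DNS collection
and the blacklist lead-time check from case study (i)."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ActiveRecord:
    qname: str   # domain that was probed
    rrtype: str  # record type probed (A, NS, ...)
    rdata: str   # answer returned by the resolver
    seen: date   # day the probe observed this answer


# A resolver maps (qname, rrtype) to the list of answers; in production this
# would wrap a real recursive resolver, here it is swapped for simulated data.
Resolver = Callable[[str, str], List[str]]


def collect(seeds: Iterable[str], resolver: Resolver, day: date,
            rrtypes: Tuple[str, ...] = ("A",)) -> Set[ActiveRecord]:
    """One daily crawl: probe every seed for every record type, keep answers."""
    records: Set[ActiveRecord] = set()
    for qname in seeds:
        for rrtype in rrtypes:
            for rdata in resolver(qname, rrtype):
                records.add(ActiveRecord(qname, rrtype, rdata, day))
    return records


def first_seen(records: Iterable[ActiveRecord]) -> Dict[str, date]:
    """Earliest day each domain produced any answer in the dataset."""
    out: Dict[str, date] = {}
    for r in records:
        if r.qname not in out or r.seen < out[r.qname]:
            out[r.qname] = r.seen
    return out


def blacklist_lead(records: Iterable[ActiveRecord],
                   pbl: Dict[str, date]) -> Tuple[float, Dict[str, int]]:
    """Case study (i): fraction of PBL domains already in the dataset on or
    before their listing date, plus the lead time in days for each."""
    fs = first_seen(records)
    leads = {dom: (listed - fs[dom]).days
             for dom, listed in pbl.items()
             if dom in fs and fs[dom] <= listed}
    coverage = len(leads) / len(pbl) if pbl else 0.0
    return coverage, leads


def shared_rdata(records: Iterable[ActiveRecord], known_bad: Set[str]) -> Set[str]:
    """Defender pivot: other domains that resolved to the same rdata as a
    known-bad domain (shared hosting infrastructure is one campaign signal)."""
    recs = list(records)
    bad_rdata = {r.rdata for r in recs if r.qname in known_bad}
    return {r.qname for r in recs if r.rdata in bad_rdata} - known_bad


# Constructed simulation of what the zones answered on each crawl day.
SIMULATED_ZONES: Dict[date, Dict[str, List[str]]] = {
    date(2016, 3, 1): {
        "good.example": ["198.51.100.10"],
        "evil1.example": ["203.0.113.5"],
        "evil2.example": ["203.0.113.5"],
    },
    date(2016, 3, 8): {
        "good.example": ["198.51.100.10"],
        "evil1.example": ["203.0.113.5"],
        "evil2.example": ["203.0.113.5"],
        "evil3.example": ["203.0.113.77"],  # registered between crawls
    },
}

# Constructed seed list (in the paper, seeds come from public sources).
SEEDS = ["good.example", "evil1.example", "evil2.example",
         "evil3.example", "nxdomain.example"]

# Constructed public blacklist: domain -> day it was listed.
PBL = {
    "evil1.example": date(2016, 4, 1),
    "evil2.example": date(2016, 4, 1),
    "evil3.example": date(2016, 3, 20),
    "unseen.example": date(2016, 4, 1),  # never reached by any seed
}


def make_resolver(day: date) -> Resolver:
    """Simulated resolver answering from the zone state of the given day."""
    zone = SIMULATED_ZONES[day]

    def resolver(qname: str, rrtype: str) -> List[str]:
        return zone.get(qname, []) if rrtype == "A" else []
    return resolver


def build_dataset() -> Set[ActiveRecord]:
    dataset: Set[ActiveRecord] = set()
    for day in sorted(SIMULATED_ZONES):
        dataset |= collect(SEEDS, make_resolver(day), day)
    return dataset


def run_demo() -> Tuple[float, Dict[str, int], Set[str]]:
    dataset = build_dataset()
    coverage, leads = blacklist_lead(dataset, PBL)
    related = shared_rdata(dataset, {"evil1.example"})
    return coverage, leads, related


if __name__ == "__main__":
    print(run_demo())
```

Lead time is measured from the first day the domain answered at all, which is why seeds matter: a domain reached by no seed (here `unseen.example`) contributes nothing and caps the coverage fraction, matching the abstract's point that broad public seed sources are what make the dataset useful.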


Notes

  1. In order not to violate the double-blind nature of the submission, we kept the web site in the simplest possible format.

  2. We used the Unbound (https://www.unbound.net/) recursive software in every LXC container.

  3. For example, https://www.farsightsecurity.com/.

  4. http://www1.cnnic.cn/ScientificResearch/LeadingEdge/fymly1/.


Acknowledgment

This material is based upon work supported in part by the US Department of Commerce grant no. 2106DEK, National Science Foundation (NSF) grant no. 2106DGX and Sandia National Laboratories grant no. 2106DMU. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the US Department of Commerce, National Science Foundation, nor Sandia National Laboratories.

Author information

Correspondence to Athanasios Kountouras.


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Kountouras, A. et al. (2016). Enabling Network Security Through Active DNS Datasets. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2016. Lecture Notes in Computer Science, vol 9854. Springer, Cham. https://doi.org/10.1007/978-3-319-45719-2_9

  • DOI: https://doi.org/10.1007/978-3-319-45719-2_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-45718-5

  • Online ISBN: 978-3-319-45719-2

  • eBook Packages: Computer Science (R0)