Enabling Network Security Through Active DNS Datasets

  • Athanasios Kountouras
  • Panagiotis Kintis
  • Chaz Lever
  • Yizheng Chen
  • Yacin Nadji
  • David Dagon
  • Manos Antonakakis
  • Rodney Joffe
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9854)

Abstract

Most modern cyber crime leverages the Domain Name System (DNS) to attain high levels of network agility and make detection of Internet abuse challenging. The majority of malware, which represent a key component of illicit Internet operations, are programmed to locate the IP address of their command-and-control (C&C) server through DNS lookups. To make the malicious infrastructure both agile and resilient, malware authors often use sophisticated communication methods that utilize DNS (i.e., domain generation algorithms) for their campaigns. In general, Internet miscreants make extensive use of short-lived disposable domains to promote a large variety of threats and support their criminal network operations.

To effectively combat Internet abuse, the security community needs access to freely available and open datasets. Such datasets will enable the development of new algorithms for the early detection and tracking of modern Internet threats across their entire lifetime. To that end, we have created a system, Thales, that actively queries and collects records for massive amounts of domain names from various seeds. These seeds are collected from multiple public sources and are, therefore, free of privacy concerns. The results of this effort will be opened and made freely available to the research community. With three case studies we demonstrate the detection merit that the collected active DNS datasets contain. We show that (i) more than 75% of the domain names in public black lists (PBLs) appear in our datasets several weeks (and in some cases months) in advance, (ii) existing DNS research can be implemented using only active DNS, and (iii) malicious campaigns can be identified with the signal provided by active DNS.
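The first case study rests on a simple measurement: join the date a domain was first observed by the active collector against the date it was first listed on a public blacklist, and count how often (and by how much) the collector was ahead. The following is an added example of that lead-time computation; it is not code from the Thales paper or its authors. The record layouts (`ACTIVE_DNS`, `BLACKLIST`) and every row in them are constructed assumptions, and the edge cases a practitioner has to handle are included: a domain listed before it was ever seen, one listed on the day of first sighting, one never seen at all, and the same name appearing with different case and a trailing dot.

```python
"""Lead-time analysis between an active DNS collection and a public blacklist (PBL).

Added example, not code from the Thales paper or its authors. The record
layouts are assumptions; the rows below are constructed for illustration.
"""
from datetime import date
from statistics import median
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed active-DNS observations: (qname, rrtype, rdata, observed_on).
ACTIVE_DNS: List[Tuple[str, str, str, str]] = [
    ("example-one.test.", "A", "192.0.2.10", "2016-01-03"),        # trailing dot
    ("Example-One.test", "A", "192.0.2.11", "2016-01-20"),         # mixed case
    ("example-two.test", "A", "198.51.100.5", "2016-02-14"),
    ("example-three.test", "A", "203.0.113.7", "2016-03-01"),
    ("example-four.test", "CNAME", "cdn.example-four.test", "2016-01-10"),
    ("benign.test", "A", "192.0.2.200", "2016-01-01"),
]

# Constructed PBL entries: (domain, first_listed_on).
BLACKLIST: List[Tuple[str, str]] = [
    ("example-one.test", "2016-02-28"),    # first seen 56 days before listing
    ("example-two.test", "2016-02-10"),    # listed 4 days before first sighting
    ("example-three.test", "2016-03-01"),  # listed on the day it was first seen
    ("example-four.test", "2016-03-04"),   # first seen 54 days before listing
    ("never-seen.test", "2016-03-15"),     # never observed by the collector
]


def normalize(name: str) -> str:
    """Canonical form for joining: lower-case, no surrounding space, no trailing dot."""
    return name.strip().lower().rstrip(".")


def first_seen(records: Iterable[Tuple[str, str, str, str]]) -> Dict[str, date]:
    """Earliest observation date per normalised domain name, over all record types."""
    seen: Dict[str, date] = {}
    for qname, _rrtype, _rdata, observed_on in records:
        name = normalize(qname)
        day = date.fromisoformat(observed_on)
        if name not in seen or day < seen[name]:
            seen[name] = day
    return seen


def lead_times(active: Iterable[Tuple[str, str, str, str]],
               pbl: Iterable[Tuple[str, str]]) -> Dict[str, Optional[int]]:
    """Days between first active-DNS sighting and PBL listing, per listed domain.

    Positive means the collector saw the domain before it was listed, zero means
    the same day, negative means the list was ahead, None means never observed.
    """
    seen = first_seen(active)
    leads: Dict[str, Optional[int]] = {}
    for domain, listed_on in pbl:
        name = normalize(domain)
        listed = date.fromisoformat(listed_on)
        leads[name] = (listed - seen[name]).days if name in seen else None
    return leads


def summarize(leads: Dict[str, Optional[int]]) -> Dict[str, float]:
    """Coverage and lead-time statistics of the collector relative to the PBL."""
    observed = [d for d in leads.values() if d is not None]
    in_advance = [d for d in observed if d > 0]
    return {
        "listed": len(leads),
        "observed": len(observed),
        "in_advance": len(in_advance),
        # Fraction of all listed domains the collector saw strictly before listing.
        "fraction_in_advance": len(in_advance) / len(leads) if leads else 0.0,
        # Median lead only over domains that were actually seen in advance.
        "median_lead_days": median(in_advance) if in_advance else 0,
    }


if __name__ == "__main__":
    leads = lead_times(ACTIVE_DNS, BLACKLIST)
    for name, days in sorted(leads.items()):
        print(f"{name:22s} lead={days}")
    print(summarize(leads))
```

Two design choices matter when running this over real feeds. Normalising names before the join avoids undercounting (the same domain with a trailing dot or different case is one domain), and the "in advance" fraction is taken over all listed domains rather than only the observed ones, so domains the collector never saw count against it instead of being silently dropped.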


Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Athanasios Kountouras (1)
  • Panagiotis Kintis (2)
  • Chaz Lever (2)
  • Yizheng Chen (2)
  • Yacin Nadji (2)
  • David Dagon (1)
  • Manos Antonakakis (1)
  • Rodney Joffe (3)

  1. School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, USA
  2. School of Computer Science, Georgia Institute of Technology, Atlanta, USA
  3. Neustar, Sterling, USA