The Domain Name Service as an IDS

Gadi Evron ge at
Wed Feb 22 12:23:04 UTC 2006

"How DNS can be used for detecting and monitoring badware in a network"

This is a very interesting although preliminary work by obviously 
skilled people. I haven't learned much but I am extremely happy others 
work on this than the people I already know! They also weren't too shy 
with credit, mentioning Florian Weimer and his Passive DNS project 
already at the abstract (quoted below). They even mention me for some 

Great paper guys!

Moving past Passive DNS Replication and blacklisting, they discuss what 
so far has been done for years using dnstop, and help us take it to the 
next level of DNS monitoring.

Someone should introduce them to Duane Wessels' (from ISC OARC) 
follow-up dnstop project, DSC. :)
[Duane's lecture on the tool at the 1st DNS-OARC Workshop]

There has been some other interesting work done in this area by our very 
own David Dagon from Georgia Tech:
[Presentation from the 1st DNS-OARC Workshop] Botnet Detection and 
Response - The Network is the Infection:
[Paper] Modeling Botnet Propagation Using Time Zones:

SURFnet is looking for technologies to expand the ways they can detect 
network traffic anomalies like botnets. Since bots started using domain 
names for connection with their controller, tracking and removing them 
has become a hard task. This research is a first glance at the usability 
of DNS traffic and logs for detection of this malicious network 
activity. Detection of bots is possible by DNS information gathered from 
the network by placing counters and triggers on specific events in the 
data analysis. In combination with NetFlow information and IP addresses 
of known infected systems, detection of bots of network anomalies can be 
made visible. Also the behavior of a bot can be documented and 
additional information can be gathering about the bot. Using DNS data as 
a supplement to the existing detection systems can give more insight in
the suspicious network traffic. With some future research, this 
information can be used to compile a case against particular types of 
bot or spyware and help dismantling a remote controlled infrastructure 
as a whole.

We started this research project with the question if the Passive DNS 
Software of Florian Weimer was useful for bot detection. We immediately 
found out that the sensor of the Passive DNS Software strips the source 
address from the collected data for privacy reasons, making this 
software not useful at all for our purpose. We deviated from the 
Research Plan (Plan van Aanpak) and took a more general approach to the 
question; ”Is gathered DNS traffic usable for badware detection”.



"Out of the box is where I live".
	-- Cara "Starbuck" Thrace, Battlestar Galactica.

More information about the NANOG mailing list