Detecting A Suspected Botnet
The Domain Name Service as an IDS:
How DNS can be used for detecting and monitoring badware in a network
SURFnet is looking for technologies to expand the ways in which it can detect network
traffic anomalies such as botnets. Since bots started using domain names
to connect to their controller, tracking and removing them has become
a hard task. This research is a first glance at the usability of DNS traffic and
logs for detecting this malicious network activity. Detection of bots is possible
using DNS information gathered from the network, by placing counters and
triggers on specific events in the data analysis. In combination with NetFlow
information and the IP addresses of known infected systems, bots or
network anomalies can be made visible. The behavior of a bot can also be documented
and additional information about the bot can be gathered. Using DNS data as a supplement to the existing detection systems gives more insight into suspicious network traffic. With some future research, this information can
be used to compile a case against particular types of bot or spyware and help
dismantle a remote-controlled infrastructure as a whole.
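The counters-and-triggers idea from the abstract, worked through as an added example that is not code from the report or from SURFnet. It reads a constructed, simplified resolver log and a constructed NetFlow summary (the line formats, the allowlist, the known-infected host list, the NXDOMAIN threshold and the 60-second window are all assumptions), records which domains already-known infected hosts resolve, raises a trigger when another host resolves one of those domains or produces a burst of NXDOMAIN answers, and then enriches each flagged host with the flow destinations it shares with the known bots:

```python
from collections import defaultdict

# --- Constructed sample data (not from the report) ---------------------------
# Simplified resolver log, one query per line: "<epoch_seconds> <client_ip> <qname> <rcode>"
DNS_LOG = """\
36001 10.0.0.5 www.example.org NOERROR
36002 10.0.0.7 c2.placeholder.test NOERROR
36003 10.0.0.9 c2.placeholder.test NOERROR
36004 10.0.0.9 a1b2c3.placeholder.test NXDOMAIN
36005 10.0.0.9 d4e5f6.placeholder.test NXDOMAIN
36006 10.0.0.9 g7h8i9.placeholder.test NXDOMAIN
36007 10.0.0.5 mail.example.org NOERROR
36008 10.0.0.11 www.example.org NOERROR
36009 10.0.0.11 c2.placeholder.test NOERROR
"""
# Simplified NetFlow export: "<epoch_seconds> <src_ip> <dst_ip> <dst_port>"
NETFLOW = """\
36010 10.0.0.7 203.0.113.10 6667
36011 10.0.0.9 203.0.113.10 6667
36012 10.0.0.11 203.0.113.10 6667
36013 10.0.0.5 198.51.100.20 443
"""
KNOWN_INFECTED = {"10.0.0.7"}    # hosts already confirmed as bots (constructed)
ALLOWLIST = {"example.org"}       # registered domains never treated as suspect (assumed)
NXDOMAIN_THRESHOLD = 3            # assumed trigger: 3 NXDOMAIN answers in one window
WINDOW = 60                       # window length in seconds (assumed)


def parse_dns(text):
    """Parse the constructed resolver log into (ts, client, qname, rcode) tuples."""
    events = []
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        events.append((int(ts), client, qname.lower().rstrip("."), rcode))
    return events


def parse_flows(text):
    """Parse the constructed NetFlow summary into (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows.append((int(ts), src, dst, int(dport)))
    return flows


def registered_domain(qname):
    # Crude: last two labels. A real deployment would use the public suffix list.
    return ".".join(qname.split(".")[-2:])


def suspect_domains(events, known_infected):
    """Counter: every domain resolved by an already-known infected host is recorded;
    allowlisted domains are dropped so ordinary sites do not become suspect."""
    return {q for _, c, q, _ in events
            if c in known_infected and registered_domain(q) not in ALLOWLIST}


def trigger_shared_domain(events, suspects, known_infected):
    """Trigger 1: a host not yet known to be infected resolves a suspect domain."""
    hits = defaultdict(set)
    for _, c, q, _ in events:
        if q in suspects and c not in known_infected:
            hits[c].add(q)
    return dict(hits)


def trigger_nxdomain_burst(events, threshold=NXDOMAIN_THRESHOLD, window=WINDOW):
    """Trigger 2: many NXDOMAIN answers for one client inside a short window,
    the pattern a bot leaves when it cycles through names that do not exist."""
    by_client = defaultdict(list)
    for ts, c, _, rcode in events:
        if rcode == "NXDOMAIN":
            by_client[c].append(ts)
    flagged = {}
    for c, stamps in by_client.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            n = sum(1 for t in stamps[i:] if t - start <= window)
            if n >= threshold:
                flagged[c] = n
                break
    return flagged


def correlate_flows(flagged_clients, flows, known_infected):
    """Enrichment: flow destinations the flagged hosts share with the known bots."""
    dst_by_src = defaultdict(set)
    for _, src, dst, dport in flows:
        dst_by_src[src].add((dst, dport))
    bot_dsts = set()
    for bot in known_infected:
        bot_dsts |= dst_by_src[bot]
    return {c: sorted(dst_by_src[c] & bot_dsts) for c in flagged_clients}


def analyse(dns_text=DNS_LOG, flow_text=NETFLOW, known_infected=KNOWN_INFECTED):
    """Run counters, triggers and flow correlation; return findings per client."""
    events, flows = parse_dns(dns_text), parse_flows(flow_text)
    suspects = suspect_domains(events, known_infected)
    report = defaultdict(dict)
    for c, qs in trigger_shared_domain(events, suspects, known_infected).items():
        report[c]["suspect_domains"] = sorted(qs)
    for c, n in trigger_nxdomain_burst(events).items():
        report[c]["nxdomain_burst"] = n
    for c, shared in correlate_flows(list(report), flows, known_infected).items():
        report[c]["shared_c2_endpoints"] = shared
    return dict(report)


if __name__ == "__main__":
    for client, findings in sorted(analyse().items()):
        print(client, findings)
```

On the constructed data, 10.0.0.9 is flagged by both triggers and 10.0.0.11 by the shared-domain trigger alone, and both are enriched with the 203.0.113.10:6667 endpoint that the known bot also contacted; 10.0.0.5 only resolves allowlisted names and is never reported. The allowlist matters: without it every domain the known bot resolves, including ordinary sites, would turn into a trigger and flood the analyst with false positives.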
Read the entire report here.
Source: CCCURE