
Part of the book series: Lecture Notes in Computer Science (LNSC, volume 4579)


Abstract

Security researchers and network operators increasingly rely on information gathered from honeypots and sensors deployed on darknets, or unused address space, for attack detection. While the attack traffic gleaned from such deployments has been thoroughly scrutinized, little attention has been paid to DNS queries targeting these addresses. In this paper, we introduce the concept of dark DNS, the DNS queries associated with darknet addresses, and characterize the data collected from a large operational network by our dark DNS sensor. We discuss the implications of sensor evasion via DNS reconnaissance and emphasize the importance of reverse DNS authority when deploying darknet sensors to prevent attackers from easily evading monitored darknets. Finally, we present honeydns, a tool that complements existing network sensors and low-interaction honeypots by providing simple DNS services.
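The abstract's two practical points, that a darknet sensor should also hold reverse DNS authority for its address space and that PTR lookups of that space are themselves a signal, can be made concrete with a small authoritative responder. The code below is an added example and is not the paper's honeydns tool; it assumes two constructed darknet prefixes (192.0.2.0/24 and 198.51.100.0/24, documentation ranges), a hypothetical PTR naming template, and a transaction built in-process rather than read from a socket.

```python
import ipaddress
import struct

# Constructed darknet prefixes for which this sensor is authoritative for reverse DNS.
# An operator substitutes the monitored, unused space they actually control.
DARKNET_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]
PTR_TTL = 3600
# Hypothetical naming scheme for synthesized PTR answers, so darknet addresses look populated.
PTR_TEMPLATE = "host-{}.example.net."

QTYPE_PTR = 12
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def parse_name(buf, offset):
    """Decode an uncompressed DNS name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length


def encode_name(name):
    """Encode a dotted name into DNS label wire format."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def reverse_name_to_ip(qname):
    """Map 'd.c.b.a.in-addr.arpa.' to an IPv4Address, or None if not an IPv4 reverse name."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(labels[:4])))
    except ValueError:
        return None


def build_query(qname, qtype, txid=0x1234):
    """Construct a DNS query packet (used here only to build constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def handle_query(packet, src, log):
    """Answer one DNS query as an authoritative dark DNS sensor.

    Queries naming a monitored darknet address are appended to `log` (a PTR lookup
    of sensor space is a reconnaissance indicator worth keeping), and PTR queries are
    answered with a synthesized name so the address is indistinguishable from live
    space. Other in-zone types get an empty NOERROR; names outside our reverse
    zones are REFUSED, as an authoritative-only server would do.
    """
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("unsupported question count")
    qname, off = parse_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    question = packet[12:off + 4]

    ip = reverse_name_to_ip(qname)
    in_zone = ip is not None and any(ip in net for net in DARKNET_PREFIXES)
    rcode = RCODE_NOERROR if in_zone else RCODE_REFUSED
    answers = b""
    if in_zone:
        log.append({"src": src, "qname": qname, "qtype": qtype, "ip": str(ip)})
        if qtype == QTYPE_PTR and qclass == 1:
            rdata = encode_name(PTR_TEMPLATE.format(str(ip).replace(".", "-")))
            # 0xC00C is a compression pointer to the question name at offset 12.
            answers = struct.pack("!HHHIH", 0xC00C, QTYPE_PTR, 1, PTR_TTL, len(rdata)) + rdata
    # QR=1, AA=1, RD copied from the query, RCODE in the low nibble; other bits cleared.
    resp_flags = 0x8400 | (flags & 0x0100) | rcode
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 1 if answers else 0, 0, 0)
    return header + question + answers


def ptr_target(response):
    """Return the PTR rdata name from a single-answer response, or None if unanswered."""
    if struct.unpack("!H", response[6:8])[0] == 0:
        return None
    _, off = parse_name(response, 12)
    off += 4   # skip qtype and qclass
    off += 12  # skip name pointer(2), type(2), class(2), ttl(4), rdlength(2)
    return parse_name(response, off)[0]


if __name__ == "__main__":
    events = []
    reply = handle_query(build_query("7.2.0.192.in-addr.arpa.", QTYPE_PTR), "203.0.113.9", events)
    print(ptr_target(reply), events)
```

The log entries are the sensor's product: a source address asking for PTR records across darknet space, especially sequentially, is the pattern the abstract calls DNS reconnaissance, and the synthesized answer removes the "no PTR record" tell that would otherwise let a scanner skip monitored addresses. A real deployment would bind this handler to UDP port 53 for the delegated in-addr.arpa zones and ship the log to the same place as the sensor's packet captures.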




Editor information

Bernhard M. Hämmerli Robin Sommer


Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Oberheide, J., Karir, M., Mao, Z.M. (2007). Characterizing Dark DNS Behavior. In: Hämmerli, B.M., Sommer, R. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2007. Lecture Notes in Computer Science, vol 4579. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73614-1_9


  • DOI: https://doi.org/10.1007/978-3-540-73614-1_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-73613-4

  • Online ISBN: 978-3-540-73614-1
