Abstract
A DNS sinkhole is a powerful technique for mitigating the attack activity of bots (zombie PCs) by cutting the communication between them and their C&C server. When a zombie PC sends a DNS query to our DNS server in order to reach its C&C server, the DNS server, which holds a domain blacklist of C&C servers, answers with the IP address of our sinkhole server instead. The zombie PC therefore connects to the sinkhole server and is unable to communicate with its C&C server. At the same time, many cyber attacks originate from malicious URLs embedded in spam emails, so if we extract those URLs from spam and feed them into the DNS sinkhole system, a large share of spam-based attacks can be blocked. In this paper we propose a methodology for enhancing the capability of a DNS sinkhole system by analyzing spam emails. In particular, we use double bounce emails, which have neither a valid sender address nor a valid recipient address, as our spam source and extract malicious URLs from them. Our preliminary experimental results show that the existing domain blacklist of the DNS sinkhole system is not effective. We therefore design a new method for collecting malicious URLs from double bounce emails and show how a new domain blacklist can be generated from them. With a DNS sinkhole system that uses this new blacklist, we expect to detect and block the latest malicious behavior on the Internet at an early stage.
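The pipeline the abstract describes, as an added example that is not the paper's own code: select double bounce emails, harvest the URLs they carry, reduce them to a domain blacklist, and answer DNS queries for blacklisted names (and names under them) with the sinkhole server's address. The paper does not specify how a double bounce is recognised, the sinkhole address, or any concrete messages, so those are assumptions here: a double bounce is modelled as a message with a null envelope sender (Return-Path: <>) whose recipient is not an existing local mailbox, the sinkhole is placed at the constructed address 10.0.0.53, and the sample messages, domains and upstream answers are all constructed.

```python
"""Added example, not the paper's code: double bounce emails -> domain blacklist
-> sinkhole resolver.  Assumptions (not from the paper): a double bounce has
Return-Path: <> and a recipient that is not a local mailbox; the sinkhole
server is at 10.0.0.53; all messages, domains and upstream answers below are
constructed samples."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

SINKHOLE_IP = "10.0.0.53"          # assumed sinkhole server address
LOCAL_USERS = {"alice", "bob"}     # assumed set of valid local mailboxes

# Plain, defanged (hxxp) and scheme-less (www.) URLs as they appear in spam.
URL_RE = re.compile(r"""(?i)\b(?:https?://|hxxps?://|www\.)[^\s<>"'()]+""")


def is_double_bounce(msg):
    """Null sender (Return-Path: <>) and a recipient mailbox that does not exist."""
    if (msg.get("Return-Path") or "").strip() != "<>":
        return False
    _, addr = parseaddr(msg.get("To") or "")
    local, _, _ = addr.rpartition("@")
    return local.lower() not in LOCAL_USERS


def extract_domains(msg):
    """Collect the host name of every URL found in the text parts of a message."""
    domains = set()
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        text = part.get_payload(decode=True).decode("utf-8", "replace")
        for raw in URL_RE.findall(text):
            url = re.sub(r"(?i)^hxxp", "http", raw)      # undo defanging
            if url.lower().startswith("www."):
                url = "http://" + url                    # give urlsplit a scheme
            host = urlsplit(url).hostname                # drops port and path
            if host:
                domains.add(host.rstrip("."))
    return domains


def analyze(raw):
    """Parse one raw message: (is it a double bounce, domains found in it)."""
    msg = message_from_string(raw)
    return is_double_bounce(msg), extract_domains(msg)


def build_blacklist(raw_messages):
    """Domain blacklist = hosts of URLs taken only from double bounce emails."""
    blacklist = set()
    for raw in raw_messages:
        double, domains = analyze(raw)
        if double:
            blacklist |= domains
    return blacklist


def resolve(qname, blacklist, upstream):
    """Sinkhole resolver: a blacklisted name, or any name below one, gets
    SINKHOLE_IP; everything else is answered from the upstream table."""
    name = qname.lower().rstrip(".")
    labels = name.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blacklist:
            return SINKHOLE_IP, "sinkhole"
    return upstream.get(name), "upstream"


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    # 1. double bounce: null sender, recipient mailbox does not exist
    "Return-Path: <>\n"
    "From: Mail Delivery System <mailer-daemon@example.org>\n"
    "To: nosuchuser@example.org\n"
    "Subject: Undelivered Mail Returned to Sender\n"
    "Content-Type: text/plain\n"
    "\n"
    "Your order is ready: hxxp://cnc.example/gate.php?id=1\n"
    "Mirror: http://update.example:8080/dl/bot.exe.\n",
    # 2. ordinary bounce to a real user: not a double bounce, URL not used
    "Return-Path: <>\n"
    "To: alice@example.org\n"
    "Content-Type: text/plain\n"
    "\n"
    "Delivery failed. Status at http://status.example/\n",
    # 3. normal mail with a real sender: ignored
    "Return-Path: <bob@example.org>\n"
    "To: alice@example.org\n"
    "Content-Type: text/plain\n"
    "\n"
    "Docs at www.docs.example/guide\n",
]

# Constructed upstream answers for names that are not sinkholed.
UPSTREAM = {"status.example": "192.0.2.10"}

if __name__ == "__main__":
    blacklist = build_blacklist(SAMPLE_MESSAGES)
    print("blacklist:", sorted(blacklist))
    for q in ("cnc.example", "www.cnc.example.", "status.example"):
        print(q, "->", resolve(q, blacklist, UPSTREAM))
```

Only URLs from messages that pass the double bounce test reach the blacklist, which is the point of the methodology: a bounce addressed to a real user or a message with a genuine sender contributes nothing, even though it also contains a URL. The resolver matches on the whole label suffix so that a query for a host under a blacklisted domain is sinkholed as well; in a real deployment the same blacklist would be loaded into the DNS server as a zone that answers with the sinkhole address.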
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kim, H., Choi, SS., Song, J. (2013). A Methodology for Multipurpose DNS Sinkhole Analyzing Double Bounce Emails. In: Lee, M., Hirose, A., Hou, ZG., Kil, R.M. (eds) Neural Information Processing. ICONIP 2013. Lecture Notes in Computer Science, vol 8226. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-42054-2_76
DOI: https://doi.org/10.1007/978-3-642-42054-2_76
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-42053-5
Online ISBN: 978-3-642-42054-2
eBook Packages: Computer Science (R0)