Skip to main content
SpringerLink
Log in

Efficient Malicious Packet Capture Through Advanced DNS Sinkhole

  • Published:
Wireless Personal Communications Aims and scope Submit manuscript

Abstract

Among the current botnet countermeasures, DNS sinkhole is known as the best practice in the world. This technique prevents a cyberattack by cutting off the communication between a command and control (C&C) server and zombie PCs (malicious bots). In particular, the characteristics of malicious bots and suspicious URLs can be analyzed, using the malicious packets collected from a DNS Sinkhole system. For this, technology advancement is required to analyze the behavior of malicious bots, which has become more intelligent through analysis on the operation and current situations of conventional DNS sinkholes. Therefore, this study attempted to analyze and improve the limitations of a current DNS sinkhole packet collection program (DNS sinkhole server program). After the unification and advancement of the DNS sinkhole server programs which have been developed and operated for different purposes, the ratio of malicious packet capture improved five times, compared to a conventional system. In addition, even though a conventional system has captured only one malicious packet per source IP, the proposed system has made it possible to collect more information on malicious packets by collecting an average of 5.3 malicious packets per source IP.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7

Similar content being viewed by others

References

  1. Lim, C. T. (2008). Botnets trend technology and response. IT Standard and Test TTA Journal, 118, 58–65.

    Google Scholar 

  2. Asri, S., & Pranggono, B. (2015). Impact of distributed denial-of-service attack on advanced metering infrastructure. Journal of Wireless Personal Communications, 83(3), 2211–2223.

    Article  Google Scholar 

  3. Verma, K., Hasbullah, H., & Kumar, A. (2013). Prevention of DoS attacks in VANET. Journal of Wireless Personal Communications, 73(1), 95–126.

    Article  Google Scholar 

  4. Bailey, M., Cooke, E., Jahanian, F., Xu, Y., Karir, M. (2009). A survey of botnet technology and defenses. In Proceedings of Cybersecurity Applications and Technology Conference For Homeland Security (CATCH) (pp. 299–304).

  5. Kim, J., Kim, T. H., Lee, S. H., Park, Y. M., Song, J. H., Kang, T. H., & Lee B. Y. (2010). A study on trend, evolution and next-generation solutions of DDoS attacks. Reaserch Report. http://wwww.kisa.or.kr

  6. Kim, Y. B., & Youm, H. Y. (2008). A new bot disinfection method based on DNS Sinkhole. Journal of KIISC, 18(6A), 107–114.

    Google Scholar 

  7. Kim, Y. B., Lee, Choi, J. S., & Youm, H. Y. (2009). Preventing botnet damage technique and it’s effect using bot DNS Sinkhole. Journal of KISS(C): Computing Practices, 15(1), 47–55.

    Google Scholar 

  8. Choi, S.-S., Chun, M.-J., Lee, Y.-S., Lee, H.-R. (2010). A Practical methodology and framework for comprehensive incident handling focused on bot response. Future Generation Information Technology, Volume 6485 of the series Lecture Notes in Computer Science (pp. 481–492).

  9. Lee, H.-G., Choi, S.-S., Lee, Y.-S., & Park, H.-S. (2010). Enhanced Sinkhole system by improving post-processing mechanism. Future Generation Information Technology, Volume 6485 of the series Lecture Notes in Computer Science (pp. 469–480).

  10. Kim, K.-I., Choi, S.-S., Park, H.-S., Ko, S.-J., & Song, J.-S. (2014). A study on collection and analysis method of malicious URLs based on Darknet traffic for advanced security monitoring and response. Journal of KIISC, 24(6), 1185–1195.

    Google Scholar 

  11. Kim, H.S., Choi, S.-S., & Song, J. (2013). A methodology for multipurpose DNS Sinkhole analyzing double bounce emails. In Proceedings Of ICONIC 2013, LNCS (vol. 8226, pp. 609–616).

  12. Yang, S., Luo, H., Qin, Y., & Zhang, H. (2009). Design and evaluation of DNS as location manager for HIP. Journal of Wireless Personal Communications, 48(4), 605–619.

    Article  Google Scholar 

  13. Saravanan, K., & Senthilkumar, A. (2015). Security enhancement in distributed networks using link-based mapping scheme for network intrusion detection with enhanced bloom filter. Journal of Wireless Personal Communications, 84(2), 821–839.

    Article  Google Scholar 

Download references

Acknowledgments

This research was supported by Building Security Service of Advanced KREONET Based funded by Korea Institute of Science and Technology Information.

Author information

Authors and Affiliations

  1. Department of Advanced KREONET Security Service, KISTI, 245 Daehangno, Yuseong, Daejeon, Korea

    Hyun Mi Jung, Haeng Gon Lee & Jang Won Choi

Authors
  1. Hyun Mi Jung
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Haeng Gon Lee
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jang Won Choi
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jang Won Choi.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Jung, H.M., Lee, H.G. & Choi, J.W. Efficient Malicious Packet Capture Through Advanced DNS Sinkhole. Wireless Pers Commun 93, 21–34 (2017). https://doi.org/10.1007/s11277-016-3443-1

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11277-016-3443-1

Keywords

Search

Navigation