Presentation abstract / Keywords
Title
2013-03-25 13:00
Finding Malicious Authoritative DNS Servers ○Yin Minn Pa Pa, Daisuke Makita, Katsunari Yoshioka, Tsutomu Matsumoto (Yokohama National Univ.) ICSS2012-61
Abstract
(Japanese)
This study proposes an approach to find authoritative DNS servers that are heavily involved in malicious online activities. For example, in order to construct a fast flux network, attackers need full control over authoritative DNS servers so that they can abuse the round-robin feature of those servers. These DNS servers may have been set up by the attackers themselves, or they may be legitimate servers compromised and misused by the attackers. Either way, we believe that focusing on such maliciously used authoritative DNS servers can offer a new aspect for understanding the underlying malicious online activities. In this study, we consider four features to evaluate an authoritative DNS server: the fraction of blacklisted domains, Server Fail response history, the TTL of the DNS server's domain, and domain flux size. Using these features, we evaluate 74,830 authoritative DNS servers of domains observed at a cache DNS server. As a result, we classify 31, 15, and 85 servers as malicious using the fraction of blacklisted domains, the TTL of the DNS server's domain, and domain flux size, respectively. We confirm that 21% of the detected servers are true positives according to several published security reports, which demonstrates the potential of these features as metrics for finding malicious DNS servers.
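As an added illustration, not the paper's own code, the following Python sketch computes the four features named in the abstract per authoritative server from a constructed resolver log and flags servers against thresholds. The log format, the blacklist, the thresholds and the definition of domain flux size (distinct domains seen behind one server) are all assumptions, since the abstract states none of them.

```python
"""Per-authoritative-server features from a resolver log (added example)."""
from collections import defaultdict

# Constructed resolver observations:
# (queried domain, authoritative NS, response code, TTL of the NS host's own domain)
OBSERVATIONS = [
    ("shop.example", "ns1.good-host.example", "NOERROR", 86400),
    ("news.example", "ns1.good-host.example", "NOERROR", 86400),
    ("blog.example", "ns1.good-host.example", "SERVFAIL", 86400),
    ("a1.bad.test", "ns.fluxy.test", "NOERROR", 300),
    ("a2.bad.test", "ns.fluxy.test", "NOERROR", 300),
    ("a3.bad.test", "ns.fluxy.test", "SERVFAIL", 300),
    ("a4.bad.test", "ns.fluxy.test", "SERVFAIL", 300),
    ("a1.bad.test", "ns.fluxy.test", "NOERROR", 300),
]
BLACKLIST = {"a1.bad.test", "a2.bad.test", "a3.bad.test"}  # constructed
# Assumed thresholds for the sketch; the paper's actual cut-offs are not given here.
THRESHOLDS = {"blacklisted_fraction": 0.5, "servfail_count": 2,
              "ns_domain_ttl": 600, "domain_flux_size": 4}


def compute_features(observations, blacklist):
    """Aggregate the four features for every authoritative server seen."""
    domains = defaultdict(set)   # NS -> distinct domains it is authoritative for
    servfail = defaultdict(int)  # NS -> number of SERVFAIL responses
    ttl = {}                     # NS -> lowest TTL seen for the NS host's domain
    for domain, ns, rcode, ns_ttl in observations:
        domains[ns].add(domain)
        if rcode == "SERVFAIL":
            servfail[ns] += 1
        ttl[ns] = min(ns_ttl, ttl.get(ns, ns_ttl))
    return {ns: {"blacklisted_fraction": len(ds & blacklist) / len(ds),
                 "servfail_count": servfail[ns],
                 "ns_domain_ttl": ttl[ns],
                 "domain_flux_size": len(ds)}  # assumed: distinct domains per NS
            for ns, ds in domains.items()}


def flag_servers(feats, thresholds=THRESHOLDS):
    """Return {NS: [features that crossed a threshold]} for suspicious servers."""
    flagged = {}
    for ns, f in feats.items():
        hits = [k for k in ("blacklisted_fraction", "servfail_count",
                            "domain_flux_size") if f[k] >= thresholds[k]]
        if f["ns_domain_ttl"] <= thresholds["ns_domain_ttl"]:  # low TTL is the signal
            hits.append("ns_domain_ttl")
        if hits:
            flagged[ns] = hits
    return flagged
```

A server is only worth investigating, not condemning, on these signals; the abstract's own 21% true-positive rate shows how many hits need manual confirmation.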
Keywords
(Japanese)
Malicious Authoritative DNS Server
(English)
Malicious Authoritative DNS Server
Bibliographic information
IEICE Technical Report, vol. 112, no. 499, ICSS2012-61, pp. 25-30, March 2013.
Report number
ICSS2012-61
Publication date
2013-03-18 (ICSS)
ISSN
Print edition: ISSN 0913-5685 Online edition: ISSN 2432-6380
Copyright
Copyright of papers published in the Technical Report belongs to IEICE. (Permission numbers: 10GA0019/12GB0052/13GB0056/17GB0034/18GB0034)
PDF download
ICSS2012-61