Characterizing Dark DNS Behavior

Authors:
Jon Oberheide;Manish Karir;Z. Morley Mao
Affiliations:
Electrical Engineering and Computer Science, University of Michigan, Ann Arbor MI 48105,;Networking R&D, Merit Network Inc, Ann Arbor MI 48105,;Electrical Engineering and Computer Science, University of Michigan, Ann Arbor MI 48105,
Venue:
DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Year:
2007

Citing 8
Cited 2

DNS performance and the effectiveness of caching

IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
King: estimating latency between arbitrary internet end hosts

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Detecting mass-mailing worm infected hosts by mining DNS traffic data

Proceedings of the 2005 ACM SIGCOMM workshop on Mining network data
Inferring internet denial-of-service activity

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Mapping internet sensors with probe response attacks

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Vulnerabilities of passive internet threat monitors

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Using the domain name system for system break-ins

SSYM'95 Proceedings of the 5th conference on USENIX UNIX Security Symposium - Volume 5
Fast and evasive attacks: highlighting the challenges ahead

RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection

Botnets: A survey

Computer Networks: The International Journal of Computer and Telecommunications Networking
Resolvers Revealed: Characterizing DNS Resolvers and their Clients

ACM Transactions on Internet Technology (TOIT)

Quantified Score

Hi-index	0.00

Visualization

Abstract

Security researchers and network operators increasingly rely on information gathered from honeypots and sensors deployed on darknets, or unused address space, for attack detection. While the attack traffic gleaned from such deployments has been thoroughly scrutinized, little attention has been paid to DNS queries targeting these addresses. In this paper, we introduce the concept of dark DNS, the DNS queries associated with darknet addresses, and characterize the data collected from a large operational network by our dark DNS sensor. We discuss the implications of sensor evasion via DNS reconnaissance and emphasize the importance of reverse DNS authority when deploying darknet sensors to prevent attackers from easily evading monitored darknets. Finally, we present honeydns, a tool that complements existing network sensors and low-interaction honeypots by providing simple DNS services.