NANOG Meeting Presentation Abstract

Research Forum: Revealing Botnet Membership Using DNSBL Counter-Intelligence
Meeting: NANOG38
Date / Time: 2006-10-10 10:00am - 10:15am
Room: St. Louis D-E
Presenters:

Nick Feamster, Georgia Tech University

Nick Feamster is an assistant professor in the College of Computing at Georgia Tech. He received his Ph.D. in Computer Science from MIT in 2005, and his S.B. and M.Eng. degrees in Electrical Engineering and Computer Science from MIT in 2000 and 2001, respectively. His research focuses on many aspects of computer networking and networked systems, including the design, measurement, and analysis of network routing protocols, network security, anonymous communication systems, and adaptive streaming media protocols. His honors include award papers at SIGCOMM 2006 (network-level behavior of spammers), the NSDI 2005 conference (fault detection in router configuration), Usenix Security 2002 (circumventing web censorship using Infranet), and Usenix Security 2001 (web cookie analysis).
David Dagon, Georgia Tech University.
Abstract: Botnets, networks of (typically compromised) machines, are often used for nefarious activities (e.g., spam, click fraud, denial-of-service attacks, etc.). Identifying members of botnets could help stem these attacks, but passively detecting botnet membership (i.e., without disrupting the operation of the botnet) proves to be difficult. This paper studies the effectiveness of monitoring lookups to a DNS-based blackhole list (DNSBL) to expose botnet membership.

We perform counter-intelligence based on the insight that botmasters themselves perform DNSBL lookups to determine whether their spamming bots are blacklisted. Using heuristics to identify which DNSBL lookups are perpetrated by a botmaster performing such reconnaissance, we are able to compile a list of likely bots. This paper studies the prevalence of DNSBL reconnaissance observed at a mirror of a well-known blacklist for a 45-day period, identifies the means by which botmasters are performing reconnaissance, and suggests the possibility of using counter-intelligence to discover likely bots. We find that bots are performing reconnaissance on behalf of other bots. Based on this finding, we suggest counter-intelligence techniques that may be useful for early bot detection.

The paper referenced in the talk is available at: http://www.cc.gatech.edu/~feamster/papers/dnsbl.pdf
Files:
Research Forum: Revealing Botnet Membership Using DNSBL Counter-Intelligence (YouTube)
Revealing Botnet Membership Using DNSBL Counter-Intelligence (PDF)
Sponsors: None.

NANOG38 Abstracts

  • ISP Security
    Moderators:
    Danny McPherson, Arbor Networks
    Roland Dobbins, Cisco Systems
  • PHAS - A Prefix Hijack Alert System
    Speakers:
    Mohit Lad, UCLA
    Lixia Zhang, UCLA
    Yan Chen, Colorado State University
    Dan Massey, Colorado State University
    Beichuan Zhang, University of Arizona