Identification and Characterization of Suspicious Behavior Through DNS Traffic Analysis

  • Kaio R. S. Barbosa UFAM
  • Eduardo Souto UFAM
  • Eduardo Feitosa UFAM
  • Gilbert B. Martins UFAM

Abstract


The Domain Name System (DNS) provides mechanisms for translating domain names into IP addresses. This service is used both by legitimate users and by suspicious applications, which may, for example, request mail server addresses before sending spam. This paper presents a methodology based on graph theory that distinguishes between legitimate and malicious query traffic patterns. Name resolutions are modeled as a graph that shows the communication patterns between hosts and how the queries were made. To validate the proposal, DNS traffic of the .br domain is investigated. The results show a 35% reduction in the number of hosts to be analyzed, as well as the presence of suspicious behavior.
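As an added illustration (not the paper's code), the following builds a host-to-name resolution graph from a constructed set of passive DNS query records and profiles each host by the kind of names it resolves; the MX-heavy pattern it flags corresponds to the "locate mail servers before sending spam" behavior the abstract mentions. The sample records, thresholds and function names are assumptions for the example, not values from the .br trace.

```python
from collections import defaultdict

# Constructed sample of passive DNS query records: (client, qname, qtype).
# Invented for illustration, not data from the paper's .br measurement.
SAMPLE_QUERIES = [
    ("10.0.0.5", "example.com.br", "A"),
    ("10.0.0.5", "example.com.br", "MX"),
    ("10.0.0.9", "mail-a.com.br", "MX"),
    ("10.0.0.9", "mail-b.com.br", "MX"),
    ("10.0.0.9", "mail-c.com.br", "MX"),
    ("10.0.0.9", "mail-d.com.br", "MX"),
    ("10.0.0.9", "mail-e.com.br", "MX"),
    ("10.0.0.7", "www.example.com.br", "A"),
    ("10.0.0.7", "cdn.example.com.br", "A"),
    ("10.0.0.9", "mail-a.com.br", "MX"),
]


def build_resolution_graph(queries):
    """Bipartite graph host -> qname -> qtype -> query count.

    Each edge records which host asked for which name, and how often."""
    graph = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for host, qname, qtype in queries:
        graph[host][qname][qtype] += 1
    return graph


def host_profile(graph, host):
    """Summarize one host's neighborhood in the graph."""
    names = graph[host]
    mx_names = {n for n, types in names.items() if "MX" in types}
    total = sum(c for types in names.values() for c in types.values())
    return {"distinct_names": len(names), "mx_names": len(mx_names),
            "queries": total}


def suspicious_hosts(graph, min_mx_names=3, mx_ratio=0.8):
    """Flag hosts whose edges are dominated by MX lookups of many distinct
    domains (thresholds are assumed values, tune on real traffic)."""
    flagged = {}
    for host in graph:
        profile = host_profile(graph, host)
        mx_queries = sum(t.get("MX", 0) for t in graph[host].values())
        if (profile["mx_names"] >= min_mx_names
                and mx_queries / profile["queries"] >= mx_ratio):
            flagged[host] = profile
    return flagged


def candidate_reduction(graph, flagged):
    """Fraction of hosts an analyst no longer needs to inspect by hand."""
    return 1.0 - len(flagged) / len(graph)
```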

Published: 2014-11-03

BARBOSA, Kaio R. S.; SOUTO, Eduardo; FEITOSA, Eduardo; MARTINS, Gilbert B. Identificação e Caracterização de Comportamentos Suspeitos Através da Análise do Tráfego DNS. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 14., 2014, Belo Horizonte. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2014. p. 167-180. DOI: https://doi.org/10.5753/sbseg.2014.20129.
