Investigating DNS traffic anomalies for malicious activities

Fyodor Yarochkin; Vladimir Kropotov; Yennun Huang; Guo Kai Ni; Sy Yen Kuo; Ing Yi Chen

doi:10.1109/DSNW.2013.6615506

Investigating DNS traffic anomalies for malicious activities

Fyodor Yarochkin
, Vladimir Kropotov
, Yennun Huang
, Guo Kai Ni
, Sy Yen Kuo
, Ing Yi Chen

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

4 Scopus citations

Abstract

The Domain Name System (DNS) is one of the critical components of modern Internet networking. Proper Internet functions (such as mail delivery, web browsing and so on) are typically not possible without the use of DNS. However with the growth and commercialization of global networking, this protocol is often abused for malicious purposes which negatively impacts the security of Internet users. In this paper we perform security data analysis of DNS traffic at large scale for a prolonged period of time. In order to do this, we developed DNSPacketlizer, a DNS traffic analysis tool and deployed it at a mid-scale Internet Service Provider (ISP) for a period of six months. The findings presented in this paper demonstrate persistent abuse of the protocol by Botnet herders and antivirus software vendors for covert communication. Other suspicious or potentially malicious activities in DNS traffic are also discussed.

Original language	English
Title of host publication	2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop, DSN-W 2013
DOIs	https://doi.org/10.1109/DSNW.2013.6615506
State	Published - 2013
Externally published	Yes
Event	2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop, DSN-W 2013 - Budapest, Hungary Duration: 24 06 2013 → 27 06 2013

Publication series

Name	Proceedings of the International Conference on Dependable Systems and Networks

Conference

Conference	2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop, DSN-W 2013
Country/Territory	Hungary
City	Budapest
Period	24/06/13 → 27/06/13

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

SDG 9 Industry, Innovation, and Infrastructure

Access to Document

10.1109/DSNW.2013.6615506

Cite this

Yarochkin, F., Kropotov, V., Huang, Y., Ni, G. K., Kuo, S. Y., & Chen, I. Y. (2013). Investigating DNS traffic anomalies for malicious activities. In 2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop, DSN-W 2013 Article 6615506 (Proceedings of the International Conference on Dependable Systems and Networks). https://doi.org/10.1109/DSNW.2013.6615506

@inproceedings{d55bb4ac84ba44a983c2044db2d127bf,

title = "Investigating DNS traffic anomalies for malicious activities",

abstract = "The Domain Name System (DNS) is one of the critical components of modern Internet networking. Proper Internet functions (such as mail delivery, web browsing and so on) are typically not possible without the use of DNS. However with the growth and commercialization of global networking, this protocol is often abused for malicious purposes which negatively impacts the security of Internet users. In this paper we perform security data analysis of DNS traffic at large scale for a prolonged period of time. In order to do this, we developed DNSPacketlizer, a DNS traffic analysis tool and deployed it at a mid-scale Internet Service Provider (ISP) for a period of six months. The findings presented in this paper demonstrate persistent abuse of the protocol by Botnet herders and antivirus software vendors for covert communication. Other suspicious or potentially malicious activities in DNS traffic are also discussed.",

author = "Fyodor Yarochkin and Vladimir Kropotov and Yennun Huang and Ni, \{Guo Kai\} and Kuo, \{Sy Yen\} and Chen, \{Ing Yi\}",

year = "2013",

doi = "10.1109/DSNW.2013.6615506",

language = "英语",

isbn = "9781479901814",

series = "Proceedings of the International Conference on Dependable Systems and Networks",

booktitle = "2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop, DSN-W 2013",

note = "2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop, DSN-W 2013 ; Conference date: 24-06-2013 Through 27-06-2013",

}

Yarochkin, F, Kropotov, V, Huang, Y, Ni, GK, Kuo, SY & Chen, IY 2013, Investigating DNS traffic anomalies for malicious activities. in 2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop, DSN-W 2013., 6615506, Proceedings of the International Conference on Dependable Systems and Networks, 2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop, DSN-W 2013, Budapest, Hungary, 24/06/13. https://doi.org/10.1109/DSNW.2013.6615506

Investigating DNS traffic anomalies for malicious activities. / Yarochkin, Fyodor; Kropotov, Vladimir; Huang, Yennun et al.
2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop, DSN-W 2013. 2013. 6615506 (Proceedings of the International Conference on Dependable Systems and Networks).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Investigating DNS traffic anomalies for malicious activities

AU - Yarochkin, Fyodor

AU - Kropotov, Vladimir

AU - Huang, Yennun

AU - Ni, Guo Kai

AU - Kuo, Sy Yen

AU - Chen, Ing Yi

PY - 2013

Y1 - 2013

N2 - The Domain Name System (DNS) is one of the critical components of modern Internet networking. Proper Internet functions (such as mail delivery, web browsing and so on) are typically not possible without the use of DNS. However with the growth and commercialization of global networking, this protocol is often abused for malicious purposes which negatively impacts the security of Internet users. In this paper we perform security data analysis of DNS traffic at large scale for a prolonged period of time. In order to do this, we developed DNSPacketlizer, a DNS traffic analysis tool and deployed it at a mid-scale Internet Service Provider (ISP) for a period of six months. The findings presented in this paper demonstrate persistent abuse of the protocol by Botnet herders and antivirus software vendors for covert communication. Other suspicious or potentially malicious activities in DNS traffic are also discussed.

AB - The Domain Name System (DNS) is one of the critical components of modern Internet networking. Proper Internet functions (such as mail delivery, web browsing and so on) are typically not possible without the use of DNS. However with the growth and commercialization of global networking, this protocol is often abused for malicious purposes which negatively impacts the security of Internet users. In this paper we perform security data analysis of DNS traffic at large scale for a prolonged period of time. In order to do this, we developed DNSPacketlizer, a DNS traffic analysis tool and deployed it at a mid-scale Internet Service Provider (ISP) for a period of six months. The findings presented in this paper demonstrate persistent abuse of the protocol by Botnet herders and antivirus software vendors for covert communication. Other suspicious or potentially malicious activities in DNS traffic are also discussed.

UR - https://www.scopus.com/pages/publications/84885975047

U2 - 10.1109/DSNW.2013.6615506

DO - 10.1109/DSNW.2013.6615506

M3 - 会议稿件

AN - SCOPUS:84885975047

SN - 9781479901814

T3 - Proceedings of the International Conference on Dependable Systems and Networks

BT - 2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop, DSN-W 2013

T2 - 2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop, DSN-W 2013

Y2 - 24 June 2013 through 27 June 2013

ER -

Investigating DNS traffic anomalies for malicious activities

Abstract

Publication series

Conference

UN SDGs

Access to Document

Other files and links

Fingerprint

Cite this