Characterizing Dark DNS Behavior

11 years 9 months ago
Characterizing Dark DNS Behavior
Security researchers and network operators increasingly rely on information gathered from honeypots and sensors deployed on darknets, or unused address space, for attack detection. While the attack traffic gleaned from such deployments has been thoroughly scrutinized, little attention has been paid to DNS queries targeting these addresses. In this paper, we introduce the concept of dark DNS, the DNS queries associated with darknet addresses, and characterize the data collected from a large operational network by our dark DNS sensor. We discuss the implications of sensor evasion via DNS reconnaissance and emphasize the importance of reverse DNS authority when deploying darknet sensors to prevent attackers from easily evading monitored darknets. Finally, we present honeydns, a tool that complements existing network sensors and low-interaction honeypots by providing simple DNS services.
Jon Oberheide, Manish Karir, Zhuoqing Morley Mao
Added 29 Oct 2010
Updated 29 Oct 2010
Type Conference
Year 2007
Authors Jon Oberheide, Manish Karir, Zhuoqing Morley Mao
Comments (0)