"How DNS can be used for detecting and monitoring badware in a network" http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf This is a very interesting although preliminary work by obviously skilled people. I haven't learned much but I am extremely happy others work on this than the people I already know! They also weren't too shy with credit, mentioning Florian Weimer and his Passive DNS project already at the abstract (quoted below). They even mention me for some reason. Great paper guys! Moving past Passive DNS Replication and blacklisting, they discuss what so far has been done for years using dnstop, and help us take it to the next level of DNS monitoring. Someone should introduce them to Duane Wessels' (from ISC OARC) follow-up dnstop project, DSC. :) http://dns.measurement-factory.com/tools/dsc/ https://oarc.isc.org/faq-dsc.html http://www.caida.org/tools/utilities/dsc/ [Duane's lecture on the tool at the 1st DNS-OARC Workshop] http://www.caida.org/projects/oarc/200507/slides/oarc0507-Wessels-dsc.pdf There has been some other interesting work done in this area by our very own David Dagon from Georgia Tech: [Presentation from the 1st DNS-OARC Workshop] Botnet Detection and Response - The Network is the Infection: http://www.caida.org/projects/oarc/200507/slides/oarc0507-Dagon.pdf [Paper] Modeling Botnet Propagation Using Time Zones: http://www.cs.ucf.edu/~czou/research/botnet_tzmodel_NDSS06.pdf ----- Abstract SURFnet is looking for technologies to expand the ways they can detect network traffic anomalies like botnets. Since bots started using domain names for connection with their controller, tracking and removing them has become a hard task. This research is a first glance at the usability of DNS traffic and logs for detection of this malicious network activity. Detection of bots is possible by DNS information gathered from the network by placing counters and triggers on specific events in the data analysis. In combination with NetFlow information and IP addresses of known infected systems, detection of bots of network anomalies can be made visible. Also the behavior of a bot can be documented and additional information can be gathering about the bot. Using DNS data as a supplement to the existing detection systems can give more insight in the suspicious network traffic. With some future research, this information can be used to compile a case against particular types of bot or spyware and help dismantling a remote controlled infrastructure as a whole. Note We started this research project with the question if the Passive DNS Software of Florian Weimer was useful for bot detection. We immediately found out that the sensor of the Passive DNS Software strips the source address from the collected data for privacy reasons, making this software not useful at all for our purpose. We deviated from the Research Plan (Plan van Aanpak) and took a more general approach to the question; ”Is gathered DNS traffic usable for badware detection”. ----- Gadi. -- http://blogs.securiteam.com/ "Out of the box is where I live". -- Cara "Starbuck" Thrace, Battlestar Galactica.