John Heidemann / Papers / Detecting Malicious Activity with DNS Backscatter Over Time

Detecting Malicious Activity with DNS Backscatter Over Time
Kensuke Fukuda, John Heidemann and Abdul Qadeer
USC/Information Sciences Institute

Citation

Kensuke Fukuda, John Heidemann and Abdul Qadeer. Detecting Malicious Activity with DNS Backscatter Over Time. ACM/IEEE Transactions on Networking. 25, 5 (Aug. 2017), 3203–3218. [DOI] [PDF] [alt PDF] [Dataset]

Abstract

Network-wide activity is when one computer (the originator) touches many others (the targets). Motives for activity may be benign (mailing lists, CDNs, and research scanning), malicious (spammers and scanners for security vulnerabilities), or perhaps indeterminate (ad trackers). Knowledge of malicious activity may help anticipate attacks, and understanding benign activity may set a baseline or characterize growth. This paper identifies DNS backscatter as a new source of information about network-wide activity. Backscatter is the reverse DNS queries caused when targets or middleboxes automatically look up the domain name of the originator. Queries are visible to the authoritative DNS servers that handle reverse DNS. While the fraction of backscatter they see depends on the server’s location in the DNS hierarchy, we show that activity that touches many targets appear even in sampled observations. We use information about the queriers to classify originator activity using machine-learning. Our algorithm has reasonable accuracy and precision (70–80%) as shown by data from three different organizations operating DNS servers at the root or country-level. Using this technique we examine nine months of activity from one authority to identify trends in scanning, identifying bursts corresponding to Heartbleed and broad and continuous scanning of ssh.

Bibtex Citation

@article{Fukuda17a,
  author = {Fukuda, Kensuke and Heidemann, John and Qadeer, Abdul},
  title = {Detecting Malicious Activity with {DNS}
                    Backscatter Over Time},
  journal = {ACM/IEEE Transactions on Networking},
  volume = {25},
  number = {5},
  pages = {3203--3218},
  month = aug,
  year = {2017},
  sortdate = {2017-09-12},
  project = {ant, lacrend, retrofuture, retrofuturebridge, effect},
  jsubject = {dns},
  jlocation = {johnh: pafile},
  keywords = {dns, backscatter},
  doi = {10.1109/TNET.2017.2724506},
  url = {https://ant.isi.edu/%7ejohnh/PAPERS/Fukuda17a.html},
  pdfurl = {https://ant.isi.edu/%7ejohnh/PAPERS/Fukuda17a.pdf},
  dataseturl = {https://ant.isi.edu/datasets/dns_backscatter/index.html},
  icon = {Fukuda17a_icon.png},
  myorganization = {USC/Information Sciences Institute},
  copyrightholder = {IEEE}
}
Copyright © by John Heidemann