Passive Detection of Misbehaving Name Servers

Abstract

When categorizing malicious domains, distinguishing suspicious name servers from benign ones makes it possible to act against the name servers themselves. Name servers do not normally change Internet Protocol (IP) addresses frequently. Domains that do change IP addresses quickly or often are said to exhibit IP flux, which lets services such as web pages that deliver malicious content evade defenders' attempts to block their IP addresses. IP flux in the hostname of a name server itself may therefore be a sign that the name server is suspicious. This report demonstrates that name-server flux exists and is ongoing. Furthermore, two types of data can reveal IP flux in domain name system (DNS) servers: passively collected DNS messages and the contents of several large top-level domains' official zone files.
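The abstract names two data sources for spotting name-server IP flux: passive DNS observations and successive zone-file snapshots. The following Python script is an added illustration of both checks and is not code from the report or its authors. The record layout, the sample observations (reserved documentation addresses under the .test TLD), the simplified zone-file line format and the flagging thresholds are all assumptions made for this example; real passive DNS feeds and TLD zone files carry more fields and far more records.

```python
"""Illustrative name-server IP-flux detection from (1) passive DNS records and
(2) successive zone-file snapshots. Added example; not the report's code."""
from collections import defaultdict
from datetime import datetime

# Constructed passive-DNS observations: (observed_at, rrname, rrtype, rdata).
# The field layout is an assumption for this example, not a feed's real schema.
PASSIVE_DNS = [
    ("2013-06-01T00:00:00", "example.test.", "NS", "ns1.stable.test."),
    ("2013-06-01T00:00:00", "example.test.", "NS", "ns1.shifty.test."),
    ("2013-06-01T00:05:00", "ns1.stable.test.", "A", "192.0.2.10"),
    ("2013-06-10T00:05:00", "ns1.stable.test.", "A", "192.0.2.10"),
    ("2013-06-20T00:05:00", "ns1.stable.test.", "A", "192.0.2.11"),  # one planned move
    ("2013-06-01T00:05:00", "ns1.shifty.test.", "A", "198.51.100.5"),
    ("2013-06-01T06:00:00", "ns1.shifty.test.", "A", "198.51.100.77"),
    ("2013-06-01T12:00:00", "ns1.shifty.test.", "A", "203.0.113.9"),
    ("2013-06-02T00:00:00", "ns1.shifty.test.", "A", "198.51.100.5"),
    ("2013-06-02T12:00:00", "ns1.shifty.test.", "A", "203.0.113.200"),
]

# Constructed daily zone-file snapshots holding only the glue A records, in a
# simplified "owner TTL IN A address" line format (an assumption for this example).
ZONE_SNAPSHOTS = [
    "ns1.stable.test. 172800 IN A 192.0.2.10\nns1.shifty.test. 172800 IN A 198.51.100.5",
    "ns1.stable.test. 172800 IN A 192.0.2.10\nns1.shifty.test. 172800 IN A 203.0.113.9",
    "ns1.stable.test. 172800 IN A 192.0.2.10\nns1.shifty.test. 172800 IN A 198.51.100.77",
]


def name_server_hosts(records):
    """Hostnames that some domain delegates to, i.e. the rdata of NS records."""
    return {rdata.lower() for _, _, rrtype, rdata in records if rrtype == "NS"}


def address_timeline(records, host):
    """Chronological (time, ip) A-record observations for one name-server host."""
    obs = [(datetime.fromisoformat(t), rdata) for t, name, rrtype, rdata in records
           if rrtype == "A" and name.lower() == host.lower()]
    return sorted(obs)


def flux_stats(records, host):
    """Return (distinct_ips, address_changes, changes_per_day) for one host.

    A change is counted whenever two consecutive observations disagree, so a
    host that bounces back to an earlier address still accumulates changes.
    """
    timeline = address_timeline(records, host)
    if not timeline:
        return (0, 0, 0.0)
    ips = {ip for _, ip in timeline}
    changes = sum(1 for (_, a), (_, b) in zip(timeline, timeline[1:]) if a != b)
    span_days = (timeline[-1][0] - timeline[0][0]).total_seconds() / 86400.0
    # A history shorter than a day is normalised to one day to avoid inflating
    # the rate of a host seen only a few times in quick succession.
    return (len(ips), changes, changes / max(span_days, 1.0))


def flag_fluxing_name_servers(records, max_distinct_ips=2, max_changes_per_day=0.5):
    """Name servers whose address history exceeds either (assumed) threshold."""
    flagged = {}
    for host in sorted(name_server_hosts(records)):
        distinct, changes, rate = flux_stats(records, host)
        if distinct > max_distinct_ips or rate > max_changes_per_day:
            flagged[host] = {"distinct_ips": distinct, "changes": changes,
                             "changes_per_day": round(rate, 2)}
    return flagged


def parse_glue(zone_text):
    """Map owner name -> set of A-record addresses from simplified zone lines."""
    glue = defaultdict(set)
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2].upper() == "IN" and parts[3].upper() == "A":
            glue[parts[0].lower()].add(parts[4])
    return dict(glue)


def glue_changes(old_text, new_text):
    """Owner names whose glue address set differs between two snapshots."""
    old, new = parse_glue(old_text), parse_glue(new_text)
    return {h for h in set(old) | set(new) if old.get(h, set()) != new.get(h, set())}


def glue_change_counts(snapshots):
    """Count, per name server, how many consecutive snapshot pairs changed its glue."""
    counts = defaultdict(int)
    for prev, cur in zip(snapshots, snapshots[1:]):
        for host in glue_changes(prev, cur):
            counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    print("passive DNS:", flag_fluxing_name_servers(PASSIVE_DNS))
    print("zone glue:  ", glue_change_counts(ZONE_SNAPSHOTS))
```

On the constructed data the stable server (one address move in nineteen days) stays below both thresholds, while the other server, which cycles through four addresses in under two days, is flagged by the passive-DNS check and shows glue changes in both snapshot pairs. The thresholds are placeholders; in practice they should be calibrated against the observed distribution of address changes for known-benign name servers.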


Document Details

Document Type
Technical Report
Publication Date
Oct 01, 2013
Accession Number
ADA610471

Entities

People

  • Jonathan M. Spring
  • Leigh B. Metcalf

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Biomedical
  • C4I
  • Cyber
  • Energy and Power Technologies
  • Engineered Resilient Systems

DTIC Thesaurus Topics

  • Classification
  • Command And Control
  • Computer Networks
  • Cybersecurity
  • Detection
  • Electronic Mail
  • Engineering
  • Information Science
  • Intellectual Property
  • Internet
  • Network Protocols
  • Networks
  • Routing Protocols
  • Security
  • Security Personnel
  • Software Development
  • Websites

Fields of Study

  • Computer science

Readers

  • Computer Networking
  • Cybersecurity