Detecting Malicious Activity with DNS Backscatter Over Time. Fukuda, K., Heidemann, J., & Qadeer, A. ACM/IEEE Transactions on Networking, 25(5):3203–3218, August, 2017. Paper doi abstract bibtex Network-wide activity is when one computer (the \emphoriginator) touches many others (the \emphtargets). Motives for activity may be benign (mailing lists, CDNs, and research scanning), malicious (spammers and scanners for security vulnerabilities), or perhaps indeterminate (ad trackers). Knowledge of malicious activity may help anticipate attacks, and understanding benign activity may set a baseline or characterize growth. This paper identifies \emphDNS backscatter as a new source of information about network-wide activity. Backscatter is the reverse DNS queries caused when targets or middleboxes automatically look up the domain name of the originator. Queries are visible to the authoritative DNS servers that handle reverse DNS. While the fraction of backscatter they see depends on the server's location in the DNS hierarchy, we show that activity that touches many targets appear even in sampled observations. We use information about the queriers to classify originator activity using machine-learning. Our algorithm has reasonable accuracy and precision (70–80%) as shown by data from three different organizations operating DNS servers at the root or country-level. Using this technique we examine nine months of activity from one authority to identify trends in scanning, identifying bursts corresponding to Heartbleed and broad and continuous scanning of ssh.
@Article{Fukuda17a,
author = "Kensuke Fukuda and John Heidemann and Abdul Qadeer",
title = "Detecting Malicious Activity with {DNS}
Backscatter Over Time",
journal = "ACM/IEEE Transactions on Networking",
volume = "25",
number = "5",
pages = "3203--3218",
month = aug,
year = 2017,
sortdate = "2017-09-12",
project = "ant, lacrend, retrofuture, retrofuturebridge, effect",
jsubject = "dns",
jlocation = "johnh: pafile",
keywords = "dns, backscatter",
doi = "10.1109/TNET.2017.2724506",
url = "https://ant.isi.edu/%7ejohnh/PAPERS/Fukuda17a.html",
pdfurl = "https://ant.isi.edu/%7ejohnh/PAPERS/Fukuda17a.pdf",
dataseturl = "https://ant.isi.edu/datasets/dns_backscatter/index.html",
icon = "Fukuda17a_icon.png",
myorganization = "USC/Information Sciences Institute",
copyrightholder = "IEEE",
abstract = "Network-wide activity is when one computer (the \emph{originator})
touches many others (the \emph{targets}). Motives for activity may be
benign (mailing lists, CDNs, and research scanning), malicious
(spammers and scanners for security vulnerabilities), or perhaps
indeterminate (ad trackers). Knowledge of malicious activity may help
anticipate attacks, and understanding benign activity may set a
baseline or characterize growth. This paper identifies \emph{DNS
backscatter} as a new source of information about network-wide
activity. Backscatter is the reverse DNS queries caused when targets
or middleboxes automatically look up the domain name of the
originator. Queries are visible to the authoritative DNS servers that
handle reverse DNS. While the fraction of backscatter they see
depends on the server's location in the DNS hierarchy, we show that
activity that touches many targets appear even in sampled
observations. We use information about the queriers to classify
originator activity using machine-learning. Our algorithm has
reasonable accuracy and precision (70--80\%) as shown by data from
three different organizations operating DNS servers at the root or
country-level. Using this technique we examine nine months of
activity from one authority to identify trends in scanning,
identifying bursts corresponding to Heartbleed and broad and
continuous scanning of ssh.",
}
Downloads: 0
{"_id":"NmzeDPyAewt6SZcAW","bibbaseid":"fukuda-heidemann-qadeer-detectingmaliciousactivitywithdnsbackscatterovertime-2017","author_short":["Fukuda, K.","Heidemann, J.","Qadeer, A."],"bibdata":{"bibtype":"article","type":"article","author":[{"firstnames":["Kensuke"],"propositions":[],"lastnames":["Fukuda"],"suffixes":[]},{"firstnames":["John"],"propositions":[],"lastnames":["Heidemann"],"suffixes":[]},{"firstnames":["Abdul"],"propositions":[],"lastnames":["Qadeer"],"suffixes":[]}],"title":"Detecting Malicious Activity with DNS Backscatter Over Time","journal":"ACM/IEEE Transactions on Networking","volume":"25","number":"5","pages":"3203–3218","month":"August","year":"2017","sortdate":"2017-09-12","project":"ant, lacrend, retrofuture, retrofuturebridge, effect","jsubject":"dns","jlocation":"johnh: pafile","keywords":"dns, backscatter","doi":"10.1109/TNET.2017.2724506","url":"https://ant.isi.edu/%7ejohnh/PAPERS/Fukuda17a.html","pdfurl":"https://ant.isi.edu/%7ejohnh/PAPERS/Fukuda17a.pdf","dataseturl":"https://ant.isi.edu/datasets/dns_backscatter/index.html","icon":"Fukuda17a_icon.png","myorganization":"USC/Information Sciences Institute","copyrightholder":"IEEE","abstract":"Network-wide activity is when one computer (the \\emphoriginator) touches many others (the \\emphtargets). Motives for activity may be benign (mailing lists, CDNs, and research scanning), malicious (spammers and scanners for security vulnerabilities), or perhaps indeterminate (ad trackers). Knowledge of malicious activity may help anticipate attacks, and understanding benign activity may set a baseline or characterize growth. This paper identifies \\emphDNS backscatter as a new source of information about network-wide activity. Backscatter is the reverse DNS queries caused when targets or middleboxes automatically look up the domain name of the originator. Queries are visible to the authoritative DNS servers that handle reverse DNS. While the fraction of backscatter they see depends on the server's location in the DNS hierarchy, we show that activity that touches many targets appear even in sampled observations. We use information about the queriers to classify originator activity using machine-learning. Our algorithm has reasonable accuracy and precision (70–80%) as shown by data from three different organizations operating DNS servers at the root or country-level. Using this technique we examine nine months of activity from one authority to identify trends in scanning, identifying bursts corresponding to Heartbleed and broad and continuous scanning of ssh.","bibtex":"@Article{Fukuda17a,\n\tauthor = \t\"Kensuke Fukuda and John Heidemann and Abdul Qadeer\",\n\ttitle = \t\"Detecting Malicious Activity with {DNS}\n Backscatter Over Time\",\n journal = \"ACM/IEEE Transactions on Networking\",\n volume = \"25\",\n number = \"5\",\n pages = \"3203--3218\",\n month = aug,\n year = 2017,\n\tsortdate = \t\t\"2017-09-12\",\n\tproject = \"ant, lacrend, retrofuture, retrofuturebridge, effect\",\n\tjsubject = \"dns\",\n\tjlocation = \t\"johnh: pafile\",\n\tkeywords = \t\"dns, backscatter\",\n\tdoi = \"10.1109/TNET.2017.2724506\",\n\turl =\t\t\"https://ant.isi.edu/%7ejohnh/PAPERS/Fukuda17a.html\",\n\tpdfurl =\t\"https://ant.isi.edu/%7ejohnh/PAPERS/Fukuda17a.pdf\",\n\tdataseturl = \"https://ant.isi.edu/datasets/dns_backscatter/index.html\",\n\ticon =\t\"Fukuda17a_icon.png\",\n\tmyorganization =\t\"USC/Information Sciences Institute\",\n\tcopyrightholder = \"IEEE\",\n\tabstract = \"Network-wide activity is when one computer (the \\emph{originator})\ntouches many others (the \\emph{targets}). Motives for activity may be\nbenign (mailing lists, CDNs, and research scanning), malicious\n(spammers and scanners for security vulnerabilities), or perhaps\nindeterminate (ad trackers). Knowledge of malicious activity may help\nanticipate attacks, and understanding benign activity may set a\nbaseline or characterize growth. This paper identifies \\emph{DNS\nbackscatter} as a new source of information about network-wide\nactivity. Backscatter is the reverse DNS queries caused when targets\nor middleboxes automatically look up the domain name of the\noriginator. Queries are visible to the authoritative DNS servers that\nhandle reverse DNS. While the fraction of backscatter they see\ndepends on the server's location in the DNS hierarchy, we show that\nactivity that touches many targets appear even in sampled\nobservations. We use information about the queriers to classify\noriginator activity using machine-learning. Our algorithm has\nreasonable accuracy and precision (70--80\\%) as shown by data from\nthree different organizations operating DNS servers at the root or\ncountry-level. Using this technique we examine nine months of\nactivity from one authority to identify trends in scanning,\nidentifying bursts corresponding to Heartbleed and broad and\ncontinuous scanning of ssh.\",\n}\n\n","author_short":["Fukuda, K.","Heidemann, J.","Qadeer, A."],"bibbaseid":"fukuda-heidemann-qadeer-detectingmaliciousactivitywithdnsbackscatterovertime-2017","role":"author","urls":{"Paper":"https://ant.isi.edu/%7ejohnh/PAPERS/Fukuda17a.html"},"keyword":["dns","backscatter"],"metadata":{"authorlinks":{}}},"bibtype":"article","biburl":"https://bibbase.org/f/dHevizJoWEhWowz8q/johnh-2023-2.bib","dataSources":["YLyu3mj3xsBeoqiHK","fLZcDgNSoSuatv6aX","fxEParwu2ZfurScPY","7nuQvtHTqKrLmgu99"],"keywords":["dns","backscatter"],"search_terms":["detecting","malicious","activity","dns","backscatter","over","time","fukuda","heidemann","qadeer"],"title":"Detecting Malicious Activity with DNS Backscatter Over Time","year":2017}