The Domain Name System contains a wealth of information about the security, stability and health of the Internet. Most research that leverages the DNS for detection of malicious activities does so by using passive measurements. The limitation of this approach, however, is that it is effective only once an attack is ongoing. In this paper, we explore a different approach. We advocate the use of active DNS measurements for pro-active (i.e., before the actual attack) identification of domains set up for malicious use. Our research makes uses of data from the OpenINTEL large-scale active DNS measurement platform, which, since February 2015, collects daily snapshots of currently more than 60% of the DNS namespace. We illustrate the potential of our approach by showing preliminary results in three case studies, namely snowshoe spam, denial of service attacks and a case of targeted phishing known as CEO fraud.
|Number of pages||3|
|Publication status||Published - 22 Aug 2017|
|Event||Annual Conference of the ACM Special Interest Group on Data Communication, ACM SIGCOMM 2017 - Los Angeles, United States|
Duration: 21 Aug 2017 → 25 Aug 2017
|Conference||Annual Conference of the ACM Special Interest Group on Data Communication, ACM SIGCOMM 2017|
|Abbreviated title||ACM SIGCOMM|
|Period||21/08/17 → 25/08/17|