TIDE – Threat Identification using Active DNS Measurements

Anna Sperotto, Olivier van der Toorn, Roland van Rijswijk

    Research output: Contribution to conferencePaperpeer-review

    4 Citations (Scopus)


    The Domain Name System contains a wealth of information about the security, stability and health of the Internet. Most research that leverages the DNS for detection of malicious activities does so by using passive measurements. The limitation of this approach, however, is that it is effective only once an attack is ongoing. In this paper, we explore a different approach. We advocate the use of active DNS measurements for pro-active (i.e., before the actual attack) identification of domains set up for malicious use. Our research makes uses of data from the OpenINTEL large-scale active DNS measurement platform, which, since February 2015, collects daily snapshots of currently more than 60% of the DNS namespace. We illustrate the potential of our approach by showing preliminary results in three case studies, namely snowshoe spam, denial of service attacks and a case of targeted phishing known as CEO fraud.
    Original languageEnglish
    Number of pages3
    Publication statusPublished - 22 Aug 2017
    EventAnnual Conference of the ACM Special Interest Group on Data Communication, ACM SIGCOMM 2017 - Los Angeles, United States
    Duration: 21 Aug 201725 Aug 2017


    ConferenceAnnual Conference of the ACM Special Interest Group on Data Communication, ACM SIGCOMM 2017
    Abbreviated titleACM SIGCOMM
    Country/TerritoryUnited States
    CityLos Angeles
    Internet address


    Dive into the research topics of 'TIDE – Threat Identification using Active DNS Measurements'. Together they form a unique fingerprint.

    Cite this