Sunday, March 11, 2007

Revealing Botnet Membership Using DNSBL Counter-Intelligence

This is a paper by Anirudh Ramachandran, Nick Feamster and David Dagon from the College of Computing at the Georgia Institute of Technology. They start by explaining one of the primary contributors to malicious activity on the internet, i.e. botnets. They then describe bot and botnet detection mechanisms, mainly focusing on the effectiveness of monitoring lookups to a DNS-based blackhole list (DNSBL) to expose botnet membership.

The authors perform 'counter-intelligence' based on the fact that botmasters (people who own botnets) themselves perform DNSBL lookups to determine whether their spamming bots are on the blacklist. The major contributions of this paper are as follows:

1. Passive heuristics for counter-intelligence: This includes a definition of possible lookup techniques that botmasters are likely to use to verify whether their bots are blacklisted. The key difference here is that the detection schemes described are covert and do not disrupt botnet activity.

2. Study of DNSBL reconnaissance techniques: The authors study the prevalence of existing techniques for checking whether hosts are on a blacklist, by analyzing the logs from a mirror of a well-known blackhole list for a 45-day period from November 17, 2005 to December 31, 2005.

3. Identification of new bots: DNSBL queries that botmasters use to identify "clean" (i.e. not yet listed) bots are analyzed to determine patterns.

4. DNSBL-based countermeasures: The heuristics developed by the authors could be used to detect reconnaissance in real time, which creates the potential for active and immediate countermeasures.

The paper then goes on to explain a model for reconnaissance techniques, followed by short descriptions of three types of reconnaissance:

1. Self-Reconnaissance

2. Distributed Reconnaissance

3. Third-party Reconnaissance
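To make the "passive heuristics" idea concrete, here is an added example (my own illustration, not code from the paper or its authors) of the kind of analysis a DNSBL operator could run over its own query logs. It assumes a hypothetical zone `dnsbl.example.net`, a constructed log format of `<querier IP> <queried name>`, and constructed sample data. The two heuristics it applies are illustrative assumptions: a host that looks up its own address (self-reconnaissance as described above), and a host whose query-graph out-degree is much larger than its in-degree, on the reasoning that a real mail server both sends and receives mail and so is looked up by others about as often as it looks others up.

```python
"""Passive heuristics over DNSBL query logs (illustrative example, not the paper's code)."""
import re
from collections import defaultdict

# Hypothetical DNSBL zone whose mirror logs we are analysing (assumption).
ZONE = "dnsbl.example.net"

# Constructed sample log, not real data. Each line: "<querier IP> <queried name>".
# 192.0.2.10 looks itself up; 198.51.100.5 looks up many hosts but is rarely
# looked up; 203.0.113.20 behaves like an ordinary mail server (queried and querying).
SAMPLE_LOG = """\
192.0.2.10 10.2.0.192.dnsbl.example.net
198.51.100.5 10.2.0.192.dnsbl.example.net
198.51.100.5 11.2.0.192.dnsbl.example.net
198.51.100.5 12.2.0.192.dnsbl.example.net
198.51.100.5 13.2.0.192.dnsbl.example.net
198.51.100.5 20.113.0.203.dnsbl.example.net
203.0.113.20 5.100.51.198.dnsbl.example.net
203.0.113.20 11.2.0.192.dnsbl.example.net
192.0.2.11 20.113.0.203.dnsbl.example.net
192.0.2.11 mail.example.org
"""

_QUERY_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\." + re.escape(ZONE) + r"$"
)


def decode_query(name):
    """Return the IPv4 address a DNSBL query name is checking, or None if it is not a lookup in ZONE.

    DNSBL lookups reverse the octets of the address and append the zone, so
    10.2.0.192.dnsbl.example.net asks whether 192.0.2.10 is listed.
    """
    m = _QUERY_RE.match(name)
    if not m:
        return None
    return ".".join(reversed(m.groups()))


def parse_log(text):
    """Turn log lines into (querier, queried) edges; lines that are not DNSBL lookups are skipped."""
    edges = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        querier, name = parts
        queried = decode_query(name)
        if queried is not None:
            edges.append((querier, queried))
    return edges


def degrees(edges):
    """Build the query graph and return {host: (out_degree, in_degree)}.

    out-degree = number of distinct addresses the host looked up,
    in-degree  = number of distinct hosts that looked the address up.
    """
    out_nbrs, in_nbrs = defaultdict(set), defaultdict(set)
    for querier, queried in edges:
        out_nbrs[querier].add(queried)
        in_nbrs[queried].add(querier)
    nodes = set(out_nbrs) | set(in_nbrs)
    return {n: (len(out_nbrs[n]), len(in_nbrs[n])) for n in nodes}


def self_reconnaissance(edges):
    """Hosts that looked up their own address (self-reconnaissance heuristic)."""
    return sorted({q for q, t in edges if q == t})


def reconnaissance_suspects(edges, min_out=3, min_ratio=3.0):
    """Hosts whose lookups are lopsided: they query many addresses but are rarely queried.

    Thresholds are illustrative; an operator would tune them against known mail servers.
    """
    suspects = []
    for host, (out_deg, in_deg) in degrees(edges).items():
        if out_deg >= min_out and out_deg / max(in_deg, 1) >= min_ratio:
            suspects.append(host)
    return sorted(suspects)


if __name__ == "__main__":
    edges = parse_log(SAMPLE_LOG)
    print("self-reconnaissance:", self_reconnaissance(edges))
    print("lopsided queriers:", reconnaissance_suspects(edges))
```

On the sample data the self-lookup heuristic flags 192.0.2.10 and the degree heuristic flags 198.51.100.5 (five lookups out, one in), while 203.0.113.20 is left alone because it is looked up as often as it looks others up. Because the analysis only reads the mirror's existing logs, it is passive in the sense the paper's first contribution describes: nothing is sent to the hosts being examined.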

The paper goes into considerable detail in explaining the tests and methods for analysis used by the authors, and ends by suggesting techniques that DNSBL operators might use to more effectively stem the spam originating from botnets.
