Two researchers (Dhia Mahjoub & Thomas Mathew) have recently presented at BruCON on how they have been using DNS to detect patterns that are typical of exploit kits landing domains. Obviously most of us won't get the amount of DNS queries OpenDNS collects (over 70+ billions per day or 1/2 TB per hour) but the principles they are showing in the presentation are very interesting called "Spike Rank" or SPRank that leverages DNS traffic below recursive resolvers instead of the well know Domain Reputation. "SPRank detects domains showing as a sudden surge — or a spike — in DNS queries issued from our 65 million worldwide clients towards our resolvers."[1] Their results so far appear to be very promising because they have been able to detect malware campaigns such as Angler, RIG, and Nuclear exploit kits, in addition to DGAs, fake software, or phishing. Take some time watching their BruCON presentation on YouTube and their recently published post. Do you mine your DNS data and how successful are you at finding malicious activity? [1] https://labs.opendns.com/2015/11/19/sprank-and-ip-space-monitoring/ ----------- |
Guy 491 Posts ISC Handler Nov 23rd 2015 |
Thread locked Subscribe |
Nov 23rd 2015 5 years ago |
"Do you mine your DNS data"...How would one go about doing that exactly?
|
AAInfoSec 48 Posts |
Quote |
Nov 23rd 2015 5 years ago |
This, perhaps?
http://pen-testing.sans.org/blog/pen-testing/2015/07/10/dns-anomaly-analysis-tips-did-you-put-a-new-cover-sheet-on-that-ddd-report |
John 88 Posts |
Quote |
Nov 23rd 2015 5 years ago |
Thanks, this is a great post, but unfortunately it's for a non-Windows DNS server.
|
AAInfoSec 48 Posts |
Quote |
Nov 25th 2015 5 years ago |
Sign Up for Free or Log In to start participating in the conversation!