Botnets---networks of (typically compromised) machines---are often used
for nefarious activities (\eg, spam, click fraud, denial-of-service attacks,
etc.). Identifying members of botnets could help stem these
attacks, but {\em passively} detecting botnet membership (\ie, without
disrupting the operation of the botnet) proves to be difficult.
This paper studies the effectiveness of monitoring lookups to a
DNS-based blackhole list (DNSBL) to expose botnet membership.
We perform {\em counter-intelligence} based on the insight that
botmasters themselves perform DNSBL lookups to determine whether their
spamming bots are blacklisted. Using heuristics to identify which DNSBL
lookups are perpetrated by a botmaster performing such reconnaissance,
we are able to compile a list of likely bots. This paper studies the
prevalence of DNSBL reconnaissance observed at a mirror of a well-known
blacklist for a 45-day period, identifies the means by which botmasters
are performing reconnaissance, and suggests the possibility of using
counter-intelligence to discover likely bots. We find that bots are
performing reconnaissance on behalf of other bots. Based on this
finding, we suggest counter- intelligence techniques that may be useful
for early bot detection.
About the Presenter
Nick Feamster is an assistant professor in the College of Computing at Georgia Tech. He received his Ph.D. in Computer science from MIT in 2005, and his S.B. and M.Eng. degrees in Electrical Engineering and Computer Science from MIT in 2000 and 2001, respectively. His research focuses on many aspects of computer networking and networked systems, including the design, measurement, and analysis of network routing protocols, network security, anonymous communication systems, and adaptive streaming media protocols. His honors include award papers at SIGCOMM 2006 (network-level behavior of spammers), the NSDI 2005 conference (fault detection in router configuration), Usenix Security 2002 (circumventing web censorship using Infranet), and Usenix Security 2001 (web cookie analysis).
Link to this Presentation
Nick Feamster's webpage is here: http://www.cc.gatech.edu/~feamster/
The paper referenced in the talk is here: http://www.cc.gatech.edu/~feamster/papers/dnsbl.pdf
