Passive Monitoring of DNS Anomalies
B. Zdrnja, N. Brownlee, and D. Wessels, "Passive Monitoring of DNS Anomalies", in Proceedings of the Conference on Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA) 2007, Lucerne, Switzerland, Jul 2007, vol. 4579, pp. 129-139.


Bojan Zdrnja (University of Auckland, New Zealand)
Nevil Brownlee (University of Auckland, New Zealand; Cooperative Association for Internet Data Analysis - CAIDA, San Diego Supercomputer Center, University of California, San Diego)
Duane Wessels (The Measurement Factory, Inc.)

We collected DNS responses at the University of Auckland Internet gateway in an SQL database, and analyzed them to detect unusual behaviour. Our DNS response data have included typo squatter domains, fast flux domains and domains being (ab)used by spammers. We observe that current attempts to reduce spam have greatly increased the number of A records being resolved. We also observe that the data locality of DNS requests diminishes because of domains advertised in spam.
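The abstract describes storing passively captured DNS responses in an SQL database and mining them for the anomaly classes it names. The following is an added illustration of that workflow, not code from the paper or from CAIDA: constructed sample responses are loaded into an in-memory SQLite table, then two heuristic checks run over them. The fast-flux check flags names whose A answers rotate through many distinct addresses while carrying only short TTLs; the typo-squatting check flags registered labels within a small edit distance of a watched brand label. The thresholds (five distinct addresses, a 300-second TTL ceiling, edit distance one), the table layout and the brand list are assumptions chosen for the example, not values taken from the paper.

```python
"""Passive DNS anomaly checks over responses stored in SQLite.

Added example, not the paper's own code. The sample responses below are
constructed for illustration; thresholds and schema are assumptions.
"""
import sqlite3

# Constructed sample responses: (query name, record type, rdata, TTL in seconds).
# Names use reserved example domains and documentation address ranges.
SAMPLE_RESPONSES = [
    ("www.example.com", "A", "192.0.2.10", 3600),
    ("www.example.com", "A", "192.0.2.10", 3600),
    ("mail.example.com", "A", "192.0.2.25", 3600),
    # A name whose answers rotate through many addresses with short TTLs.
    ("cheap-pills.example", "A", "198.51.100.1", 60),
    ("cheap-pills.example", "A", "198.51.100.2", 60),
    ("cheap-pills.example", "A", "198.51.100.3", 120),
    ("cheap-pills.example", "A", "198.51.100.4", 60),
    ("cheap-pills.example", "A", "198.51.100.5", 60),
    ("cheap-pills.example", "A", "198.51.100.6", 30),
    # A name one transposition away from a watched brand label.
    ("www.exmaple.com", "A", "203.0.113.7", 300),
    ("www.example.com", "MX", "mail.example.com", 3600),
]


def load_responses(rows):
    """Create an in-memory table of responses (assumed schema) and fill it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE responses (qname TEXT, rtype TEXT, rdata TEXT, ttl INTEGER)"
    )
    conn.executemany("INSERT INTO responses VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def fast_flux_candidates(conn, min_distinct_ips=5, max_ttl=300):
    """Names whose A answers span many addresses and never carry a long TTL."""
    sql = """
        SELECT qname, COUNT(DISTINCT rdata) AS n_ips
        FROM responses
        WHERE rtype = 'A'
        GROUP BY qname
        HAVING COUNT(DISTINCT rdata) >= ? AND MAX(ttl) <= ?
        ORDER BY n_ips DESC, qname
    """
    return [(q, n) for q, n in conn.execute(sql, (min_distinct_ips, max_ttl))]


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters (the common typo shapes)."""
    rows = [list(range(len(b) + 1))]
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(rows[i - 1][j] + 1,          # delete
                       cur[j - 1] + 1,              # insert
                       rows[i - 1][j - 1] + (ca != cb))  # substitute
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, rows[i - 2][j - 2] + 1)  # transpose
            cur.append(cost)
        rows.append(cur)
    return rows[-1][-1]


def registered_label(qname):
    """Second-to-last label of a name, e.g. 'exmaple' for 'www.exmaple.com'.
    Simplifying assumption: a one-label public suffix."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def typo_squat_candidates(conn, brands, max_distance=1):
    """Queried names whose registered label is a near miss of a watched brand."""
    hits = {}
    for (qname,) in conn.execute("SELECT DISTINCT qname FROM responses"):
        label = registered_label(qname)
        if label in brands:
            continue
        for brand in brands:
            d = edit_distance(label, brand)
            if 0 < d <= max_distance:
                hits[qname] = (brand, d)
    return sorted(hits.items())


def summary(conn):
    """Volume figures: A responses seen and distinct addresses resolved."""
    n_a, n_addr = conn.execute(
        "SELECT COUNT(*), COUNT(DISTINCT rdata) FROM responses WHERE rtype = 'A'"
    ).fetchone()
    return {"a_responses": n_a, "distinct_a_addresses": n_addr}


if __name__ == "__main__":
    db = load_responses(SAMPLE_RESPONSES)
    print("fast-flux candidates:", fast_flux_candidates(db))
    print("typo-squat candidates:", typo_squat_candidates(db, {"example"}))
    print("summary:", summary(db))
```

Both checks are deliberately conservative single-table queries so they can be rerun over a growing response archive; on real traffic the thresholds need tuning against CDN-hosted names, which also answer with many addresses and short TTLs but do so from stable provider ranges.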

  Last Modified: Fri May-3-2013 15:20:3 PDT
  Page URL: http://www.caida.org/publications/papers/2007/dns_anomalies/index.xml