Skip to Content
[CAIDA - Cooperative Association for Internet Data Analysis logo]
The Cooperative Association for Internet Data Analysis
www.caida.org > publications : papers : 2007 : : dns_anomalies
Passive Monitoring of DNS Anomalies
Abstract for "Passive Monitoring of DNS Anomalies" authored by Bojan Zdrnja, Nevil Brownlee, and Duane Wessels. Presented at the Fourth GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA), vol. 4579, pp. 129-139, in 2007.
|  View full paper:    PDF  |

Passive Monitoring of DNS Anomalies

Bojan Zdrnja
University of Auckland, New Zealand

Nevil Brownlee
University of Auckland, New Zealand and
Cooperative Association for Internet Data Analysis - CAIDA
San Diego Supercomputer Center,
University of California, San Diego

Duane Wessels
The Measurement Factory, Inc.

We collected DNS responses at the University of Auckland Internet gateway in an SQL database, and analyzed them to detect unusual behaviour. Our DNS response data have included typo squatter domains, fast flux domains and domains being (ab)used by spammers. We observe that current attempts to reduce spam have greatly increased the number of A records being resolved. We also observe that the data locality of DNS requests diminishes because of domains advertised in spam.

|  View full paper:    PDF  |
  Last Modified: Wed May-20-2009 9:34:40 PDT
  Page URL: http://www.caida.org/publications/papers/2007/dns_anomalies/index.xml