![[CAIDA - Cooperative Association for Internet Data Analysis logo]](/images/caida_globe_faded.png)
![[CAIDA]](/images/caida_whitewords.png "Go to CAIDA home page"){kind=small}
Abstract for "Passive Monitoring of DNS Anomalies" authored by Bojan Zdrnja, Nevil Brownlee, and Duane Wessels. Presented at the Fourth GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA), vol. 4579, pp. 129-139, in 2007.
Passive Monitoring of DNS Anomalies
Bojan Zdrnja
University of Auckland, New Zealand
Nevil Brownlee
University of Auckland, New Zealand and
Cooperative Association for Internet Data Analysis - CAIDA
San Diego Supercomputer Center,
University of California, San Diego
Duane Wessels
The Measurement Factory, Inc.
We collected DNS responses at the University of Auckland Internet gateway in an SQL database, and analyzed them to detect unusual behaviour. Our DNS response data have included typo squatter domains, fast flux domains and domains being (ab)used by spammers. We observe that current attempts to reduce spam have greatly increased the number of A records being resolved. We also observe that the data locality of DNS requests diminishes because of domains advertised in spam.