Advanced Search

Content Type

Topics

Publication Date

Passive Detection of Misbehaving Name Servers

Abstract

In the process of categorizing malicious domains, distinguishing between suspicious and benign name servers can allow the name servers themselves to be acted against. Name servers do not normally change internet protocol (IP) addresses frequently. Domains that do change IP addresses quickly or often are said to exhibit IP flux, which can allow services, such as web pages that deliver malicious content, to circumvent defenders' attempts to block their IP addresses. IP flux in a name server's domain may be a sign that the name server is suspicious. This report demonstrates that name-server flux exists and is ongoing. Furthermore, there are two types of data that can reveal IP flux in domain name system (DNS) servers: passively collected DNS messages and the contents of several large, top-level domains' official zone files. 

Cite This Report

Show Citation Formats

SEI

Metcalf, Leigh; & Spring, Jonathan. Passive Detection of Misbehaving Name Servers (CMU/SEI-2013-TR-010). Software Engineering Institute, Carnegie Mellon University, 2013. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=65269

IEEE

Metcalf. Leigh, and Spring. Jonathan, "Passive Detection of Misbehaving Name Servers," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Technical Report CMU/SEI-2013-TR-010, 2013. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=65269

APA

Metcalf, Leigh., & Spring, Jonathan. (2013). Passive Detection of Misbehaving Name Servers (CMU/SEI-2013-TR-010). Retrieved October 31, 2014, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=65269

CHI

Leigh Metcalf, & Jonathan Spring. Passive Detection of Misbehaving Name Servers (CMU/SEI-2013-TR-010). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2013. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=65269

MLA

Metcalf, Leigh., & Spring, Jonathan. 2013. Passive Detection of Misbehaving Name Servers (Technical Report CMU/SEI-2013-TR-010). Pittsburgh: Software Engineering Institute, Carnegie Mellon University. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=65269