Detecting Traffic to Recently Unparked Domains with Analysis Pipeline

January 2016 • Presentation

Daniel Ruef

In this presentation, the authors discuss using Analysis Pipeline to detect (1) changes in the control plane and (2) data going to recently unparked IP addresses.

Publisher:

CERT Division

Subjects

Situational AwarenessSituational Awareness
FloConFloCon

Abstract

The IP address associated with a domain name can be changed back and forth from being route-able to unroute-able. The changing of a domain name's associated IP address can potentially indicate the turning on of a C2 server. This presentation walks through how to use Analysis Pipeline to detect these changes in the control plane and to detect any data going to these recently unparked IP addresses.

Software Engineering Institute