Last week our home town of San Diego was host to the Network and Distributed System Security Symposium held by the Internet Society. This conference represented a good opportunity for us to learn the latest research topics under investigation by the academic community.
David Dagon and his team from GA Tech presented an interesting paper on malicious domain name resolution. Their research showed that 2.4% of investigated DNS servers produce incorrect or malicious name resolution. eExtrapolating based on the number of hosts on the Internet, there may be almost 300,000 malicious name servers out there! While this is not surprising, as we have seen malware that changes the DNS configuration of infected hosts to redirect their browsers towards phishing sites, this is the first research we have seen on the scope of the problem.
Thorsten Holz also gave an interesting presentation on how to measure and detect fast flux DNS service networks. Fast flux is a technique used to increase the reliability and availability of malicious web sites. To do so, DNS servers are configured to answer lookup requests for malicious sites with a wide range of different IP addresses every time a request is made for a domain. The IP addresses actually point to compromised hosts participating in a botnet and serve up more malicious content , host phishing sites and so forth. The increased number of computers available to respond to such requests "improves" the reliability of the service for the attacker and makes it harder for security companies and law enforcement agencies to stop malicious operations.
Other sessions at the conference focused on topics such as intrusion prevention, reverse engineering, hardening software,and malware. For more information, visit the conference website at: http://www.isoc.org/isoc/conferences/ndss/08/.
Pierre-Marc Bureau
Researcher