TY - GEN
T1 - A methodology for multipurpose DNS sinkhole analyzing double bounce emails
AU - Kim, Hee Seok
AU - Choi, Sang Soo
AU - Song, Jungsuk
PY - 2013
Y1 - 2013
N2 - DNS sinkholing is a powerful technique for mitigating the attack activity of bots (zombie PCs) by blocking the communication between them and their C&C server. When a zombie PC sends a DNS query to our DNS server in order to reach its C&C server, the DNS server, which holds a domain blacklist of C&C servers, returns the IP address of our sinkhole server instead. The zombie PC therefore tries to communicate with the sinkhole server and is unable to reach its C&C server. On the other hand, many cyber attacks are caused by malicious URLs included in spam emails. If we extract malicious URLs from spam emails and feed them into the DNS sinkhole system, many spam-based attacks can be blocked. In this paper, we propose a methodology for enhancing the capability of a DNS sinkhole system by analyzing spam emails. In particular, we use double bounce emails, which have neither a valid sender nor a valid recipient address, as our spam source and extract malicious URLs from them. Our preliminary experimental results demonstrate that the existing domain blacklist of the DNS sinkhole system is not effective. We therefore design a new method for collecting malicious URLs from double bounce emails and show how a new domain blacklist can be generated. With a DNS sinkhole system using the new domain blacklist, we will be able to detect and block the latest malicious behavior on the Internet at an early stage.
KW - Botnet
KW - C&C server
KW - DNS sinkhole
KW - Double bounce emails
KW - Spam
UR - https://www.scopus.com/pages/publications/84893346021
U2 - 10.1007/978-3-642-42054-2_76
DO - 10.1007/978-3-642-42054-2_76
M3 - Conference contribution
AN - SCOPUS:84893346021
SN - 9783642420535
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 609
EP - 616
BT - Neural Information Processing - 20th International Conference, ICONIP 2013, Proceedings
T2 - 20th International Conference on Neural Information Processing, ICONIP 2013
Y2 - 3 November 2013 through 7 November 2013
ER -
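The abstract describes a two-stage pipeline: pick out double bounce emails (no valid sender and no valid recipient), harvest the URLs they carry into a domain blacklist, and have the sinkhole DNS server answer queries for blacklisted names with the sinkhole's own address. The following is an added illustration of that flow, not code from the paper and not the authors' extraction method: the bounce messages, mailboxes, hostnames and IP addresses are all constructed, the double-bounce test (null `Return-Path` or MAILER-DAEMON origin combined with an unknown local recipient), the allowlist for our own domain, and subdomain suffix matching are assumptions of this example, and URLs with IP-literal hosts are dropped because a DNS sinkhole cannot intercept them.

```python
# Added illustration, not code from the paper: identify constructed double-bounce
# emails, extract URL hostnames from them, build a domain blacklist, and answer
# DNS lookups with a sinkhole address for blacklisted names. All addresses,
# hostnames and IPs below are made up.
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

SINKHOLE_IP = "10.13.37.1"                                  # assumed sinkhole server
VALID_RECIPIENTS = {"alice@example.net", "bob@example.net"}  # our real mailboxes (constructed)
ALLOWLIST = {"example.net"}                                  # assumption: never sinkhole our own domain
UPSTREAM = {"www.example.net": "192.0.2.10"}                 # stand-in for normal recursive resolution
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed double bounce: null envelope sender AND unknown recipient, spam quoted in the body.
DOUBLE_BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example.net
To: qzx91@example.net
Content-Type: text/plain; charset=us-ascii

Your message to qzx91@example.net could not be delivered: user unknown.
--- Original message follows ---
From: "Account Team" <notice@login-verify.invalid>
Please confirm your details at http://login-verify.invalid/acct?id=7 today.
Image: https://cdn.pics.invalid:8080/img.png
Mirror: http://203.0.113.9/x.php
Special offer: http://promo.invalid/deal.
"""
# Constructed ordinary bounce: null sender but a real recipient, so NOT a double bounce.
SINGLE_BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example.net
To: alice@example.net
Content-Type: text/plain; charset=us-ascii

Your message to partner@example.org bounced; see http://www.example.net/status
"""
# Constructed direct spam to an unknown mailbox: real envelope sender, so also NOT a double bounce.
DIRECT_SPAM = """\
Return-Path: <deals@promo-other.invalid>
From: deals@promo-other.invalid
To: ghost@example.net
Content-Type: text/plain; charset=us-ascii

Click http://promo-other.invalid/now
"""


def is_double_bounce(msg, valid_recipients=VALID_RECIPIENTS):
    """Null envelope sender (or MAILER-DAEMON origin) AND a recipient we do not host."""
    return_path = msg.get("Return-Path", "").strip()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    null_sender = return_path in ("", "<>") or sender.startswith("mailer-daemon@")
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    return null_sender and rcpt not in valid_recipients


def message_text(msg):
    """Concatenate the text/* parts; real NDRs are usually multipart/report."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def extract_urls(text):
    """http(s) URLs with trailing sentence punctuation stripped."""
    return [u.rstrip(".,;:)>]'\"") for u in URL_RE.findall(text)]


def url_host(url):
    """Hostname of a URL, or None for IP-literal hosts (a DNS sinkhole cannot intercept those)."""
    host = urlsplit(url).hostname
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        return host.lower()


def in_domain(name, domains):
    """True if name equals or is a subdomain of any entry in domains."""
    return any(name == d or name.endswith("." + d) for d in domains)


def build_blacklist(raw_messages, valid_recipients=VALID_RECIPIENTS, allowlist=ALLOWLIST):
    """Domain blacklist from URLs found in double-bounce messages only."""
    blacklist = set()
    for raw in raw_messages:
        msg = message_from_string(raw)
        if not is_double_bounce(msg, valid_recipients):
            continue
        for url in extract_urls(message_text(msg)):
            host = url_host(url)
            if host and not in_domain(host, allowlist):
                blacklist.add(host)
    return blacklist


def resolve(qname, blacklist, upstream=UPSTREAM):
    """Sinkhole answer for blacklisted names and their subdomains, else upstream/NXDOMAIN."""
    name = qname.lower().rstrip(".")
    if in_domain(name, blacklist):
        return SINKHOLE_IP, "sinkhole"
    if name in upstream:
        return upstream[name], "upstream"
    return None, "nxdomain"


if __name__ == "__main__":
    bl = build_blacklist([DOUBLE_BOUNCE, SINGLE_BOUNCE, DIRECT_SPAM])
    print("blacklist:", sorted(bl))
    for q in ("login-verify.invalid", "www.promo.invalid.", "www.example.net", "promo-other.invalid"):
        print(q, "->", resolve(q, bl))
```

Only the double bounce contributes to the blacklist: the ordinary bounce is addressed to a real mailbox and the direct spam carries a real envelope sender, so neither qualifies. In a deployment the harvested hostnames would still need review before being loaded into the sinkhole, since spam bodies routinely reference legitimate hosts (image CDNs, unsubscribe services, the recipient's own domain), and the allowlist here covers only the last of those.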