DOI: 10.1145/3297156.3297272
Research article

A Large Scale Analysis of DNS Water Torture Attack

Published: 08 December 2018

    Abstract

    Random domains are widely used in the present network environment. In benign services, they have been utilized as disposable domains to transfer one-time signals. Recently, however, exploiting the convenience of random domains, some cybercriminals have used them to launch the DNS water torture attack, a kind of DDoS attack targeting authoritative servers. Most researchers focus on analyzing the random domains used for DGA (Domain Generation Algorithm) malware C&C communication rather than those used in the DNS water torture attack. In order to learn more about the nature of this kind of attack, we compare the behavior of the DNS water torture attack with that of DGA malware and disposable services from three aspects, i.e., time pattern, lexical properties and participants (clients and victims). Based on a month of real-world DNS traffic, we find that, first, the volume of DNS water torture attack queries is significantly larger than the volume of disposable-domain and DGA queries. Second, the character distribution of the domains generated in DNS water torture attacks is more random than that of disposable domains and DGA domains. Third, the client IPs launching the DNS water torture attack are all randomly generated fake addresses. Fourth, the victims are themselves lawbreakers, e.g., pornographic websites and gambling websites. Finally, we give some advice based on the analysis results to mitigate the DNS water torture attack.




      Published In

      CSAI '18: Proceedings of the 2018 2nd International Conference on Computer Science and Artificial Intelligence
      December 2018
      641 pages
      ISBN:9781450366069
      DOI:10.1145/3297156
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org

      In-Cooperation

      • Shenzhen University

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. DGA
      2. DNS
      3. DNS Water Torture Attack
      4. DDoS
      5. Disposable Domain
      6. Random Domain

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      CSAI '18

      Article Metrics

      • Downloads (Last 12 months)42
      • Downloads (Last 6 weeks)6

      Cited By

      • (2023) NRDelegationAttack. Proceedings of the 32nd USENIX Conference on Security Symposium, 3187-3204. DOI 10.5555/3620237.3620416. Online publication date: 9 Aug 2023
      • (2023) Silence is not Golden: Disrupting the Load Balancing of Authoritative DNS Servers. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 296-310. DOI 10.1145/3576915.3616647. Online publication date: 15 Nov 2023
      • (2023) Collaborative Defense Framework Using FQDN-Based Allowlist Filter Against DNS Water Torture Attack. IEEE Transactions on Network and Service Management 20(4), 3968-3983. DOI 10.1109/TNSM.2023.3277880. Online publication date: 1 Dec 2023
      • (2023) The Closed Resolver Project: Measuring the Deployment of Inbound Source Address Validation. IEEE/ACM Transactions on Networking 31(6), 2589-2603. DOI 10.1109/TNET.2023.3257413. Online publication date: Dec 2023
      • (2022) Learning-Based Detection of Malicious Hosts by Analyzing Non-Existent DNS Responses. GLOBECOM 2022 - 2022 IEEE Global Communications Conference, 3411-3416. DOI 10.1109/GLOBECOM48099.2022.10001429. Online publication date: 4 Dec 2022
      • (2021) Transparent forwarders. Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies, 454-462. DOI 10.1145/3485983.3494872. Online publication date: 2 Dec 2021
      • (2021) DNS water torture detection in the data plane. Proceedings of the SIGCOMM '21 Poster and Demo Sessions, 24-26. DOI 10.1145/3472716.3472854. Online publication date: 23 Aug 2021
      • (2021) Source Address Validation. Encyclopedia of Cryptography, Security and Privacy, 1-5. DOI 10.1007/978-3-642-27739-9_1626-1. Online publication date: 19 Jan 2021
      • (2020) NXNSAttack. Proceedings of the 29th USENIX Conference on Security Symposium, 631-648. DOI 10.5555/3489212.3489248. Online publication date: 12 Aug 2020
      • (2019) Taxonomy and Adversarial Strategies of Random Subdomain Attacks. 2019 10th IFIP International Conference on New Technologies, Mobility and Security (NTMS), 1-5. DOI 10.1109/NTMS.2019.8763820. Online publication date: Jun 2019
