Large Scale DNS Traffic Analysis of Malicious Internet Activity with a Focus on Evaluating the Response Time of Blocking Phishing Sites

摘要

This thesis explores four research areas that are examined using DNS traffic analysis. The tools used for this analysis are presented first. The four topics examined are domain mapping, response time of anti-phishing block lists to find the phishing sites, automated identification of malicious fast-flux hosting domains, and identification of distributed denial of service attacks. The first three approaches yielded successful results, and the fourth yields primarily negative lessons for using DNS traffic analysis in such a scenario. Much of the analysis concerns the anti-phishing response time, which has yielded tentative results. It is found that there is significant overlap between the automatically identified fast-flux sites and those sites on the block list. It appears that domains were being put onto the list approximately 11 hours after becoming active, in the median case, which is very nearly the median lifetime of a phishing site. More recently collected data indicates that this result is extremely difficult to verify. While further work is necessary to verify these claims, the initial indication is that finding and listing phishing sites is the bottleneck in propagating data to protect consumers from malicious phishing sites.