
A Methodology for Multipurpose DNS Sinkhole Analyzing Double Bounce Emails

  • Conference paper
Neural Information Processing (ICONIP 2013)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 8226)

Abstract

A DNS sinkhole is a powerful technique for mitigating the attack activity of bots (zombie PCs) by blocking the communication between them and their C&C server. When a zombie PC sends a DNS query to our DNS server in order to reach its C&C server, the DNS server, which holds a domain blacklist of C&C servers, returns the IP address of our sinkhole server instead. The zombie PC therefore tries to communicate with the sinkhole server and is unable to reach its C&C server. Separately, many cyber attacks are caused by malicious URLs contained in spam emails, so if we extract those malicious URLs from spam emails and feed them into the DNS sinkhole system, many spam-based attacks can be blocked. In this paper, we propose a methodology that enhances the capability of a DNS sinkhole system by analyzing spam emails. In particular, we use double bounce emails, which have no valid sender or recipient address, as our spam source and extract malicious URLs from them. Our preliminary experimental results show that the existing domain blacklist of the DNS sinkhole system is not effective. We therefore design a new method for collecting malicious URLs from double bounce emails and show how a new domain blacklist can be generated from them. With a DNS sinkhole system using this new domain blacklist, we will be able to detect and block the latest malicious behaviors on the Internet at an early stage.
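The two mechanisms the abstract describes, a blacklist-driven resolver that answers with the sinkhole address, and a harvester that pulls URL domains out of double bounce emails to extend that blacklist, are sketched below. This is an added illustration, not code from the paper or its authors; the sinkhole address, the upstream answers, the mailbox list, the messages and the domains are all constructed (documentation-range IPs and `.example` names), and the double-bounce test (null or MAILER-DAEMON sender plus a recipient that does not exist locally) is a deliberately simplified stand-in for whatever criteria the paper's system applies.

```python
import re
from email import message_from_string

# Everything below is constructed for this example (no real domains or addresses).
SINKHOLE_IP = "192.0.2.10"        # assumed address of the sinkhole server
UPSTREAM = {                      # stand-in for a real recursive resolver's answers
    "update.example.org": "198.51.100.7",
    "cc-old.example": "203.0.113.5",
    "cc-new.example": "203.0.113.9",
}


def normalize_domain(name):
    """Lower-case a domain and drop a trailing dot so lookups are consistent."""
    return name.strip().rstrip(".").lower()


class SinkholeResolver:
    """Answer blacklisted domains (and their subdomains) with the sinkhole IP."""

    def __init__(self, blacklist, sinkhole_ip=SINKHOLE_IP, upstream=UPSTREAM):
        self.blacklist = {normalize_domain(d) for d in blacklist}
        self.sinkhole_ip = sinkhole_ip
        self.upstream = upstream

    def is_blacklisted(self, qname):
        # Walk up the name: a.b.c -> a.b.c, b.c, c ; any listed suffix matches.
        labels = normalize_domain(qname).split(".")
        return any(".".join(labels[i:]) in self.blacklist for i in range(len(labels)))

    def resolve(self, qname):
        """Return (answer_ip, sinkholed); the bot never learns the real C&C address."""
        if self.is_blacklisted(qname):
            return self.sinkhole_ip, True
        return self.upstream.get(normalize_domain(qname)), False


# Captures the host part of http(s) URLs found in message bodies.
URL_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})(?::\d+)?(?:/[^\s\"'<>]*)?",
                    re.IGNORECASE)


def extract_domains(text):
    """Collect normalized domains from every URL in the text."""
    return {normalize_domain(m.group(1)) for m in URL_RE.finditer(text)}


def is_double_bounce(msg, valid_mailboxes):
    """Simplified criterion: null/daemon sender AND a recipient that does not exist."""
    sender = (msg.get("Return-Path") or msg.get("From") or "").strip()
    recipient = (msg.get("To") or "").strip().lower()
    null_sender = sender in ("", "<>") or "mailer-daemon" in sender.lower()
    return null_sender and recipient not in valid_mailboxes


def build_blacklist(raw_messages, valid_mailboxes):
    """Harvest URL domains only from messages classified as double bounces."""
    domains = set()
    for raw in raw_messages:
        msg = message_from_string(raw)
        if is_double_bounce(msg, valid_mailboxes):
            domains |= extract_domains(msg.get_payload())
    return domains


VALID_MAILBOXES = {"alice@sinkhole.example"}
SAMPLE_MESSAGES = [
    # Constructed double bounce: null sender, non-existent recipient, URL in body.
    "Return-Path: <>\nFrom: MAILER-DAEMON@sinkhole.example\n"
    "To: nobody@sinkhole.example\nSubject: Undeliverable\n\n"
    "Your invoice: http://cc-new.example/bin/update.exe\n",
    # Constructed legitimate mail to a real mailbox: its URL must not be harvested.
    "Return-Path: <bob@example.org>\nFrom: bob@example.org\n"
    "To: alice@sinkhole.example\nSubject: hi\n\n"
    "See http://update.example.org/patch\n",
]


def demo():
    """Show a domain slipping past the old blacklist and being sinkholed by the new one."""
    old_blacklist = {"cc-old.example"}
    harvested = build_blacklist(SAMPLE_MESSAGES, VALID_MAILBOXES)
    before = SinkholeResolver(old_blacklist).resolve("cc-new.example")
    after = SinkholeResolver(old_blacklist | harvested).resolve("cc-new.example")
    return harvested, before, after


if __name__ == "__main__":
    harvested, before, after = demo()
    print("domains harvested from double bounces:", sorted(harvested))
    print("cc-new.example before:", before, "after:", after)
```

The suffix walk in `is_blacklisted` is what makes a single blacklist entry cover `www.cc-old.example` as well as the bare domain; the harvester deliberately ignores the legitimate message so that ordinary mail traffic does not pollute the blacklist.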




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kim, H., Choi, SS., Song, J. (2013). A Methodology for Multipurpose DNS Sinkhole Analyzing Double Bounce Emails. In: Lee, M., Hirose, A., Hou, ZG., Kil, R.M. (eds) Neural Information Processing. ICONIP 2013. Lecture Notes in Computer Science, vol 8226. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-42054-2_76


  • DOI: https://doi.org/10.1007/978-3-642-42054-2_76

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-42053-5

  • Online ISBN: 978-3-642-42054-2

  • eBook Packages: Computer Science (R0)
