SaTC: CORE: Medium: Large-Scale Characterization of DNS Abuse
University Of California-San Diego, La Jolla CA
Investigators
Abstract
The domain name system (DNS) is one of the most critical pieces of Internet infrastructure in use today. It underlies how we name nearly all Internet resources, such as "nsf.gov", and its correct operation is implicitly assumed both by end users and in the design of many important applications such as email and the World Wide Web. Unfortunately, DNS is also abused in a wide variety of ways to support criminal activities such as spam, phishing, fraud, and host compromise. The goal of this research is to develop infrastructure for the comprehensive and frequent auditing of the domain name system as a basis for discovering and understanding the impact of abuse and attacks on the health of the DNS and the Internet as a whole, and for understanding how changes in the domain name system facilitate new kinds of abuse and attacks. Given the indiscriminate nature of Internet abuse, ensuring the vitality of the DNS ecosystem can benefit virtually all Internet users. The project will also create educational opportunities for students at a variety of levels, expanding the research skills of postdoctoral, graduate, and undergraduate students.
This research will perform large-scale measurement of many sources of data which, when combined, will provide a global perspective on the health of the DNS, and will develop analysis techniques for scalably identifying and characterizing the nature of DNS abuse. We will comprehensively survey DNS to capture the bindings of all key records. We will crawl registered domains in all top-level domains for which we can obtain data, and regularly repeat this survey over time to look for changes. We will scan the resources linked to domains, including Web sites, mail servers, login and application servers, any certificates that they present, linked registration records, results of search engine queries, and contemporaneous data from a range of threat intelligence and passive DNS feeds.
We will perform such measurements from a variety of geographically diverse IP addresses to capture differences in resolution that arise from national DNS infrastructure or from cache poisoning attacks. We will build tools to process this considerable volume of data to efficiently identify changes in DNS mapping state and to characterize abusive behavior. Finally, we will produce an overall analysis of DNS abuse Internet-wide, as revealed by our measurements, capturing the prevalence of different kinds of abuse and what abusers are using the DNS for.
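The two analysis steps described above, detecting changes in DNS mapping state between repeated surveys and spotting answers that differ by vantage point, can be illustrated with a small differential comparison over survey snapshots. The following is an added example written for this page; it is not the project's own tooling, and the vantage-point names, domains, and record data are constructed for illustration.

```python
"""Added example: differential comparison of repeated DNS surveys.

Each survey epoch is a per-vantage-point map from (domain, record type) to the
set of answers observed. Comparing epochs yields binding changes (new domains,
nameserver re-delegations, re-pointed A records); comparing vantage points
within one epoch yields answers that disagree by location, the kind of signal a
poisoned or regionally manipulated resolver leaves. All data below is
constructed for illustration; vantage points and domains are hypothetical.
"""
from collections import Counter
from dataclasses import dataclass

Key = tuple[str, str]              # (domain, record type)
View = dict[Key, frozenset[str]]   # one vantage point's answers in one epoch
Snapshot = dict[str, View]         # vantage point -> view


@dataclass(frozen=True)
class Change:
    domain: str
    rtype: str
    kind: str                  # "added", "removed" or "changed"
    before: frozenset[str]
    after: frozenset[str]


def diff_views(old: View, new: View) -> list[Change]:
    """Report every (domain, rtype) whose answer set differs between two epochs."""
    changes = []
    for key in sorted(old.keys() | new.keys()):
        before = old.get(key, frozenset())
        after = new.get(key, frozenset())
        if before == after:
            continue
        kind = "added" if not before else "removed" if not after else "changed"
        changes.append(Change(key[0], key[1], kind, before, after))
    return changes


def vantage_divergence(snapshot: Snapshot) -> dict[Key, dict[str, frozenset[str]]]:
    """Keys for which vantage points returned different answers in the same epoch."""
    keys = set().union(*(view.keys() for view in snapshot.values()))
    divergent = {}
    for key in keys:
        answers = {vp: view.get(key, frozenset()) for vp, view in snapshot.items()}
        if len(set(answers.values())) > 1:
            divergent[key] = answers
    return divergent


def summarize(changes: list[Change]) -> Counter:
    """Count changes by (record type, kind); an NS change means the delegation moved."""
    return Counter((c.rtype, c.kind) for c in changes)


def _view(pairs: dict[Key, set[str]]) -> View:
    return {k: frozenset(v) for k, v in pairs.items()}


# Constructed sample data (not real measurements): two epochs, two hypothetical
# vantage points. Between T0 and T1, shop.test is re-delegated and re-pointed,
# new-domain.test appears, and only the EU vantage point sees a different A
# answer for example.test.
BASE_T0 = _view({
    ("example.test", "NS"): {"ns1.hoster.test", "ns2.hoster.test"},
    ("example.test", "A"): {"192.0.2.10"},
    ("example.test", "MX"): {"10 mail.example.test"},
    ("shop.test", "NS"): {"ns1.hoster.test", "ns2.hoster.test"},
    ("shop.test", "A"): {"192.0.2.20"},
})
SNAPSHOT_T0: Snapshot = {"vp-us": BASE_T0, "vp-eu": dict(BASE_T0)}

BASE_T1 = _view({
    ("example.test", "NS"): {"ns1.hoster.test", "ns2.hoster.test"},
    ("example.test", "A"): {"192.0.2.10"},
    ("example.test", "MX"): {"10 mail.example.test"},
    ("shop.test", "NS"): {"ns1.other.test", "ns2.other.test"},
    ("shop.test", "A"): {"198.51.100.5"},
    ("new-domain.test", "A"): {"203.0.113.7"},
})
SNAPSHOT_T1: Snapshot = {
    "vp-us": BASE_T1,
    "vp-eu": {**BASE_T1, ("example.test", "A"): frozenset({"198.51.100.99"})},
}

if __name__ == "__main__":
    changes = diff_views(SNAPSHOT_T0["vp-us"], SNAPSHOT_T1["vp-us"])
    for c in changes:
        print(f"{c.kind:8} {c.domain} {c.rtype}: {sorted(c.before)} -> {sorted(c.after)}")
    print(dict(summarize(changes)))
    for key, answers in vantage_divergence(SNAPSHOT_T1).items():
        print("divergent", key, {vp: sorted(a) for vp, a in answers.items()})
```

Run against real survey output, the epoch diff is what a change-detection pipeline would emit per crawl, and the per-epoch divergence check is the piece that needs multiple vantage points: a binding that differs only at one location is worth checking against the authoritative servers before it is counted as a change at all.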