The R&D team of the Dutch Internet domain name registry SIDN has recently made its Entrada platform available as open source. Entrada - an acronym for ENhanced Top-level domain Resilience through Advanced Data Analysis - is an experimental Big Data platform specifically developed for building applications to detect botnets and other malicious systems. By increasing the security and stability of the .nl domain, Entrada makes the (Dutch) Internet a safer place.

The deployment at SIDN Labs stores about 145 billion records containing information on the DNS queries received by the authoritative name servers of the .nl domain. Analysis of this information allows the registry to detect botnets, pop-up/burner domains used to sell stolen, fake or illegal goods and drugs, and other malicious clients.

SIDN, the registry for the .nl top-level domain (TLD) of the Netherlands, is responsible for administering 5.6 million domain names, registered through about 1400 registrars. As such, SIDN calls itself a private foundation with a public task.

We process about 1.3 billion DNS queries per day, says Maarten Wullink, Research Engineer at SIDN Labs and technical lead for the Entrada project. Most of these queries are legit, but some of them come from botnets or are the result of other malicious activities. Entrada was specifically developed to find such requests, which requires a system that is able to analyse large volumes of network data. It provides a platform that allows us to evaluate Big Data applications to:
- increase the safety of the (Dutch) Internet, and

Detecting DNS queries from malicious systems is one thing; finding out who is behind these queries is far more difficult, Wullink says. As a registry we have a global view, and we see mostly queries from large service providers like Google Public DNS and Internet Access Providers (IAPs). They run caching name servers for their customers, and these servers hide most of the user population from us. We estimate that 99.6 percent of the queries we receive come from shared caching resolvers run by DNS service providers and Internet Access Providers.

Because of this organisation of the DNS infrastructure, access providers have a more detailed view, though only a local one. They could, however, use the Entrada system to detect suspicious queries coming from their customers and directly relate these activities to the IP addresses of their users.

An example application of Entrada that we are working on involves connecting our system to the anti-spam lists published by the Spamhaus Project. If we see a relatively high number of queries for MX records from IP address ranges that are not supposed to send e-mail, we could notify the Spamhaus Project or the public security intelligence provider.

We have conducted many analyses using Entrada. One of the applications we have developed is the resolver reputation service, which automatically detects botnet clients. We share this information with AbuseHUB, which passes it on to the appropriate Internet Access Provider. AbuseHUB is a collaboration of seven Dutch access providers, SIDN and SURFnet. It fights botnets by collecting information about infected computers and sharing this with the associated access providers.

The .nl domain is one of the safest top-level domains out there. That is another reason why sharing this software is a good idea. Generally, top-level domains become less secure as registration becomes cheaper. That implies that there are many other registries and DNS operators who will probably detect much more malicious activity using Entrada than we do.
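The MX-query heuristic Wullink describes (a high number of MX lookups from address ranges that are not supposed to send e-mail), reduced to a small detection function over constructed query records, as an added example that is neither the article's nor the Entrada project's own code. Queries from shared caching resolvers are left out of the count because, as the article notes, a resolver's queries stand for many hidden users. The query sample, the no-mail range list, the resolver set and the threshold are all constructed placeholders, not Spamhaus or SIDN data.

```python
import ipaddress
from collections import Counter

# Constructed sample of authoritative-side query records: (source IP, query type).
# Real Entrada records carry many more fields; these two are all the heuristic needs.
QUERIES = (
    [("198.51.100.7", "MX")] * 3
    + [("198.51.100.9", "MX")] * 2
    + [("198.51.100.7", "A")]        # not an MX lookup: ignored
    + [("203.0.113.4", "MX")]
    + [("192.0.2.53", "MX")] * 5     # shared caching resolver: excluded
    + [("192.0.2.10", "MX")] * 2     # not in a no-mail range: ignored
)

# Constructed placeholder for a policy list of ranges that should not send e-mail
# (the kind of list an anti-spam project publishes). Not real Spamhaus data.
NO_MAIL_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed: addresses of shared caching resolvers (ISP or public DNS). Their
# MX queries are made on behalf of many users, so they say nothing about one sender.
SHARED_RESOLVERS = {"192.0.2.53"}


def mx_queries_by_range(queries, ranges, resolvers):
    """Count MX queries per no-mail range, skipping shared resolvers."""
    counts = Counter()
    for src, qtype in queries:
        if qtype != "MX" or src in resolvers:
            continue
        addr = ipaddress.ip_address(src)
        for net in ranges:
            if addr in net:
                counts[str(net)] += 1
                break  # a source belongs to at most one listed range here
    return counts


def suspicious_ranges(queries, ranges, resolvers, threshold):
    """Return (range, count) pairs at or above the threshold, highest count first.

    The fixed threshold stands in for 'relatively high'; a production version
    would compare against a per-range baseline instead of a constant.
    """
    counts = mx_queries_by_range(queries, ranges, resolvers)
    hits = [(net, n) for net, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for net, n in suspicious_ranges(QUERIES, NO_MAIL_RANGES, SHARED_RESOLVERS, 3):
        print(f"{net}: {n} MX queries from a no-mail range")
```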