Yes, it makes your goal a lot clearer. I was wondering where you were
going with your question. I think you're on the right track in that DNS
can be good at detecting malware and bot traffic on your network. I don't
think it's going to be practical to ask the top few dynamic DNS
providers to monitor requests from our IP addresses. They would
probably be willing to sell it as a service, but it wouldn't catch the
more sophisticated bots that use their own DNS servers. In particular
I'm thinking about fast flux networks that honeynet wrote about in 2007
(http://honeynet.org/papers/ff). They recommended passive DNS monitoring
as a way of detecting these bot nets, and several other papers have been
written on it, such as
http://www.caida.org/workshops/wide/0707/slides/bojan.pdf and
http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf
Of course, DNS monitoring on your network could also catch any external
authoritative DNS responses that had your own IP addresses in them, which
is likely to be of interest.
-- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GPEN
Principal Security Consultant
http://rd1.net
Adrian Crenshaw wrote:
Thanks Tim, hope your explanation makes it more clear. I've read about
some malware/bots using dynamic DNS providers to map names for the sake
of convenience, and some employees may set up unauthorized services on
their work box; I figured this sort of tool would help find them.
Adrian
On Fri, Jun 26, 2009 at 1:59 PM, Tim Krabec <[email protected]> wrote:
I was originally confused by what Irongeek wanted.
He wants to know if/when any IPs in his office/company show up in
a dynamically assigned domain/IP,
i.e.
Irongeek's company range is 192.168.1.5-15;
he wants to be able to check abcDynamics
for his IPs,
i.e. bot327.abcDynamics.com is
pointing to 192.168.1.6.
I think this could be another awesome tool/resource. It would
probably require cooperation with the dynamic IP providers.
--
Tim Krabec
Kracomp
772-597-2349
http://smbminute.com
http://kracomp.blogspot.com
http://www.kracomp.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
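A worked sketch of the passive DNS monitoring Ralph describes above: watch the answers your resolvers see, flag external names that resolve into your own address space (Tim's "bot327.abcDynamics.com pointing to 192.168.1.6" case), flag anything under a dynamic DNS zone you care about, and apply the fast-flux pattern from the honeynet paper (one name churning across many low-TTL addresses). This is an added example, not code from anyone in this thread or from the cited papers. The one-line record format, the 192.168.1.0/24 and TEST-NET ranges, the zone names (abcDynamics comes from Tim's message, the rest are invented) and the flux thresholds are all assumptions; the sample records are constructed.

```python
"""Passive DNS monitor sketch (added example, not from the thread).

Consumes DNS answer records in a constructed, simplified line format:
    <epoch> <qname> <rtype> <ttl> <rdata>
and returns three kinds of defender-side alerts:
  1. OUR_IP_IN_EXTERNAL_NAME : a name outside our zones resolving into our space
  2. DYNAMIC_DNS             : any answer under a watched dynamic-DNS zone
  3. FAST_FLUX_LIKE          : a name spread over many distinct low-TTL addresses
"""
import ipaddress
from collections import defaultdict

# Assumptions: placeholder address space and zones; replace with real values.
OUR_RANGES = [ipaddress.ip_network("192.168.1.0/24"),     # Tim's example range
              ipaddress.ip_network("203.0.113.0/24")]     # TEST-NET-3 placeholder
OUR_ZONES = ("corp.example.",)                            # hypothetical internal zone
WATCHED_DDNS_ZONES = ("abcdynamics.com.", "example-ddns.net.")  # hypothetical
FLUX_MIN_ADDRS = 5      # distinct addresses before a name looks flux-like
FLUX_MAX_TTL = 300      # seconds; fast-flux records carry short TTLs


def parse_line(line):
    """Split one record; rdata keeps everything after the TTL (MX etc. have spaces)."""
    ts, qname, rtype, ttl, rdata = line.split(None, 4)
    name = qname.lower().rstrip(".") + "."          # canonical, fully qualified
    return {"ts": int(ts), "qname": name, "rtype": rtype, "ttl": int(ttl), "rdata": rdata}


def in_our_space(addr):
    """True if rdata parses as an address inside one of OUR_RANGES."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in OUR_RANGES)


def under_zone(name, zones):
    return any(name == z or name.endswith("." + z) for z in zones)


def analyze(lines):
    """Return a sorted, de-duplicated list of (kind, qname, detail) alerts."""
    alerts = set()
    addrs_seen = defaultdict(set)     # qname -> distinct A/AAAA rdata
    min_ttl = {}                      # qname -> smallest TTL observed
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        rec = parse_line(raw)
        if rec["rtype"] not in ("A", "AAAA"):
            continue
        name, rdata = rec["qname"], rec["rdata"]
        # 1. an external authoritative answer carrying one of our own addresses
        if in_our_space(rdata) and not under_zone(name, OUR_ZONES):
            alerts.add(("OUR_IP_IN_EXTERNAL_NAME", name, rdata))
        # 2. anything under a dynamic-DNS provider zone we watch
        if under_zone(name, WATCHED_DDNS_ZONES):
            alerts.add(("DYNAMIC_DNS", name, rdata))
        addrs_seen[name].add(rdata)
        min_ttl[name] = min(min_ttl.get(name, rec["ttl"]), rec["ttl"])
    # 3. fast-flux heuristic: many addresses behind one name, all with short TTLs
    for name, addrs in addrs_seen.items():
        if len(addrs) >= FLUX_MIN_ADDRS and min_ttl[name] <= FLUX_MAX_TTL:
            alerts.add(("FAST_FLUX_LIKE", name, f"{len(addrs)} addrs, ttl<={min_ttl[name]}"))
    return sorted(alerts)


# Constructed sample: epoch qname rtype ttl rdata (addresses from TEST-NET-2)
SAMPLE = """\
1246000000 www.corp.example A 3600 192.168.1.10
1246000001 bot327.abcDynamics.com A 60 192.168.1.6
1246000002 cdn.vendor.example A 300 198.51.100.7
1246000003 shop-deals.example-flux.org A 120 198.51.100.11
1246000004 shop-deals.example-flux.org A 120 198.51.100.12
1246000005 shop-deals.example-flux.org A 120 198.51.100.13
1246000006 shop-deals.example-flux.org A 120 198.51.100.14
1246000007 shop-deals.example-flux.org A 120 198.51.100.15
1246000008 mail.corp.example MX 3600 10 mx.corp.example
"""

if __name__ == "__main__":
    for kind, name, detail in analyze(SAMPLE.splitlines()):
        print(f"{kind:24} {name:32} {detail}")
```

The internal-zone exclusion matters: your own authoritative names legitimately resolve into your space, so only names outside `OUR_ZONES` should trip the first rule. Feeding this from real resolver logs (BIND query/response logging, a dnstap sink, or a span port) is the part the thread leaves open.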