CyLab/CERT Seminar: Ron Bandes and Jonathan Spring

Time: August 12, 2009 - 10:00 AM - 12:00 PM

Location: Distributive Education Center @CIC (first floor of the CIC Building)


Please plan to attend a presentation hosted by computer science students Ron Bandes and Jonathan Spring, who are currently interning with the Software Engineering Institute's Cyber Threat and Vulnerability Analysis Teams.


The Domain Name System (DNS) protocol is used to exchange various types of information about hosts and domains across the Internet, even though it is predominantly used to find the addresses of hosts. DNS analysis is often shallow; however, thanks to the availability of a new data feed organized by the Security Information Exchange (SIE) of the Internet Systems Consortium (ISC), we have been able to perform more in-depth analyses using DNS traffic. The data feed is collected at various points throughout the Internet using a specially designed program, Ncaptool, and is retransmitted and received using the same program. A significant part of our work has been to understand and upgrade Ncaptool to facilitate our analysis. The two courses of research in which DNS analysis is found to be most fruitful are passively mapping out domain infrastructure and evaluating anti-phishing groups' speed in including phishing sites on their block list after the phishing site goes live. The concept of domain mapping is proven, and future uses of the approach are discussed. The anti-phishing group analyzed is found to do fairly well in its endeavor; however, the data is still preliminary. The future of this work will be discussed, and we will briefly touch on using the DNS data for other analyses, such as those related to distributed denial of service (DDoS) attacks.

Speakers: Ron Bandes and Jonathan Spring