*********************************
There is now a CONTENT FREEZE for Mercury while we switch to a new platform. It began on Friday, March 10 at 6pm and will end on Wednesday, March 15 at noon. No new content can be created during this time, but all material in the system as of the beginning of the freeze will be migrated to the new platform, including users and groups. Functionally the new site is identical to the old one. webteam@gatech.edu
*********************************
Title: Characterizing Network Infrastructure Using the Domain Name System
Panagiotis Kintis
Ph.D. Candidate
School of Computer Science
College of Computing
Georgia Institute of Technology
Date: Thursday, October 1st, 2020
Time: 12 PM - 2 PM (ET)
Location: https://us02web.zoom.us/j/87871069114?pwd=eFIzTzFTZjU3MFRweTRTZm1sWFRSUT09
Committee:
------------------------
Dr. Emmanouil Antonakakis (Advisor, School of Electrical and Computer Engineering, Georgia Institute of Technology)
Dr. Douglas Blough (Co-Advisor, School of Electrical and Computer Engineering, Georgia Institute of Technology)
Dr. Angelos Keromytis (School of Electrical and Computer Engineering, Georgia Institute of Technology)
Dr. Mustaque Ahamad (School of Computer Science, Georgia Institute of Technology)
Dr. Jonathan M. Smith (Department of Computer and Information Science, University of Pennsylvania)
Abstract
------------------------
From the early 90’s until the recent years we have seen a significant amount of protocols and applications being built on top of the Internet Protocol (IP). The ever growing use of off-the-shelf solutions and vertically integrated software is quickly transforming the Inter- net to an end-to-end encrypted network. This creates a great burden on security applications and the security industry as a whole, which rely on techniques like Deep Packet Inspection (DPI) to secure networks. However, the Domain Name System (DNS), the Internet’s phone book, is still available to the security community for both research and applied security. At the same time, DNS monitoring is less invasive, since it is separate from applications using it, preserving the privacy level encryption attempts to set. Hence, DNS is expected to be available to security applications for the foreseeable future and can still be used to reason about the IP even though encryption may make the underlying data unavailable to network security solutions.
This thesis shows how to actively query domain names in order to assist in detecting security threats and provide context around Internet Protocol addresses. Specifically, it introduces the Active DNS data, a public dataset that maps almost 70% of the registered domain names to IP addresses from 75% of the Top Level Domains (TLDs) in an active and scalable fashion, as an alternative to extensively used passive DNS datasets. Moreover, this thesis, describes problems faced after operating the Active DNS data generation system for almost five years and how architectural changes improved system availability, reliability, and scalability. Finally, it demonstrates the value in the Active DNS data by performing the first large scale study of Combosquatting, an attack technique that utilizes over 2.1M domain names, resolved more than 10B times per day, and attempts to hide malicious activity in at least seven different types of online abuse.
