LEWIS II - Collection of Passive DNS and Network Telescope Data
Principal Investigator:
Prof. Peter Ryan
Funding source(s):
Ministry of Economy and Foreign Affairs
Passive DNS was invented by Florian Weimer at the University of Stuttgart [3], and his system has been collecting data ever since 2004. The basic idea is to monitor DNS response traffic, discard the identity of the client that requested the name lookup, and record only the DNS answers into a database. This approach is privacy-preserving, but it permits the actively consulted part of the distributed DNS database to be reverse-engineered into a local repository.
Passive DNS databases have turned out to have numerous applications in identifying and tracking malware, botnets, phishing, email spam and so forth. For example, the main phishing gang currently hosts their fake banking webpages on a botnet, so that hosting machines are hard to remove – it is necessary to have the domain name cancelled. However, the gangs are foolish enough to host all their domains on a small number of servers, and so passive DNS means that newly minted domains can be detected just as soon as a lookup is done on them.
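As an added illustration, not part of the LEWIS II project description or its collector, the following Python sketch shows the two ideas above: a recorder that decodes the answer section of a DNS response, discards the querying client's address, keeps first-seen/last-seen/count per (name, type, rdata) tuple, and a pivot from one server address to every name seen resolving to it, which is the shared-hosting observation about phishing domains. The DNS packet, names, addresses and timestamps are all constructed for the example.

```python
import struct
TYPES = {1: "A", 2: "NS", 5: "CNAME", 28: "AAAA"}
def read_name(msg, off):                               # -> (name, offset just after the name field)
    labels, end, hops = [], None, 0
    while (length := msg[off]) != 0:
        if length & 0xC0 == 0xC0:                      # RFC 1035 compression pointer
            end = off + 2 if end is None else end      # the field ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if (hops := hops + 1) > 16:                # hostile packets can chain pointers into a loop
                raise ValueError("compression pointer loop")
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii").lower())
            off += 1 + length
    return ".".join(labels), (off + 1 if end is None else end)

def parse_answers(msg):                                # yield (rrname, rrtype, rdata) per answer RR
    (qdcount, ancount), off = struct.unpack("!HH", msg[4:8]), 12
    for _ in range(qdcount):                           # skip the question section
        off = read_name(msg, off)[1] + 4
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        value = msg[off:off + rdlen].hex()             # default for types not decoded here
        if rtype == 1:                                 # A: dotted quad
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (2, 5):                          # NS/CNAME: a possibly compressed name
            value = read_name(msg, off)[0]
        off += rdlen
        yield name, TYPES.get(rtype, str(rtype)), value

class PassiveDNS:                                      # (rrname, rrtype, rdata) -> [first, last, count]
    def __init__(self):
        self.records = {}
    def observe(self, ts, _client_ip, packet):         # the requester's address is never stored
        answers = list(parse_answers(packet))
        new = [rec for rec in answers if rec not in self.records]
        for rec in answers:
            entry = self.records.setdefault(rec, [ts, ts, 0])
            entry[1], entry[2] = ts, entry[2] + 1
        return new                                     # answers seen for the first time
    def names_pointing_to(self, rdata):                # pivot: every name seen resolving to one server
        return sorted({n for n, _, v in self.records if v == rdata})
# Constructed response, not captured traffic: www.example.test CNAME cdn.example.test, plus its A record
SAMPLE = bytes.fromhex(
    "1234 8180 0001 0002 0000 0000"                    # header: response, 1 question, 2 answers
    "03777777 076578616d706c65 0474657374 00 0001 0001"  # question: www.example.test A IN
    "c00c 0005 0001 0000012c 0006 0363646e c010"       # CNAME; owner and target use pointers
    "c02e 0001 0001 0000012c 0004 c000020a")           # A 192.0.2.10 for cdn.example.test
```

A newly minted domain shows up as a non-empty return from `observe`, and `names_pointing_to` then lists what else has been seen on the same server.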
Besides tackling abuse, passive DNS is invaluable in providing lists of active hosts. Many research topics involve checking a small number of hosts for some property and then extrapolating the results to the whole Internet. Using a list that correctly reflects which hosts are actively in use can help to ensure that the extrapolation step has proper statistical significance.