DOCSLIB.ORG

Using the Domain Name System for System Break-Ins

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Using the Domain Name System for System Break-Ins The following paper was originally published in the Proceedings of the Fifth USENIX UNIX Security Symposium Salt Lake City, Utah, June 1995. Using the Domain Name System for System Break-ins Steven M. Bellovin AT&T Bell Laboratories For more information about USENIX Association contact: 1. Phone: 510 528-8649 2. FAX: 510 548-5738 3. Email: [email protected] 4. WWW URL: http://www.usenix.org Using the Domain Name System for System Breakins Steven M Bellovin smbresearchattcom ATT Bel l Laboratories Abstract recommendations to software develop ers and system administrators Throughout this pap er we fo cus on the problem The DARPAInternet uses the Domain Name Sys as it applies to Berkeleys remote login and remote tem DNS a distributed database to map host shell services Wemention these sp ecically b ecause names to network addresses and viceversa Using they are ubiquitous and the source co de is read a vulnerability rst noticed byPV Mo ckap etris we ily available Almost certainlyany other network demonstrate how the DNS can b e abused to sub services that rely on host names for authentication vert system securityWe also show what to ols are would b e vulnerable This probably includes vari useful to the attacker Possible defenses against this ous implementations of remote or networked le sys attack including one implemented by Berkeley in re tems sp onse to our rep orts of this problem are discussed and the limitations on their applicability are demon strated The Domain Name System This paper was written in and was withheld from publication by the author The body of the paper The DNS is a distributed data base used to map is unchanged even to the extreme of giving the size host names to IP network layer addresses and of the Internet as hosts An epilogue has viceversa The name space is divided intoase been added that discusses why it was held back and ries of zones based on syntactic separators p erio ds whyitisnowbeing released in domain names One or more servers contain the hzone Secondary author authoritative data for eac itativeservers p erio dically p oll the primary servers Intro duction for their zones if the data has changed they initiate zone transfer op erations to refresh their databases In an earlier pap er Bel we discussed a number of Atany level a server may delegate the authority security problems with the TCPIP proto col suite for a sub domain to a dierentserver Thus if there Many of them turned on the abilityofanintruder to is a server for a toplevel domain comitmay itself sp o of the IP address of a trusted machine In real contain the information for companies smallcom ity though hosts extend trust to other hosts based and smallercom but delegate the resp onsibilityfor on their names not their addresses an attack er who monolithcom to one or more of that companys ma can sp o of a hosts name can ignore the more di chines In fact servers for a domain need not and cult problem of faking its IP address Some attacks often will not reside within that domain along just these lines were mentioned in the earlier In general hosts that use the DNS maintain lo pap er In resp onse to it PV Mo ckap etris disclosed cal caches of the resourcerecords returned All re to us a more devastating attack based on the Domain source records contain a TimetoLive eld set by Name System DNS Mo cb Mo ca Herein we the creator at the end of that p erio d the cached utilize his observationstoinvade selected machines record must b e discarded and an authoritative and demonstrate which other to ols aided the attack server queried anew Let us consider as an example the information for Section provides a brief overview of the DNS zone smallcomasshown in Figure The server Section provides the details of some actual attacks contains a numb er of resource records Perio ds at The names and IP addresses of the target hosts have b een changed to protect the inno cent Section dis There are many other DNS records than those describ ed cusses defenses and shows why most of them are here We are mentioning only those that provide information necessary to understand the subsequent discussions limited in their scop e We conclude byproviding ORIGIN smallcom smallcom IN SOA serversmallcom ghuwssmallcom Serial Refresh Retry Expire Minimum TimetoLive IN NS server IN NS servertinycom server IN A IN HINFO Smallic SmallIx boss IN A IN HINFO Smallic SmallIx ws IN A IN HINFO Smallic SmallIx ws IN A IN HINFO Smallic SmallIx Define a subdomain salessmallcom sales IN NS thinkersalessmallcom IN NS ws droidsalessmallcom IN A IN A Figure The zone smallcom the end of some names indicate that they are abso tween the dierentnetworks lute and not relativetothe ORIGIN eld An omit Four hosts are dened within the domain server ted name eld from a record indicates that the name boss ws and ws According to the HINFO record of the previous record should b e used And the ubiq all of the hosts app ear to b e Small Incs own com uitous IN eld indicates that the records b elong to puters and op erating system the Internet domain the DNS is capable of storing A DNS query may request a record of a particular information ab out many dierenttyp es of networks typ esayanA recordor it may ask for all records p ertaining to a given name A resp onse may con The SOA record denes the Start of Authority for tain just the answers desired a p ointer to the prop er the zone Primarily a glue record it contains two server if the information is not contained within this hine that is the elds of interest to us here the mac zone or an error indication if the record requested denitive source of the information in the zone and do es not exist the electronic mail address in a variant form of the p erson resp onsible Note incidentally that the SOA If appropriate an answer mayalsocontain Ad record also contains the minimum expiration time ditional Information Supp ose a query were sent for any resource records within the zone to the smallcom server asking for the address of crittersalessmallcom The reply would con The NS records dene the authoritativename tain not just the NS record for salessmallcom servers for the domain smallcom Similar NS but also the A record for that server records must b e in the server for the com domain so that inquiries may b e directed to the prop er place In addition the parent domain must contain A ad Inverse Mapping Domains dress records for all servers for its sub domains This is illustrated by the records for salessmallcoma The records describ ed ab ove suce for forward sub domain under separate administration queries where the client has a machine name and A host with more than one network interface will wishes to lo ok up the IP address However ordi normally havemultiple A records asso ciated with it nary DBMSstyle inverse queries to map addresses Such hosts are often but not always gateways b e into names do not work The reason why is a bit subtle Certainly one chine History demonstrates that b oth p ossibilities could ask any given server whichmachine corre are real sp onded to the address Unfortu The attackers goal is to nd hosts that trust other nately that server would b e unlikely to knowthe hosts using their names and to learn the names answer Nor without more information could the of some of those trusted partners While random client knowwhich server to query The DNS is a patterns of trust can and do exist a more fruit distributed database with b oundaries delimited by ful approachistolookfortwo common patterns host name syntax IP addresses contain no clues to hines each First in a cluster of timesharing mac this organization of the machines is likely to extend blanket trust to Instead inverse mappings are implemented bya the others Even if that do es not apply to the gen separate parallel tree keyed by IP address To eral user p opulation it probably do es apply to the systems programming and op erational stas Sec mimic the structure of IP addresses and hence the fashion in which they are assigned to administrators ond the attacker can lo ok for le servers and their the individual bytes of the address are reversed A workstations The le servers sometimes trust their standard sux is app ended to avoid name collisions clients serving as a source of extra CPU cycles Fur with forward mappings Thus the addresstoname thermore if the clients are dataless they will fre mapping for host wswhich has an IP address of quently trust an administrativemachine to p ermit would b e handled by a server for zone software maintenance inaddrarpa Its database with glue In the following examples we will assume that the records omitted lo oks like this target organization has the following machines Name IP Address Type ORIGIN inaddrarpa bullseyesoftyorg le server IN PTR serversmallcom ringersoftyorg workstation IN PTR bosssmallcom groundzerosoftyorg workstation IN PTR wssmallcom All are running some derivative of bsd or bsd IN PTR wssmall com suchas SunOS and all trust each other via Each record contains only a p ointer to the forward etchostsequiv les mapping record Generallytheinverse mapping tree The attacker whom we shall dub Cuckoo in honor will reside on the same machine as the corresp ond of Cli Stolls b o ok Sto is coming from machine ing forward mapping tree but this is not a require crackerrittsorg ment Hosts with more than one address will have The essence of the basic attack relies on the na PTR records in more than one inverse mapping tree ture of the addresstoname mapping As noted ab ove this mapping uses an indep endent DNS tree Assume
Load more

Recommended publications
  • Characterizing Certain Dns Ddos Attacks
    CHARACTERIZING CERTAIN DNS DDOSATTACKS APREPRINT Renée Burton Cyber Intelligence Infoblox [email protected] July 23, 2019 ABSTRACT This paper details data science research in the area of Cyber Threat Intelligence applied to a specific type of Distributed Denial of Service (DDoS) attack. We study a DDoS technique prevalent in the Domain Name System (DNS) for which little malware have been recovered. Using data from a globally distributed set of a passive collectors (pDNS), we create a statistical classifier to identify these attacks and then use unsupervised learning to investigate the attack events and the malware that generates them. The first known major study of this technique, we discovered that current attacks have little resemblance to published descriptions and identify several previously unpublished features of the attacks. Through a combination of text and time series features, we are able to characterize the dominant malware and demonstrate that the number of global-scale attack systems is relatively small. 1 Introduction In the field of Cyber Security, there is a rich history of characterizing malicious actors, their mechanisms and victims, through the analysis of recovered malware1 and related event data. Reverse engineers and threat analysts take advantage of the fact that malware developers often unwittingly leave fingerprints in their code through the choice of libraries, variables, infection mechanisms, and other observables. In some cases, the Cyber Security Industry is able to correlate seemingly disparate pieces of information together and attribute malware to specific malicious actors. Identifying a specific technique or actor involved in an attack, allows the Industry to better understand the magnitude of the threat and protect against it.
    [Show full text]
  • Configuring DNS
    Configuring DNS The Domain Name System (DNS) is a distributed database in which you can map hostnames to IP addresses through the DNS protocol from a DNS server. Each unique IP address can have an associated hostname. The Cisco IOS software maintains a cache of hostname-to-address mappings for use by the connect, telnet, and ping EXEC commands, and related Telnet support operations. This cache speeds the process of converting names to addresses. Note You can specify IPv4 and IPv6 addresses while performing various tasks in this feature. The resource record type AAAA is used to map a domain name to an IPv6 address. The IP6.ARPA domain is defined to look up a record given an IPv6 address. • Finding Feature Information, page 1 • Prerequisites for Configuring DNS, page 2 • Information About DNS, page 2 • How to Configure DNS, page 4 • Configuration Examples for DNS, page 13 • Additional References, page 14 • Feature Information for DNS, page 15 Finding Feature Information Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
    [Show full text]
  • Adopting Encrypted DNS in Enterprise Environments
    National Security Agency | Cybersecurity Information Adopting Encrypted DNS in Enterprise Environments Executive summary Use of the Internet relies on translating domain names (like “nsa.gov”) to Internet Protocol addresses. This is the job of the Domain Name System (DNS). In the past, DNS lookups were generally unencrypted, since they have to be handled by the network to direct traffic to the right locations. DNS over Hypertext Transfer Protocol over Transport Layer Security (HTTPS), often referred to as DNS over HTTPS (DoH), encrypts DNS requests by using HTTPS to provide privacy, integrity, and “last mile” source authentication with a client’s DNS resolver. It is useful to prevent eavesdropping and manipulation of DNS traffic. While DoH can help protect the privacy of DNS requests and the integrity of responses, enterprises that use DoH will lose some of the control needed to govern DNS usage within their networks unless they allow only their chosen DoH resolver to be used. Enterprise DNS controls can prevent numerous threat techniques used by cyber threat actors for initial access, command and control, and exfiltration. Using DoH with external resolvers can be good for home or mobile users and networks that do not use DNS security controls. For enterprise networks, however, NSA recommends using only designated enterprise DNS resolvers in order to properly leverage essential enterprise cybersecurity defenses, facilitate access to local network resources, and protect internal network information. The enterprise DNS resolver may be either an enterprise-operated DNS server or an externally hosted service. Either way, the enterprise resolver should support encrypted DNS requests, such as DoH, for local privacy and integrity protections, but all other encrypted DNS resolvers should be disabled and blocked.
    [Show full text]
  • Chapter 2. Application Layer Table of Contents 1. Context
    Chapter 2. Application Layer Table of Contents 1. Context ........................................................................................................................................... 1 2. Introduction .................................................................................................................................... 2 3. Objectives ....................................................................................................................................... 2 4. Network application software ....................................................................................................... 2 5. Process communication ................................................................................................................. 3 6. Transport Layer services provided by the Internet ....................................................................... 3 7. Application Layer Protocols ........................................................................................................... 4 8. The web and HTTP .......................................................................................................................... 4 8.1. Web Terminology ................................................................................................................... 5 8.2. Overview of HTTP protocol .................................................................................................... 6 8.3. HTTP message format ...........................................................................................................
    [Show full text]
  • Analysis of Malware and Domain Name System Traffic
    Analysis of Malware and Domain Name System Traffic Hamad Mohammed Binsalleeh A Thesis in The Department of Computer Science and Software Engineering Presented in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy at Concordia University Montréal, Québec, Canada July 2014 c Hamad Mohammed Binsalleeh, 2014 CONCORDIA UNIVERSITY Division of Graduate Studies This is to certify that the thesis prepared By: Hamad Mohammed Binsalleeh Entitled: Analysis of Malware and Domain Name System Traffic and submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy complies with the regulations of this University and meets the accepted standards with respect to originality and quality. Signed by the final examining committee: Chair Dr. Christian Moreau External Examiner Dr. Nadia Tawbi Examiner to Program Dr. Lingyu Wang Examiner Dr. Peter Grogono Examiner Dr. Olga Ormandjieva Thesis Co-Supervisor Dr. Mourad Debbabi Thesis Co-Supervisor Dr. Amr Youssef Approved by Chair of the CSE Department 2014 Dean of Engineering ABSTRACT Analysis of Malware and Domain Name System Traffic Hamad Mohammed Binsalleeh Concordia University, 2014 Malicious domains host Command and Control servers that are used to instruct in- fected machines to perpetuate malicious activities such as sending spam, stealing creden- tials, and launching denial of service attacks. Both static and dynamic analysis of malware as well as monitoring Domain Name System (DNS) traffic provide valuable insight into such malicious activities and help security experts detect and protect against many cyber attacks. Advanced crimeware toolkits were responsible for many recent cyber attacks. In order to understand the inner workings of such toolkits, we present a detailed reverse en- gineering analysis of the Zeus crimeware toolkit to unveil its underlying architecture and enable its mitigation.
    [Show full text]
  • Internet Domain Name System
    IINNTTEERRNNEETT DDOOMMAAIINN NNAAMMEE SSYYSSTTEEMM http://www.tutorialspoint.com/internet_technologies/internet_domain_name_system.htm Copyright © tutorialspoint.com Overview When DNS was not into existence, one had to download a Host file containing host names and their corresponding IP address. But with increase in number of hosts of internet, the size of host file also increased. This resulted in increased traffic on downloading this file. To solve this problem the DNS system was introduced. Domain Name System helps to resolve the host name to an address. It uses a hierarchical naming scheme and distributed database of IP addresses and associated names IP Address IP address is a unique logical address assigned to a machine over the network. An IP address exhibits the following properties: IP address is the unique address assigned to each host present on Internet. IP address is 32 bits 4bytes long. IP address consists of two components: network component and host component. Each of the 4 bytes is represented by a number from 0 to 255, separated with dots. For example 137.170.4.124 IP address is 32-bit number while on the other hand domain names are easy to remember names. For example, when we enter an email address we always enter a symbolic string such as [email protected]. Uniform Resource Locator URL Uniform Resource Locator URL refers to a web address which uniquely identifies a document over the internet. This document can be a web page, image, audio, video or anything else present on the web. For example, www.tutorialspoint.com/internet_technology/index.html is an URL to the index.html which is stored on tutorialspoint web server under internet_technology directory.
    [Show full text]
  • Secure Shell- Its Significance in Networking (Ssh)
    International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: [email protected] Volume 4, Issue 3, March 2015 ISSN 2319 - 4847 SECURE SHELL- ITS SIGNIFICANCE IN NETWORKING (SSH) ANOOSHA GARIMELLA , D.RAKESH KUMAR 1. B. TECH, COMPUTER SCIENCE AND ENGINEERING Student, 3rd year-2nd Semester GITAM UNIVERSITY Visakhapatnam, Andhra Pradesh India 2.Assistant Professor Computer Science and Engineering GITAM UNIVERSITY Visakhapatnam, Andhra Pradesh India ABSTRACT This paper is focused on the evolution of SSH, the need for SSH, working of SSH, its major components and features of SSH. As the number of users over the Internet is increasing, there is a greater threat of your data being vulnerable. Secure Shell (SSH) Protocol provides a secure method for remote login and other secure network services over an insecure network. The SSH protocol has been designed to support many features along with proper security. This architecture with the help of its inbuilt layers which are independent of each other provides user authentication, integrity, and confidentiality, connection- oriented end to end delivery, multiplexes encrypted tunnel into several logical channels, provides datagram delivery across multiple networks and may optionally provide compression. Here, we have also described in detail what every layer of the architecture does along with the connection establishment. Some of the threats which Ssh can encounter, applications, advantages and disadvantages have also been mentioned in this document. Keywords: SSH, Cryptography, Port Forwarding, Secure SSH Tunnel, Key Exchange, IP spoofing, Connection- Hijacking. 1. INTRODUCTION SSH Secure Shell was first created in 1995 by Tatu Ylonen with the release of version 1.0 of SSH Secure Shell and the Internet Draft “The SSH Secure Shell Remote Login Protocol”.
    [Show full text]
  • Proactive Cyberfraud Detection Through Infrastructure Analysis
    PROACTIVE CYBERFRAUD DETECTION THROUGH INFRASTRUCTURE ANALYSIS Andrew J. Kalafut Submitted to the faculty of the Graduate School in partial fulfillment of the requirements for the degree Doctor of Philosophy in Computer Science Indiana University July 2010 Accepted by the Graduate Faculty, Indiana University, in partial fulfillment of the requirements of the degree of Doctor of Philosophy. Doctoral Minaxi Gupta, Ph.D. Committee (Principal Advisor) Steven Myers, Ph.D. Randall Bramley, Ph.D. July 19, 2010 Raquel Hill, Ph.D. ii Copyright c 2010 Andrew J. Kalafut ALL RIGHTS RESERVED iii To my family iv Acknowledgements I would first like to thank my advisor, Minaxi Gupta. Minaxi’s feedback on my research and writing have invariably resulted in improvements. Minaxi has always been supportive, encouraged me to do the best I possibly could, and has provided me many valuable opportunities to gain experience in areas of academic life beyond simply doing research. I would also like to thank the rest of my committee members, Raquel Hill, Steve Myers, and Randall Bramley, for their comments and advice on my research and writing, especially during my dissertation proposal. Much of the work in this dissertation could not have been done without the help of Rob Henderson and the rest of the systems staff. Rob has provided valuable data, and assisted in several other ways which have ensured my experiments have run as smoothly as possible. Several members of the departmental staff have been very helpful in many ways. Specifically, I would like to thank Debbie Canada, Sherry Kay, Ann Oxby, and Lucy Battersby.
    [Show full text]
  • A Diversified Set of Security Features for XMPP Communication Systems
    International Journal on Advances in Security, vol 6 no 3 & 4, year 2013, http://www.iariajournals.org/security/ 99 A Diversified Set of Security Features for XMPP Communication Systems Useful in Cloud Computing Federation Antonio Celesti, Massimo Villari, and Antonio Puliafito DICIEAMA, University of Messina Contrada di Dio, S. Agata, 98166 Messina, Italy. e-mail: facelesti, mvillari, apuliafi[email protected] Abstract—Nowadays, in the panorama of Cloud Computing, Presence Protocol (XMPP), i.e., an open-standard commu- finding a right compromise between interactivity and security nications protocol for message-oriented middleware based is not trivial at all. Currently, most of Cloud providers base on the XML (Extensible Markup Language). On one hand, their communication systems on the web service technology. The problem is that both Cloud architectures and services the XMPP is able to overcome the disadvantages of web have started as simple but they are becoming increasingly services in terms of performance, but on the other hand complex. Consequently, web services are often inappropriate. it lacks of native security features for addressing the new Recently, many operators in both academia and industry are emerging Cloud computing scenarios. evaluating the eXtensible Messaging and Presence Protocol for In this paper, we discuss how the XMPP can be adopted the implementation of Cloud communication systems. In fact, the XMPP offers many advantages in term of real-time capa- for the development of secure Cloud communication sys- bilities, efficient data distribution, service discovery, and inter- tems. In particular, we combine and generalize the assump- domain communication compared to web service technologies. tions made in our previous works respectively regarding how Nevertheless, the protocol lacks of native security features.
    [Show full text]
  • Domain Name System System Work?
    What is the DNS? - how it works Isaac Maposa | Dev Anand Teelucksingh | Beran Gillen Community Onboarding Program | 11 March 2017 Agenda 1 2 3 What is the Domain Structure of the How does the Name System? Domain Name Domain Name System System Work? 4 5 6 Who makes the Stakeholders in the Engage with ICANN Domain Name Domain Name ??? System Work? System. | 2 What is the Domain Name System (DNS)? The Internet, what is it..? ● The Internet is a network of networks that interconnects devices to exchange information. ● In order to “talk” to each other, all of these devices must have a unique numerical address called an Internet Protocol address or IP Address. An example of an IP address is 94.127.53.132 ● When you visit a website from your browser, you are requesting the website from your device’s IP address to the web server’s IP address. ● However, you don’t type in the ip address of the web server, rather the domain name of for example www.google.com ● In so doing, you have queried the DNS. ● So what is this DNS???? | 4 What is the Domain Name System? ● The Domain Name System or DNS overcomes this problem of remembering IP addresses by mapping domain names to IP addresses. ● While this sounds like a phone book, it is not a centralised database. ● The DNS is a distributed database across a hierarchy of networks of servers and provide ways for devices and software (like browsers and email) to query the DNS to get an IP address. ● Domain names must be unique.
    [Show full text]
  • Iot Communications a 5G Smart Cities Case Study Approach
    1 End to End VANET/ IoT Communications A 5G Smart Cities Case Study Approach Melvin Hayes1 and Tamer Omar2 Department of Technology Management, Indiana State University Terre Haute 1 Department of Electrical and Computer Engineering, Cal-Poly Pomona 2 Email: [email protected], [email protected] Abstract—This paper investigates the infrastructure to vehi- in achieving end-to-end communications for IoT datum and cle and infrastructure to cloud connectivity and reliability in meta-data collection and dissemination platform for IoV. the vehicular ad hoc networks (VANET) area of Intelligent Transportation Systems (ITS). A key focus of this work is to Furthermore, this work highlights and investigates the role investigate protocols that will enhance real-time, robust and that Zero-Configuration a set of technologies that can auto- reliable communication methods, and complement autonomous vehicles’ navigation experiences within smart cities. The main matically creates a usable RSUs network based on the Internet areas of study include highway infrastructure that include the Protocol Suite to support the proposed end to end communi- Wireless Sensor Networks (WSN) to the Cloud (web service) and cations systems design. This work is predominately interested vice-versa. The pertinent cloud-based data will be communicated in the upper layers of the data communication protocols for to subscribed vehicles (with password access) to complete the the Internet of Things (IoT) harmonization of WSN devices V2I and I2V communication cycle. The data collected from the WSN is communicated to the cloud via XML over XMPP, that can be used for a Vehicular Ad-Hoc Network (VANET) zero configuration, and mDNS protocols.
    [Show full text]
  • Taxonomy and Adversarial Strategies of Random Subdomain Attacks
    Taxonomy and Adversarial Strategies of Random Subdomain Attacks Harm Griffioen and Christian Doerr Delft University of Technology, Cybersecurity Group Van Mourik Broekmanweg 6, Delft, The Netherlands fh.j.griffioen, [email protected] Abstract—Ever since the introduction of the domain name new type of attack gained some visibility when source code system (DNS), attacks on the DNS ecosystem have been a steady triggering it was discovered in a forensic analysis of the Mirai companion. Over time, targets and techniques have shifted, Internet-of-Things malware in 2016 [?], since then a number and in the recent past a new type of attack on the DNS has of actors have picked up this particular technique. emerged. In this paper we report on the DNS random subdomain attack, querying floods of non-existent subdomains, intended to Until now, very little is known how these attacks are cause a denial-of-service on DNS servers. Based on five major executed and exactly using which means. This paper intends to attacks in 2018 obtained through backscatter measurements in address this gap. Based on backscatter measurements through a a large network telescope, we show the techniques pursued by large network telescope, we observed the emergence of random adversaries, and develop a taxonomy of strategies of this attack. subdomain attacks over a period of three years and will in this paper make the following two contributions: Keywords—cyber threat intelligence, random subdomain attack, DNS, DDoS • We show the spectrum of different types of random subdomain attacks in use in the wild today based on I. INTRODUCTION five exemplary case studies, and use this to develop a taxonomy of random subdomain attacks.
    [Show full text]