A DNS-based sinkhole is a DNS server that responds to a query with a falsified result. Doing so with a malicious intent would classify as DNS spoofing. However, sinkholes have also been used for non-malicious purposes. For example, the command and control (C&C) channel of a botnet can be interrupted by locally deploying a sinkhole [1][2].
Besides actively scrubbing traffic, a potential application is to analyze network traffic to gain insights on cyberattacks [3]. For that, there is a lack of solutions that provide integrated sinkholing and traffic analysis features. The goal of this thesis is to integrate a configurable and easy to use DNS sinkhole into the SecGrid traffic analysis platform [4]. Depending on the type of thesis, we will evaluate the prototype by analyzing a cyberattack in a practical case study.
[1] WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm: https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
[2] Guy Bruneau, DNS Sinkhole: https://sansorg.egnyte.com/dl/DYUXN3hHdz/?
[3] Malware Statistics: https://www.govcert.admin.ch/statistics/malware/
[4] M. Franco et al., "Poster: DDoSGrid: a Platform for the Post-mortem Analysis and Visualization of DDoS Attacks" https://ieeexplore.ieee.org/document/9472850
Supervisors: Jan von der Assen
back to the main page