Speaker: Mr John Kristoff
Description
At Northwestern University we built on top of an existing network
status and incident management system by adding BIND query logs as
an input source of data. Using a blacklist of domain names that have
been identified as serving botnets as the locator for a command and
control point, we set up a process to monitor queries on the
institution's primary name servers and watch for lookups of these
names. Using a set of Perl scripts and a simple sampling function,
we were able to issue timely alerts about a subset of suspect hosts
to local administrators with a very low rate of false positives.
This talk will discuss the history, implementation details and
challenges of the system, which was recently shut down after running
in production for a little over a year.
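To make the described pipeline concrete, here is an added example, written in Python rather than being the Northwestern Perl scripts (which the abstract does not reproduce): it parses BIND query-log lines, matches queried names against a blocklist of C2 domains by suffix rather than substring, and reports at most one alert per client per time window. The blocklist, the log lines and the per-host suppression window (standing in for the sampling function the abstract does not detail) are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed blocklist of C2 names (hypothetical; the real list came from botnet trackers).
BLOCKLIST = {"c2.botnet-example.test", "update.malware-example.test"}
# Classic BIND 9 query-log line, e.g.
#   21-Mar-2009 12:00:01.123 client 10.1.2.3#53124: query: NAME IN TYPE + (192.0.2.1)
# The optional "@0x..." and "(name)" groups also accept the newer BIND layout.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?client (?:@\S+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def normalize(name):
    """Lower-case and drop the trailing dot so 'C2.Example.' and 'c2.example' compare equal."""
    return name.lower().rstrip(".")

def is_listed(name, blocklist):
    """Hit if the name is a listed domain or any label beneath one; never a substring match."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def parse_line(line):
    """Return (timestamp, client_ip, qname) or None for lines that are not queries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"), m.group("ip"), m.group("name")

def detect(lines, blocklist=BLOCKLIST, window=timedelta(hours=1)):
    """Return (timestamp, client_ip, name) alerts, at most one per client per window.
    Note: if clients reach the server through a forwarder, the IP seen is the forwarder's."""
    alerts, last_alert = [], {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or not is_listed(parsed[2], blocklist):
            continue
        ts, ip, name = parsed
        prev = last_alert.get(ip)
        if prev is not None and ts - prev < window:
            continue  # this host was already reported inside the window; suppress
        last_alert[ip] = ts
        alerts.append((ts, ip, normalize(name)))
    return alerts

# Constructed sample lines (not real Northwestern data); run with detect(SAMPLE_LOG)
SAMPLE_LOG = [
    "21-Mar-2009 12:00:01.123 client 10.1.2.3#53124: query: www.example.test IN A + (192.0.2.1)",
    "21-Mar-2009 12:00:02.456 client 10.1.2.3#53125: query: C2.botnet-example.test. IN A + (192.0.2.1)",
    "21-Mar-2009 12:10:00.789 client 10.1.2.3#53126: query: c2.botnet-example.test IN A + (192.0.2.1)",
    "21-Mar-2009 12:20:00.001 client 10.9.9.9#40000: query: beacon.update.malware-example.test IN TXT + (192.0.2.1)",
    "21-Mar-2009 13:30:00.002 client 10.1.2.3#53127: query: c2.botnet-example.test IN A + (192.0.2.1)",
    "not a query log line",
]
```

Against SAMPLE_LOG this yields three alerts: the first hit from 10.1.2.3, the subdomain hit from 10.9.9.9, and a second alert for 10.1.2.3 only once the hour-long window has elapsed.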