2 June 2006
San Jose, CA
US/Pacific timezone

An Automated Incident Response System Using BIND Query Logs

Not scheduled
20m

Speaker

Mr John Kristoff

Description

At Northwestern University we built on top of an existing network status and incident management system by incorporating BIND query logs as an input source of data. Using a blacklist of domain names that have been identified as servicing botnets as the locator for a command and control point, we set up a process to monitor queries on the institution's primary name servers to watch for accesses to these names. Using a set of Perl scripts and a simple sampling function, we were able to issue timely alerts for a subset of suspect hosts to local administrators with a very low rate of false positives. This talk will discuss the history, implementation details and challenges of the system, which was recently shut down after being run for a little over a year in production.
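The monitoring step described above, as an added example that is not part of the original talk or of Northwestern's Perl scripts: a Python sketch that parses standard BIND 9 query-log lines, matches each queried name (and its parent domains) against a blacklist of command and control names, and reports clients whose hit count reaches a threshold. The log lines and blacklist entries below are constructed, and the per-client threshold is an assumed stand-in for the talk's sampling function, whose actual design the abstract does not describe.

```python
import re
from collections import Counter, defaultdict

# Regex for BIND 9 query-log lines (category "queries"). It accepts the older form
#   "client 10.1.2.3#51234: query: host.example.com IN A +"
# and the newer form, which adds a "@0x..." client handle and "(qname)" after the port.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Constructed blacklist of hypothetical C2 names; a real deployment loads these from a feed.
BLACKLIST = {"c2.bad-example.net", "irc.botnet-example.org"}

# Constructed sample log lines; the last one is deliberately unparseable.
SAMPLE_LOG = [
    "02-Jun-2006 09:15:01.123 client 10.20.30.40#33211: query: c2.bad-example.net IN A +",
    "02-Jun-2006 09:15:02.456 client 10.20.30.40#33212: query: www.northwestern.edu IN A +",
    "02-Jun-2006 09:15:03.789 client 10.20.30.41#41000: query: update.C2.BAD-EXAMPLE.NET. IN A +",
    "02-Jun-2006 09:15:05.001 client 10.20.30.40#33213: query: irc.botnet-example.org IN A +",
    "02-Jun-2006 09:16:10.222 client @0x7f3c1c0 10.20.30.42#5555 (mail.example.edu): "
    "query: mail.example.edu IN MX +E(0)K (10.0.0.53)",
    "junk line that does not parse",
]


def normalize(name):
    """Lower-case a DNS name and drop the trailing dot so comparisons are exact."""
    return name.rstrip(".").lower()


def parse_query(line):
    """Return {'ip', 'qname', 'qtype'} for a query-log line, or None if it is not one."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "qname": normalize(m.group("qname")), "qtype": m.group("qtype")}


def matched_blacklist_entry(qname, blacklist):
    """Return the blacklist entry that qname equals or is a subdomain of, else None."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blacklist:
            return candidate
    return None


def find_suspects(lines, blacklist=BLACKLIST, min_hits=2):
    """Map client IP -> {blacklisted name: count} for clients with at least min_hits matches.

    The min_hits threshold is an assumed substitute for the talk's sampling function:
    it suppresses one-off lookups so that only repeat resolvers of C2 names are reported.
    """
    blacklist = {normalize(n) for n in blacklist}
    hits = defaultdict(Counter)
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue
        entry = matched_blacklist_entry(q["qname"], blacklist)
        if entry is not None:
            hits[q["ip"]][entry] += 1
    return {ip: dict(names) for ip, names in hits.items() if sum(names.values()) >= min_hits}


def format_alert(ip, names):
    """One alert line per suspect client, suitable for mailing to a local administrator."""
    detail = ", ".join(f"{name} x{count}" for name, count in sorted(names.items()))
    return f"ALERT client {ip} resolved blacklisted names: {detail}"


if __name__ == "__main__":
    for ip, names in find_suspects(SAMPLE_LOG).items():
        print(format_alert(ip, names))
```

Subdomain matching matters because bots commonly look up hosts under a listed zone rather than the apex name itself; lines that fail to parse are skipped rather than treated as misses, and the threshold keeps a single stray lookup (a researcher, a mail scanner) from paging an administrator.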

Presentation materials