Revealing Botnet Membership Using DNSBL Counter-Intelligence
Botnets, networks of (typically compromised) machines, are often used for nefarious activities (e.g., spam, click fraud, and denial-of-service attacks). Identifying members of botnets could help stem these attacks, but passively detecting botnet membership (i.e., without disrupting the operation of the botnet) proves to be difficult. This paper studies the effectiveness of monitoring lookups to a DNS-based Blackhole List (DNSBL) to expose botnet membership. The authors perform counter-intelligence based on the insight that botmasters themselves perform DNSBL lookups to determine whether their spamming bots are blacklisted.
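As an added illustration (not code from the paper), the sketch below shows the raw material that monitoring DNSBL lookups provides: it decodes the reversed-octet IPv4 query names seen by a DNSBL server and records who asked about which address. The zone `dnsbl.example`, the three-field log format and all addresses are constructed assumptions, and the grouping is a plain tally, not the paper's detection heuristics.

```python
import ipaddress
from collections import defaultdict

ZONE = "dnsbl.example"  # placeholder zone name (assumption)

# Constructed sample query log: "<epoch> <querier IP> <query name>"
SAMPLE_LOG = """\
1000 198.51.100.7 10.2.0.192.dnsbl.example.
1001 198.51.100.7 11.2.0.192.DNSBL.example
1002 198.51.100.7 12.2.0.192.dnsbl.example
1003 203.0.113.25 10.2.0.192.dnsbl.example
1004 203.0.113.25 www.example.org
1005 203.0.113.25 999.2.0.192.dnsbl.example
"""

def parse_dnsbl_qname(qname, zone=ZONE):
    """Return the IPv4 address a DNSBL query asks about, or None."""
    name = qname.rstrip(".").lower()      # DNS names are case-insensitive
    suffix = "." + zone.lower()
    if not name.endswith(suffix):
        return None                        # not a lookup in this list
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        # An IPv4 DNSBL name carries the octets in reverse order.
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ValueError:
        return None                        # malformed octets

def lookup_graph(log_text, zone=ZONE):
    """Map each querier to the set of addresses it looked up."""
    graph = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        _, querier, qname = fields
        subject = parse_dnsbl_qname(qname, zone)
        if subject is not None:
            graph[querier].add(subject)
    return dict(graph)

def queriers_per_subject(graph):
    """Invert the graph: looked-up address -> set of queriers."""
    inverse = defaultdict(set)
    for querier, subjects in graph.items():
        for subject in subjects:
            inverse[subject].add(querier)
    return dict(inverse)
```
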