[RPZ] RPZ as a malware detection tool

Hugo Maxwell Connery hmco at env.dtu.dk
Mon Dec 10 13:04:50 UTC 2012


This mail is informational, rather than a request for assistance.

I last mailed to this list many months ago.  Since then I have
implemented RPZ with data provided by Spamhaus and now have
several months of real data from both caching resolvers and a 
walled garden (i.e we use a CNAME redirect as RPZ policy).

Access to real data is, of course, the key.  From what I have seen:

* lots of potentially nasty network interaction has been prevented

* use of the 'local' (hand crafted) zone has provided some protection
  against targeted phishing attacks

* infected systems can be identified either by volume of query or
  timing analysis

The last point is about either just amount of queries, or a pattern 
in time of queries, and neither is dependent upon the domain queried,
but merely that it is listed amongst the domains that are identified
as dangerous within RPZ.

Another possibility, focusing specifically on the actual domain names,
occurs to me.

The HoneyNet project (and other malware analysis engines) may
be able to identify and publish the domains to which malware is 
attempting to communicate.

Due to the rapid nature of the RPZ / IXFR transfer process, this 
identification of domains that are hosting some form of botnet C&C,
could be published for use by RPZ enabled caching resolvers.

The origin of RPZ seems to have been a frustration by P. Vixie in 
sink holing a botnet.  There seems a possibility with the use of 
malware analysis engines to not just forward block pattern based
domain usage, but to identify quickly the actual domains in use by
botnets and for that information to then rapidly be made available to RPZ
enabled caching resolvers via the RPZ / IXFR mechanism.

I would be interested in hearing about what others are doing in this
area of research (RPZ as a mechanism for malware identification).

My project is hosted at:


Useful pictorial overview of what my approach is at:


I look forward to hearing for other interested persons.

Regards,  Hugo Connery
Department of Environmental Engineering
Technical University of Denmark

More information about the DNSfirewalls mailing list