
Add Warden reporting capabilities to PassiveDNS

In addition to interactive work by a researcher and automated data acquisition by dependent machine systems (like NERD), the PassiveDNS system could be used to directly report security incidents to the Warden sharing infrastructure. The prerequisite for that is that suitable analytic mechanisms are developed, but the underlying interfacing work is also required.
There are two natural exit points from PassiveDNS to Warden:

  1. The pdns_importer for stream processing tasks. Contrary to popular opinion, there is enough headroom in the importer to do further analytic processing and potentially reporting. Of course, architectural limitations apply: the analytics must not require interaction between workers, as that is not currently possible and would kill the performance, and the processing should require very little RAM (as there are many workers, and because of the memory reclaim issues that current CPython implementations have). The valid candidates here are attacks using invalid or malformed requests.
  2. The pdns_bgcalc for deeper analytics on the stored data as a whole. Valid candidates are the output of the phishing detector, the planned bitcoin miner detection tool and similar high-level analytics.
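As an added illustration of the first exit point (not code from PassiveDNS or Warden), here is the kind of stateless, low-memory check a pdns_importer worker could run on each record: it flags syntactically malformed query names against the RFC 1035 length rules and builds a minimal report. The record layout (`ts`, `src_ip`, `qname`) and the report field names are assumptions; the real Warden event schema is not described here and would have to be mapped in.

```python
"""Per-record malformed-query check for an importer worker (added example).
Pure functions only: no state shared between workers, no growing buffers."""
import re
from typing import Optional

# RFC 1035 limits: each label <= 63 octets, whole name <= 253 characters.
MAX_LABEL = 63
MAX_NAME = 253
_LABEL_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # '_' tolerated for SRV/DKIM-style names


def malformed_reason(qname: str) -> Optional[str]:
    """Return why a query name is malformed, or None if it is well-formed."""
    name = qname.rstrip(".")
    if not name:
        return "empty name"
    if len(name) > MAX_NAME:
        return "name longer than %d" % MAX_NAME
    for label in name.split("."):
        if not label:
            return "empty label"
        if len(label) > MAX_LABEL:
            return "label longer than %d" % MAX_LABEL
        if not _LABEL_RE.match(label):
            return "invalid characters in label"
    return None


def make_report(record: dict) -> Optional[dict]:
    """Build a minimal report for a malformed query, or None if there is nothing to report.
    Field names are placeholders (assumption), to be mapped onto the Warden event format."""
    reason = malformed_reason(record["qname"])
    if reason is None:
        return None
    return {
        "category": "malformed-dns-query",  # placeholder category name
        "detect_time": record["ts"],
        "source_ip": record["src_ip"],
        "qname": record["qname"],
        "note": reason,
    }


def process(records):
    """Stream the records through the check; returns only the reports worth sending."""
    return [r for r in (make_report(rec) for rec in records) if r is not None]


# Constructed sample records in the assumed worker input layout
SAMPLE_RECORDS = [
    {"ts": 1700000000, "src_ip": "192.0.2.10", "qname": "www.example.org."},
    {"ts": 1700000001, "src_ip": "192.0.2.11", "qname": "a" * 70 + ".example.org."},
    {"ts": 1700000002, "src_ip": "192.0.2.12", "qname": "bad..example.org."},
]
```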

Author: Radko Krkoš krkos@cesnet.cz