    • Scientia Iranica
    • Volume 22, Issue 6
    Detection of Fast-Flux Botnets Through DNS Traffic Analysis

    Author(s)
    Soltanaghaei, Elahe; Kharrazi, Mehdi
    Document type
    Text
    Document language
    English
    Abstract
    Botnets are networks built up of a large number of bot computers which provide the attacker with massive resources such as bandwidth, storage, and processing power, in turn allowing the attacker to launch massive attacks such as Distributed Denial of Service (DDoS) attacks, or undertake spamming or phishing campaigns. One of the main approaches for botnet detection is based on monitoring and analyzing DNS queries/responses in the network, where botnets make their detection more difficult by using techniques such as fast-fluxing. Moreover, the main challenge in detecting fast-flux botnets arises from their similar behavior to that of legitimate networks, such as CDNs, which employ a round-robin DNS technique. In this paper, we propose a new system to detect fast-flux botnets by passive DNS monitoring. The proposed system first filters out domains seen in historical DNS traces, assuming that they are benign. We believe this assumption to be valid, as benign domains usually have longer lifetimes when compared to botnet domains, which are usually short-lived. Hence CDN domains, which are the main cause of misclassification when looking for malicious fast-flux domains, are removed. Afterwards, a few simple features are calculated to help in properly categorizing the domains in question as either benign or botnet-related. The proposed system is evaluated by employing DNS traces from our campus network, and encouraging evaluation results are obtained.
    Keywords
    botnets
    BOT
    C&C channel
    fast-flux
    IPflux
    DNS server

    Issue number
    6
    Publication date
    2015-12-01
    1394-09-10
    Publisher
    Sharif University of Technology
    Author affiliation
    Department of Computer Engineering, Sharif University of Technology, Tehran, Iran
    Department of Computer Engineering, room 609, Sharif University of Technology, Tehran, Iran

    ISSN
    1026-3098
    2345-3605
    URI
    http://scientiairanica.sharif.edu/article_3790.html
    https://iranjournals.nlai.ir/handle/123456789/119688
