An FPGA-Based Malicious DNS Packet Detection Tool

Cited by: 0
Authors
Thomas, Brennon [1 ]
Mullins, Barry [1 ]
Affiliation
[1] USAF, Inst Technol, Wright Patterson AFB, OH 45433 USA
Keywords
DNS; FPGA; Virtex; exfiltration; botnet; tunnel
DOI
Not available
CLC classification number
TP301 [Theory and methods]
Subject classification code
081202
Abstract
Billions and billions of packets traverse government and military networks every day. Often, these packets have legitimate destinations, such as buying a book at amazon.com or downloading open source code with a File Transfer Protocol program. Unfortunately, the past few years have seen a massive increase in malicious, illegal, and suspicious traffic. One example is abusing the Domain Name System (DNS) protocol to exfiltrate sensitive data, establish backdoor tunnels, or control botnets. To counter this abuse and provide better incident detection, a physical hardware system is under development to detect these suspicious DNS packets. The system is constructed on a Xilinx Virtex-II Pro Field Programmable Gate Array (FPGA) and is based on a system originally developed to detect BitTorrent and Voice over Internet Protocol packets of interest. The first iteration prototype is limited both in processing speed (300 MHz) and by its 100 Mbps Ethernet interface. Despite the hardware shortfalls, preliminary experiments are promising. The system inspects each packet, determines whether it is a DNS packet, compares the first four characters of the lowest-level domain against a DNS whitelist, and, if the domain is not allowed, logs it for further analysis. The first experiment resulted in 100% malicious packet detection under 88 Mbps network utilization; in that experiment, 50 malicious DNS packets were sent at one-second intervals while the network was flooded with NetBIOS traffic. The second experiment resulted in an average of 91% malicious packet detection under 88.7 Mbps network utilization; in that experiment, 2000 malicious DNS packets were sent as fast as possible while the network was flooded with non-malicious DNS traffic. For both experiments, DNS whitelist sizes of 1K, 10K, and 100K were used. Future work will focus on transferring the system to the Virtex-5 FPGA, which contains a 550 MHz processor and a 1 Gbps Ethernet interface. In addition, the DNS whitelist size will be increased until the system fails to detect 50% of packets of interest. The goal is to determine whether the system can be scaled to gigabit network speeds while also handling larger DNS whitelist sizes. The system seeks to aid network defenders in identifying and tracking malicious DNS packets traversing government networks while also providing better incident response awareness.
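The decision path the abstract describes (is it DNS, take the lowest-level domain, key the whitelist on its first four characters, log anything not allowed) is illustrated below in software. This is an added example, not the paper's FPGA implementation; it assumes "lowest-level domain" means the leftmost QNAME label, that DNS is identified by UDP destination port 53, and uses a constructed whitelist.

```python
import struct

# Constructed whitelist of allowed lowest-level labels (sample values, not from the paper).
WHITELIST_LABELS = {"www", "mail", "ftp", "ns1"}
# The prototype keys the lookup on the first four characters only, so the table holds prefixes.
WHITELIST_KEYS = {label[:4] for label in WHITELIST_LABELS}


def build_query(qname):
    """Build a minimal DNS standard query (12-byte header + one question) as test input."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # ID, RD flag, QDCOUNT=1
    question = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split("."))
    return header + question + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(payload):
    """Return the labels of the first question's QNAME, or None if the payload is malformed."""
    if len(payload) < 12:
        return None
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount == 0:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        if length == 0:                       # root label terminates the name
            break
        if length & 0xC0:                     # compression pointers are not valid in a question name
            return None
        pos += 1
        if pos + length > len(payload):
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    return labels


def inspect(dst_port, payload):
    """Classify one UDP payload: 'not-dns', 'malformed', 'allowed', or 'log' (whitelist miss)."""
    if dst_port != 53:                        # assumption: DNS is identified by destination port
        return "not-dns"
    labels = parse_qname(payload)
    if not labels:
        return "malformed"
    key = labels[0][:4]                       # assumption: lowest-level domain == leftmost label
    return "allowed" if key in WHITELIST_KEYS else "log"
```

Because only four characters are compared, a label such as `mailbox` shares the key `mail` with the whitelisted `mail` and is passed through; that collision is the trade-off of the short key and is worth measuring when whitelists grow to the 100K sizes tested.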
Pages: 337 / 342
Page count: 6