Monitoring a Fast Flux botnet using recursive and passive DNS: A case study

Cited by: 0
Authors: Mahjoub, Dhia [1]
Affiliation: [1] OpenDNS, Umbrella Secur Labs, San Francisco, CA 94107 USA
Keywords: fast flux; botnet; Kelihos; real-time; passive DNS;
DOI: not available
CLC classification: TP301 [Theory and methods];
Discipline code: 081202;
Abstract
Fast flux, an evasion technique that has been around for years, continues to be widely used by cybercriminals today. In this case study, we describe a real-time monitoring and detection system that leverages recursive and passive DNS to track the Kelihos fast flux botnet. We track how the botnet grows its population of infected hosts and detect, in real time, the newest Kelihos fast flux domains being hosted by the botnet. Our analysis presents results on various components and attributes of the infrastructure leveraged by the Kelihos fast flux botnet. These include: domain TLD distribution, botnet geo-distribution, botnet daily cycles, distribution of operating systems used by the botnet machines, daily-discovered fast flux domains, domain and IP lifetime distribution, as well as specific examples of usage that highlight malicious campaigns.
Pages: 9