Detect Fast-Flux Domains Through Response Time Differences

A fast-flux service network (FFSN) uses dynamic DNS to map a dynamic domain, called fast-flux domain (FF domain), to various IP addresses and uses flux bots to redirect network traffic. Due to its powerful capability to conceal the hosts hidden behind the flux bots, FFSNs are widely adopted by attackers to cover various scams. Although diverse promising solutions have been proposed to detect FF domains, they face the same problem-different countermeasures could be used to bypass their detection. Hence, it becomes a critical issue to develop a new detection solution. According to our survey, unlike normal network services that use dynamic DNS to balance the workloads of their hosts, FFSNs utilize dynamic DNS to hide important bots. As a result, the response time of subsequent requests to an FF domain becomes more fluctuating. Based on the response time differences, this paper develops a new metric, Fast-Flux Score (FF-Score), to detect FF domains. Our system, called fast-flux domain detector (FFDD), is used on a computer that could be an end host or an IDS. A user with a set of unknown URLs, which may be obtained from spam or social networks, can simply determine whether they are benign domains or fast-flux ones using FFDD. Experimental results show that FFDD can accurately detect FF domains with only a 0.3% false positive rate and a 2% false negative rate. It takes less than 20 min for FFDD to determine whether a domain is an FF domain. In addition, FFDD is a lightweight stand-alone system; hence, it does not require special support from an ISP or any other network service.