
DNS query failure and algorithmically generated domain-flux detection


Abstract

Botnets are now recognized as one of the most serious security threats. Recent botnets such as Conficker, Murofet and BankPatch have used the domain flux technique to connect to their command and control (C&C) servers: each bot queries for the existence of a series of domain names used as rendezvous points with its controllers, while the botnet owner has to register only one such domain name. The large number of potential rendezvous points makes it difficult for law enforcement to effectively shut down botnets. In this paper we present our methodology for detecting algorithmically generated domain flux. Our detection method is based on the DNS query failures that the domain flux technique produces. We process the network traffic, particularly DNS traffic. We analyze all DNS query failures and propose a threshold for DNS query failures originating from the same IP address. We applied our methodology to a packet capture (pcap) file that contains real, long-lived malware traffic and showed that it can successfully detect the domain flux technique and identify the infected host. We also applied our methodology to live campus traffic and showed that it can automatically detect the domain flux technique and identify the infected host in real time.
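The per-IP failure-count check that the abstract describes, written here as an added Python example that is not code from the paper: it counts distinct NXDOMAIN responses per client within a sliding window over a constructed DNS response log and flags clients that reach a threshold. The log format, the window length and the threshold value are assumptions, since the abstract states none of them.

```python
from collections import defaultdict, deque

# Constructed sample DNS response log (not from the paper):
# "epoch_seconds client_ip queried_name rcode"; NXDOMAIN = failed lookup.
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com NOERROR
1001 10.0.0.9 kq3vx8zl.com NXDOMAIN
1002 10.0.0.9 p0wd7yrt.net NXDOMAIN
1003 10.0.0.5 mail.example.com NOERROR
1004 10.0.0.9 z81lmqav.org NXDOMAIN
1005 10.0.0.9 r5tqwe0b.info NXDOMAIN
1006 10.0.0.9 jj2ndq9h.biz NXDOMAIN
1007 10.0.0.5 typo.exmaple.com NXDOMAIN
1008 10.0.0.9 x9cbv3mn.com NXDOMAIN
"""

# Assumed parameters: the abstract proposes a per-IP failure threshold but
# does not state its value or a time window, so these are illustrative only.
WINDOW_SECONDS = 60
FAILURE_THRESHOLD = 5

def parse_log(text):
    """Yield (timestamp, client_ip, qname, rcode) from the constructed format."""
    for line in text.splitlines():
        if line.strip():
            ts, src, qname, rcode = line.split()
            yield int(ts), src, qname.lower(), rcode

def detect_domain_flux(log_text, window=WINDOW_SECONDS, threshold=FAILURE_THRESHOLD):
    """Return {client_ip: sorted distinct failed names} for clients whose
    distinct NXDOMAIN names within a sliding window reach the threshold."""
    recent = defaultdict(deque)  # client_ip -> (ts, qname) failures in window
    flagged = {}
    for ts, src, qname, rcode in parse_log(log_text):
        if rcode != "NXDOMAIN":
            continue
        q = recent[src]
        q.append((ts, qname))
        while q and ts - q[0][0] > window:  # expire failures outside the window
            q.popleft()
        distinct = {name for _, name in q}  # flux probes many different names
        if len(distinct) >= threshold:
            flagged.setdefault(src, set()).update(distinct)
    return {src: sorted(names) for src, names in flagged.items()}

if __name__ == "__main__":
    for src, names in detect_domain_flux(SAMPLE_LOG).items():
        print(f"{src}: {len(names)} distinct failed lookups, e.g. {names[:3]}")
```

A single typo lookup from 10.0.0.5 stays below the threshold, while the client that probes many never-registered names is flagged; counting distinct names rather than raw failures keeps a host retrying one dead name from triggering the check.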
