Charlatans' Web: Analysis and Application of Global IP-Usage Patterns of Fast-Flux Botnets

Abstract

Botnet-based hosting or redirection/proxy services provide botmasters with an ideal platform for hosting malicious and illegal content while affording them a high level of misdirection and protection. Because of the unreliable connectivity of the constituent bots (typically compromised home computers), domains built atop botnets require frequent updates to their DNS records, replacing the IPs of offline bots with online ones to prevent a disruption in (malicious) service. Consequently, their DNS records contain a large number of constantly-changing (i.e., "fluxy") IPs, earning them the descriptive moniker of fast-flux domains, or, when both the content and name servers are fluxy, double fast-flux domains. In this paper, we study the global IP-usage patterns exhibited by different types of malicious and benign domains, including single and double fast-flux domains. We have deployed a lightweight DNS-probing engine, called DIGGER, on 240 PlanetLab nodes spanning 4 continents. Collecting DNS data for over 3.5 months on a plethora of domains, our global vantage points enabled us to identify distinguishing behavioral features between them based on their DNS query results.

Document Details

Document Type
Technical Report
Publication Date
Jan 06, 2011
Accession Number
ADA535046

Entities

People

  • Kang G. Shin

Organizations

  • University of Michigan

Tags

Communities of Interest

  • Engineered Resilient Systems

DTIC Thesaurus Topics

  • Artificial Intelligence
  • Computer Network Security
  • Computer Networks
  • Computer Science
  • Continents
  • Criminals
  • Data Mining
  • Detection
  • Detectors
  • Electronic Mail
  • Machine Learning
  • Network Protocols
  • Network Science
  • Networks
  • Personnel Management
  • Supervised Machine Learning
  • Test Sets

Fields of Study

  • Computer science

Readers

  • Cybersecurity.
  • Military Engineering.