An Fpga-based System for Detecting Malicious Dns Network Traffic

Billions of packets traverse computer networks every day. Often, these packets have legitimate destinations such as buying a book at amazon.com or streaming a video. Unfortunately, malicious and suspicious network traffic continues to plague the Internet. One example is abusing the Domain Name System (DNS) protocol to exfiltrate sensitive data, establish backdoor tunnels, or control botnets. To counter this abuse and provide better incident detection, a forensic tool is developed to detect suspicious DNS traffic. The forensic tool is derived from the TRacking and Analysis for Peer-to-Peer (TRAPP) system, developed in 2008, to detect BitTorrent and Voice over Internet Protocol (VoIP) traffic of interest. Using concepts and technology developed for the TRAPP system, the new TRAPP-2 system forensic tool is constructed on a Xilinx Virtex-5 ML510 Field Programmable Gate Array (FPGA) board. The TRAPP-2 system detects a DNS packet, extracts the payload, compares the data against a hash list and, if the packet is suspicious, logs the entire packet for future analysis. The goal of this research is to evaluate the performance of the TRAPP-2 system as a solution to detect and track malicious DNS packets traversing a gigabit Ethernet network. Results show that the TRAPP-2 system captures 91.89% of DNS packets of interest while under a 93.7% network load (937 Mbps). In another experiment, the hash list size is increased from 1,000 to 131,072,000 unique items and reveals that each doubling of the hash list size results in a mean increase of approximately 16 central processing unit cycles. These results demonstrate the TRAPP-2 system’s ability to detect traffic of interest under a saturated network while maintaining large hash lists.