CROFlux - Passive DNS method for detecting fast-flux domains
نویسندگان
چکیده
In this paper we present our approach to fast flux detection called CROFlux that relies on the passive DNS replication method. The presented model can significantly reduce the number of false positive detections, and can detect other suspicious domains that are used for fast flux. This algorithm is used and implemented in Advanced Cyber Defense Centre – a European project co-funded by the European Commission. Ovaj dokument je vlasništvo Nacionalnog CERT–a. Namijenjen je za javnu objavu, njime se može svatko koristiti, na njega se pozivati, ali samo u izvornom obliku, bez ikakvih izmjena, uz obvezno navođenje izvora podataka. Zabranjena je bilo kakva distribucija dokumenta u elektroničkom (web stranice i dr.) ili papirnatom obliku. Korištenje ovog dokumenta protivno gornjim navodima, povreda je autorskih prava CARNet–a, a sve sukladno zakonskim odredbama Republike Hrvatske. 1 Ovaj članak prezentiran je na međunarodnom znanstvenom skupu MIPRO 2014 i dostupan je putem poveznice http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6859782
منابع مشابه
Security Monitoring of DNS traffic
The Domain Name System (DNS) is a critical part of the Internet. This paper analyzes methods for passive DNS replication and describes the replication setup at the University of Auckland. Analysis of the replicated DNS traffic showed great dependency of collaborative anti-spam tools on the DNS. These tools also put a great burden on the DNS. This paper discusses analyzed anomalies in the replic...
متن کاملPassive Monitoring of DNS Anomalies
We collected DNS responses at the University of Auckland Internet gateway in an SQL database, and analyzed them to detect unusual behaviour. Our DNS response data have included typo squatter domains, fast flux domains and domains being (ab)used by spammers. We observe that current attempts to reduce spam have greatly increased the number of A records being resolved. We also observe that the dat...
متن کاملDetecting Active Bot Networks Based on DNS Traffic Analysis
Abstract—One of the serious threats to cyberspace is the Bot networks or Botnets. Bots are malicious software that acts as a network and allows hackers to remotely manage and control infected computer victims. Given the fact that DNS is one of the most common protocols in the network and is essential for the proper functioning of the network, it is very useful for monitoring, detecting and redu...
متن کاملDNS Traffic Analysis for Network-based Malware Detection
(English) Botnets are generally recognized as one of the most challenging threats on the Internet today. Botnets have been involved in many attacks targeting multinational organizations and even nationwide internet services. As more effective detection and mitigation approaches are proposed by security researchers, botnet developers are employing new techniques for evasion. It is not surprising...
متن کاملDetection of fast - ux botnets through DNS tra c analysis
Botnets are networks built up of a large number of bot computers, which provide the attacker with massive resources, such as bandwidth, storage, and processing power, in turn, allowing the attacker to launch massive attacks, such as Distributed Denial of Service (DDoS) attacks, or undertake spamming or phishing campaigns. One of the main approaches for botnet detection is based on monitoring an...
متن کامل