Abstract
Fast-Flux (FF), a technique that associates a hostname with many rapidly changing IP addresses, has been used by cybercriminals to hide their botnet servers, giving the infrastructure anonymity and resiliency. The operation of an FF service network, often used for phishing campaigns and to propagate malware that attacks critical infrastructure, closely resembles the operation of a Content Delivery Network (CDN) service, which makes it challenging to differentiate between the two. In this research, the authors present a case study of how FF operates and can be detected in an Internet Service Provider (ISP) network infrastructure: a high volume of DNS traffic was collected over five months and analyzed by extracting several DNS features and feeding them into K-means clustering to distinguish between the two services. During the experiment, the authors show that using web service content as one of the features can differentiate between the two services with a purity value of 0.922.
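To make the abstract's pipeline concrete, here is an added example (not code from the paper): K-means over a few per-domain DNS features, scored with the clustering purity measure the abstract reports. The three features and the sample domains are constructed assumptions, since the page does not list the paper's feature set.

```python
# Added example, not from the paper: K-means over per-domain DNS features and the
# clustering purity measure the abstract reports (purity = 0.922 on the ISP data).
from collections import Counter

# Constructed sample, one tuple per domain: (distinct IPs, distinct ASNs, mean TTL s).
# These three features are an assumption; the abstract does not list its feature set.
SAMPLES = [
    ((4, 1, 300), "cdn"), ((6, 1, 60), "cdn"), ((5, 2, 120), "cdn"), ((3, 1, 600), "cdn"),
    ((12, 9, 20), "ff"), ((15, 11, 30), "ff"), ((9, 7, 10), "ff"), ((14, 10, 60), "ff"),
    ((7, 2, 90), "cdn"), ((11, 8, 15), "ff"),
]

def normalize(rows):
    """Min-max scale each column so TTL (hundreds of seconds) does not swamp the counts."""
    cols = list(zip(*rows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [tuple((v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(r, lo, hi))
            for r in rows]

def dist2(p, q):
    return sum((a - b) ** 2 for a, b in zip(p, q))

def kmeans(points, k, iters=100):
    """Lloyd's algorithm with deterministic farthest-first seeding; returns a cluster id per point."""
    centroids = [points[0]]
    while len(centroids) < k:  # next seed = point farthest from its nearest existing seed
        centroids.append(max(points, key=lambda p: min(dist2(p, c) for c in centroids)))
    assign = [-1] * len(points)
    for _ in range(iters):
        new = [min(range(k), key=lambda j: dist2(p, centroids[j])) for p in points]
        if new == assign:
            break
        assign = new
        for j in range(k):
            members = [p for p, a in zip(points, assign) if a == j]
            if members:
                centroids[j] = tuple(sum(c) / len(members) for c in zip(*members))
    return assign

def purity(assign, labels):
    """Purity (Manning et al.): each cluster is credited with its majority label, summed over N."""
    hits = sum(max(Counter(l for a, l in zip(assign, labels) if a == j).values())
               for j in set(assign))
    return hits / len(labels)

def cluster_and_score(samples=SAMPLES, k=2):
    """Cluster the feature vectors, then score the result against the known CDN/FF labels."""
    feats = normalize([f for f, _ in samples])
    return purity(kmeans(feats, k), [l for _, l in samples])

if __name__ == "__main__":
    print(f"purity = {cluster_and_score():.3f}")
```

On real ISP traffic the clusters overlap (CDNs also rotate addresses), which is why the paper's purity stays below 1.0 and why it adds web content as a feature.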
Copyright information
© 2020 Springer Nature Switzerland AG
Cite this paper
Surjanto, W., Lim, C. (2020). Finding Fast Flux Traffic in DNS Haystack. In: Rashid, A., Popov, P. (eds) Critical Information Infrastructures Security. CRITIS 2020. Lecture Notes in Computer Science(), vol 12332. Springer, Cham. https://doi.org/10.1007/978-3-030-58295-1_6
DOI: https://doi.org/10.1007/978-3-030-58295-1_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-58294-4
Online ISBN: 978-3-030-58295-1