Finding Fast Flux Traffic in DNS Haystack

Conference paper, Critical Information Infrastructures Security (CRITIS 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12332)

Abstract

Fast-Flux (FF), a technique that maps a hostname to multiple IP addresses, has been used by cybercriminals to hide their botnet servers and to give those servers anonymity and resiliency. The operation of an FF service network, often used for phishing campaigns and for propagating malware against critical infrastructure, is quite similar to the operation of a Content Delivery Network (CDN) service, which makes differentiating between the two services challenging. In this research, the authors present a case study of how FF operates and can be detected in an Internet Service Provider (ISP) network infrastructure: a high volume of DNS traffic was collected over five months and analyzed by extracting several DNS features and feeding them into K-means clustering to distinguish between the two services. The authors show that using web service content as one of the features differentiates between the two services with a purity value of 0.922.
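The abstract describes clustering DNS features with K-means and scoring the split by purity. The following is an added illustration, not code from the paper: it runs a two-cluster K-means over constructed passive-DNS summaries and computes purity against known labels. The feature set (distinct IPs, distinct ASNs, TTL) and the sample domains are assumptions standing in for the paper's unspecified features; the CDN domain `cdn-c.example` is deliberately built to look flux-like on DNS features alone, which is the kind of confusion the authors resolve with web content.

```python
"""Added example, not the paper's code: cluster constructed passive-DNS summaries
into fast-flux-like and CDN-like groups with a two-cluster K-means and score the
split with cluster purity. The DNS feature set is an assumption, not the paper's."""
from collections import Counter
from statistics import mean

# Constructed summaries, domain -> (ttl_seconds, [(ip, asn), ...]). Fast-flux
# rotates many IPs across many ASNs with tiny TTLs; a CDN serves several IPs
# from its own ASN. cdn-c mimics a multi-CDN setup that looks fluxy on DNS alone.
RECORDS = {
    "flux-a.example": (30, [("203.0.113.5", 64501), ("198.51.100.9", 64502),
                            ("192.0.2.77", 64503), ("203.0.113.88", 64504)]),
    "flux-b.example": (60, [("192.0.2.10", 64505), ("198.51.100.21", 64506), ("203.0.113.150", 64507)]),
    "cdn-a.example": (300, [("192.0.2.1", 64510), ("192.0.2.2", 64510), ("192.0.2.3", 64510)]),
    "cdn-b.example": (600, [("198.51.100.1", 64511), ("198.51.100.2", 64511)]),
    "cdn-c.example": (60, [("192.0.2.40", 64512), ("192.0.2.41", 64512), ("198.51.100.40", 64513)]),
}
TRUTH = {"flux-a.example": "ff", "flux-b.example": "ff", "cdn-a.example": "cdn",
         "cdn-b.example": "cdn", "cdn-c.example": "cdn"}  # ground truth for purity

def features(records):
    """Per-domain vector: distinct IPs, distinct ASNs, TTL in minutes."""
    return {d: [len({ip for ip, _ in rrs}), len({asn for _, asn in rrs}), ttl / 60]
            for d, (ttl, rrs) in records.items()}

def dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

def kmeans2(vecs, iters=20):
    """Two-cluster K-means seeded with the two farthest points, so runs are deterministic."""
    names = list(vecs)
    s0, s1 = max(((a, b) for a in names for b in names), key=lambda p: dist(vecs[p[0]], vecs[p[1]]))
    cents, labels = [vecs[s0][:], vecs[s1][:]], {}
    for _ in range(iters):
        new = {n: min((0, 1), key=lambda k: dist(vecs[n], cents[k])) for n in names}
        if new == labels:
            break  # assignments stable: converged
        labels = new
        for k in (0, 1):
            members = [vecs[n] for n in names if labels[n] == k]
            if members:
                cents[k] = [mean(col) for col in zip(*members)]
    return labels

def purity(labels, truth):
    """Purity (Manning et al.): credit each cluster with its majority class, divide by N."""
    hits = sum(max(Counter(truth[n] for n in labels if labels[n] == k).values())
               for k in set(labels.values()))
    return hits / len(labels)
```

On these records the DNS-only features put `cdn-c.example` with the flux domains, so purity is 0.8 rather than 1.0, showing why a feature beyond DNS behaviour is needed to separate the two services.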



Author information

Correspondence to Williams Surjanto or Charles Lim.


Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Surjanto, W., Lim, C. (2020). Finding Fast Flux Traffic in DNS Haystack. In: Rashid, A., Popov, P. (eds) Critical Information Infrastructures Security. CRITIS 2020. Lecture Notes in Computer Science, vol. 12332. Springer, Cham. https://doi.org/10.1007/978-3-030-58295-1_6

  • DOI: https://doi.org/10.1007/978-3-030-58295-1_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-58294-4

  • Online ISBN: 978-3-030-58295-1

  • eBook Packages: Computer Science (R0)
