Title :
Monitoring a fast flux botnet using recursive and passive DNS: A case study
Author_Institution :
Umbrella Security Labs, OpenDNS, San Francisco, CA, USA
Abstract :
Fast flux, an evasion technique that has been around for years, continues to be widely used by cybercriminals today. In this case study, we describe a real-time monitoring and detection system that leverages recursive and passive DNS to track the Kelihos fast flux botnet. We track how the botnet grows its population of infected hosts, and detect in real time the newest Kelihos fast flux domains being hosted by the botnet. Our analysis presents results on various components and attributes of the infrastructure leveraged by the Kelihos fast flux botnet. These include: domain TLD distribution, botnet geo-distribution, botnet daily cycles, distribution of operating systems used by the botnet machines, daily-discovered fast flux domains, domain and IP lifetime distribution, as well as specific examples of usage that highlight malicious campaigns.
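The abstract names the passive-DNS attributes the system derives (distinct IPs per domain, domain and IP lifetimes, TLD distribution, linking new domains to hosts already known to be bots) without giving the computation. The following is an added illustration, not code from the paper or from OpenDNS: it aggregates constructed passive-DNS A-record observations and derives those attributes. The record layout, the flux heuristic (many distinct IPs at low TTL), the thresholds, and the overlap rule for linking a new domain to known bot IPs are my assumptions; the paper's actual features and classifier are not described in this record. The domains and TEST-NET addresses in the sample are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PdnsRecord:
    """One passive-DNS A-record observation (assumed layout): the domain, the IP it
    resolved to, the TTL served, and the first/last time this pair was observed."""
    domain: str
    ip: str
    ttl: int
    first_seen: datetime
    last_seen: datetime


T0 = datetime(2013, 5, 1)


def _rec(domain, ip, ttl, start_h, end_h):
    """Build a record whose observation window is [T0+start_h, T0+end_h] hours."""
    return PdnsRecord(domain, ip, ttl,
                      T0 + timedelta(hours=start_h), T0 + timedelta(hours=end_h))


# Constructed sample (not Kelihos data): two hypothetical flux domains cycling through
# short-lived, low-TTL IPs, one of which reuses IPs of the other, and one benign
# domain pinned to a single IP with a normal TTL for the whole window.
SAMPLE = [
    _rec("qwerty123.ru", "203.0.113.10", 60, 0, 3),
    _rec("qwerty123.ru", "203.0.113.11", 60, 2, 5),
    _rec("qwerty123.ru", "203.0.113.12", 60, 4, 8),
    _rec("qwerty123.ru", "203.0.113.13", 60, 7, 10),
    _rec("qwerty123.ru", "203.0.113.14", 60, 9, 12),
    _rec("qwerty123.ru", "203.0.113.15", 60, 11, 14),
    _rec("zxcv987.com", "203.0.113.12", 120, 5, 9),
    _rec("zxcv987.com", "203.0.113.13", 120, 8, 11),
    _rec("zxcv987.com", "192.0.2.20", 120, 10, 13),
    _rec("zxcv987.com", "192.0.2.21", 120, 12, 15),
    _rec("zxcv987.com", "192.0.2.22", 120, 14, 16),
    _rec("corp-site.com", "198.51.100.5", 3600, 0, 72),
]


def domain_profiles(records):
    """Per domain: number of distinct IPs, lowest TTL seen, and lifetime in hours
    (first observation of any IP to last observation of any IP)."""
    ips, min_ttl, first, last = defaultdict(set), {}, {}, {}
    for r in records:
        ips[r.domain].add(r.ip)
        min_ttl[r.domain] = min(min_ttl.get(r.domain, r.ttl), r.ttl)
        first[r.domain] = min(first.get(r.domain, r.first_seen), r.first_seen)
        last[r.domain] = max(last.get(r.domain, r.last_seen), r.last_seen)
    return {d: {"ip_count": len(ips[d]),
                "min_ttl": min_ttl[d],
                "lifetime_h": (last[d] - first[d]).total_seconds() / 3600}
            for d in ips}


def flag_fast_flux(records, min_ips=5, max_ttl=300):
    """Assumed heuristic: flag a domain that resolved to at least min_ips distinct
    IPs while advertising a TTL of max_ttl seconds or less."""
    return {d for d, p in domain_profiles(records).items()
            if p["ip_count"] >= min_ips and p["min_ttl"] <= max_ttl}


def ip_lifetimes(records):
    """Hours between the first and last time each IP was seen serving any domain
    (the IP lifetime distribution, here on the raw records)."""
    first, last = {}, {}
    for r in records:
        first[r.ip] = min(first.get(r.ip, r.first_seen), r.first_seen)
        last[r.ip] = max(last.get(r.ip, r.last_seen), r.last_seen)
    return {ip: (last[ip] - first[ip]).total_seconds() / 3600 for ip in first}


def tld_distribution(domains):
    """Count domains per top-level label (the TLD distribution)."""
    return Counter(d.rsplit(".", 1)[-1] for d in domains)


def domains_on_known_bots(records, known_bot_ips, min_overlap=2):
    """Assumed linkage step: a domain whose resolved IPs include at least
    min_overlap addresses already known as bots is attributed to the botnet."""
    hits = defaultdict(set)
    for r in records:
        if r.ip in known_bot_ips:
            hits[r.domain].add(r.ip)
    return {d for d, s in hits.items() if len(s) >= min_overlap}


if __name__ == "__main__":
    flux = flag_fast_flux(SAMPLE)
    print("flux domains:", sorted(flux))
    print("TLDs:", dict(tld_distribution(flux)))
    print("IP lifetimes (h):", ip_lifetimes(SAMPLE))
    known = {ip for r in SAMPLE if r.domain == "qwerty123.ru" for ip in [r.ip]}
    print("linked via known bots:", sorted(domains_on_known_bots(SAMPLE, known)))
```

The overlap rule in `domains_on_known_bots` is what makes a newly observed domain attributable to the botnet rather than merely "low TTL": a legitimate CDN domain also churns IPs, but it does not share those IPs with a set of hosts already confirmed as infected. Requiring two or more shared bot IPs avoids attributing a domain on the strength of a single, possibly reassigned, address.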
Keywords :
Internet; computer network security; operating systems (computers); peer-to-peer computing; Botnet geo-distribution; Botnet machines; IP lifetime distribution; Kelihos fast flux Botnet; cybercriminals; daily-discovered fast flux domains; domain TLD distribution; fast flux Botnet monitoring; operating systems; passive DNS; real-time monitoring-detection system; recursive DNS; IP networks; Malware; Monitoring; Real-time systems; Sociology; Statistics; Kelihos; botnet; fast flux; passive DNS; real-time;
Conference_Titel :
eCrime Researchers Summit (eCRS), 2013
Conference_Location :
San Francisco, CA
DOI :
10.1109/eCRS.2013.6805783