• DocumentCode
    1994049
  • Title
    Monitoring a fast flux botnet using recursive and passive DNS: A case study
  • Author
    Mahjoub, Dhia
  • Author_Institution
    Umbrella Security Labs., OpenDNS, San Francisco, CA, USA
  • fYear
    2013
  • fDate
    17-18 Sept. 2013
  • Firstpage
    1
  • Lastpage
    9
  • Abstract
    Fast flux, an evasion technique that has been around for years, continues to be widely used by cybercriminals today. In this case study, we describe a real-time monitoring and detection system that leverages recursive and passive DNS to track the Kelihos fast flux botnet. We track how the botnet grows its population of infected hosts, and detect, in real-time, the newest Kelihos fast flux domains that are being hosted by the botnet. Our analysis will present results on various components and attributes of the infrastructure leveraged by the Kelihos fast flux botnet. These include: domain TLD distribution, botnet geo-distribution, botnet daily cycles, distribution of operating systems used by the botnet machines, daily-discovered fast flux domains, domain and IP lifetime distribution, as well as specific examples of usage that highlight malicious campaigns.
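The abstract describes tracking a fast flux botnet from recursive and passive DNS and measuring domain and IP lifetime distributions. The following is an added example written for this record, not code from the paper or from OpenDNS/Umbrella: it takes a constructed set of passive DNS observations (timestamp, query name, A record, TTL), derives the per-domain features that fast flux detection typically keys on (distinct IPs, spread across networks, minimum TTL, domain lifetime, median IP lifetime) and applies an illustrative threshold rule. The /16 prefix is used as a crude stand-in for ASN diversity because no routing data is embedded, and the thresholds in is_fast_flux are assumptions chosen for the sample, not values taken from the paper.

```python
"""Fast-flux scoring over passive-DNS observations.

Added example for this bibliographic record; not the paper's code.
All records below are constructed (RFC 5737 documentation addresses).
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class PdnsRecord:
    """One passive-DNS observation: at time ts, qname resolved to rdata with ttl."""
    ts: int        # Unix time of the observation
    qname: str     # queried domain
    rdata: str     # IPv4 address from an A record
    ttl: int       # TTL returned with the answer, in seconds


T0 = 1_379_376_000  # constructed base timestamp, arbitrary
FLUX_IPS = [          # constructed: 8 addresses spread over 3 documentation /24s
    "203.0.113.10", "198.51.100.22", "192.0.2.77", "203.0.113.201",
    "198.51.100.140", "192.0.2.9", "203.0.113.55", "198.51.100.8",
]


def build_sample() -> List[PdnsRecord]:
    """Constructed dataset: one fluxing domain and one stable domain."""
    # fluxing domain: a different A record every 5 minutes, TTL 60 s
    flux = [PdnsRecord(T0 + 300 * i, "flux.example", ip, 60)
            for i, ip in enumerate(FLUX_IPS)]
    # the same IPs cycle back once, so each IP is observed twice (non-zero lifetime)
    flux += [PdnsRecord(T0 + 300 * (len(FLUX_IPS) + i), "flux.example", ip, 60)
             for i, ip in enumerate(FLUX_IPS)]
    # stable domain: two addresses in one /16, TTL 3600 s, observed hourly
    stable = [PdnsRecord(T0 + 3600 * i, "stable.example",
                         "192.0.2.100" if i % 2 == 0 else "192.0.2.101", 3600)
              for i in range(5)]
    return flux + stable


SAMPLE = build_sample()


def slash16(ip: str) -> str:
    """Crude network-diversity key (stand-in for ASN lookup, which is not embedded)."""
    return ".".join(ip.split(".")[:2])


def flux_features(records: Iterable[PdnsRecord]) -> Dict[str, dict]:
    """Per-domain features: IP count, network spread, min TTL, domain and IP lifetimes."""
    by_name: Dict[str, List[PdnsRecord]] = defaultdict(list)
    for r in records:
        by_name[r.qname].append(r)

    features: Dict[str, dict] = {}
    for name, recs in by_name.items():
        ip_first: Dict[str, int] = {}
        ip_last: Dict[str, int] = {}
        for r in recs:
            ip_first[r.rdata] = min(r.ts, ip_first.get(r.rdata, r.ts))
            ip_last[r.rdata] = max(r.ts, ip_last.get(r.rdata, r.ts))
        ip_lifetimes = [ip_last[ip] - ip_first[ip] for ip in ip_first]
        stamps = [r.ts for r in recs]
        features[name] = {
            "distinct_ips": len(ip_first),
            "distinct_prefixes": len({slash16(ip) for ip in ip_first}),
            "min_ttl": min(r.ttl for r in recs),
            "domain_lifetime_s": max(stamps) - min(stamps),
            "median_ip_lifetime_s": median(ip_lifetimes),
        }
    return features


def is_fast_flux(f: dict, min_ips: int = 5, max_ttl: int = 300,
                 min_prefixes: int = 3) -> bool:
    """Heuristic: many IPs, spread across networks, advertised with short TTLs.

    Thresholds are illustrative assumptions for the constructed sample, not
    values from the paper.
    """
    return (f["distinct_ips"] >= min_ips
            and f["min_ttl"] <= max_ttl
            and f["distinct_prefixes"] >= min_prefixes)


def flagged_domains(records: Iterable[PdnsRecord]) -> List[str]:
    """Sorted list of domains whose features satisfy is_fast_flux()."""
    return sorted(n for n, f in flux_features(records).items() if is_fast_flux(f))


if __name__ == "__main__":
    for name, f in flux_features(SAMPLE).items():
        print(name, f, "FAST FLUX" if is_fast_flux(f) else "benign")
```

Caveat for anyone adapting this: large CDNs and round-robin load balancers also return many addresses with short TTLs, so a rule built only on IP count and TTL produces false positives; the network-diversity term (ideally real ASN data rather than the /16 stand-in used here) and an allowlist of known hosting providers are what separate a residential-host botnet from legitimate infrastructure.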
  • Keywords
    Internet; computer network security; operating systems (computers); peer-to-peer computing; Botnet geo-distribution; Botnet machines; IP lifetime distribution; Kelihos fast flux Botnet; cybercriminals; daily-discovered fast flux domains; domain TLD distribution; fast flux Botnet monitoring; operating systems; passive DNS; real-time monitoring-detection system; recursive DNS; IP networks; Malware; Monitoring; Real-time systems; Sociology; Statistics; Kelihos; botnet; fast flux; passive DNS; real-time;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    eCrime Researchers Summit (eCRS), 2013
  • Conference_Location
    San Francisco, CA
  • Type
    conf
  • DOI
    10.1109/eCRS.2013.6805783
  • Filename
    6805783