A Large Scale Analysis of DNS Water Torture Attack

Random domains are widely used in today's network environment. In benign services they serve as disposable domains that carry one-time signals. Recently, however, some cybercriminals have exploited the same convenience to launch the DNS water torture attack, a kind of DDoS attack that targets authoritative servers. Most researchers have concentrated on the random domains used for C&C communication by DGA (Domain Generation Algorithm) malware rather than on the DNS water torture attack. To learn more about the nature of this kind of attack, we compare the behaviour of DNS water torture attacks with that of DGA malware and disposable-domain services from three aspects: time pattern, lexical properties, and participants (clients and victims). Based on a month of real-world DNS traffic, we find that, first, the query volume of DNS water torture attacks is significantly larger than that of disposable domains and DGA queries. Second, the character distribution of the domains generated in DNS water torture attacks is more random than that of disposable domains and DGA domains. Third, the client IP addresses launching DNS water torture attacks are all randomly generated fake (spoofed) addresses. Fourth, the victims are themselves lawbreakers, e.g., pornographic and gambling websites. Finally, based on these results, we give some advice on mitigating DNS water torture attacks.
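The three traits the abstract attributes to water torture traffic (volume concentrated on one authoritative zone, random-looking prefixes, and a fresh spoofed client address per query) can be screened for in resolver query logs. The following Python is an added example, not code from the paper or its authors: the "client_ip qname" log format, the sample lines, the thresholds, the two-label "registered zone" rule and the use of Shannon entropy as a stand-in for the paper's character-distribution analysis are all constructed assumptions. It also contrasts the DGA-like pattern (one real client cycling through many random registered domains) with the water torture pattern (many fake clients hammering one zone), which is the distinction the abstract draws.

```python
"""Added example (not the paper's code): screen DNS query logs for the volume,
lexical and participant traits the abstract attributes to water torture attacks.
Log format, sample lines, thresholds and zone rule are constructed assumptions."""
import math
from collections import Counter, defaultdict

# Constructed sample log, one "client_ip qname" per line.
# Block 1: random prefixes under one victim zone, a new client IP per query.
# Block 2: one host cycling through random registered domains (DGA-like).
# Block 3: structured one-time labels under a benign "disposable" zone.
SAMPLE_LOG = """\
203.0.113.10 k3h9x2qz7mvb.example-victim.net
203.0.113.54 p0aw8sd1lkyt.example-victim.net
198.51.100.7 zq4n7e2rjx9c.example-victim.net
198.51.100.201 m5v1bt8hu3wf.example-victim.net
192.0.2.33 g2y6ok9pl4ds.example-victim.net
192.0.2.140 r8c3na5ve1qz.example-victim.net
10.0.0.5 xk9q2zvbn4.com
10.0.0.5 b7ty4wqjs1.net
10.0.0.5 hq2m8zcdv6.org
10.0.0.5 wz5p1kxof3.info
10.0.0.9 0-1-2-3.example-av.com
10.0.0.9 0-1-2-4.example-av.com
10.0.0.9 www.example-av.com
"""


def shannon_entropy(label: str) -> float:
    """Bits per character; a crude proxy for 'how random does this label look'.
    Natural words also score fairly high, so treat it as a screening signal."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def registered_zone(qname: str) -> str:
    """Assumption: the zone served by one authoritative server is the last two
    labels (a real deployment would consult the public suffix list)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client_ip, qname) pairs from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0], parts[1]


def profile_zones(text: str) -> dict:
    """Per zone: query volume, distinct clients, mean entropy of the leftmost
    label (the part a water torture attacker randomises)."""
    queries, clients, ent = Counter(), defaultdict(set), defaultdict(float)
    for client, qname in parse_log(text):
        zone = registered_zone(qname)
        queries[zone] += 1
        clients[zone].add(client)
        ent[zone] += shannon_entropy(qname.split(".")[0])
    return {z: {"queries": queries[z], "clients": len(clients[z]),
                "mean_entropy": ent[z] / queries[z]} for z in queries}


def water_torture_candidates(text: str, min_queries=5, min_entropy=3.0,
                             min_client_ratio=0.9) -> list:
    """Zones hit by many high-entropy prefixes where nearly every query comes
    from a different source address (the spoofed-client trait). Thresholds
    are illustrative, not values from the paper."""
    return sorted(z for z, p in profile_zones(text).items()
                  if p["queries"] >= min_queries
                  and p["mean_entropy"] >= min_entropy
                  and p["clients"] / p["queries"] >= min_client_ratio)


def dga_like_clients(text: str, min_zones=3, min_entropy=3.0) -> list:
    """The contrasting pattern: one real client querying many distinct
    random-looking registered domains, each zone seeing little volume."""
    zones = defaultdict(set)
    for client, qname in parse_log(text):
        zone = registered_zone(qname)
        if shannon_entropy(zone.split(".")[0]) >= min_entropy:
            zones[client].add(zone)
    return sorted(c for c, zs in zones.items() if len(zs) >= min_zones)


if __name__ == "__main__":
    for zone, p in profile_zones(SAMPLE_LOG).items():
        print(f"{zone:22} queries={p['queries']:2} clients={p['clients']:2} "
              f"H={p['mean_entropy']:.2f}")
    print("water torture candidates:", water_torture_candidates(SAMPLE_LOG))
    print("DGA-like clients:", dga_like_clients(SAMPLE_LOG))
```

On the sample, only `example-victim.net` is flagged as a water torture target (six queries, six distinct clients, every prefix near maximal entropy), while the DGA-like host `10.0.0.5` is surfaced by the per-client view because its random names are spread over many zones rather than concentrated on one. The disposable-style labels under `example-av.com` score low on entropy and come from a single repeat client, so they trip neither check; a real deployment would add the time-pattern dimension the abstract mentions (query rate per zone over a sliding window) and replace the two-label zone rule with the public suffix list.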
