Towards active measurement for DNS query behavior of botnets

Domain names play an increasingly important role in botnet activities. Traditionally, DNS traces from several local DNS servers are used passively to measure DNS query behavior. However, since botnets are a wide-scale threat and usually reside in geographically dispersed networks, the vantage point of a few local DNS servers is sometimes too narrow to help us understand the DNS query behavior (e.g., whether a name is queried or not, and the average query rate) of botnets. In this paper, we actively measure the DNS query behavior of botnets in geographically dispersed networks via the DNS cache probing technique. We first analytically characterize how multiple domain names are queried by botnets in different networks under certain circumstances. Then, we actively measure real botnet samples in the wild to gain insight into how multiple domain names are queried by botnets in 480 geographically dispersed networks globally, and show that our analytical characterization describes the DNS query behavior of the botnet samples well. The active measurement technique can help to acquire extensive DNS query information in different networks and thus potentially facilitate various DNS-related research and applications.
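The cache probing technique the abstract relies on works by sending a resolver a query with the recursion-desired (RD) bit cleared, so the resolver answers only from its cache: an answer means some host behind that resolver already queried the name, and the residual TTL tells how long ago the record entered the cache. The following is an added example, not code from the paper; the domain name, IP address, TTLs and the two responses are constructed here, and the logic shows only the per-probe inference (cached or not, and cache age), not the paper's analytical model.

```python
import struct

def build_probe(name, txid=0x1234):
    """DNS A query with RD=0: the resolver answers only from its cache."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # flags: QR=0, RD=0
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)           # QTYPE=A, QCLASS=IN

def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:          # compression pointer, 2 bytes
            return off + 2
        if length == 0:
            return off + 1
        off += length + 1

def parse_probe_response(data):
    """Return (cached, residual_ttls) from a response to a non-recursive probe."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4    # skip QTYPE + QCLASS
    ttls = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == 1:                     # A record
            ttls.append(ttl)
    return (flags & 0xF) == 0 and bool(ttls), ttls

def cache_age(residual_ttl, authoritative_ttl):
    """Seconds since the record entered this cache, i.e. since a host in that network queried it."""
    return authoritative_ttl - residual_ttl

# Constructed sample responses (not real captures): one cache hit, one miss.
QUESTION = build_probe("example.test")[12:]
HIT = (struct.pack(">HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0) + QUESTION   # QR=1, RA=1, RD=0
       + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 2990, 4) + bytes([192, 0, 2, 1]))
MISS = struct.pack(">HHHHHH", 0x1234, 0x8080, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    cached, ttls = parse_probe_response(HIT)
    print(cached, ttls, cache_age(ttls[0], 3600))   # True [2990] 610
    print(parse_probe_response(MISS))               # (False, [])
```

Repeating the probe at intervals and recording each cache age is what turns per-resolver hits into the query-rate estimates the abstract refers to.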
