TY - GEN
T1 - Tracking multiple C&C botnets by analyzing DNS traffic
AU - Lee, Jehyun
AU - Kwon, Jonghun
AU - Shin, Hyo Jeong
AU - Lee, Heejo
N1 - Copyright:
Copyright 2011 Elsevier B.V., All rights reserved.
PY - 2010
Y1 - 2010
N2 - Botnets have been considered as a main source of Internet threats. A common feature of recent botnets is the use of one or more C&C servers with multiple domain names for the purpose of increasing flexibility and survivability. In contrast with single domain botnets, these multi domain botnets are hard to be quarantined because they change domain names regularly for connecting their C&C server(s). In this paper, we introduce a tracking method of botnets by analyzing the relationship of domain names in DNS traffic generated from botnets. By examining the DNS queries from the clients which accessed the known malicious domain names, we can find a set of unknown malicious domain names and their relationship. This method enables to track malicious domain names and clients duplicately infected by multiple bot codes which make botnets revivable against existing quarantine methods. From the experiments with one hour DNS traffic in an ISP network, we find tens of botnets, and each botnet has tens of malicious domains. In addition to botnet domains, we find a set of other domain names used for spamming or advertising servers. The proposed method can be used for quarantining recent botnets and for limiting their survivability by tracking the change of domain names.
AB - Botnets have been considered as a main source of Internet threats. A common feature of recent botnets is the use of one or more C&C servers with multiple domain names for the purpose of increasing flexibility and survivability. In contrast with single domain botnets, these multi domain botnets are hard to be quarantined because they change domain names regularly for connecting their C&C server(s). In this paper, we introduce a tracking method of botnets by analyzing the relationship of domain names in DNS traffic generated from botnets. By examining the DNS queries from the clients which accessed the known malicious domain names, we can find a set of unknown malicious domain names and their relationship. This method enables to track malicious domain names and clients duplicately infected by multiple bot codes which make botnets revivable against existing quarantine methods. From the experiments with one hour DNS traffic in an ISP network, we find tens of botnets, and each botnet has tens of malicious domains. In addition to botnet domains, we find a set of other domain names used for spamming or advertising servers. The proposed method can be used for quarantining recent botnets and for limiting their survivability by tracking the change of domain names.
UR - http://www.scopus.com/inward/record.url?scp=79952066859&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=79952066859&partnerID=8YFLogxK
U2 - 10.1109/NPSEC.2010.5634445
DO - 10.1109/NPSEC.2010.5634445
M3 - Conference contribution
AN - SCOPUS:79952066859
SN - 9781424489152
T3 - 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010
SP - 67
EP - 72
BT - 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010
T2 - 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010
Y2 - 5 October 2010 through 5 October 2010
ER -