Tracking multiple C&C botnets by analyzing DNS traffic

Jehyun Lee; Jonghun Kwon; Hyo Jeong Shin; Heejo Lee

doi:10.1109/NPSEC.2010.5634445

Tracking multiple C&C botnets by analyzing DNS traffic

Jehyun Lee, Jonghun Kwon, Hyo Jeong Shin, Heejo Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

18 Citations (Scopus)

Abstract

Botnets have been considered as a main source of Internet threats. A common feature of recent botnets is the use of one or more C&C servers with multiple domain names for the purpose of increasing flexibility and survivability. In contrast with single domain botnets, these multi domain botnets are hard to be quarantined because they change domain names regularly for connecting their C&C server(s). In this paper, we introduce a tracking method of botnets by analyzing the relationship of domain names in DNS traffic generated from botnets. By examining the DNS queries from the clients which accessed the known malicious domain names, we can find a set of unknown malicious domain names and their relationship. This method enables to track malicious domain names and clients duplicately infected by multiple bot codes which make botnets revivable against existing quarantine methods. From the experiments with one hour DNS traffic in an ISP network, we find tens of botnets, and each botnet has tens of malicious domains. In addition to botnet domains, we find a set of other domain names used for spamming or advertising servers. The proposed method can be used for quarantining recent botnets and for limiting their survivability by tracking the change of domain names.

Original language	English
Title of host publication	2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010
Pages	67-72
Number of pages	6
DOIs	https://doi.org/10.1109/NPSEC.2010.5634445
Publication status	Published - 2010
Event	2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010 - Kyoto, Japan Duration: 2010 Oct 5 → 2010 Oct 5

Publication series

Name	2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010

Other

Other	2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010
Country/Territory	Japan
City	Kyoto
Period	10/10/5 → 10/10/5

ASJC Scopus subject areas

Computer Networks and Communications

Access to Document

10.1109/NPSEC.2010.5634445

Cite this

Lee, J, Kwon, J, Shin, HJ & Lee, H 2010, Tracking multiple C&C botnets by analyzing DNS traffic. in 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010., 5634445, 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010, pp. 67-72, 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010, Kyoto, Japan, 10/10/5. https://doi.org/10.1109/NPSEC.2010.5634445

@inproceedings{752f78c0dc8a43a1a196413ad647486c,

title = "Tracking multiple C&C botnets by analyzing DNS traffic",

abstract = "Botnets have been considered as a main source of Internet threats. A common feature of recent botnets is the use of one or more C&C servers with multiple domain names for the purpose of increasing flexibility and survivability. In contrast with single domain botnets, these multi domain botnets are hard to be quarantined because they change domain names regularly for connecting their C&C server(s). In this paper, we introduce a tracking method of botnets by analyzing the relationship of domain names in DNS traffic generated from botnets. By examining the DNS queries from the clients which accessed the known malicious domain names, we can find a set of unknown malicious domain names and their relationship. This method enables to track malicious domain names and clients duplicately infected by multiple bot codes which make botnets revivable against existing quarantine methods. From the experiments with one hour DNS traffic in an ISP network, we find tens of botnets, and each botnet has tens of malicious domains. In addition to botnet domains, we find a set of other domain names used for spamming or advertising servers. The proposed method can be used for quarantining recent botnets and for limiting their survivability by tracking the change of domain names.",

author = "Jehyun Lee and Jonghun Kwon and Shin, {Hyo Jeong} and Heejo Lee",

year = "2010",

doi = "10.1109/NPSEC.2010.5634445",

language = "English",

isbn = "9781424489152",

series = "2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010",

pages = "67--72",

booktitle = "2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010",

}

TY - GEN

T1 - Tracking multiple C&C botnets by analyzing DNS traffic

AU - Lee, Jehyun

AU - Kwon, Jonghun

AU - Shin, Hyo Jeong

AU - Lee, Heejo

PY - 2010

Y1 - 2010

N2 - Botnets have been considered as a main source of Internet threats. A common feature of recent botnets is the use of one or more C&C servers with multiple domain names for the purpose of increasing flexibility and survivability. In contrast with single domain botnets, these multi domain botnets are hard to be quarantined because they change domain names regularly for connecting their C&C server(s). In this paper, we introduce a tracking method of botnets by analyzing the relationship of domain names in DNS traffic generated from botnets. By examining the DNS queries from the clients which accessed the known malicious domain names, we can find a set of unknown malicious domain names and their relationship. This method enables to track malicious domain names and clients duplicately infected by multiple bot codes which make botnets revivable against existing quarantine methods. From the experiments with one hour DNS traffic in an ISP network, we find tens of botnets, and each botnet has tens of malicious domains. In addition to botnet domains, we find a set of other domain names used for spamming or advertising servers. The proposed method can be used for quarantining recent botnets and for limiting their survivability by tracking the change of domain names.

AB - Botnets have been considered as a main source of Internet threats. A common feature of recent botnets is the use of one or more C&C servers with multiple domain names for the purpose of increasing flexibility and survivability. In contrast with single domain botnets, these multi domain botnets are hard to be quarantined because they change domain names regularly for connecting their C&C server(s). In this paper, we introduce a tracking method of botnets by analyzing the relationship of domain names in DNS traffic generated from botnets. By examining the DNS queries from the clients which accessed the known malicious domain names, we can find a set of unknown malicious domain names and their relationship. This method enables to track malicious domain names and clients duplicately infected by multiple bot codes which make botnets revivable against existing quarantine methods. From the experiments with one hour DNS traffic in an ISP network, we find tens of botnets, and each botnet has tens of malicious domains. In addition to botnet domains, we find a set of other domain names used for spamming or advertising servers. The proposed method can be used for quarantining recent botnets and for limiting their survivability by tracking the change of domain names.

UR - http://www.scopus.com/inward/record.url?scp=79952066859&partnerID=8YFLogxK

U2 - 10.1109/NPSEC.2010.5634445

DO - 10.1109/NPSEC.2010.5634445

M3 - Conference contribution

AN - SCOPUS:79952066859

SN - 9781424489152

T3 - 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010

SP - 67

EP - 72

BT - 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010

T2 - 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010

Y2 - 5 October 2010 through 5 October 2010

ER -

Tracking multiple C&C botnets by analyzing DNS traffic

Abstract

Publication series

Other

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this