Early Detection of Malicious Flux Networks via Large-Scale Passive DNS Traffic Analysis

Nowadays, internet miscreants and cyber criminals are increasing rapidly, and detecting and stopping them has become a serious issue. Malicious flux networks have recently started to thrive. Malicious flux networks are a type of illegitimate content delivery network (CDN). These networks are set up using fast-flux domain names, i.e., the set of resolved IP addresses associated with these networks changes frequently, often after each DNS query, thereby making them difficult to detect. To make it even more complicated, these resolved IP addresses, also known as flux agents, are spread across many different networks.

A number of approaches have been studied recently. The main limitation of these works lies in the use of spam email as the primary information source, so they detect only fast-flux domains advertised through email spam. These approaches identify potential fast-flux domain names in the URLs found in the body of spam emails. Then an active probing strategy is used to collect information.

Previous systems were based on DNS traffic observation from below a number of recursive DNS (RDNS) servers, namely DNS traffic flowing from single users' machines to their local RDNS servers. Unfortunately, obtaining access to such traffic is problematic, mainly due to privacy concerns. FluxBuster, instead, is based on DNS traffic observation from above, i.e., the DNS traffic flowing from the RDNS servers towards other networks, so there are no privacy issues. It first receives an input stream of DNS messages. The DNS Message Aggregator module then aggregates all DNS messages regarding a domain into a single higher-level DNS message. Next, the Message Prefiltering module filters out those domains that are very unlikely to be flux domains. Lastly, the Classifier module processes the remaining domains and labels each of them as flux or non-flux. At the end of this paper, the above method is evaluated using an experimental setup and the results are reported.
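The three-stage pipeline described above (aggregate, prefilter, classify) can be sketched in a few dozen lines. The following Python is an added illustration written for this summary; it is not FluxBuster's code. The input records, the /24-prefix approximation of "different networks", and every threshold are assumptions made for the example, and the fixed rule in classify() stands in for the trained classifier that the paper uses.

```python
"""Toy passive-DNS flux detector: aggregate -> prefilter -> classify.
Added example, not FluxBuster's code; features and thresholds are assumptions."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

# Constructed sample of DNS answers observed above the recursive resolver,
# as (query_name, tuple_of_resolved_ips, ttl_seconds), in arrival order.
SAMPLE_ANSWERS = [
    # Static host: one address, long TTL (constructed).
    ("www.example.org", ("192.0.2.10",), 86400),
    ("www.example.org", ("192.0.2.10",), 86400),
    ("www.example.org", ("192.0.2.10",), 86400),
    # Round-robin CDN: several addresses, short TTL, but a single network (constructed).
    ("cdn.example.net", ("198.51.100.5", "198.51.100.6"), 60),
    ("cdn.example.net", ("198.51.100.6", "198.51.100.7"), 60),
    ("cdn.example.net", ("198.51.100.7", "198.51.100.5"), 60),
    ("cdn.example.net", ("198.51.100.5", "198.51.100.6"), 60),
    # Fast-flux style: a fresh address set on nearly every answer, spread over
    # many unrelated networks, tiny TTL (constructed addresses).
    ("flux.example", ("203.0.113.41", "10.7.7.9"), 30),
    ("flux.example", ("10.22.3.4", "172.16.9.77"), 30),
    ("flux.example", ("192.0.2.200", "10.99.1.1"), 30),
    ("flux.example", ("203.0.113.41", "172.16.50.2"), 30),
]


@dataclass
class DomainAggregate:
    """One higher-level record per domain, folded from many individual answers."""
    domain: str
    ips: set = field(default_factory=set)
    ttls: list = field(default_factory=list)
    answers: int = 0
    changes: int = 0                     # answers whose IP set differed from the previous one
    last_set: Optional[frozenset] = None

    def add(self, ips, ttl):
        current = frozenset(ips)
        if self.last_set is not None and current != self.last_set:
            self.changes += 1
        self.last_set = current
        self.ips.update(current)
        self.ttls.append(ttl)
        self.answers += 1

    def features(self):
        # /24 prefixes approximate "how many different networks host the agents";
        # a real system would use BGP prefixes or AS numbers (assumption).
        nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in self.ips}
        return {
            "distinct_ips": len(self.ips),
            "distinct_nets": len(nets),
            "change_ratio": self.changes / max(self.answers - 1, 1),
            "min_ttl": min(self.ttls),
        }


def aggregate(answers):
    """DNS Message Aggregator: one DomainAggregate per queried name."""
    records = {}
    for name, ips, ttl in answers:
        records.setdefault(name, DomainAggregate(name)).add(ips, ttl)
    return records


def prefilter(records, min_ips=3, max_ttl=3600):
    """Cheap prefilter: drop domains very unlikely to be flux
    (few addresses or long TTLs). Thresholds are assumptions."""
    return {d: r for d, r in records.items()
            if len(r.ips) >= min_ips and min(r.ttls) <= max_ttl}


def classify(record, min_nets=3, min_change_ratio=0.5, max_ttl=300):
    """Stand-in for the trained classifier: a fixed rule over the features."""
    f = record.features()
    is_flux = (f["distinct_nets"] >= min_nets
               and f["change_ratio"] >= min_change_ratio
               and f["min_ttl"] <= max_ttl)
    return "flux" if is_flux else "non-flux"


def run_pipeline(answers):
    """Returns {domain: label} for every domain that survived the prefilter."""
    survivors = prefilter(aggregate(answers))
    return {d: classify(r) for d, r in survivors.items()}


if __name__ == "__main__":
    for domain, label in run_pipeline(SAMPLE_ANSWERS).items():
        print(f"{domain:20s} {label}")
```

On the constructed sample, the static host is discarded by the prefilter, the round-robin CDN passes the prefilter but is labelled non-flux because all of its addresses sit in one network, and the flux-style name is labelled flux. The CDN case is the important caveat: legitimate CDNs also combine short TTLs with many changing addresses, and large ones spread those addresses across several networks, so a single hand-written rule like the one above will produce false positives on them. That is why the approach summarised on this page relies on a richer feature set and a trained classifier rather than fixed thresholds.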

A number of approaches for detecting fast-flux domain names have been studied recently. These works differ from each other in the number of features used to characterize fast-flux domains and in the details of the classification algorithms. The main limitation of these works lies in the use of spam email as the primary information source, so they detect only fast-flux domains advertised through email spam. These approaches identify potential fast-flux domain names in the URLs found in the body of spam emails (typically captured by spam traps and filters). Then, an active probing strategy is applied, repeatedly issuing DNS queries to collect information about the set of resolved IP addresses, and subsequently classifying each domain name as either fast-flux or non-fast-flux.

There exist other works that are not limited to domains found in spam emails. In particular, they propose analyzing NetFlow information collected at border routers to identify redirection botnets, a specific kind of botnet used to set up redirection flux service networks. However, the information they extract from network flows cannot detect flux agents that are used as transparent proxies instead of redirection points. In addition, to classify suspicious domains collected from spam emails and to correlate them with the network flow information, this work relies heavily on active DNS probing, in a way similar to the approaches described above.

Our detection approach, based on passive monitoring, has a clear advantage over the detection techniques proposed in previous works. Passively monitoring live users' DNS traffic allows capturing queries to flux domain names that are advertised through a variety of means, including, for example, blog spam, social website spam, search engine spam, and instant messaging spam, in addition to email spam and precompiled domain blacklists. Furthermore, unlike the active probing approach used in previous work, FluxBuster passively monitors live users' traffic without interacting with the flux networks. Active probing of fast-flux domain names may be detected by the attacker, who often controls the authoritative name servers responsible for responding to DNS queries about her fast-flux domain names. If the attacker detects that an active probing system is trying to track her malicious flux service network, she may stop responding to queries coming from the probing system to prevent further information from being unveiled. Our detection system, on the other hand, is able to detect flux services in a stealthy way.

Existing Systems

Recently, Hsu proposed a real-time system for detecting flux domains based on anomalous delays in HTTP/HTTPS requests from a given client. The assumption is that flux agents are often used as either web servers or web proxies to provide malicious content (e.g., phishing web pages). Because the flux agents are typically malware-compromised home machines rather than performant web servers, they often serve the malicious web content with large latencies. Hsu leverages these observations for detection purposes. Our work is significantly different: Hsu's system focuses mainly on HTTP traffic generated by single clients and may not scale well in very large networks. Moreover, that work employs a mix of passive and active approaches to detect flux domains. Our work, on the other hand, focuses on large-scale, privacy-preserving passive analysis of DNS traffic, and does not need access to the HTTP traffic generated by single clients, which may be very difficult to obtain due to privacy concerns.
