SLIDE 1
Botnet Detection with DNS Monitoring
2
Botnet Detection with DNS Monitoring Seminar Future Internet 2014 - - PowerPoint PPT Presentation
Botnet Detection with DNS Monitoring Seminar Future Internet 2014 - - PowerPoint PPT Presentation
Lehrstuhl Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen Botnet Detection with DNS Monitoring Seminar Future Internet 2014 Christopher Will Advisor: Oliver Gasser Introduction - Botnets Great
SLIDE 2
SLIDE 3
Botnet Detection with DNS Monitoring
3
Background – Botnet structure
C&C server Bot 1 Bot 2 Bot 3 Target Server User
SLIDE 4
Botnet Detection with DNS Monitoring
4
Botnets - Detection approach
Many botnets use DNS for communication Find botnet communication in DNS traffic Difficulty: Filter out all benign traffic Use specific features of botnet traffic to find bots as well as the C&C
servers
SLIDE 5
Botnet Detection with DNS Monitoring
5
Botnet - DNS usage
C&C communication with Domain Generation Algorithms
Bot DNS Server zpdyaislnu.net? dlftozdnxn.net? google.com? not found 176.53.17.51 173.194.70.105
SLIDE 6
Botnet Detection with DNS Monitoring
6
Detecting DGA C&C communication
General framework structure:
Collect DNS Data Filter traffic, detect bots Classify and group bots Detect C&Cs
SLIDE 7
Botnet Detection with DNS Monitoring
7
Detection Frameworks
- 1. Using Anchor Domains
- 2. PREDENTIFIER: Using domain features
- 3. Pleiades: Using NXDomains
- 4. Using NXDomains and Bloom Filters + Privacy
SLIDE 8
Botnet Detection with DNS Monitoring
8
Pleiades Framework by Antonakakis et al.
Very sophisticated Highest detection rate of all frameworks Well-tested in real scenario (ran at local DNS server for over 2 years)
SLIDE 9
Botnet Detection with DNS Monitoring
9
Pleiades: 1. DNS Data Collection/Filtering
Assumption NXDomains mostly generated by botnets Later, successful responses used for C&C identification
SLIDE 10
Botnet Detection with DNS Monitoring
10
Pleiades: 2. Bot clustering
Method 1: Statistical domain features:
71f9d3d1.net 84c7e2a3.com lymylorozig.eu fotyriwavix.eu gxnbtlvvwmyg.com zzopaahxctfh.com
SLIDE 11
Botnet Detection with DNS Monitoring
11
Pleiades: 2. Bot clustering
Method 2: Host ↔ Domains association:
B1 D1 B2 B3 B4 B5 D3 D2
SLIDE 12
Botnet Detection with DNS Monitoring
12
Pleiades: 3. C&C detection
Single, successful DNS response C&C Detection Bot clusters Probability of belonging to the DGA
SLIDE 13
Botnet Detection with DNS Monitoring
13
Pleiades: Evaluation
In the wild: Detection of 6 unknown DGAs Privacy issues not specifically adressed
Detection rate False positive rate DGA Classifier 99.7% 0.1% C&C Detection > 91% (except 1 botnet) 3%
SLIDE 14
Botnet Detection with DNS Monitoring
14
Summary
Botnets are dangerous DGA-based Botnets can be detected with the DNS Example: One Framework
SLIDE 15
Botnet Detection with DNS Monitoring
15
Thank you!
SLIDE 16
Botnet Detection with DNS Monitoring
16
Legitimate DNS usage
Main goal: Load balancing Round-Robin DNS: Loop through list of possible IPs, high TTL Content Distribution Networks: More sophisticated approach to
calculate currently best IP, lower TTL
SLIDE 17
Botnet Detection with DNS Monitoring
17
Background: Domain Name System
DNS Recurser root nameserver
- rg.
nameserver wikipedia.org. nameserver 198.41.0.4 204.74.112.1 207.142.131.234 "Where's www.wikipedia.org?"
1 2 3
"Try 204.74.112.1" "Try 207.142.131.234" "It's at xxx.xx.xx.xxx"