Lehrstuhl Netzarchitekturen und Netzdienste Institut für Informatik Technische Universität München Botnet Detection with DNS Monitoring Seminar Future Internet 2014 Christopher Will Advisor: Oliver Gasser
Introduction - Botnets Great threat in the Internet today Universally usable – DDoS, Content Hosting … Very important to take them down 2 Botnet Detection with DNS Monitoring
Background – Botnet structure C&C server Bot 1 Bot 2 Bot 3 Target Server User 3 Botnet Detection with DNS Monitoring
Botnets - Detection approach Many botnets use DNS for communication Find botnet communication in DNS traffic Difficulty: Filter out all benign traffic Use specific features of botnet traffic to find bots as well as the C&C servers 4 Botnet Detection with DNS Monitoring
Botnet - DNS usage C&C communication with Domain Generation Algorithms zpdyaislnu.net? not found dlftozdnxn.net? Bot DNS Server 176.53.17.51 google.com? 173.194.70.105 5 Botnet Detection with DNS Monitoring
Detecting DGA C&C communication General framework structure: Collect DNS Data Filter traffic, detect bots Classify and group bots Detect C&Cs 6 Botnet Detection with DNS Monitoring
Detection Frameworks 1. Using Anchor Domains 2. PREDENTIFIER: Using domain features 3. Pleiades: Using NXDomains 4. Using NXDomains and Bloom Filters + Privacy 7 Botnet Detection with DNS Monitoring
Pleiades Framework by Antonakakis et al. Very sophisticated Highest detection rate of all frameworks Well-tested in real scenario (ran at local DNS server for over 2 years) 8 Botnet Detection with DNS Monitoring
Pleiades: 1. DNS Data Collection/Filtering Assumption NXDomains mostly generated by botnets Later, successful responses used for C&C identification 9 Botnet Detection with DNS Monitoring
Pleiades: 2. Bot clustering Method 1: Statistical domain features: 71f9d3d1.net 84c7e2a3.com lymylorozig.eu fotyriwavix.eu gxnbtlvvwmyg.com zzopaahxctfh.com 10 Botnet Detection with DNS Monitoring
Pleiades: 2. Bot clustering Method 2: Host ↔ Domains association: B1 B2 D1 B3 D2 B4 D3 B5 11 Botnet Detection with DNS Monitoring
Pleiades: 3. C&C detection Single, successful DNS response Bot clusters C&C Detection Probability of belonging to the DGA 12 Botnet Detection with DNS Monitoring
Pleiades: Evaluation Detection rate False positive rate DGA Classifier 99.7% 0.1% C&C > 91% (except 1 3% Detection botnet) In the wild: Detection of 6 unknown DGAs Privacy issues not specifically adressed 13 Botnet Detection with DNS Monitoring
Summary Botnets are dangerous DGA-based Botnets can be detected with the DNS Example: One Framework 14 Botnet Detection with DNS Monitoring
Thank you! 15 Botnet Detection with DNS Monitoring
Legitimate DNS usage Main goal: Load balancing Round-Robin DNS: Loop through list of possible IPs, high TTL Content Distribution Networks: More sophisticated approach to calculate currently best IP, lower TTL 16 Botnet Detection with DNS Monitoring
Background: Domain Name System root "Where's www.wikipedia.org?" nameserver 198.41.0.4 1 "Try 204.74.112.1" org. 2 nameserver 204.74.112.1 DNS Recurser "Try 207.142.131.234" 3 wikipedia.org. "It's at xxx.xx.xx.xxx" nameserver 207.142.131.234 17 Botnet Detection with DNS Monitoring
Recommend
More recommend
