Polytechnic and design, Vol. 7 No. 2, 2019.
Original scientific paper
https://doi.org/10.19279/TVZ.PD.2019-7-2-01
BOTNET DETECTING BASED ON DNS TRAFFIC ANALYSIS
Brigitta Cafuta; Zagreb University of Applied Sciences, Zagreb, Croatia
Bojan Nožica; Zagreb University of Applied Sciences, Zagreb, Croatia
Ivica Dodig; Zagreb University of Applied Sciences, Zagreb, Croatia
Tin Kramberger; Zagreb University of Applied Sciences, Zagreb, Croatia
Abstract
The number of active Internet domain names is rising rapidly, and the share of malicious domains is increasing proportionally. Behind the malicious domains are reflectors controlled indirectly by Command & Control (C&C) servers, which manage the network of compromised computers (the botnet). By placing information on a malicious domain at a given time, the botnet administrator can launch the malware agent installed on the compromised clients. These commands may vary from a DoS of a server, launching a server, visiting a web page, or sending an electronic mail. The command can result in widening the botnet or performing an illegal activity. The best solution to stop a botnet in operation is to block the communication channel from the compromised clients to the botnet administrator by blocking communication with the malicious domain. In this paper a method for malicious domain detection using DNS traffic is presented. Features of DNS traffic are classified according to their detection ability as established in previous works in this field. Samples of the detection algorithms are presented. An experimental study to verify the existence of fast-flux botnets is performed. An experimental study based on the simplest DNS traffic characteristics verified the existence of malicious domains.
Keywords
botnet; DNS traffic; fast-flux
Hrčak ID: 223320
Publication date: 24.6.2019.