Politehnika i dizajn, Vol. 7 No. 2, 2019.
Izvorni znanstveni članak
https://doi.org/10.19279/TVZ.PD.2019-7-2-01
BOTNET DETECTING BASED ON DNS TRAFFIC ANALYSIS
Brigitta Cafuta
; Tehničko veleučilište u Zagrebu, Zagreb, Hrvatska
Bojan Nožica
; Tehničko veleučilište u Zagrebu, Zagreb, Hrvatska
Ivica Dodig
; Tehničko veleučilište u Zagrebu, Zagreb, Hrvatska
Tin Kramberger
; Tehničko veleučilište u Zagrebu, Zagreb, Hrvatska
Sažetak
The number of Internet active domain names is rapidly raising, thus proportionally share of malicious domains is increasing. Behind the malicious domains are reflectors controlled indirectly by Command & Control Servers (C & C), which manage the network of compromised computers (botnet). Botnet administrator by placing and information on malicious domain at a given time can launch an installed malware agent on the compromised clients. These commands may vary from a DoS server, launching a server, visit the webpage or send an electronic mail. The consequence of the command can result on widening the botnet or performing an illegal activity. The best solution to prevent a botnet in operation is to block the communication channel from compromised client to botnet administrator by blocking the communication with the malicious domain. In this paper a method for malicious domain detection using DNS traffic is presented. Features of DNS traffic are classified according to their ability of detection in previous works in this field. Samples of the detection algorithms are presented. An experimental study to verify the existance of fast-flux botnets is performed. An Experimental study based on simplest DNS traffic characteristics verified the existence of malicious domains.
Ključne riječi
botnet; DNS traffic; fast-flux
Hrčak ID:
223320
URI
Datum izdavanja:
24.6.2019.
Posjeta: 867 *