Detect Fast-Flux Domains Through Response Time Differences


Bibliographic Details
Published in: IEEE Journal on Selected Areas in Communications, Vol. 32, no. 10, pp. 1947-1956
Main Authors: Hsu, Fu-Hau; Wang, Chuan-Sheng; Hsu, Chi-Hsien; Tso, Chang-Kuo; Chen, Li-Han; Lin, Song-Hui
Format: Journal Article
Language: English
Published: New York, IEEE (The Institute of Electrical and Electronics Engineers, Inc.), 01.10.2014

Summary: A fast-flux service network (FFSN) uses dynamic DNS to map a dynamic domain, called a fast-flux domain (FF domain), to various IP addresses and uses flux bots to redirect network traffic. Due to its powerful capability to conceal the hosts hidden behind the flux bots, FFSNs are widely adopted by attackers to cover various scams. Although diverse promising solutions have been proposed to detect FF domains, they face the same problem: different countermeasures can be used to bypass their detection. Hence, developing a new detection solution has become a critical issue. According to our survey, unlike normal network services that use dynamic DNS to balance the workloads of their hosts, FFSNs utilize dynamic DNS to hide important bots. As a result, the response time of subsequent requests to an FF domain fluctuates more. Based on these response time differences, this paper develops a new metric, the Fast-Flux Score (FF-Score), to detect FF domains. Our system, called the fast-flux domain detector (FFDD), runs on a computer that can be an end host or an IDS. A user with a set of unknown URLs, which may be obtained from spam or social networks, can simply determine whether they are benign domains or fast-flux ones using FFDD. Experimental results show that FFDD can accurately detect FF domains with only a 0.3% false positive rate and a 2% false negative rate. It takes less than 20 min for FFDD to determine whether a domain is an FF domain. In addition, FFDD is a lightweight stand-alone system; hence, it does not require special support from an ISP or any other network service.
ISSN: 0733-8716; 1558-0008
DOI: 10.1109/JSAC.2014.2358814