DNS for Massive-Scale Command and Control

DNS for Massive-Scale Command and Control

Attackers, in particular botnet controllers, use stealthy messaging systems to set up large-scale command and control. To systematically understand the potential capability of attackers, we investigate the feasibility of using domain name service (DNS) as a stealthy botnet command-and-control channe...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:IEEE transactions on dependable and secure computing 2013-05, Vol.10 (3), p.143-153
Hauptverfasser: Kui Xu, Butler, P., Saha, S., Danfeng Yao
Format: Artikel
Sprache:eng
Schlagworte:
and command and control
botnet detection
Channels
Command and control
Command and control systems
Controllers
DNS security
Domain names
IP networks
Libraries
Malware
Messaging systems
Network security
Networks
Payloads
Protocols
Servers
Statistical analysis
Studies
Tunneling
URLs
Online-Zugang:Volltext bestellen
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:Attackers, in particular botnet controllers, use stealthy messaging systems to set up large-scale command and control. To systematically understand the potential capability of attackers, we investigate the feasibility of using domain name service (DNS) as a stealthy botnet command-and-control channel. We describe and quantitatively analyze several techniques that can be used to effectively hide malicious DNS activities at the network level. Our experimental evaluation makes use of a two-month-long 4.6-GB campus network data set and 1 million domain names obtained from alexa.com. We conclude that the DNS-based stealthy command-and-control channel (in particular, the codeword mode) can be very powerful for attackers, showing the need for further research by defenders in this direction. The statistical analysis of DNS payload as a countermeasure has practical limitations inhibiting its large-scale deployment.
ISSN:1545-5971
1941-0018
DOI:10.1109/TDSC.2013.10