Please use this identifier to cite or link to this item: https://www.um.edu.mt/library/oar/handle/123456789/25779
Title: Detection of fast flux botnets
Authors: Azzopardi, FrankPaul
Keywords: Malware (Computer software); Computer security; Internet of things
Issue Date: 2017
Abstract: Botnets are mainly large collections of devices running a specific malware. This malware typically awaits instructions from one or more Command and Control (C&C) servers, which it then follows. Hiding and protecting C&Cs is therefore crucial, which led attackers to use Fast Flux techniques. One of the ideas involves using a large pool of compromised IP addresses to form a proxy layer that conceals the C&C's IPs. However, research has shown that the concept of Fast Flux has evolved considerably in both form and pace, even riding the wave of the IoT revolution to make detection of C&Cs more difficult. The aim of this project is to analyse various Flux techniques and extract features that indicate Flux behaviour. This project proposes an anti-Fast Flux software as a proof of concept that acts as a proxy between the client/network and the router, passively analysing DNS traffic for anomaly features, with the primary aim of detecting domains or IPs that exhibit such behaviour in order to protect networks. Moreover, the system incorporates a Telnet honeypot to automatically blacklist any IPs that attempt to connect via Telnet, which could be a sign of Internet of Things (IoT)-based botnets. The system uses a scoring mechanism to collate different types of Flux detections and assigns scores according to the exhibited features, blacklisting any domain whose score exceeds 100. The system successfully classifies fast flux domains with 74.6% accuracy as at May 2017. However, since the system processes live data and takes DNS changes into consideration, it recalculates domain scores every time a domain's state changes, so accuracy is not a fixed value. In addition, the Telnet honeypot's accuracy can be deemed to be 100% given the material certainty that all connections are unsolicited. Given that Fast Flux domains constantly evolve, the software enables updating of the engine's detection parameters as necessary.
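The abstract describes a scoring mechanism over passively observed DNS traffic, recalculated whenever a domain's state changes, with a blacklist threshold of 100, plus a Telnet honeypot that blacklists every connecting source. The following is an added illustration of that design, not code from the dissertation: it assumes three common fast-flux indicators (very low TTLs, a growing pool of distinct A records, and addresses scattered across many /16 prefixes) with illustrative weights, and the sample DNS answers are constructed, not real data.

```python
"""
Added example (not the dissertation's code): a minimal passive-DNS scorer.
Feature choice and weights are assumptions; only the threshold of 100 and the
"recalculate on every state change" behaviour come from the abstract.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address
from typing import Dict, Iterable, Optional, Set

BLACKLIST_THRESHOLD = 100   # abstract: domains whose score exceeds 100 are blacklisted

# Illustrative feature weights (assumed, not the dissertation's values).
WEIGHT_LOW_TTL = 40         # minimum observed TTL below 300 s
WEIGHT_VERY_LOW_TTL = 60    # minimum observed TTL below 60 s (instead of LOW_TTL)
WEIGHT_MANY_IPS = 30        # 5 or more distinct A records seen over time
WEIGHT_HUGE_POOL = 50       # 20 or more distinct A records (instead of MANY_IPS)
WEIGHT_SPREAD = 40          # addresses spread across 5 or more /16 prefixes


@dataclass
class DomainState:
    """Everything observed so far for one domain, plus its current score."""
    ips: Set[str] = field(default_factory=set)
    min_ttl: Optional[int] = None
    score: int = 0


def normalise(domain: str) -> str:
    """DNS names are case-insensitive; drop the trailing dot of an FQDN."""
    return domain.lower().rstrip(".")


def prefix16(ip: str) -> str:
    """Coarse network locality: the first two octets of an IPv4 address."""
    if not isinstance(ip_address(ip), IPv4Address):
        raise ValueError("only IPv4 A records are handled in this example")
    return ".".join(ip.split(".")[:2])


def score_features(state: DomainState) -> int:
    """Collate per-feature scores for a domain from its accumulated DNS state."""
    score = 0
    if state.min_ttl is not None:
        if state.min_ttl < 60:
            score += WEIGHT_VERY_LOW_TTL
        elif state.min_ttl < 300:
            score += WEIGHT_LOW_TTL
    if len(state.ips) >= 20:
        score += WEIGHT_HUGE_POOL
    elif len(state.ips) >= 5:
        score += WEIGHT_MANY_IPS
    if len({prefix16(ip) for ip in state.ips}) >= 5:
        score += WEIGHT_SPREAD
    return score


class FluxDetector:
    """Passive DNS scorer with a domain blacklist and a honeypot-fed IP blacklist."""

    def __init__(self) -> None:
        self.domains: Dict[str, DomainState] = {}
        self.blacklisted_domains: Set[str] = set()
        self.blacklisted_ips: Set[str] = set()

    def observe_answer(self, domain: str, ttl: int, ips: Iterable[str]) -> int:
        """Feed one observed A-record answer and return the recalculated score.

        The score is recomputed on every state change, so it is not a fixed
        value: more answers can only add distinct IPs or lower the minimum TTL.
        """
        key = normalise(domain)
        state = self.domains.setdefault(key, DomainState())
        state.ips.update(ips)
        state.min_ttl = ttl if state.min_ttl is None else min(state.min_ttl, ttl)
        state.score = score_features(state)
        if state.score > BLACKLIST_THRESHOLD:
            self.blacklisted_domains.add(key)
        return state.score

    def telnet_connection(self, src_ip: str) -> None:
        """Honeypot hook: every Telnet connection is unsolicited, so blacklist it."""
        self.blacklisted_ips.add(src_ip)

    def is_blocked(self, domain: str) -> bool:
        return normalise(domain) in self.blacklisted_domains


def demo() -> dict:
    """Constructed sample traffic: one flux-like domain and one ordinary one."""
    det = FluxDetector()
    # Flux-like: 30 s TTL and a fresh pair of scattered addresses on every answer.
    for ttl, ips in [(30, ["203.0.113.5", "198.51.100.7"]),
                     (30, ["192.0.2.9", "203.0.113.77"]),
                     (30, ["198.18.4.1", "198.19.200.3"]),
                     (30, ["100.64.3.2", "172.16.8.8"])]:
        flux_score = det.observe_answer("Flux.Example.", ttl, ips)
    # Ordinary: long TTL, a stable set of three addresses in one /24.
    plain_score = det.observe_answer("plain.example", 3600,
                                     ["192.0.2.10", "192.0.2.11", "192.0.2.12"])
    det.telnet_connection("198.51.100.200")   # constructed honeypot hit
    return {"flux_score": flux_score, "plain_score": plain_score,
            "flux_blocked": det.is_blocked("flux.example"),
            "plain_blocked": det.is_blocked("plain.example"),
            "telnet_blacklist": sorted(det.blacklisted_ips)}


if __name__ == "__main__":
    print(demo())
```

With these weights the flux-like domain reaches 130 (very low TTL, 8 distinct IPs, 7 distinct /16 prefixes) and is blacklisted, while the ordinary domain scores 0. The abstract's caveat applies directly: large CDNs also use short TTLs and many addresses, which is one reason a live scorer's accuracy is not a fixed number, and why the weights should remain tunable rather than hard-coded.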
Description: B.SC.IT(HONS)
URI: https://www.um.edu.mt/library/oar//handle/123456789/25779
Appears in Collections:Dissertations - FacICT - 2017

Files in This Item:
17BITSD005.pdf (2.89 MB, Adobe PDF), Restricted Access