
FluXOR: Detecting and Monitoring Fast-Flux Service Networks

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2008)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 5137)

Abstract

Botnets are large groups of compromised machines (bots) used by miscreants for a wide range of illegal activities (e.g., sending spam emails, denial-of-service attacks, phishing and other web scams). To protect the identity and to maximise the availability of the core components of their business, miscreants have recently started to use fast-flux service networks: large groups of bots acting as front-end proxies to these components. Motivated by the conviction that prompt detection and monitoring of these networks is an essential step in countering the problem posed by botnets, we have developed FluXOR, a system to detect and monitor fast-flux service networks. FluXOR's monitoring and detection strategies rely entirely on the analysis of a set of features observable from the point of view of a victim of the scams perpetrated through botnets. We have been using FluXOR for about a month and so far we have detected 387 fast-flux service networks, composed in total of 31998 distinct compromised machines, which we believe to be associated with 16 botnets.



Editor information

Diego Zamboni


Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Passerini, E., Paleari, R., Martignoni, L., Bruschi, D. (2008). FluXOR: Detecting and Monitoring Fast-Flux Service Networks. In: Zamboni, D. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2008. Lecture Notes in Computer Science, vol 5137. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-70542-0_10


  • DOI: https://doi.org/10.1007/978-3-540-70542-0_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-70541-3

  • Online ISBN: 978-3-540-70542-0
