Charlatans' Web: Analysis and Application of Global IP-Usage Patterns of Fast-Flux Botnets
Final rept. 1 Apr 2009-31 May 2010
MICHIGAN UNIV ANN ARBOR
Botnet-based hosting or redirection/proxy services provide botmasters with an ideal platform for hosting malicious and illegal content while affording them a high level of misdirection and protection. Because of the unreliable connectivity of the constituent bots (typically compromised home computers), domains built atop botnets require frequent updates to their DNS records, replacing the IPs of offline bots with online ones to prevent a disruption in malicious service. Consequently, their DNS records contain a large number of constantly changing (i.e., "fluxy") IPs, earning them the descriptive moniker of fast-flux domains (when both the content and name servers are fluxy, double fast-flux domains). In this paper, we study the global IP-usage patterns exhibited by different types of malicious and benign domains, including single and double fast-flux domains. We have deployed a lightweight DNS-probing engine, called DIGGER, on 240 PlanetLab nodes spanning 4 continents. Collecting DNS data for over 3.5 months on a plethora of domains, our global vantage points enabled us to identify distinguishing behavioral features between them based on their DNS query results.
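The IP-usage features the abstract describes (many distinct, constantly changing IPs across repeated lookups) can be computed from a series of DNS probe results. The following is an added example, not code from the report or from the DIGGER engine; the probe data is constructed, and the thresholds in `looks_fast_flux` are illustrative assumptions. It handles single fast-flux (A records); double fast-flux would apply the same features to the domain's NS records.

```python
"""Fast-flux indicators from repeated DNS A-record probes (added example)."""
from ipaddress import ip_network

# Constructed probe data, one tuple per lookup:
# (seconds since first probe, TTL returned, A records returned).
FLUXY_PROBES = [
    (0,   300, ["203.0.113.10", "198.51.100.7", "192.0.2.44"]),
    (300, 300, ["203.0.113.10", "198.51.100.99", "192.0.2.8"]),
    (600, 300, ["203.0.113.250", "198.51.100.99", "100.64.3.1"]),
    (900, 300, ["100.64.3.1", "100.64.77.2", "192.0.2.8"]),
]
BENIGN_PROBES = [
    (0,   86400, ["93.184.216.34", "93.184.216.35"]),
    (300, 86400, ["93.184.216.34", "93.184.216.35"]),
    (600, 86400, ["93.184.216.35", "93.184.216.34"]),
    (900, 86400, ["93.184.216.34", "93.184.216.35"]),
]

def distinct_ips(probes):
    """Every IP the domain resolved to over the whole observation window."""
    return {ip for _, _, ips in probes for ip in ips}

def distinct_prefixes(probes, bits=16):
    """Distinct /16 networks; bots on home connections tend to span many ISPs."""
    return len({ip_network(f"{ip}/{bits}", strict=False) for ip in distinct_ips(probes)})

def churn(probes):
    """Fraction of consecutive probe pairs whose A-record set changed."""
    pairs = list(zip(probes, probes[1:]))
    if not pairs:
        return 0.0
    changed = sum(1 for (_, _, a), (_, _, b) in pairs if set(a) != set(b))
    return changed / len(pairs)

def flux_features(probes):
    """Behavioral features derived from the probe series."""
    return {
        "distinct_ips": len(distinct_ips(probes)),
        "distinct_prefixes": distinct_prefixes(probes),
        "churn": churn(probes),
        "min_ttl": min(ttl for _, ttl, _ in probes),
    }

def looks_fast_flux(probes, min_ips=5, min_prefixes=3, min_churn=0.5, max_ttl=3600):
    """Illustrative rule (assumed thresholds): many IPs over many prefixes,
    short TTLs, and a record set that keeps changing between probes."""
    f = flux_features(probes)
    return (f["distinct_ips"] >= min_ips and f["distinct_prefixes"] >= min_prefixes
            and f["churn"] >= min_churn and f["min_ttl"] <= max_ttl)
```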