Article

On Botnets That Use DNS for Command and Control

Authors:

Christian J. Dietrich,

Norbert PohlmannAuthors Info & Claims

EC2ND '11: Proceedings of the 2011 Seventh European Conference on Computer Network Defense

Pages 9 - 16

https://doi.org/10.1109/EC2ND.2011.16

Published: 06 September 2011 Publication History

Abstract

We discovered and reverse engineered Feederbot, a botnet that uses DNS as carrier for its command and control. Using k-Means clustering and a Euclidean Distance based classifier, we correctly classified more than 14m DNS transactions of 42,143 malware samples concerning DNS-C&C usage, revealing another bot family with DNS C&C. In addition, we correctly detected DNS C&C in mixed office workstation network traffic.

Cited By

View all

Moure-Garrido MCampo CGarcia-Rubio CIgartua Mde la Cruz Llopis LBegin T(2022)Detecting Malicious Use of DoH Tunnels Using Statistical Traffic AnalysisProceedings of the 19th ACM International Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks10.1145/3551663.3558605(25-32)Online publication date: 24-Oct-2022
https://dl.acm.org/doi/10.1145/3551663.3558605
Joback Shing Alperin KGomez Jorgensen Elkin (2020)A Statistical Approach to Detecting Low-Throughput Exfiltration through the Domain Name System ProtocolProceedings of the 2020 Workshop on DYnamic and Novel Advances in Machine Learning and Intelligent Cyber Security10.1145/3477997.3478007(1-10)Online publication date: 7-Dec-2020
https://dl.acm.org/doi/10.1145/3477997.3478007
De SBarik MBanerjee IHansdah RKrishnaswamy DVaidya N(2019)A percolation-based recovery mechanism for bot infected P2P cloudProceedings of the 20th International Conference on Distributed Computing and Networking10.1145/3288599.3295597(474-479)Online publication date: 4-Jan-2019
https://dl.acm.org/doi/10.1145/3288599.3295597
Show More Cited By

Recommendations

Identifying botnets by capturing group activities in DNS traffic

Botnets have become the main vehicle to conduct online crimes such as DDoS, spam, phishing and identity theft. Even though numerous efforts have been directed towards detection of botnets, evolving evasion techniques easily thwart detection. Moreover, ...
DGA-based botnets detection using DNS traffic mining
Abstract
Botnet is a network of infected workstations that are remotely managed by BotMaster via the command and control (C&C) server. Botnets pose a serious threat to network security since they are the source of a variety of malicious behaviors such as ...
A method for identifying compromised clients based on DNS traffic analysis

DNS is widely abused by Internet criminals in order to provide reliable communication within malicious network infrastructure as well as flexible and resilient hosting of malicious content. This paper presents a novel detection method that can be used ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

EC2ND '11: Proceedings of the 2011 Seventh European Conference on Computer Network Defense

September 2011

58 pages

ISBN:9780769547626

Publisher

IEEE Computer Society

United States

Publication History

Published: 06 September 2011

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

12
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 18 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Moure-Garrido MCampo CGarcia-Rubio CIgartua Mde la Cruz Llopis LBegin T(2022)Detecting Malicious Use of DoH Tunnels Using Statistical Traffic AnalysisProceedings of the 19th ACM International Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks10.1145/3551663.3558605(25-32)Online publication date: 24-Oct-2022
https://dl.acm.org/doi/10.1145/3551663.3558605
Joback Shing Alperin KGomez Jorgensen Elkin (2020)A Statistical Approach to Detecting Low-Throughput Exfiltration through the Domain Name System ProtocolProceedings of the 2020 Workshop on DYnamic and Novel Advances in Machine Learning and Intelligent Cyber Security10.1145/3477997.3478007(1-10)Online publication date: 7-Dec-2020
https://dl.acm.org/doi/10.1145/3477997.3478007
De SBarik MBanerjee IHansdah RKrishnaswamy DVaidya N(2019)A percolation-based recovery mechanism for bot infected P2P cloudProceedings of the 20th International Conference on Distributed Computing and Networking10.1145/3288599.3295597(474-479)Online publication date: 4-Jan-2019
https://dl.acm.org/doi/10.1145/3288599.3295597
Brooks RYu LFu YHambolu OGaynard JOwono JYepmou ABlanc F(2018)Internet freedom in West AfricaCommunications of the ACM10.1145/319947761:5(72-82)Online publication date: 24-Apr-2018
https://dl.acm.org/doi/10.1145/3199477
Zhauniarovich YKhalil IYu TDacier M(2018)A Survey on Malicious Domains Detection through DNS Data AnalysisACM Computing Surveys10.1145/319132951:4(1-36)Online publication date: 6-Jul-2018
https://dl.acm.org/doi/10.1145/3191329
Hao SKantchelian AMiller BPaxson VFeamster NWeippl EKatzenbeisser SKruegel CMyers AHalevi S(2016)PREDATORProceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security10.1145/2976749.2978317(1568-1579)Online publication date: 24-Oct-2016
https://dl.acm.org/doi/10.1145/2976749.2978317
Buczak AHanke PCancro GToma MWatkins LChavis JTrien JProwell SGoodall JBridges R(2016)Detection of Tunnels in PCAP Data by Random ForestsProceedings of the 11th Annual Cyber and Information Security Research Conference10.1145/2897795.2897804(1-4)Online publication date: 5-Apr-2016
https://dl.acm.org/doi/10.1145/2897795.2897804
Anagnostopoulos MKambourakis GGritzalis S(2016)New facets of mobile botnetInternational Journal of Information Security10.1007/s10207-015-0310-015:5(455-473)Online publication date: 1-Oct-2016
https://dl.acm.org/doi/10.1007/s10207-015-0310-0
Hands NYang BHansen RSettle ASteinbach TBoisvert D(2015)A Study on Botnets Utilizing DNSProceedings of the 4th Annual ACM Conference on Research in Information Technology10.1145/2808062.2808070(23-28)Online publication date: 29-Sep-2015
https://dl.acm.org/doi/10.1145/2808062.2808070
Shue CKalafut A(2013)Resolvers RevealedACM Transactions on Internet Technology10.1145/2499926.249992812:4(1-17)Online publication date: 1-Jul-2013
https://dl.acm.org/doi/10.1145/2499926.2499928
Show More Cited By

Abstract

Cited By

Recommendations

Identifying botnets by capturing group activities in DNS traffic

DGA-based botnets detection using DNS traffic mining

A method for identifying compromised clients based on DNS traffic analysis

Comments

Information

Published In

Publisher

Publication History

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations