Fast Flux Service Network Detection via Data Mining on Passive DNS Traffic
Pierangelo Lombardo, Salvatore Saeli, Federica Bisio, Davide Bernardi, and Danilo Massa

TL;DR
This paper presents a passive DNS traffic analysis method for detecting fast flux service networks in real-time, demonstrating high accuracy and low false positives in enterprise network experiments.
Contribution
It introduces a novel data mining-based detection algorithm that effectively identifies fast flux domains with improved performance over previous methods.
Findings
High detection accuracy with low false positive rate
Successful identification of notorious FFSNs Dark Cloud and SandiFlux
Significant performance improvement over prior approaches
Abstract
In the last decade, the use of the fast flux technique has become established as a common practice to organise botnets in Fast Flux Service Networks (FFSNs), which are platforms able to sustain illegal online services with very high availability. In this paper, we report on an effective fast flux detection algorithm based on the passive analysis of the Domain Name System (DNS) traffic of a corporate network. The proposed method is based on the near-real-time identification of different metrics that measure a wide range of fast flux key features; the metrics are combined via a simple but effective mathematical and data mining approach. The proposed solution has been evaluated in a one-month experiment over an enterprise network, with the injection of pcaps associated with different malware campaigns, which leverage FFSNs and cover a wide variety of attack scenarios. An in-depth analysis of a…
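The abstract describes per-domain metrics computed from passively observed DNS responses and then combined into a detection decision, without naming the metrics or the combination rule. The following is an added illustrative example, not code from the paper or its authors: it extracts a few widely used fast flux indicators (number of distinct A records, number of distinct /24 prefixes, mean TTL, and IP churn per response) from constructed passive DNS records and combines them with assumed weights and thresholds. The record format, the metric choice, the `flux_score` weights and the `0.6` decision threshold are all assumptions made for this example.

```python
"""Passive DNS fast flux feature extraction and scoring.

Added illustrative example; the paper's actual metrics and combination
rule are not specified on this page. Everything below (record layout,
metrics, weights, thresholds, sample data) is a constructed assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import mean


@dataclass(frozen=True)
class DnsAnswer:
    ts: int       # epoch seconds at which the response was observed
    qname: str    # queried domain name
    ip: str       # IPv4 address from one A record in the response
    ttl: int      # TTL of that A record


# Constructed sample (documentation-range addresses, not real observations):
# "flux.example" rotates through many short-TTL addresses spread over several
# prefixes; "stable.example" answers with a couple of long-TTL addresses.
SAMPLE = [
    DnsAnswer(1000, "flux.example", "198.51.100.10", 120),
    DnsAnswer(1000, "flux.example", "203.0.113.45", 120),
    DnsAnswer(1300, "flux.example", "192.0.2.77", 90),
    DnsAnswer(1300, "flux.example", "198.51.100.200", 90),
    DnsAnswer(1600, "flux.example", "203.0.113.9", 60),
    DnsAnswer(1600, "flux.example", "192.0.2.150", 60),
    DnsAnswer(1000, "stable.example", "192.0.2.1", 3600),
    DnsAnswer(1300, "stable.example", "192.0.2.1", 3600),
    DnsAnswer(1600, "stable.example", "192.0.2.2", 3600),
]


def extract_features(records):
    """Group answers by domain and compute per-domain indicators:
    distinct IPs, distinct /24 prefixes, mean TTL, and distinct IPs per
    observed response (a simple churn measure)."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r.qname].append(r)
    features = {}
    for qname, rs in by_domain.items():
        ips = {r.ip for r in rs}
        prefixes = {str(ip_network(f"{r.ip}/24", strict=False)) for r in rs}
        responses = {r.ts for r in rs}   # one response per observed timestamp
        features[qname] = {
            "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "mean_ttl": mean(r.ttl for r in rs),
            "ips_per_response": len(ips) / len(responses),
        }
    return features


def flux_score(f):
    """Map the indicators to [0, 1] and combine them with fixed weights.
    Weights and saturation points are illustrative assumptions only."""
    ip_term = min(f["distinct_ips"] / 5, 1.0)            # saturates at 5 IPs
    prefix_term = min(f["distinct_prefixes"] / 3, 1.0)   # saturates at 3 /24s
    # TTL at or below 300 s counts fully; longer TTLs decay linearly to 0 at 3600 s
    ttl = f["mean_ttl"]
    ttl_term = 1.0 if ttl <= 300 else max(0.0, 1 - (ttl - 300) / 3300)
    churn_term = min(f["ips_per_response"] / 2, 1.0)     # saturates at 2 new IPs/response
    return round(0.3 * ip_term + 0.3 * prefix_term + 0.2 * ttl_term + 0.2 * churn_term, 3)


def classify(records, threshold=0.6):
    """Return {domain: (score, flagged)} using an assumed decision threshold."""
    return {q: (flux_score(f), flux_score(f) >= threshold)
            for q, f in extract_features(records).items()}


if __name__ == "__main__":
    for domain, (score, flagged) in classify(SAMPLE).items():
        print(f"{domain:16} score={score:.3f} flagged={flagged}")
```

In a deployment the records would come from a passive DNS sensor on the resolver path, features would be recomputed over a sliding window, and the threshold would be tuned against the enterprise's own benign traffic, since CDNs and large cloud services also show multiple addresses and low TTLs; prefix and autonomous-system diversity is what usually separates them from flux networks.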
