• DocumentCode
    1940627
  • Title

    Good guys vs. Bot Guise: Mimicry attacks against fast-flux detection systems

  • Author

    Knysz, Matthew ; Hu, Xin ; Shin, Kang G.

  • Author_Institution
    Univ. of Michigan, Ann Arbor, MI, USA
  • fYear
    2011
  • fDate
    10-15 April 2011
  • Firstpage
    1844
  • Lastpage
    1852
  • Abstract
    In this paper, we explore the escalating “arms race” between fast-flux (FF) botnet detectors and the botmasters' effort to subvert them, and investigate several novel mimicry-attack techniques that allow botmasters to avoid detection. We first analyze the state-of-art FF detectors and their effectiveness against the current botnet threat, demonstrating how botmasters can - with their current resources - thwart detection strategies. Based on the realistic assumptions inferred from empirically observed trends, we create formal models for bot decay, online availability, DNS-advertisement strategies and performance, allowing us to demonstrate the effectiveness of different mimicry attacks and evaluate their effects on the overall online availability and capacity of botnets.
  • Keywords
    authorisation; invasive software; DNS-advertisement strategy; FF detector; fast-flux botnet detector; fast-flux detection system; mimicry attack; Advertising; Availability; Computers; Detectors; IP networks; Monitoring; Servers;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    INFOCOM, 2011 Proceedings IEEE
  • Conference_Location
    Shanghai
  • ISSN
    0743-166X
  • Print_ISBN
    978-1-4244-9919-9
  • Type

    conf

  • DOI
    10.1109/INFCOM.2011.5934985
  • Filename
    5934985