DocumentCode
3705325
Title
GFlux: A google-based system for Fast Flux detection
Author
Basheer Al-Duwairi;Ahmad Al-Hammouri;Monther Aldwairi;Vern Paxson
Author_Institution
Department of Network Engineering and Security, Jordan University of Science and Technology, Irbid 22110, Jordan
fYear
2015
Firstpage
755
Lastpage
756
Abstract
Fast Flux Networks (FFNs) are a technique used by botnets to rapidly change the IP addresses associated with botnet infrastructure and spam websites by adopting mechanisms similar to those used in Content Distribution Networks (CDNs) and Round Robin DNS Systems (RRDNS). In this work we present a novel approach, called GFlux, for fast flux detection. GFlux analyzes result pages returned by the Google search engine for queries consisting of IP addresses associated with suspect domain names. We base the GFlux approach on the observation that the number of hits returned by Google for queries associated with FFN domains should generally be much lower than those associated with legitimate domains, particularly those used by CDNs. Our preliminary results show that the number of hits provides a key feature that can aid with accurately classifying domain names as either fast flux domains or non-fast-flux domains.
Keywords
"IP networks","Google","Electronic mail","Search engines","Internet","Security","Feature extraction"
Publisher
ieee
Conference_Titel
Communications and Network Security (CNS), 2015 IEEE Conference on
Type
conf
DOI
10.1109/CNS.2015.7346920
Filename
7346920