DNS for Massive-Scale Command and Control

Author

Kui Xu ; Butler, Patrick ; Saha, Simanto ; Danfeng Yao

Author_Institution

Dept. of Comput. Sci., Virginia Tech, Blacksburg, VA, USA

Volume

10

Issue

3

fYear

2013

fDate

May-June 2013

Firstpage

143

Lastpage

153

Abstract

Attackers, in particular botnet controllers, use stealthy messaging systems to set up large-scale command and control. To systematically understand the potential capability of attackers, we investigate the feasibility of using domain name service (DNS) as a stealthy botnet command-and-control channel. We describe and quantitatively analyze several techniques that can be used to effectively hide malicious DNS activities at the network level. Our experimental evaluation makes use of a two-month-long 4.6-GB campus network data set and 1 million domain names obtained from alexa.com. We conclude that the DNS-based stealthy command-and-control channel (in particular, the codeword mode) can be very powerful for attackers, showing the need for further research by defenders in this direction. The statistical analysis of DNS payload as a countermeasure has practical limitations inhibiting its large-scale deployment.

Keywords

Internet; command and control systems; computer network security; statistical analysis; DNS; DNS payload; DNS-based stealthy command-and-control channel; botnet controllers; campus network data set; domain name service; large-scale deployment; malicious DNS activities; massive-scale command and control; statistical analysis; stealthy botnet command-and-control channel; stealthy messaging systems; Command and control systems; IP networks; Libraries; Payloads; Protocols; Servers; Tunneling; DNS security; Network security; and command and control; botnet detection;

fLanguage

English

Journal_Title

Dependable and Secure Computing, IEEE Transactions on

Publisher

ieee

ISSN

1545-5971

Type

jour

DOI

10.1109/TDSC.2013.10

Filename

6461889