Fast-flux is a Domain Name System(DNS)technique used by botnets to organise compromised hosts into a high-availability,loadbalancing network that is similar to Content Delivery Networks(CDNs).Fast-Flux Service Networks(FFSNs)are usually used as proxies of phishing websites and malwares,and hide upstream servers that host actual content.In this paper,by analysing recursive DNS traffic,we develop a fast-flux domain detection method which combines both real-time detection and long-term monitoring.Experimental results demonstrate that our solution can achieve significantly higher detection accuracy values than previous flux-score based algorithms,and is light-weight in terms of resource consumption.We evaluate the performance of the proposed fast-flux detection and tracking solution during a 180-day period of deployment on our university’s DNS servers.Based on the tracking results,we successfully identify the changes in the distribution of FFSN and their roles in recent Internet attacks.
展开▼