Finding Fast Flux Traffic in DNS Haystack

Abstract

Fast-Flux (FF), a technique that associates a hostname with many IP addresses, is used by cybercriminals to hide their botnet servers, giving the operation anonymity and resiliency. An FF service network, often used for phishing campaigns and for propagating malware against critical infrastructure, operates much like a Content Delivery Network (CDN), which makes the two services hard to tell apart. In this research, the authors present a case study of how FF operates and how it can be detected in an Internet Service Provider (ISP) network: a high volume of DNS traffic was collected over five months and analysed by extracting several DNS features and feeding them into K-means clustering to distinguish the two services. The experiment shows that using web service content as one of the features separates the two services with a purity value of 0.922.

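The pipeline the abstract describes (per-hostname DNS features, K-means with k=2, purity scored against known labels) as an added worked example. This is illustration code written for this page, not the authors' code, and it does not reproduce their feature set, their five months of ISP traffic or the 0.922 result: the two features (ASN-to-IP ratio of the answers, and the share of answers whose fetched page matches the majority content hash), the hostnames, the DNS records and the labels are all constructed assumptions, and the content hash stands in for whatever "web service content" measure the paper uses.

```python
# Toy version of the pipeline in the abstract: DNS features -> k-means -> purity.
# Added illustration, not code from the paper; records, features and labels are
# constructed assumptions chosen so the example is deterministic and runs offline.
import math
from collections import Counter, defaultdict

# Constructed DNS answer records: (hostname, ttl_seconds, answer_ip, origin_asn, body_hash).
# body_hash stands in for the paper's "web service content" feature: a digest of the
# HTTP response fetched from that answer IP. TTLs overlap across both groups on purpose.
RECORDS = [
    # CDN-like: many edge IPs in a few ASNs, every edge serving the same page.
    ("cdn-a.example", 60, "198.51.100.1", 64500, "h1"),
    ("cdn-a.example", 60, "198.51.100.2", 64500, "h1"),
    ("cdn-a.example", 60, "198.51.100.3", 64500, "h1"),
    ("cdn-a.example", 60, "198.51.100.4", 64500, "h1"),
    ("cdn-b.example", 300, "198.51.100.10", 64500, "h2"),
    ("cdn-b.example", 300, "198.51.100.11", 64500, "h2"),
    ("cdn-b.example", 300, "198.51.100.12", 64501, "h2"),
    ("cdn-b.example", 300, "198.51.100.13", 64501, "h2"),
    ("cdn-b.example", 300, "198.51.100.14", 64502, "h2"),
    ("cdn-b.example", 300, "198.51.100.15", 64502, "h2"),
    ("cdn-c.example", 30, "198.51.100.20", 64503, "h3"),
    ("cdn-c.example", 30, "198.51.100.21", 64503, "h3"),
    ("cdn-c.example", 30, "198.51.100.22", 64504, "h3"),
    # Fast-flux-like: compromised hosts, each proxy returning its own version of the page.
    ("flux-a.example", 300, "203.0.113.7", 64510, "h4"),
    ("flux-a.example", 300, "203.0.113.8", 64511, "h4"),
    ("flux-a.example", 300, "203.0.113.9", 64512, "h5"),
    ("flux-a.example", 300, "203.0.113.10", 64513, "h6"),
    ("flux-b.example", 60, "192.0.2.30", 64520, "h7"),
    ("flux-b.example", 60, "192.0.2.31", 64520, "h8"),
    ("flux-b.example", 60, "192.0.2.32", 64520, "h9"),
    ("flux-b.example", 60, "192.0.2.33", 64521, "h10"),
    ("flux-b.example", 60, "192.0.2.34", 64521, "h11"),
    ("flux-b.example", 60, "192.0.2.35", 64521, "h12"),
    ("flux-c.example", 120, "203.0.113.50", 64530, "h13"),
    ("flux-c.example", 120, "203.0.113.51", 64531, "h14"),
    ("flux-c.example", 120, "203.0.113.52", 64532, "h15"),
]
# Ground truth, used only to score the clustering (never fed to k-means).
LABELS = {h: ("cdn" if h.startswith("cdn") else "fastflux") for h, *_ in RECORDS}


def extract_features(records):
    """One feature vector per hostname (assumed features, not the paper's list)."""
    by_host = defaultdict(list)
    for host, ttl, ip, asn, body_hash in records:
        by_host[host].append((ttl, ip, asn, body_hash))
    feats = {}
    for host, rows in by_host.items():
        ips = {ip for _, ip, _, _ in rows}
        asns = {asn for _, _, asn, _ in rows}
        majority = Counter(h for _, _, _, h in rows).most_common(1)[0][1]
        feats[host] = {
            "asn_ratio": len(asns) / len(ips),            # ASN diversity of the answers
            "mean_ttl": sum(r[0] for r in rows) / len(rows),
            "content_consistency": majority / len(rows),  # answers serving the majority page
        }
    return feats


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k=2, max_iter=100):
    """Lloyd's k-means with deterministic farthest-point seeding (points[0] is seed 0)."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    assign = None
    for _ in range(max_iter):
        new = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in points]
        if new == assign:
            break
        assign = new
        for j in range(k):
            members = [p for p, a in zip(points, assign) if a == j]
            if members:
                centroids[j] = tuple(sum(col) / len(members) for col in zip(*members))
    return assign


def purity(hosts, assign, labels):
    """Purity = (1/N) * sum over clusters of the size of each cluster's majority label."""
    per_cluster = defaultdict(Counter)
    for host, cluster in zip(hosts, assign):
        per_cluster[cluster][labels[host]] += 1
    return sum(c.most_common(1)[0][1] for c in per_cluster.values()) / len(hosts)


def run(feature_names, records=RECORDS, labels=LABELS):
    """Cluster the hosts on the chosen features; return (purity, {host: cluster id})."""
    feats = extract_features(records)
    hosts = list(feats)
    points = [tuple(feats[h][f] for f in feature_names) for h in hosts]
    assign = kmeans(points)
    return purity(hosts, assign, labels), dict(zip(hosts, assign))


if __name__ == "__main__":
    for names in (["asn_ratio"], ["asn_ratio", "content_consistency"]):
        p, clusters = run(names)
        print(f"features={names}: purity={p:.3f} clusters={clusters}")
```

Running it clusters first on the DNS-only feature and then with the content feature added. On this constructed set the DNS-only run leaves two hosts on the wrong side (a multi-ASN CDN looks like flux, a two-ASN flux domain looks like a CDN), while adding content consistency separates the groups cleanly. That is the mechanism behind the abstract's claim; on real ISP traffic the numbers will differ, and k-means should be seeded with several starts (k-means++) rather than the fixed seeding used here for reproducibility.
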
Surjanto, W., & Lim, C. (2020). Finding Fast Flux Traffic in DNS Haystack. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 12332 LNCS, pp. 69–82). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-58295-1_6