research-article

DNS for Massive-Scale Command and Control

Authors:

Kui Xu,

Patrick Butler,

Sudip Saha,

Danfeng (Daphne) YaoAuthors Info & Claims

IEEE Transactions on Dependable and Secure Computing, Volume 10, Issue 3

Pages 143 - 153

https://doi.org/10.1109/TDSC.2013.10

Published: 01 May 2013 Publication History

Abstract

Attackers, in particular botnet controllers, use stealthy messaging systems to set up large-scale command and control. To systematically understand the potential capability of attackers, we investigate the feasibility of using domain name service (DNS) as a stealthy botnet command-and-control channel. We describe and quantitatively analyze several techniques that can be used to effectively hide malicious DNS activities at the network level. Our experimental evaluation makes use of a two-month-long 4.6-GB campus network data set and 1 million domain names obtained from >alexa.com. We conclude that the DNS-based stealthy command-and-control channel (in particular, the codeword mode) can be very powerful for attackers, showing the need for further research by defenders in this direction. The statistical analysis of DNS payload as a countermeasure has practical limitations inhibiting its large-scale deployment.

Cited By

View all

Liu GJin LHao SZhang YLiu DStavrou AWang HMontpetit MLeivadeas AUhlig SJaved M(2023)Dial "N" for NXDomain: The Scale, Origin, and Security Implications of DNS Queries to Non-Existent DomainsProceedings of the 2023 ACM on Internet Measurement Conference10.1145/3618257.3624805(198-212)Online publication date: 24-Oct-2023
https://dl.acm.org/doi/10.1145/3618257.3624805
Žiža KTadić PVuletić P(2023)DNS exfiltration detection in the presence of adversarial attacks and modified exfiltrator behaviourInternational Journal of Information Security10.1007/s10207-023-00723-w22:6(1865-1880)Online publication date: 1-Dec-2023
https://dl.acm.org/doi/10.1007/s10207-023-00723-w
Moure-Garrido MCampo CGarcia-Rubio CIgartua Mde la Cruz Llopis LBegin T(2022)Detecting Malicious Use of DoH Tunnels Using Statistical Traffic AnalysisProceedings of the 19th ACM International Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks10.1145/3551663.3558605(25-32)Online publication date: 24-Oct-2022
https://dl.acm.org/doi/10.1145/3551663.3558605
Show More Cited By

Recommendations

Early Detection of Malicious Flux Networks via Large-Scale Passive DNS Traffic Analysis

In this paper, we present FluxBuster, a novel passive DNS traffic analysis system for detecting and tracking malicious flux networks. FluxBuster applies large-scale monitoring of DNS traffic traces generated by recursive DNS (RDNS) servers located in ...
Issues and challenges in DNS based botnet detection: A survey
Abstract
Cybercrimes are evolving on a regular basis and as such these crimes are becoming a greater threat day by day. Earlier these threats were very general and unorganized. In the last decade, these attacks have become highly sophisticated ...
On Botnets That Use DNS for Command and Control
EC2ND '11: Proceedings of the 2011 Seventh European Conference on Computer Network Defense

We discovered and reverse engineered Feederbot, a botnet that uses DNS as carrier for its command and control. Using k-Means clustering and a Euclidean Distance based classifier, we correctly classified more than 14m DNS transactions of 42,143 malware ...

Comments

Information & Contributors

Information

Published In

cover image IEEE Transactions on Dependable and Secure Computing

IEEE Transactions on Dependable and Secure Computing Volume 10, Issue 3

May 2013

67 pages

ISSN:1545-5971

Issue’s Table of Contents

Publisher

IEEE Computer Society Press

Washington, DC, United States

Publication History

Published: 01 May 2013

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

15
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 03 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Liu GJin LHao SZhang YLiu DStavrou AWang HMontpetit MLeivadeas AUhlig SJaved M(2023)Dial "N" for NXDomain: The Scale, Origin, and Security Implications of DNS Queries to Non-Existent DomainsProceedings of the 2023 ACM on Internet Measurement Conference10.1145/3618257.3624805(198-212)Online publication date: 24-Oct-2023
https://dl.acm.org/doi/10.1145/3618257.3624805
Žiža KTadić PVuletić P(2023)DNS exfiltration detection in the presence of adversarial attacks and modified exfiltrator behaviourInternational Journal of Information Security10.1007/s10207-023-00723-w22:6(1865-1880)Online publication date: 1-Dec-2023
https://dl.acm.org/doi/10.1007/s10207-023-00723-w
Moure-Garrido MCampo CGarcia-Rubio CIgartua Mde la Cruz Llopis LBegin T(2022)Detecting Malicious Use of DoH Tunnels Using Statistical Traffic AnalysisProceedings of the 19th ACM International Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks10.1145/3551663.3558605(25-32)Online publication date: 24-Oct-2022
https://dl.acm.org/doi/10.1145/3551663.3558605
Lyu MGharakheili HSivaraman V(2022)A Survey on DNS Encryption: Current Development, Malware Misuse, and Inference TechniquesACM Computing Surveys10.1145/354733155:8(1-28)Online publication date: 13-Jul-2022
https://dl.acm.org/doi/10.1145/3547331
Xie XNiu WZhang XRen ZLuo YLi J(2019)Co-Clustering Host-Domain Graphs to Discover Malware InfectionProceedings of the 2019 International Conference on Artificial Intelligence and Advanced Manufacturing10.1145/3358331.3358380(1-6)Online publication date: 17-Oct-2019
https://dl.acm.org/doi/10.1145/3358331.3358380
Vetterl AClayton RRossow CYounan Y(2018)Bitter harvestProceedings of the 12th USENIX Conference on Offensive Technologies10.5555/3307423.3307432(9-9)Online publication date: 13-Aug-2018
https://dl.acm.org/doi/10.5555/3307423.3307432
Zhu FYun YWei JKang BWang YKim DLi PXu HWang R(2018)A Reflective Covert Channel Attack Anchored on Trusted Web ServicesWeb Services – ICWS 201810.1007/978-3-319-94289-6_6(84-99)Online publication date: 25-Jun-2018
https://dl.acm.org/doi/10.1007/978-3-319-94289-6_6
Kedrowitsch AYao DWang GCameron KMultari NSinghal AMiler E(2017)A First LookProceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense10.1145/3140368.3140371(15-22)Online publication date: 3-Nov-2017
https://dl.acm.org/doi/10.1145/3140368.3140371
Hao SWang H(2017)Exploring Domain Name Based Features on the Effectiveness of DNS CachingACM SIGCOMM Computer Communication Review10.1145/3041027.304103247:1(36-42)Online publication date: 17-Jan-2017
https://dl.acm.org/doi/10.1145/3041027.3041032
Mohaisen ARen KMohaisen AKui Ren (2017)Leakage of .onion at the DNS RootIEEE/ACM Transactions on Networking10.1109/TNET.2017.271796525:5(3059-3072)Online publication date: 1-Oct-2017
https://dl.acm.org/doi/10.1109/TNET.2017.2717965
Show More Cited By

View Options

View options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Abstract

Cited By

Recommendations

Early Detection of Malicious Flux Networks via Large-Scale Passive DNS Traffic Analysis

Issues and challenges in DNS based botnet detection: A survey

On Botnets That Use DNS for Command and Control

Comments

Information

Published In

Publisher

Publication History

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Get Access

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations