DNS for Massive-Scale Command and Control
May-June 2013 (vol. 10 no. 3)
pp. 143-153
Kui Xu, Virginia Tech, Blacksburg
Patrick Butler, Virginia Tech, Blacksburg
Sudip Saha, Virginia Tech, Blacksburg
Danfeng Yao, Virginia Tech, Blacksburg
Attackers, in particular botnet controllers, use stealthy messaging systems to set up large-scale command and control. To systematically understand the potential capability of attackers, we investigate the feasibility of using domain name service (DNS) as a stealthy botnet command-and-control channel. We describe and quantitatively analyze several techniques that can be used to effectively hide malicious DNS activities at the network level. Our experimental evaluation makes use of a two-month-long 4.6-GB campus network data set and 1 million domain names obtained from alexa.com. We conclude that the DNS-based stealthy command-and-control channel (in particular, the codeword mode) can be very powerful for attackers, showing the need for further research by defenders in this direction. The statistical analysis of DNS payload as a countermeasure has practical limitations inhibiting its large-scale deployment.
Index Terms:
Servers, Protocols, Command and control systems, Libraries, Tunneling, IP networks, Payloads, Command and control, Network security, DNS security, Botnet detection
Citation:
Kui Xu, Patrick Butler, Sudip Saha, Danfeng Yao, "DNS for Massive-Scale Command and Control," IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 3, pp. 143-153, May-June 2013, doi:10.1109/TDSC.2013.10