Issue No.03 - May-June (2013 vol.10)
pp: 143-153
Kui Xu , Virginia Tech, Blacksburg
Patrick Butler , Virginia Tech, Blacksburg
Sudip Saha , Virginia Tech, Blacksburg
Danfeng Yao , Virginia Tech, Blacksburg
ABSTRACT
Attackers, in particular botnet controllers, use stealthy messaging systems to set up large-scale command and control. To systematically understand the potential capability of attackers, we investigate the feasibility of using the Domain Name System (DNS) as a stealthy botnet command-and-control channel. We describe and quantitatively analyze several techniques that can be used to effectively hide malicious DNS activities at the network level. Our experimental evaluation makes use of a two-month-long 4.6-GB campus network data set and 1 million domain names obtained from alexa.com. We conclude that the DNS-based stealthy command-and-control channel (in particular, the codeword mode) can be very powerful for attackers, showing the need for further research by defenders in this direction. The statistical analysis of DNS payload as a countermeasure has practical limitations inhibiting its large-scale deployment.
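The abstract contrasts two ways of hiding a command channel in DNS and notes that payload statistics are a limited countermeasure. The following is an added illustration written for this page, not code from Xu et al. or from the paper: a toy channel in a tunnelled mode (data encoded into query-name labels) and a codeword mode (the bot resolves a pre-shared, ordinary-looking hostname and reads the command from the answer), plus a detector that computes label length and character entropy over the query name. The zone name, the codeword table, the encoding of the command in the A record's last octet, the thresholds and every sample query are assumptions constructed for the example; the paper's own mechanisms may differ.

```python
# Added example (not code from Xu et al. or the paper): a toy DNS C&C channel in
# the two modes the abstract names, plus a DNS-payload statistics detector that
# catches the tunnelled mode but not the codeword mode. The zone, the codeword
# table, the command encoding in the answer, the thresholds and the sample
# queries are assumptions constructed for this illustration.
import base64
import math
from collections import Counter

C2_ZONE = "cdn-metrics.example"  # assumed attacker-controlled zone


def tunnel_encode(payload: bytes, zone: str = C2_ZONE, label_len: int = 50) -> list:
    """Tunnelled mode: bot-to-controller data rides in the query name itself.
    The payload is base32-encoded (valid hostname characters) and split into
    labels of at most 63 bytes; a sequence number lets the controller reorder."""
    enc = base64.b32encode(payload).decode().rstrip("=").lower()
    chunks = [enc[i:i + label_len] for i in range(0, len(enc), label_len)]
    return ["%d.%s.%s" % (seq, chunk, zone) for seq, chunk in enumerate(chunks)]


def tunnel_decode(qnames: list) -> bytes:
    """Controller side: reassemble the chunks seen in the authoritative server's log."""
    parts = sorted((int(q.split(".")[0]), q.split(".")[1]) for q in qnames)
    enc = "".join(chunk for _, chunk in parts).upper()
    enc += "=" * (-len(enc) % 8)  # restore base32 padding
    return base64.b32decode(enc)


# Codeword mode: bot and controller pre-share ordinary-looking hostnames (the
# codewords). The bot resolves one of them; the command is carried by the
# answer, not by the query name, so the query is indistinguishable from a
# lookup of a legitimate site. Table and octet encoding are assumptions.
CODEWORDS = [
    "www.photo-sharing-tips.example",
    "mail.seasonal-recipes.example",
    "static.travel-deals-daily.example",
]
COMMANDS = {0: "sleep", 1: "update", 2: "ddos"}


def codeword_publish(command: str) -> dict:
    """Controller: A records the authoritative server answers with. The command
    index rides in the last octet of an otherwise unremarkable address."""
    idx = next(k for k, v in COMMANDS.items() if v == command)
    return {name: "203.0.113.%d" % (10 + idx) for name in CODEWORDS}


def codeword_receive(a_record: str) -> str:
    """Bot: recover the command from the last octet of the answer."""
    return COMMANDS[int(a_record.split(".")[-1]) - 10]


# Countermeasure: statistics over the DNS payload (query names).
def entropy(s: str) -> float:
    """Shannon entropy in bits per character of s's character distribution."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def payload_features(qname: str) -> dict:
    labels = qname.rstrip(".").split(".")
    # Drop the registered domain (assumed to be the last two labels): the
    # attacker picks it once, so only the varying subdomain part is informative.
    body = "".join(ch for ch in "".join(labels[:-2]) if ch.isalnum())
    return {"longest_label": max(len(l) for l in labels),
            "entropy": round(entropy(body), 3)}


MAX_LABEL = 32     # assumed thresholds; a real deployment has to tune them per
MAX_ENTROPY = 4.0  # network, which is where the false positive below comes from


def is_suspicious(qname: str) -> bool:
    f = payload_features(qname)
    return f["longest_label"] > MAX_LABEL or f["entropy"] > MAX_ENTROPY


# Constructed benign lookup with a long hashed label, as CDNs commonly use.
CDN_NAME = "d3k7f9x2m1q8w5e4r6t0y7u1i3o9p5a2s4d6f8g1.cdn-provider.example"


def demo() -> dict:
    """Run both modes through the detector and report what it catches."""
    beacon = b"id=bot7;os=win7;ip=10.0.0.5;" * 2  # constructed 56-byte check-in
    tunnel = tunnel_encode(beacon)
    answers = codeword_publish("update")
    return {
        "tunnel_roundtrip": tunnel_decode(tunnel) == beacon,
        "tunnel_flagged": [is_suspicious(q) for q in tunnel],       # [True, True]
        "codeword_flagged": [is_suspicious(q) for q in CODEWORDS],  # all False
        "codeword_command": codeword_receive(answers[CODEWORDS[0]]),
        "cdn_false_positive": is_suspicious(CDN_NAME),              # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The tunnelled queries are caught because the data has to go somewhere in the name, which makes labels long and their characters near-uniform. The codeword queries carry nothing in the name at all, so no payload statistic separates them from a lookup of a real site; and the constructed CDN name shows the other side of the same limitation, a legitimate long hashed label tripping the same thresholds. Lowering them to catch shorter tunnel chunks raises that false-positive rate, which is the practical deployment problem the abstract points at.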
INDEX TERMS
Servers, Protocols, Command and control systems, Libraries, Tunneling, IP networks, Payloads, Command and control, Network security, DNS security, Botnet detection
CITATION
Kui Xu, Patrick Butler, Sudip Saha, Danfeng Yao, "DNS for Massive-Scale Command and Control", IEEE Transactions on Dependable and Secure Computing, vol.10, no. 3, pp. 143-153, May-June 2013, doi:10.1109/TDSC.2013.10