DGA-Based Botnet Detection Using DNS Traffic
Yong-lin Zhou [1], Qing-shan Li [2], Qidi Miao [3]∗, and Kangbin Yim [4]
[1] Computer Emergency Response Team, Beijing 100029, China. zyl@cert.org.cn
[2] MoE Key Lab. of Network and Software Security Assurance of Peking University, Beijing 100871, China. liqs@infosec.pku.edu.cn
[3] Software College, Northeastern University, Shenyang 110819, China. qidi miao@126.com
[4] Soonchunhyang University, Asan 336745, Republic of Korea. yim@sch.ac.kr
Abstract
In recent years, an increasing number of botnets use Domain Generation Algorithms (DGAs) to bypass botnet detection systems. DGAs, also referred to as "domain fluxing", have been used by botnet controllers since 2004 and have now become an emerging trend in malware. A DGA dynamically and frequently generates a large number of random domain names, which are used to prevent security systems from detecting and blocking the botnet. In this paper, we present a new technique to detect DGAs using DNS NXDomain traffic. Our insight is that every domain name in the group generated by one DGA-based botnet is typically used only for a short period of time, and the domains in that group have similar live times and query styles. We look for this pattern in DNS NXDomain traffic to filter out the algorithmically generated domains that DGA-based botnets produce. We implemented a prototype system and carried out an experiment at a pilot RDNS of an Internet operator. The results show that our method is effective at detecting the algorithmically generated domains used by botnets.
Keywords: Domain Generation Algorithms, Domain fluxing, Domain names, NXDOMAIN
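The abstract's insight (domains from one DGA group are short-lived in NXDOMAIN traffic and share a query pattern) as an added Python example; this is not the paper's prototype, and the log format, timestamps, client addresses, domain names and thresholds are all constructed assumptions.

```python
# Added example (not the paper's prototype): profile NXDOMAIN responses per
# domain and group short-lived domains that share the same query pattern.
# Log format, sample records and thresholds are assumptions for illustration.
from collections import defaultdict
from datetime import datetime

# Constructed RDNS log lines: "<timestamp> <client_ip> <queried_name> <rcode>"
SAMPLE_LOG = """\
2013-05-01T10:00:01 10.0.0.5 qpxkvzlmar.com NXDOMAIN
2013-05-01T10:00:02 10.0.0.5 wqazplkmnb.net NXDOMAIN
2013-05-01T10:00:03 10.0.0.7 qpxkvzlmar.com NXDOMAIN
2013-05-01T10:00:04 10.0.0.7 wqazplkmnb.net NXDOMAIN
2013-05-01T10:00:05 10.0.0.5 zxcvbnmasd.org NXDOMAIN
2013-05-01T10:00:06 10.0.0.7 zxcvbnmasd.org NXDOMAIN
2013-05-01T10:00:07 10.0.0.5 www.example.com NOERROR
2013-05-01T09:00:00 10.0.0.9 www.examp1e-typo.com NXDOMAIN
2013-05-01T16:30:00 10.0.0.9 www.examp1e-typo.com NXDOMAIN
2013-05-02T11:00:00 10.0.0.3 www.examp1e-typo.com NXDOMAIN
"""

def parse_nxdomain(text):
    """Yield (timestamp, client, name) for every NXDOMAIN record only."""
    for line in text.splitlines():
        ts, client, name, rcode = line.split()
        if rcode == "NXDOMAIN":
            yield datetime.fromisoformat(ts), client, name.lower()

def domain_profiles(records):
    """Per domain: live time in seconds (first to last query) and the
    set of clients that queried it (the 'query style' used here)."""
    first, last, clients = {}, {}, defaultdict(set)
    for ts, client, name in records:
        first[name] = min(first.get(name, ts), ts)
        last[name] = max(last.get(name, ts), ts)
        clients[name].add(client)
    return {n: ((last[n] - first[n]).total_seconds(), frozenset(clients[n]))
            for n in first}

def dga_candidate_groups(profiles, max_live=600, bucket=60, min_group=3):
    """Keep domains live for at most max_live seconds, group them by client
    set and live-time bucket, and report groups of min_group or more as a
    likely DGA domain set; a long-lived typo domain never joins one."""
    groups = defaultdict(list)
    for name, (live, clients) in profiles.items():
        if live <= max_live:
            groups[(clients, int(live // bucket))].append(name)
    return [sorted(g) for g in groups.values() if len(g) >= min_group]

if __name__ == "__main__":
    for group in dga_candidate_groups(domain_profiles(parse_nxdomain(SAMPLE_LOG))):
        print("likely DGA domain group:", ", ".join(group))
```

On the constructed log the three random-looking names are reported as one group, while the typo domain is excluded by its long live time.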
1 Introduction
The Domain Name System (DNS) is a critical component of the Internet infrastructure, mainly used to translate domain names to IP addresses. Currently most network services and applications rely on DNS. The domain name system does not distinguish between normal and malicious services.
Botnets are composed of large numbers of malware-compromised machines which can be controlled through a command and control (C&C) communication channel [3]. Using botnets, an attacker can carry out many malicious activities such as stealing private information, spamming, phishing, and DDoS attacks. According to a white paper published by Arbor Networks, botnets have become one of the most serious threats to the current Internet.
To bypass detection and blocking, enhance their ability to survive, and prolong their lifetime, many botnets use DNS for organization and control. Previously used techniques include Dynamic DNS and fast flux, but recent botnets such as Conficker [2], Kraken [4, 5], Torpig [6], Srizbi and Bobax have introduced Domain Generation Algorithms into their command-and-control module. A Domain Generation Algorithm is a technique used by a botnet to generate a large set of domain names, of which only a small subset is actually used.
Current DGA detection mainly focuses on the alphanumeric characteristics of domain names. Because DGAs differ from one another and the domain generation algorithm is easy to change, a botnet can
Journal of Internet Services and Information Security (JISIS), volume: 3, number: 3/4, pp. 116-123
∗ Corresponding author: No.11 Wenhualu Heping district, Shenyang, Liaoning Province, China, 110819, Tel: +86-15504022631