DNS agility leads to botnet detection
Online criminals have evolved their tactics to harden their botnets against takedown using a variety of tactics, including fast-flux networks and Conficker-like dynamic domain generation. Yet, such tactics can also pinpoint when such networks are being created by bot operators, according to research from the Georgia Institute of Technology.
The research found that dynamically detecting changes in the domain name system (DNS) can lead to the early detection of botnets. When bot masters create the infrastructure for a botnet, the reputation of the domain names can tip off defenders. In two papers, one released last year (PDF) and one to be published in September, GATech researchers found that they can detect anomalies in the domain name system indicative of botnets and have documented recognition rates greater than 98 percent.
Monday, network security firm Damballa announced a service based on the research to provide intelligence on botnet-infected systems. Called FirstAlert, the service can detect the characteristic DNS queries indicative of botnet infections inside a customer's network.