Detection and Blocking of DGA-based Bot Infected Computers by Monitoring NXDOMAIN Responses
Proc. 7th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud 2020)
Cyberattacks by botnets keep increasing. In this research, we aim to detect and block Domain Generation Algorithm (DGA)-based bot-infected computers by focusing on the characteristics of the domain name resolution they perform while searching for their Command and Control (CC) servers. Attackers register only a few of the DGA-generated domain names for the CC servers and have the bot-infected computers look them up through DNS to obtain further instructions. As a result, the DNS resolution performed during the CC server search inevitably produces NXDOMAIN responses for queries about the nonexistent domain names. In this paper, we design and implement a system that detects and blocks DGA-based bot-infected computers searching for CC servers by analyzing the DNS traffic that results in NXDOMAIN responses. According to the feature evaluation results, the prototype system was effective against multiple types of DGA-based bots, so the approach should be applicable to detecting and blocking malicious DNS traffic from bot-infected computers at an early stage.
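As an added illustration of the NXDOMAIN-monitoring idea described above (example code written for this page, not the paper's prototype or its feature set), the following Python sketch scores each client by its NXDOMAIN count, NXDOMAIN ratio and number of distinct nonexistent domains within a time window, over constructed resolver log lines. The log format, window size and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log lines (not from the paper):
# "<timestamp> <client> <qname> <rcode>"
SAMPLE_LOG = """\
2020-01-01T10:00:00 10.0.0.5 www.example.com NOERROR
2020-01-01T10:00:01 10.0.0.5 mail.example.com NOERROR
2020-01-01T10:00:02 10.0.0.9 qkxzvbnmplw.net NXDOMAIN
2020-01-01T10:00:02 10.0.0.9 trpwoeiruty.com NXDOMAIN
2020-01-01T10:00:03 10.0.0.9 lkajsdhfgqw.org NXDOMAIN
2020-01-01T10:00:03 10.0.0.9 mnbvcxzasdf.net NXDOMAIN
2020-01-01T10:00:04 10.0.0.9 zxcvbnmqwer.biz NXDOMAIN
2020-01-01T10:00:05 10.0.0.5 typo-exampel.com NXDOMAIN
2020-01-01T10:00:06 10.0.0.9 registered-cc-host.com NOERROR
"""

def parse_log(text):
    """Parse one record per line into (timestamp, client, qname, rcode)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower(), rcode))
    return records

def registered_domain(qname):
    """Approximate the registered domain as the last two labels (no public suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def nxdomain_stats(records, window_sec=60):
    """Per (client, window): total queries, NXDOMAIN responses, and the set of
    distinct registered domains that came back NXDOMAIN."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "nx_domains": set()})
    for ts, client, qname, rcode in records:
        bucket = int(ts.timestamp()) // window_sec  # assumed fixed window bucketing
        s = stats[(client, bucket)]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["nx_domains"].add(registered_domain(qname))
    return stats

def flag_clients(text, window_sec=60, min_nx=4, min_ratio=0.5, min_distinct=4):
    """Return clients whose NXDOMAIN burst in some window looks like a DGA CC search:
    many NXDOMAINs, a high NXDOMAIN ratio and many distinct nonexistent domains.
    A single typo or stale hostname does not meet all three thresholds (assumed values)."""
    flagged = set()
    for (client, _), s in nxdomain_stats(parse_log(text), window_sec).items():
        ratio = s["nx"] / s["total"]
        if s["nx"] >= min_nx and ratio >= min_ratio and len(s["nx_domains"]) >= min_distinct:
            flagged.add(client)
    return sorted(flagged)
```

The flagged client list is what a blocking component would act on (for example, by dropping that client's further DNS queries at the resolver); only 10.0.0.9 is flagged on the sample input, while 10.0.0.5's single typo is not.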
- DOI: 10.1109/CSCloud-EdgeCom49738.2020.00023
- ISBN: 9781728165509
- SCOPUS ID: 85092292641