
An uneven game of hide and seek: Hiding botnet CnC by encrypting IPs in DNS records

Fejrskov, Martin ; Pedersen, Jens Myrup ; Böck, Leon ; Vasilomanolakis, Emmanouil (2021)
An uneven game of hide and seek: Hiding botnet CnC by encrypting IPs in DNS records.
IEEE Conference on Communications and Network Security. Tempe, AZ, USA (04.10.2021-06.10.2021)
doi: 10.1109/CNS53000.2021.9705029
Conference publication, Bibliography

Abstract

Botnets frequently use DGA and fast-flux techniques to ensure the availability of their command and control (CnC) infrastructure. However, the CnC IP addresses are still exposed in plain text in publicly available DNS A records, which defenders can exploit to disrupt botnet operations. This paper presents the concept of the IP Generation Algorithm (IGA) as a novel method, usable by botmasters, to encrypt the CnC IP address in DNS records and thereby avoid plain-text IP address exposure. This raises the bar for blacklisting malicious IP addresses, and can also be combined with existing techniques to further harden the CnC. For use by defenders, an IGA botnet detection method based on the combination of DNS and NetFlow data is presented and validated using an emulated botnet and an ISP data set.

Item type: Conference publication
Published: 2021
Author(s): Fejrskov, Martin ; Pedersen, Jens Myrup ; Böck, Leon ; Vasilomanolakis, Emmanouil
Entry type: Bibliography
Title: An uneven game of hide and seek: Hiding botnet CnC by encrypting IPs in DNS records
Language: English
Publication year: October 2021
Place: Tempe, AZ, USA
Publisher: IEEE
Event title: IEEE Conference on Communications and Network Security
Event location: Tempe, AZ, USA
Event date: 04.10.2021-06.10.2021
DOI: 10.1109/CNS53000.2021.9705029
Department(s)/area(s): 20 Department of Computer Science
20 Department of Computer Science > Telecooperation
Profile areas
Profile areas > Cybersecurity (CYSEC)
LOEWE
LOEWE > LOEWE centres
LOEWE > LOEWE centres > CRISP - Center for Research in Security and Privacy
Date deposited: 29 Jun 2023 07:51
Last modified: 05 Jul 2024 08:13
PPN: 509237274