After describing passive botnet detection techniques based on the analysis of packet captures and flow records, in this blog entry we describe how passive DNS (Domain Name System) analysis techniques can be used to detect botnets in a network.
Before describing the passive DNS analysis techniques, we must keep in mind why botnets use this service. The main characteristic of a botnet is the capacity of its members, the bots, to communicate with the command and control (C&C) servers or with other bots. In this way the members of the malicious network can obtain new instructions and updates. To establish this connection, botnet developers mainly have two options: use fixed IP addresses hard-coded in the malware, or use domain names, which are either fixed or generated via DGA (domain generation algorithm) algorithms.
-Botnet detection techniques-
The use of domain names offers developers greater flexibility than fixed IPs. A domain can be associated with multiple IPs, complicating the detection of suspicious activity in a network.
This feature can be taken to the extreme with techniques such as Fast-Flux, through which a domain resolves to different IPs depending on the moment at which the query is made. This enables the decentralization of the C&C servers and complicates the work of investigators trying to unravel the structure of the botnet and thereby assess the best strategy to dismantle it. By changing the destination IP of the bots' connections, it also makes the detection of anomalous behaviour by network flow analysis systems more difficult. On the other hand, these malicious domains are technically easy to block, both globally by domain registrars and locally by DNS server operators.
Conversely, the use of fixed IPs by the malware avoids detection through DNS-based techniques. However, by always using the same IPs in its communications, it is easier to detect through techniques such as flow analysis, and those IPs can then be easily blocked by network rules.
-Evolution of Botnet C&C (opendns.com)-
Following are some examples of botnet detection through DNS-based approaches:
1) Failed DNS requests (NXDOMAIN)
Studies such as "Winning with DNS Failures: Strategies for Faster Botnet Detection" show that one way of detecting potential malware belonging to a botnet is the statistical analysis of failed DNS resolution requests, since many of the domains used by botnets, such as those of the C&C, aren't registered.
Botnets such as Conficker or Torpig use low entropy domains to avoid detection; in other words, the use of each individual domain isn't very likely, meaning the botnet needs a large number of domains to function, and some of these can fail to resolve.
The response a DNS server gives to a request for a domain that doesn't exist is the following:
-DNS query of a non-existent domain (NXDOMAIN)-
2) Monitoring of malicious domains
This consists of monitoring all the requests made to the DNS server and checking whether the domain being resolved is on a blacklist such as a DNSBL or RBL. These lists of domains are generated by organizations such as Spamhaus or SpamRats, and they're a quick and simple way of detecting threats. The problem with this technique is that the botnet must already be known and its domains listed: if the threat is new, or if a botnet is updated to use new domains, it isn't detected.
3) Domains with low TTLs
Another method used by botnet creators to hinder detection is changing the IP associated with a domain, a technique known as fast-flux. By changing the destination IP, detection becomes more difficult. To carry out this change, these domains have a very low TTL (time to live), which forces DNS resolvers to frequently refresh the cached IP associated with the domain or, in the case of a zero TTL, not to cache it at all. Therefore, DNS responses whose TTL is low are suspicious.
However, this technique generates many false positives, as there are legitimate systems on the Internet that use similar techniques to change the IP associated with a domain, for example to balance load across their systems. An example is the Google search website which, as can be seen in the following table showing the resolution of the google.com domain, returns different IPs within short periods of time.
4) Detection of abnormal DNS traffic
Besides the previous techniques, there are studies that approach botnet detection through other anomalous behaviour in DNS requests. According to these studies, some of the approaches used are:
- Searching for domain names whose query rates are abnormally high or that are concentrated in time.
- Analysis of similar requests, either analysing over time the DNS traffic generated by a single IP or analysing the requests generated by different IPs. The objective is to detect communication patterns between the bots and the C&C, which tend to be quite similar.
- Requests to DNS servers in foreign countries can be a clue to the existence of a botnet. Leaving aside the largest DNS servers, such as Google's, if a host in a given country makes requests to DNS servers in other countries it can be a sign of suspicious behaviour.
- Analysis of the names requested for resolution, looking for patterns, the percentage of numeric characters or the presence of recognizable words, given that attackers aren't worried about their domain names being easy to remember.
- Analysis of queries using TCP as the transport protocol: since its use tends to be marginal, it can be an indicator of anomalous behaviour.
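As an added illustration of techniques 1, 3 and 4 above (example code, not from the original post), the following Python script applies three of the heuristics to constructed passive-DNS log lines: the NXDOMAIN failure ratio per client, low-TTL answers with an allowlist for known legitimate load-balanced services, and lexical features (digit ratio, character entropy) of the queried names. The log format, the thresholds and the allowlist are assumptions.

```python
import math
from collections import defaultdict

# Constructed passive-DNS log lines (not real traffic): client, queried name, rcode, TTL
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR 300
10.0.0.5 mail.example.com NOERROR 3600
10.0.0.5 google.com NOERROR 20
10.0.0.9 kq3x8zt1vb.info NXDOMAIN 0
10.0.0.9 7h2ml0pqaz.biz NXDOMAIN 0
10.0.0.9 x91ndc4ku2.net NXDOMAIN 0
10.0.0.9 p0o9i8u7y6.org NOERROR 0
10.0.0.9 www.example.com NOERROR 300
"""

def parse_log(text):
    """Parse the whitespace-separated log (assumed format) into a list of records."""
    records = []
    for line in text.splitlines():
        client, qname, rcode, ttl = line.split()
        records.append({"client": client, "qname": qname.lower(),
                        "rcode": rcode, "ttl": int(ttl)})
    return records

def nxdomain_ratio(records):
    """Technique 1: share of failed resolutions (NXDOMAIN) per client."""
    total, failed = defaultdict(int), defaultdict(int)
    for r in records:
        total[r["client"]] += 1
        if r["rcode"] == "NXDOMAIN":
            failed[r["client"]] += 1
    return {c: failed[c] / total[c] for c in total}

def low_ttl_names(records, max_ttl=30, allowlist=("google.com",)):
    """Technique 3: names answered with TTL <= max_ttl, minus an allowlist of
    legitimate fast-changing services to cut the false positives the text warns about."""
    return sorted({r["qname"] for r in records
                   if r["rcode"] == "NOERROR" and r["ttl"] <= max_ttl
                   and r["qname"] not in allowlist})

def name_features(qname):
    """Technique 4: digit ratio and character entropy of the leftmost label."""
    label = qname.split(".")[0]
    n = len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    probs = [label.count(ch) / n for ch in set(label)]
    entropy = -sum(p * math.log2(p) for p in probs)
    return {"digit_ratio": round(digit_ratio, 2), "entropy": round(entropy, 2)}
```

A client with a high NXDOMAIN share, low-TTL answers outside the allowlist and queried labels with high digit ratio and entropy combines several of the indicators the text lists, which is more telling than any one of them alone.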