Detecting Network Anomalies In ISP Network Using DNS And NetFlow

  • Andreas Tedja, Swiss German University
  • Charles Lim, Swiss German University
  • Heru Purnomo Ipung, Swiss German University

Keywords: Fast flux, DNS, Botnet

Abstract

The Internet has become the biggest medium for people to communicate with other people all around the world. However, the Internet is also home to hackers with malicious purposes. This poses a problem for Internet Service Providers (ISPs) and their users, since it is possible that their network is compromised and damage is done. There are many types of malware that currently exist on the Internet. One growing type of malware is the botnet. A botnet can infect a system and turn it into a zombie machine capable of carrying out distributed attacks under the command of the botmaster. In order to make detection of a botnet more difficult, botmasters often deploy fast flux. Fast flux shuffles the IP addresses of the malicious server's domain, making tracking and detection much more difficult. However, there are still numerous ways to detect fast flux; one of them is by analysing DNS data. The Domain Name System (DNS) is a crucial part of the Internet. DNS works by translating an IP address to its associated domain name. DNS is often exploited by hackers to carry out malicious activities, one of which is deploying fast flux. Because the characteristics of fast flux differ significantly from those of normal Internet traffic, it is possible to distinguish fast flux from normal Internet traffic using its DNS information. However, while detecting fast flux services, one must be cautious, since a few Internet services have characteristics almost similar to those of a fast flux service. This research manages to detect the existence of fast flux services in an ISP network. The result is that fast flux mostly still has the same characteristics as found in previous research. However, the current fast flux trend is to use cloud hosting services. The reason behind this is that cloud hosting services tend to have better performance than a typical zombie machine. Aside from this, it seems that no specific measures have been taken by the hosting services to prevent this, making cloud hosting services the perfect medium for hosting botnet and fast flux services.
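The following is an added example of the kind of DNS-based fast flux screening the abstract describes; it is not code from the paper. The sample DNS answers, the IP-to-ASN table and the thresholds are constructed assumptions, and the ASN-diversity rule is one common way to separate fast flux from the CDN-like services the abstract warns have almost similar characteristics.

```python
from collections import defaultdict

# Constructed sample DNS answers (not data from the paper), one tuple per
# observed response: (queried domain, TTL in seconds, A records returned).
SAMPLE_ANSWERS = [
    ("shop-update.example", 60, ["198.51.100.5", "203.0.113.9"]),
    ("shop-update.example", 60, ["192.0.2.77", "198.51.100.201"]),
    ("shop-update.example", 60, ["203.0.113.140", "192.0.2.3"]),
    ("cdn-site.example", 30, ["198.51.100.10", "198.51.100.11"]),
    ("cdn-site.example", 30, ["198.51.100.12", "198.51.100.13"]),
    ("cdn-site.example", 30, ["198.51.100.14", "198.51.100.15"]),
    ("static-site.example", 86400, ["192.0.2.1"]),
]

# Constructed IP -> ASN table standing in for a real routing-table lookup.
IP_TO_ASN = {
    "198.51.100.5": 64501, "203.0.113.9": 64502, "192.0.2.77": 64503,
    "198.51.100.201": 64504, "203.0.113.140": 64505, "192.0.2.3": 64506,
    "198.51.100.10": 64510, "198.51.100.11": 64510, "198.51.100.12": 64510,
    "198.51.100.13": 64510, "198.51.100.14": 64510, "198.51.100.15": 64510,
    "192.0.2.1": 64520,
}

def domain_features(answers, ip_to_asn):
    """Per-domain aggregate over all observed answers: distinct IPs,
    distinct ASNs behind those IPs, and the lowest TTL seen."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for domain, ttl, records in answers:
        ips[domain].update(records)
        ttls[domain].append(ttl)
    return {
        d: {"distinct_ips": len(ips[d]),
            "distinct_asns": len({ip_to_asn.get(ip) for ip in ips[d]}),
            "min_ttl": min(ttls[d])}
        for d in ips
    }

def classify(feat, max_ttl=300, min_ips=5, min_asns=3):
    """Heuristic label; the thresholds are assumptions, not values from the paper.
    Low TTL plus many IPs alone also describes CDNs and cloud load balancers, so
    ASN diversity separates the cases: a CDN's IPs cluster in few ASNs."""
    if feat["min_ttl"] > max_ttl or feat["distinct_ips"] < min_ips:
        return "benign"
    return "fast-flux" if feat["distinct_asns"] >= min_asns else "cdn-like"

def analyse(answers=SAMPLE_ANSWERS, ip_to_asn=IP_TO_ASN):
    """Map each domain in the answer set to its heuristic label."""
    return {d: classify(f) for d, f in domain_features(answers, ip_to_asn).items()}
```

On real resolver logs the per-domain features would be accumulated over a time window and the ASN lookup replaced by a routing table or WHOIS source; domains labelled cdn-like still deserve review rather than automatic whitelisting.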

Published
2019-02-13