[Oisf-devel] PREPROCESSOR IDEA: Reliable Fast Flux Detection

Kevin Ross kevross33 at googlemail.com
Wed Feb 29 09:21:59 UTC 2012

As fast flux is more and more used
(http://www.damballa.com/press/2012_02_28PR.php), if you look at samples
in the sandnet such as e2d5d6ce50cf0a6b816e0f2aa7c35970 (W32/Shiz) you will
see SID 2008470 (ET DNS Excessive NXDOMAIN responses - Possible DNS
Backscatter or Fast Flux DNS Lookups) detects it. However this detection
method, while it works, does have FPs.

If however a preprocessor detected NXDOMAIN responses where most (or
all of them) are unique, then that would reliably detect fast flux (perhaps
by checking if the last domain in the NXDOMAIN response is the same as this
one; if it is then you don't have fast flux, if it is then move on with the
increment till you declare fast flux). So rather than a host doing lots of
requests for the same domain or a few triggering the sig, if you see
behaviour like e2d5d6ce50cf0a6b816e0f2aa7c35970, where it is moving through
the generated domains, then you reliably have fast flux detection.

I believe more malware is moving to fast flux (which vendors seem to
call stealthy, but seeing how much fast flux triggers SID 2008470 it lights
up like a Christmas tree, so I doubt it); and I think reliable detection of
fast flux will be important in detecting malware behaviours in the network.
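The distinction the post draws, many NXDOMAIN responses for *distinct* names versus many for the *same* name, can be tested on DNS logs before anyone writes a preprocessor. The block below is an added example, not code from the post, from Suricata, or from the ET ruleset: it generalizes the "is this NXDOMAIN name the same as the last one" check into a per-client sliding window that alerts only when the unique-name ratio is high, and it runs a plain NXDOMAIN counter beside it to show why a count-only rule fires on both cases. The log format (`timestamp client qname rcode`), the thresholds, the hosts and the domain names are all constructed for the example.

```python
"""NXDOMAIN churn detector: flags clients whose failed lookups are mostly unique names.

Added example (not Suricata or ET rule code). The log format, thresholds and
sample data below are constructed assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime

# --- Constructed sample DNS log (not real traffic) ---------------------------
# Line format assumed here: "<ISO timestamp> <client IP> <qname> <rcode>"
_DGA_LIKE_NAMES = [
    "ksjdhf2q.com", "p0qweuri.net", "zxmvnb31.org", "qlwoeir7.com",
    "ahsgd9ka.net", "rtyuiop2.info", "mznxbcv8.com", "lkjhgf45.org",
    "poiuyt63.net", "wertyu19.com", "bnmkl024.biz", "fghjkl77.org",
]
SAMPLE_DNS_LOG = "\n".join(sorted(
    # Host 10.0.0.5 walks through 12 different generated names: the fast-flux pattern.
    [f"2012-02-29T09:21:{i:02d} 10.0.0.5 {name} NXDOMAIN"
     for i, name in enumerate(_DGA_LIKE_NAMES)]
    # Host 10.0.0.9 keeps retrying one stale name: the benign false-positive pattern.
    + [f"2012-02-29T09:21:{i:02d} 10.0.0.9 printer-old.corp.example NXDOMAIN"
       for i in range(12)]
    # A successful lookup, to show non-NXDOMAIN answers are ignored.
    + ["2012-02-29T09:21:30 10.0.0.5 www.example.com NOERROR"]
))


def parse_dns_line(line):
    """Split one constructed log line into (timestamp, client, qname, rcode)."""
    ts_text, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts_text), client, qname.lower().rstrip("."), rcode


class NxdomainChurnDetector:
    """Per-client sliding window over NXDOMAIN names; alerts on high uniqueness.

    The post's 'compare with the previous NXDOMAIN name' check is the special
    case window=2, ratio=1.0; a longer window tolerates an occasional repeat.
    """

    def __init__(self, window_seconds=60, min_nxdomain=10, min_unique_ratio=0.9):
        self.window = window_seconds
        self.min_nxdomain = min_nxdomain
        self.min_unique_ratio = min_unique_ratio
        self._history = defaultdict(deque)   # client -> deque[(timestamp, qname)]
        self._alerted = set()                # alert once per client

    def observe(self, ts, client, qname, rcode):
        """Feed one answer; return an alert dict when the client crosses the threshold."""
        if rcode != "NXDOMAIN":
            return None
        hist = self._history[client]
        hist.append((ts, qname))
        # Evict entries that fell out of this client's window.
        cutoff = ts.timestamp() - self.window
        while hist and hist[0][0].timestamp() < cutoff:
            hist.popleft()
        total = len(hist)
        unique = len({name for _, name in hist})
        if (total >= self.min_nxdomain
                and unique / total >= self.min_unique_ratio
                and client not in self._alerted):
            self._alerted.add(client)
            return {"client": client, "nxdomain": total, "unique": unique}
        return None


def run_detector(log_text, **kwargs):
    """Replay a log through the churn detector and collect its alerts."""
    detector = NxdomainChurnDetector(**kwargs)
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = detector.observe(*parse_dns_line(line))
            if alert:
                alerts.append(alert)
    return alerts


def naive_nxdomain_counts(log_text):
    """Count-only baseline (what a threshold-on-NXDOMAIN rule sees): no uniqueness check."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if line.strip():
            _, client, _, rcode = parse_dns_line(line)
            if rcode == "NXDOMAIN":
                counts[client] += 1
    return dict(counts)


if __name__ == "__main__":
    print("count-only baseline:", naive_nxdomain_counts(SAMPLE_DNS_LOG))
    print("churn alerts:", run_detector(SAMPLE_DNS_LOG))
```

On the constructed log the count-only baseline reports 12 NXDOMAINs for both hosts, so a rule keyed purely on volume would fire twice; the churn detector alerts only for 10.0.0.5, because 10.0.0.9's twelve failures are one name repeated. Tuning lives in the three constructor parameters: a shorter window and a ratio of 1.0 reproduce the strict "every NXDOMAIN differs from the last" behaviour described above.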
