[Oisf-devel] PREPROCESSOR IDEA: Reliable Fast Flux Detection
Victor Julien
victor at inliniac.net
Mon Mar 19 15:14:51 UTC 2012
On 02/29/2012 10:21 AM, Kevin Ross wrote:
> As fast flux more and more used
> http://www.damballa.com/press/2012_02_28PR.php and if you look at
> samples in the sandnet such as e2d5d6ce50cf0a6b816e0f2aa7c35970
> (W32/Shiz) you will see SID 2008470 (ET DNS Excessive NXDOMAIN responses
> - Possible DNS Backscatter or Fast Flux DNS Lookups) detects it. However
> this detection method while it works does have FPs.
>
> If however a preprocessor detecting the NXDOMAIN responses where most
> (or all of them) are unique then that would reliably detect fast flux
> (perhaps by checking if the last domain in the NXDOMAIN response is the
> same as this one, if it is then you don't have fast flux, if it is then
> move on with the increment till you declare fast flux). So rather than a
> host doing lots of requests for the same domain or a few triggering the
> sig if you see behaviour like e2d5d6ce50cf0a6b816e0f2aa7c35970 where it
> is moving through the generated domains then you reliably have fast flux
> detection.
>
> I believe with more malware moving to fast flux (which vendors seems to
> call stealthy but seeing how much fast flux triggers sid 2008470 it
> lights up like a christmas tree I doubt it); but I think reliable
> detection of fast flux will be important in detecting malware behaviours
> in the network.
I guess the first thing we'd need is a good DNS parser. Anyone
interested in building one?
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-devel
mailing list