Computer Engineering ›› 2018, Vol. 44 ›› Issue (12): 184-189,195. doi: 10.19678/j.issn.1000-3428.0047965


Analysis of DNS Anomalous Behavior Based on Fast-Flux

LI Aocheng 1,2, WANG Zheng 1

  1. Nanjing FiberHome Software Science and Technology Co., Ltd., Nanjing 210019, China; 2. Wuhan Research Institute of Posts and Telecommunications, Wuhan 430074, China
  • Received: 2017-07-14 Online: 2018-12-15 Published: 2018-12-15
  • About the authors: LI Aocheng (b. 1993), female, master's student, main research interest: network security; WANG Zheng, senior engineer.

Analysis of DNS Anomalous Behaviors Based on Fast-Flux

LI Aocheng 1,2,WANG Zheng 1   

  1. Nanjing FiberHome Software Science and Technology Co., Ltd., Nanjing 210019, China; 2. Wuhan Research Institute of Posts and Telecommunications, Wuhan 430074, China
  • Received: 2017-07-14 Online: 2018-12-15 Published: 2018-12-15

Abstract:

This paper studies anomalous behavior in Fast-Flux Domain Name System (DNS) packets and analyzes the operating characteristics of botnets. Using a large volume of DNS packet data, it characterizes Fast-Flux attacks, identifies their specific features, and recognizes anomalous records in DNS traffic. Through comprehensive analysis of the DNS data, it distinguishes Fast-Flux from large websites that change IP addresses frequently, presents the features of Fast-Flux packets (short Time To Live, evenly distributed query time differences, frequent requests, IP pools), and proposes a packet screening algorithm. The analysis results show that, compared with traditional botnet detection methods, the algorithm is simpler to implement at the same packet accuracy and can accurately characterize Fast-Flux attack behavior.

Key words: Fast-Flux attack, botnet, Domain Name System, load evasion, load balancing

Abstract:

This paper studies the abnormal behavior of Fast-Flux based on Domain Name System (DNS) packets, analyzes the working characteristics of botnets, learns the attack characteristics of Fast-Flux from a large number of DNS packets, and finds out the specific characteristics of Fast-Flux attacks. It identifies anomalous data in DNS traffic. Through comprehensive analysis of DNS data, it distinguishes Fast-Flux from large websites with frequent IP changes, describes the features of Fast-Flux messages (short Time To Live (TTL), evenly distributed time differences, frequent requests, IP pool, etc.), and proposes a message screening algorithm. Analysis results show that, compared with the traditional botnet detection method, the algorithm is simpler and easier to implement and can accurately describe the Fast-Flux attack behavior at the same message accuracy.
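To make the screening idea concrete, the following is an added example (not code from the paper) that computes the features the abstract names, short TTL, number of distinct answer IPs, request count and how evenly spaced the queries are, per domain over a constructed log of DNS A-record responses, and flags a domain only when all of them look like Fast-Flux. The thresholds, the sample records and the use of the coefficient of variation of inter-query gaps as the "evenly distributed time difference" measure are assumptions of this example, chosen so that a CDN-like site with equally short TTL and many IPs is not flagged.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of DNS responses: (unix_time, qname, answer_ip, ttl).
BASE = 1_500_000_000
SAMPLE = []
# flux.example: polled every 60 s, a fresh IP in every answer, TTL 180 s.
for i in range(8):
    SAMPLE.append((BASE + 60 * i, "flux.example", f"198.51.100.{i + 1}", 180))
# cdn.example: bursty human traffic, also many IPs and a short TTL.
for i, t in enumerate([0, 2, 3, 400, 401, 900, 905, 2000]):
    SAMPLE.append((BASE + t, "cdn.example", f"203.0.113.{10 + i}", 60))
# static.example: one IP, long TTL, rarely queried.
for t in (0, 3600, 7200):
    SAMPLE.append((BASE + t, "static.example", "192.0.2.7", 86400))


def domain_features(records):
    """Per-domain features: query count, mean TTL, distinct IPs, gap regularity."""
    by_domain = defaultdict(list)
    for ts, name, ip, ttl in records:
        by_domain[name].append((ts, ip, ttl))
    feats = {}
    for name, rows in by_domain.items():
        rows.sort()
        times = [r[0] for r in rows]
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Coefficient of variation of inter-query gaps: ~0 means the
        # queries arrive at a fixed interval (bot-like), large means bursty.
        cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else 0.0
        feats[name] = {
            "queries": len(rows),
            "mean_ttl": mean(r[2] for r in rows),
            "distinct_ips": len({r[1] for r in rows}),
            "gap_cv": cv,
        }
    return feats


def screen(records, max_ttl=300, min_ips=5, min_queries=5, max_gap_cv=0.5):
    """Return domains whose feature set matches the Fast-Flux profile (thresholds assumed)."""
    flagged = []
    for name, f in domain_features(records).items():
        if (f["queries"] >= min_queries and f["mean_ttl"] <= max_ttl
                and f["distinct_ips"] >= min_ips and f["gap_cv"] <= max_gap_cv):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    print(screen(SAMPLE))  # ['flux.example']
```

Only the regularly polled domain is flagged; cdn.example shares the short TTL and the large IP pool but its bursty query timing keeps it out, which is the distinction the abstract draws between Fast-Flux and large sites that rotate IPs.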

Key words: Fast-Flux attack, Botnet, Domain Name System(DNS), load avoidance, current-carrying balance
