An uneven game of hide and seek: Hiding botnet CnC by encrypting IPs in DNS records

Martin Fejrskov Andersen; Jens Myrup Pedersen; Leon Böck; Emmanouil Vasilomanolakis

doi:10.1109/CNS53000.2021.9705029

An uneven game of hide and seek: Hiding botnet CnC by encrypting IPs in DNS records

Martin Fejrskov Andersen, Jens Myrup Pedersen, Leon Böck, Emmanouil Vasilomanolakis

Publikation: Bidrag til bog/antologi/rapport/konference proceeding › Konferenceartikel i proceeding › Forskning › peer review

224 Downloads (Pure)

Abstract

Botnets frequently use DGA and fast-flux techniques to ensure the availability of their command and control (CnC) infrastructure. However, the CnC IP addresses are still exposed in plain-text in publicly available DNS A records, which can be exploited by defenders to disrupt botnet operations. This paper presents the concept of the IP Generation Algorithm (IGA) as a novel method, usable by botmasters, to encrypt the CnC IP address in DNS records to avoid plain-text IP address exposure. This raises the bar for blacklisting malicious IP addresses, and can also be combined with existing techniques to further harden the CnC. For use by defenders, an IGA botnet detection method based on the combination of DNS and NetFlow data is presented and validated using an emulated botnet and an ISP data set.

Originalsprog	Engelsk
Titel	2021 IEEE Conference on Communications and Network Security, CNS 2021
Antal sider	9
Forlag	IEEE
Publikationsdato	10 feb. 2022
Sider	164-172
ISBN (Trykt)	9781665444972
ISBN (Elektronisk)	9781665444965
DOI	https://doi.org/10.1109/CNS53000.2021.9705029
Status	Udgivet - 10 feb. 2022
Begivenhed	IEEE Conference on Communications and Network Security - Tempe, USA Varighed: 4 okt. 2021 → 6 okt. 2021 https://doi.org/10.1109/CNS53000.2021

Konference

Konference	IEEE Conference on Communications and Network Security
Land/Område	USA
By	Tempe
Periode	04/10/2021 → 06/10/2021
Internetadresse	https://doi.org/10.1109/CNS53000.2021

Adgang til dokumentet

10.1109/CNS53000.2021.9705029

IP_Generation_Algorithm (32)Accepteret manuskript, 709 KB

AUB Link

Søg efter materialet i Aalborg Universitetsbiblioteks søgemaskine

Andre filer og links

Link to publication in Scopus

1 Ph.d.-afhandling

Detecting malware and cyber attacks using ISP data
Andersen, M. F., 2022, Aalborg Universitetsforlag.
Publikation: Ph.d.-afhandling

Åben adgang
Fil

464 Downloads (Pure)

Citationsformater

@inproceedings{d4fece335dda4914b7700700cd2e2ce8,

title = "An uneven game of hide and seek: Hiding botnet CnC by encrypting IPs in DNS records",

abstract = "Botnets frequently use DGA and fast-flux techniques to ensure the availability of their command and control (CnC) infrastructure. However, the CnC IP addresses are still exposed in plain-text in publicly available DNS A records, which can be exploited by defenders to disrupt botnet operations. This paper presents the concept of the IP Generation Algorithm (IGA) as a novel method, usable by botmasters, to encrypt the CnC IP address in DNS records to avoid plain-text IP address exposure. This raises the bar for blacklisting malicious IP addresses, and can also be combined with existing techniques to further harden the CnC. For use by defenders, an IGA botnet detection method based on the combination of DNS and NetFlow data is presented and validated using an emulated botnet and an ISP data set. ",

keywords = "Botnet, DNS, NetFlow, detection, encryption",

author = "Andersen, {Martin Fejrskov} and Pedersen, {Jens Myrup} and Leon B{\"o}ck and Emmanouil Vasilomanolakis",

year = "2022",

month = feb,

day = "10",

doi = "10.1109/CNS53000.2021.9705029",

language = "English",

isbn = "9781665444972",

pages = "164--172",

booktitle = "2021 IEEE Conference on Communications and Network Security, CNS 2021",

publisher = "IEEE",

address = "United States",

note = "IEEE Conference on Communications and Network Security, CNS ; Conference date: 04-10-2021 Through 06-10-2021",

url = "https://doi.org/10.1109/CNS53000.2021",

}

Andersen, MF, Pedersen, JM, Böck, L & Vasilomanolakis, E 2022, An uneven game of hide and seek: Hiding botnet CnC by encrypting IPs in DNS records. i 2021 IEEE Conference on Communications and Network Security, CNS 2021. IEEE, s. 164-172, IEEE Conference on Communications and Network Security, Tempe, Arizona, USA, 04/10/2021. https://doi.org/10.1109/CNS53000.2021.9705029

An uneven game of hide and seek: Hiding botnet CnC by encrypting IPs in DNS records. / Andersen, Martin Fejrskov; Pedersen, Jens Myrup; Böck, Leon et al.
2021 IEEE Conference on Communications and Network Security, CNS 2021. IEEE, 2022. s. 164-172.

Publikation: Bidrag til bog/antologi/rapport/konference proceeding › Konferenceartikel i proceeding › Forskning › peer review

TY - GEN

T1 - An uneven game of hide and seek

T2 - IEEE Conference on Communications and Network Security

AU - Andersen, Martin Fejrskov

AU - Pedersen, Jens Myrup

AU - Böck, Leon

AU - Vasilomanolakis, Emmanouil

PY - 2022/2/10

Y1 - 2022/2/10

N2 - Botnets frequently use DGA and fast-flux techniques to ensure the availability of their command and control (CnC) infrastructure. However, the CnC IP addresses are still exposed in plain-text in publicly available DNS A records, which can be exploited by defenders to disrupt botnet operations. This paper presents the concept of the IP Generation Algorithm (IGA) as a novel method, usable by botmasters, to encrypt the CnC IP address in DNS records to avoid plain-text IP address exposure. This raises the bar for blacklisting malicious IP addresses, and can also be combined with existing techniques to further harden the CnC. For use by defenders, an IGA botnet detection method based on the combination of DNS and NetFlow data is presented and validated using an emulated botnet and an ISP data set.

AB - Botnets frequently use DGA and fast-flux techniques to ensure the availability of their command and control (CnC) infrastructure. However, the CnC IP addresses are still exposed in plain-text in publicly available DNS A records, which can be exploited by defenders to disrupt botnet operations. This paper presents the concept of the IP Generation Algorithm (IGA) as a novel method, usable by botmasters, to encrypt the CnC IP address in DNS records to avoid plain-text IP address exposure. This raises the bar for blacklisting malicious IP addresses, and can also be combined with existing techniques to further harden the CnC. For use by defenders, an IGA botnet detection method based on the combination of DNS and NetFlow data is presented and validated using an emulated botnet and an ISP data set.

KW - Botnet

KW - DNS

KW - NetFlow

KW - detection

KW - encryption

UR - http://www.scopus.com/inward/record.url?scp=85125662222&partnerID=8YFLogxK

U2 - 10.1109/CNS53000.2021.9705029

DO - 10.1109/CNS53000.2021.9705029

M3 - Article in proceeding

SN - 9781665444972

SP - 164

EP - 172

BT - 2021 IEEE Conference on Communications and Network Security, CNS 2021

PB - IEEE

Y2 - 4 October 2021 through 6 October 2021

ER -

An uneven game of hide and seek: Hiding botnet CnC by encrypting IPs in DNS records

Abstract

Konference

Adgang til dokumentet

AUB Link

Andre filer og links

Fingeraftryk

Publikation

Detecting malware and cyber attacks using ISP data

Citationsformater