An uneven game of hide and seek: Hiding botnet CnC by encrypting IPs in DNS records

Martin Fejrskov Andersen; Jens Myrup Pedersen; Leon Böck; Emmanouil Vasilomanolakis

doi:10.1109/CNS53000.2021.9705029

An uneven game of hide and seek: Hiding botnet CnC by encrypting IPs in DNS records

Martin Fejrskov Andersen, Jens Myrup Pedersen, Leon Böck, Emmanouil Vasilomanolakis

Research output: Contribution to book/anthology/report/conference proceeding › Article in proceeding › Research › peer-review

223 Downloads (Pure)

Abstract

Botnets frequently use DGA and fast-flux techniques to ensure the availability of their command and control (CnC) infrastructure. However, the CnC IP addresses are still exposed in plain-text in publicly available DNS A records, which can be exploited by defenders to disrupt botnet operations. This paper presents the concept of the IP Generation Algorithm (IGA) as a novel method, usable by botmasters, to encrypt the CnC IP address in DNS records to avoid plain-text IP address exposure. This raises the bar for blacklisting malicious IP addresses, and can also be combined with existing techniques to further harden the CnC. For use by defenders, an IGA botnet detection method based on the combination of DNS and NetFlow data is presented and validated using an emulated botnet and an ISP data set.

Original language	English
Title of host publication	2021 IEEE Conference on Communications and Network Security, CNS 2021
Number of pages	9
Publisher	IEEE
Publication date	10 Feb 2022
Pages	164-172
ISBN (Print)	9781665444972
ISBN (Electronic)	9781665444965
DOIs	https://doi.org/10.1109/CNS53000.2021.9705029
Publication status	Published - 10 Feb 2022
Event	IEEE Conference on Communications and Network Security - Tempe, United States Duration: 4 Oct 2021 → 6 Oct 2021 https://doi.org/10.1109/CNS53000.2021

Conference

Conference	IEEE Conference on Communications and Network Security
Country/Territory	United States
City	Tempe
Period	04/10/2021 → 06/10/2021
Internet address	https://doi.org/10.1109/CNS53000.2021

Keywords

Botnet
DNS
NetFlow
detection
encryption

Access to Document

10.1109/CNS53000.2021.9705029

IP_Generation_Algorithm (32)Accepted author manuscript, 709 KB

AUB Link

Search for the material in Aalborg University Library's search engine

Cite this

@inproceedings{d4fece335dda4914b7700700cd2e2ce8,

title = "An uneven game of hide and seek: Hiding botnet CnC by encrypting IPs in DNS records",

abstract = "Botnets frequently use DGA and fast-flux techniques to ensure the availability of their command and control (CnC) infrastructure. However, the CnC IP addresses are still exposed in plain-text in publicly available DNS A records, which can be exploited by defenders to disrupt botnet operations. This paper presents the concept of the IP Generation Algorithm (IGA) as a novel method, usable by botmasters, to encrypt the CnC IP address in DNS records to avoid plain-text IP address exposure. This raises the bar for blacklisting malicious IP addresses, and can also be combined with existing techniques to further harden the CnC. For use by defenders, an IGA botnet detection method based on the combination of DNS and NetFlow data is presented and validated using an emulated botnet and an ISP data set. ",

keywords = "Botnet, DNS, NetFlow, detection, encryption",

author = "Andersen, {Martin Fejrskov} and Pedersen, {Jens Myrup} and Leon B{\"o}ck and Emmanouil Vasilomanolakis",

year = "2022",

month = feb,

day = "10",

doi = "10.1109/CNS53000.2021.9705029",

language = "English",

isbn = "9781665444972",

pages = "164--172",

booktitle = "2021 IEEE Conference on Communications and Network Security, CNS 2021",

publisher = "IEEE",

address = "United States",

note = "IEEE Conference on Communications and Network Security, CNS ; Conference date: 04-10-2021 Through 06-10-2021",

url = "https://doi.org/10.1109/CNS53000.2021",

}

Andersen, MF, Pedersen, JM, Böck, L & Vasilomanolakis, E 2022, An uneven game of hide and seek: Hiding botnet CnC by encrypting IPs in DNS records. in 2021 IEEE Conference on Communications and Network Security, CNS 2021. IEEE, pp. 164-172, IEEE Conference on Communications and Network Security, Tempe, Arizona, United States, 04/10/2021. https://doi.org/10.1109/CNS53000.2021.9705029

An uneven game of hide and seek: Hiding botnet CnC by encrypting IPs in DNS records. / Andersen, Martin Fejrskov; Pedersen, Jens Myrup; Böck, Leon et al.
2021 IEEE Conference on Communications and Network Security, CNS 2021. IEEE, 2022. p. 164-172.

Research output: Contribution to book/anthology/report/conference proceeding › Article in proceeding › Research › peer-review

TY - GEN

T1 - An uneven game of hide and seek

T2 - IEEE Conference on Communications and Network Security

AU - Andersen, Martin Fejrskov

AU - Pedersen, Jens Myrup

AU - Böck, Leon

AU - Vasilomanolakis, Emmanouil

PY - 2022/2/10

Y1 - 2022/2/10

N2 - Botnets frequently use DGA and fast-flux techniques to ensure the availability of their command and control (CnC) infrastructure. However, the CnC IP addresses are still exposed in plain-text in publicly available DNS A records, which can be exploited by defenders to disrupt botnet operations. This paper presents the concept of the IP Generation Algorithm (IGA) as a novel method, usable by botmasters, to encrypt the CnC IP address in DNS records to avoid plain-text IP address exposure. This raises the bar for blacklisting malicious IP addresses, and can also be combined with existing techniques to further harden the CnC. For use by defenders, an IGA botnet detection method based on the combination of DNS and NetFlow data is presented and validated using an emulated botnet and an ISP data set.

AB - Botnets frequently use DGA and fast-flux techniques to ensure the availability of their command and control (CnC) infrastructure. However, the CnC IP addresses are still exposed in plain-text in publicly available DNS A records, which can be exploited by defenders to disrupt botnet operations. This paper presents the concept of the IP Generation Algorithm (IGA) as a novel method, usable by botmasters, to encrypt the CnC IP address in DNS records to avoid plain-text IP address exposure. This raises the bar for blacklisting malicious IP addresses, and can also be combined with existing techniques to further harden the CnC. For use by defenders, an IGA botnet detection method based on the combination of DNS and NetFlow data is presented and validated using an emulated botnet and an ISP data set.

KW - Botnet

KW - DNS

KW - NetFlow

KW - detection

KW - encryption

UR - http://www.scopus.com/inward/record.url?scp=85125662222&partnerID=8YFLogxK

U2 - 10.1109/CNS53000.2021.9705029

DO - 10.1109/CNS53000.2021.9705029

M3 - Article in proceeding

SN - 9781665444972

SP - 164

EP - 172

BT - 2021 IEEE Conference on Communications and Network Security, CNS 2021

PB - IEEE

Y2 - 4 October 2021 through 6 October 2021

ER -

An uneven game of hide and seek: Hiding botnet CnC by encrypting IPs in DNS records

Abstract

Conference

Keywords

Access to Document

AUB Link

Other files and links

Fingerprint

Detecting malware and cyber attacks using ISP data

Cite this