Abstract

Recent reports on Internet security have indicated that the DNS (Domain Name System) protocol is being used for botnet communication in various botnets; in particular, botnet communication based on DNS TXT record type has been observed as a new technique in some botnet-based cyber attacks. One of the most fundamental Internet protocols, the DNS protocol is used for basic name resolution as well as many Internet services, so it is not possible to simply block out all DNS traffic. To block out only malicious DNS TXT record based botnet communications, it would be necessary to distinguish them from legitimate DNS traffic involving DNS TXT records. However, the DNS TXT record is also used in many legitimate ways since this type is allowed to include any plain text up to a fairly long length. In this paper, we mainly focus on the usage of the DNS TXT record and explain our analysis using about 5.5 million real DNS TXT record queries obtained for over 3 months in our campus network. Based on the analysis findings, we discuss a new method to detect botnet communication. Our analysis results show that 330 unique destination IP addresses (cover approximately 22.1% of unknown usages of DNS TXT record queries) may have been involved in malicious communications and this proportion is a reasonable basis for network administrators to perform detailed manual checking in many organizations.

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.