Efficient Malicious Packet Capture Through Advanced DNS Sinkhole

Abstract

Among the current botnet countermeasures, DNS sinkhole is known as the best practice in the world. This technique prevents a cyberattack by cutting off the communication between a command and control (C&C) server and zombie PCs (malicious bots). In particular, the characteristics of malicious bots and suspicious URLs can be analyzed, using the malicious packets collected from a DNS Sinkhole system. For this, technology advancement is required to analyze the behavior of malicious bots, which has become more intelligent through analysis on the operation and current situations of conventional DNS sinkholes. Therefore, this study attempted to analyze and improve the limitations of a current DNS sinkhole packet collection program (DNS sinkhole server program). After the unification and advancement of the DNS sinkhole server programs which have been developed and operated for different purposes, the ratio of malicious packet capture improved five times, compared to a conventional system. In addition, even though a conventional system has captured only one malicious packet per source IP, the proposed system has made it possible to collect more information on malicious packets by collecting an average of 5.3 malicious packets per source IP.