Class 100 - 吳沅錄 - Port-Scan-Based Detection of Fast-Flux Service Networks


[ Abstract ]
Fast-Flux Service Networks (FFSN) derive from a technique called Round-Robin DNS (RR-DNS). RR-DNS rotates DNS records rapidly so that one domain name is mapped in turn to several different hosts, as a load-balancing mechanism. Fast-Flux resembles RR-DNS, but differs in that the domain name is rapidly mapped to compromised machines drawn from a botnet, with the aim of shielding malicious content sites such as phishing sites, malware download sites and spam content sites, thereby prolonging the useful lifetime of an attack. Previous research focused on issuing repeated DNS queries for a given domain and looking for differences between successive answers; that approach is easily affected by network conditions and takes a long time to reach a verdict. This study instead scans every host the domain resolves to and computes the degree to which their open ports overlap: a domain with low port overlap is judged an FFSN domain, and one with high overlap a benign domain. It additionally uses another Fast-Flux feature identified in prior work, the standard deviation of DNS query time: a domain whose standard deviation exceeds a threshold is judged an FFSN domain and one below the threshold benign. Used together, the two features serve as the Fast-Flux detection features and yield a high precision. This study also analyzes the detection speed of the two features. Unlike the features found in earlier work, which require multiple queries and, for each query, waiting for the TTL to expire before the next step can proceed, port-overlap detection produces a result in about 47 seconds on average, far faster than the several hundred seconds typical of earlier detection, while still maintaining comparable precision.

[ English Abstract ]
Fast-Flux Service Networks (FFSN) derive from Round-Robin DNS (RR-DNS). RR-DNS chooses a resource for a task from a list of available resources, usually for load balancing. FFSN is similar to RR-DNS, but differs in that the list of available resources consists of victim hosts, which attackers use to shield phishing sites, malware sites and spam servers. Past research usually focused on querying DNS for a specific domain repeatedly and finding the differences between the results; that approach is easily influenced by the network environment and lengthens detection time. In this thesis, we use nmap to scan the ports of the hosts behind a specific domain and compute the discrepancy between the hosts' port sets, separating FFSN domains (high discrepancy) from benign domains (low discrepancy). In addition, we use another FFSN feature, the standard deviation of DNS query time: if the standard deviation is higher than a threshold the domain is classified as FFSN, otherwise as benign. Combining these two features gives high accuracy. We also analyze the detection speed of the two features and find that, unlike the features used in past research, the port-discrepancy feature does not need to wait for the TTL to elapse: it completes detection in about 47 seconds on average, whereas past approaches take more than 100 seconds. The port-discrepancy feature therefore reduces detection time while keeping accuracy high.
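The two features described in both abstracts, worked through as an added Python example. This is not the thesis's own code: the nmap output is a constructed sample in nmap's grepable (-oG) format embedded so the example runs offline, the overlap metric (mean pairwise Jaccard similarity of the hosts' open-port sets), the OR rule for combining the two features and both threshold values are assumptions chosen for illustration, and the domain names and IP addresses are placeholders from documentation ranges.

```python
"""Fast-Flux detection from port-set overlap and DNS query-time jitter.

Added example, not code from the thesis. Metric, thresholds, combination rule
and all sample data are assumptions; the -oG text below is constructed.
"""
from itertools import combinations
from statistics import pstdev
from typing import Dict, FrozenSet, Iterable, List

# Constructed nmap -oG output per domain. A load-balanced benign domain serves
# the same service from every node, so the open-port sets agree; an FFSN domain
# fronts infected home machines whose exposed ports depend on what each victim
# happens to be running. (Real -oG output separates fields with tabs, "\t".)
NMAP_GREPABLE: Dict[str, str] = {
    "benign.example": """\
# Nmap scan (constructed sample, not a real run)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.0.2.12 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
""",
    "fastflux.example": """\
# Nmap scan (constructed sample, not a real run)
Host: 198.51.100.7 ()\tPorts: 80/open/tcp//http///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (996)
Host: 198.51.100.8 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///, 25/filtered/tcp//smtp///\tIgnored State: closed (996)
Host: 198.51.100.9 ()\tPorts: 80/open/tcp//http///, 1900/open/tcp//upnp///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
""",
}

# Constructed per-query DNS response times in milliseconds (second feature).
QUERY_TIMES_MS: Dict[str, List[float]] = {
    "benign.example": [21.0, 23.0, 22.0, 21.5, 22.5],
    "fastflux.example": [40.0, 310.0, 95.0, 620.0, 180.0],
}

# Assumed thresholds for illustration; the thesis does not publish its values here.
OVERLAP_THRESHOLD = 0.5            # below: port sets disagree -> FFSN-like
QUERY_TIME_STDEV_THRESHOLD = 50.0  # above: jittery resolution -> FFSN-like


def parse_grepable(text: str) -> Dict[str, FrozenSet[int]]:
    """Open ports per host from nmap -oG text; filtered/closed entries are dropped.

    A host that appears only with a Status line still gets an (empty) entry, so
    a victim exposing nothing is counted rather than silently skipped.
    """
    hosts: Dict[str, set] = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment and summary lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        open_ports = hosts.setdefault(ip, set())
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                port, state = entry.split("/")[:2]
                if state == "open":
                    open_ports.add(int(port))
    return {ip: frozenset(ports) for ip, ports in hosts.items()}


def jaccard(a: FrozenSet[int], b: FrozenSet[int]) -> float:
    """Jaccard similarity of two port sets; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def port_overlap(hosts: Dict[str, FrozenSet[int]]) -> float:
    """Mean pairwise Jaccard similarity across all resolved hosts (1.0 if only one)."""
    if len(hosts) < 2:
        return 1.0
    pairs = list(combinations(hosts.values(), 2))
    return sum(jaccard(a, b) for a, b in pairs) / len(pairs)


def query_time_stdev(times_ms: Iterable[float]) -> float:
    """Population standard deviation of the DNS query times."""
    return pstdev(list(times_ms))


def classify(domain: str) -> dict:
    """Evaluate both features; the OR combination is an assumption of this example."""
    overlap = port_overlap(parse_grepable(NMAP_GREPABLE[domain]))
    stdev = query_time_stdev(QUERY_TIMES_MS[domain])
    low_overlap = overlap < OVERLAP_THRESHOLD
    high_jitter = stdev > QUERY_TIME_STDEV_THRESHOLD
    return {
        "domain": domain,
        "port_overlap": round(overlap, 3),
        "query_time_stdev_ms": round(stdev, 1),
        "verdict": "ffsn" if (low_overlap or high_jitter) else "benign",
    }


if __name__ == "__main__":
    for name in NMAP_GREPABLE:
        print(classify(name))
```

The port-overlap feature needs one resolution of the domain and one scan per host, which is why it can finish without waiting for TTLs to expire; the query-time feature still needs several queries, so in practice the scan result is available first and the jitter check refines it.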