Measurement and Analysis of Global IP-Usage Patterns of Fast-Flux Botnets
This paper considers the global IP-usage patterns exhibited by different types of malicious and benign domains, with a focus on single and double fast-flux domains. The authors developed a lightweight DNS probing engine, called DIGGER, and deployed it on 240 PlanetLab nodes spanning 4 continents. They collected DNS data for over 3.5 months on a plethora of domains, and the global vantage points enabled them to identify distinguishing behavioral features between these domains based on their DNS-query results. To help analyze the enormous amount of data, they quantified these features and designed an effective classifier capable of accurately discriminating between different types of domains.