Winning With DNS Failures: Strategies for Faster Botnet Detection
Botnets such as Conficker and Torpig use high-entropy domain names for fluxing and evasion. Bots may query a large number of domains, some of which fail to resolve. In this paper, the authors present techniques that make use of those failed queries (NXDOMAIN responses, i.e. queries for non-existent domains) in two ways: to speed up existing detection strategies, which rely only on successfully resolved domains, and to detect Command and Control (C&C) server addresses through features such as the temporal correlation and the information entropy of both successful and failed domains. They apply their techniques to a Tier-1 ISP dataset obtained from South Asia and to a campus DNS trace, validating their methods by detecting Conficker botnet IPs and other anomalies with a false positive rate as low as 0.02%.
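As an added illustration (not code from the paper or its authors), the following Python sketch combines the two features named above, the information entropy of a domain's second-level label and the temporal correlation between a burst of NXDOMAIN responses and the successful lookup that follows it, over a constructed DNS log; the CSV layout, the thresholds and the client addresses are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log (not the paper's dataset): ts,client,domain,rcode
SAMPLE_LOG = """\
3.0,10.0.0.7,qxzvbkwmrt.biz,NXDOMAIN
3.5,10.0.0.7,hprkjwdazq.net,NXDOMAIN
4.0,10.0.0.7,zmqtyvxlpo.org,NXDOMAIN
4.5,10.0.0.7,lpkwtrzvqn.info,NXDOMAIN
5.0,10.0.0.7,gkzwqpmvbx.cc,NOERROR
6.0,10.0.0.5,cdn.example.net,NXDOMAIN
"""

def shannon_entropy(label: str) -> float:
    """Shannon entropy in bits per character; 0.0 for an empty label."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def second_level_label(domain: str) -> str:
    """The label left of the TLD, e.g. 'example' for 'www.example.com'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def find_suspects(text: str, window: float = 5.0, min_failures: int = 3,
                  entropy_threshold: float = 3.0) -> dict:
    """Map each client to the random-looking domains that resolved (NOERROR)
    within `window` seconds after >= `min_failures` random-looking NXDOMAINs."""
    def random_looking(domain: str) -> bool:
        return shannon_entropy(second_level_label(domain)) >= entropy_threshold
    by_client = defaultdict(list)
    for line in text.splitlines():
        ts, client, domain, rcode = line.strip().split(",")
        by_client[client].append((float(ts), domain, rcode))
    suspects = {}
    for client, events in by_client.items():
        events.sort()
        hits = []
        for ts, domain, rcode in events:
            if rcode != "NOERROR" or not random_looking(domain):
                continue
            # Count high-entropy failures in the window preceding this success.
            failures = sum(1 for t, d, r in events
                           if ts - window <= t < ts and r == "NXDOMAIN"
                           and random_looking(d))
            if failures >= min_failures:
                hits.append(domain)
        if hits:
            suspects[client] = hits
    return suspects
```

Legitimate services (CDNs, antivirus telemetry, some cloud control planes) also use random-looking labels, so an allow-list and a per-client baseline are needed before acting on a hit.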