University of Twente Student Theses


Catching Flux-networks in the open

Kokkelkoren, R. (2019) Catching Flux-networks in the open.

Abstract:The Domain Name System (DNS) protocol is one of the core protocols of the Internet and is used to map human-readable names to machine-readable IP addresses. The flexibility and broad implementation of the DNS protocol lead to alternative uses of the protocol, such as providing load-balancing, high-availability and performance services. Both malicious and benign networks, such as Content Delivery Networks, widely use these features to improve reliability and availability. The malicious variant of these networks is called a flux-network, and malicious actors use such networks for a wide range of malicious activities. These networks are known to exploit the properties of the DNS protocol to make takedown more difficult. Various studies in the literature propose detection methodologies for these types of networks. In recent years a novel platform for active DNS measurements called OpenINTEL was established; this platform gathers DNS records for around 60% of the global DNS namespace and stores them in a continuously updated, unique, large-scale data set. This data set has led to novel insights on a range of topics, such as the use of cloud mail platforms, measuring exposure of DDoS protection services, and more. In this thesis we study whether it can also improve flux-network detection. We present a methodology for identifying flux-networks that clusters the data records from OpenINTEL and uses a known malicious ground-truth to identify malicious networks. Our methodology is an adaptation of the work by Perdisci et al., streamlined to work with OpenINTEL data. Using our detection application, we analyze every DNS record in OpenINTEL for the year 2017 for the Netherlands TLD. Our results show that it is possible to implement a detection methodology on the OpenINTEL data set. This detection methodology resulted in the identification of a total of 97.285 malicious networks.
The dimensionality of OpenINTEL is significantly larger than in previous studies, but the detection methodology did not result in the identification of actual flux-networks. We found that not limiting the analysis to a single TLD, or the fact that OpenINTEL only gathers second-level domain names, may impede detection. Our case study shows that the guilt-by-association techniques used to label networks as flux-networks can affect detection accuracy. This commonly used technique in flux-network detection may therefore have to be revisited to improve existing solutions.
Item Type:Essay (Master)
Faculty:EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject:54 computer science
Programme:Computer Science MSc (60300)
Keywords:aDNS, pDNS, OpenINTEL, Flux-networks, Domain-flux, IP-flux

