A Survey of Fast Flux Botnet Detection With Fast Flux Cloud Computing

Ahmad Al-Nawasrah (Taibah University, Saudi Arabia), Ammar Ali Almomani (Al-Balqa Applied University, Jordan), Samer Atawneh (College of Computing and Informatics, Saudi Electronic University, Saudi Arabia) and Mohammad Alauthman (Department of Computer Science, Faculty of Information Technology, Zarqa University, Jordan)
Copyright: © 2020 |Pages: 37
DOI: 10.4018/IJCAC.2020070102


A botnet refers to a set of compromised machines controlled remotely by an attacker. Botnets are considered the basis of numerous security threats around the world. Command and control (C&C) servers are the backbone of botnet communications: bots send reports to the botmaster, and the botmaster sends attack orders to those bots. Botnets are also categorized according to their C&C protocols, such as internet relay chat (IRC) and peer-to-peer (P2P) botnets. A domain name system (DNS) method known as fast-flux is used by bot herders to cover malicious botnet activities and increase the lifetime of malicious servers by quickly changing the IP addresses of the domain names over time. Several methods have been suggested to detect fast-flux domains. However, these methods achieve low detection accuracy, especially for zero-day domains. They also entail a significantly long detection time and consume a large amount of memory. In this survey, we present an overview of the various techniques used to detect fast-flux domains according to solution scope, namely host-based, router-based, DNS-based, and cloud computing techniques. This survey provides an understanding of the problem, its current solution space, and the expected future research directions.
Article Preview

1. Introduction

Networks of compromised PCs remotely controlled by attackers are the foundation of various cyber threats to cloud environments, including distributed denial-of-service (DDoS) attacks, identity theft, phishing and spam (Al-Fayoumi et al., 2019; Alauthaman et al., 2018; Alauthaman et al., 2020; Almomani et al., 2018; Almomani et al., 2015; Almomani, Wan, et al., 2013; Alomari et al., 2016; Alomari et al., 2014; Barford et al., 2007; Dagon et al., 2008; Fabian et al., 2007; Grizzard et al., 2007; Gu et al., 2008; B. Gupta, 2011; Karasaridis et al., 2007; Levy et al., 2005; Rajab et al., 2006).

Fast flux networks (FFNs) are a unique form of botnet that criminals use to give high availability and flexibility to their malicious websites, in the same way as round-robin domain names (RRDNS) and content delivery networks (CDNs) (Alieyan et al., 2015). Botnet writers disguise their malicious activities and design new tactics and mechanisms to hide their communications. One method is IP fast-flux, a mechanism that frequently changes the IP addresses corresponding to a single domain name. Another method is domain flux, a mechanism that automatically and periodically generates domain names related to the URL of a C&C server (Alieyan et al., 2019; Zou et al., 2018). The key concept of FFNs is to use bot PCs as proxies (flux agents) to forward user queries to backend servers called “motherships”.

These rapid changes in proxy IP addresses are crucial to avoid detection and prospective shutdown and to guarantee high availability for the backend servers. FFNs are regarded as a recent development in spam campaign operation and management. In addition to campaigns, spammers send thousands of emails containing interesting product or service advertisements (e.g., pharmaceutical, adult content, and phishing) to users’ email inboxes (Al-Duwairi et al., 2014). These advertisements generally contain hyperlinks to the malicious websites of the campaigns. Until recently, only a single static IP address was associated with a website for a certain period; this characteristic gave security defenders the chance to take down that website. In FFNs, the domain name of a malicious website points to more than one IP address (FF-agents), and this set of addresses changes frequently and rapidly.
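The rapid replacement of FF-agent addresses described above can be measured directly from successive DNS answers for a domain. The following Python is an added example, not code from the paper or its authors: the lookup snapshots are constructed sample data, and the thresholds are assumptions chosen for illustration.

```python
"""Toy DNS-based fast-flux indicator computed over successive lookups.

Added example, not from the paper. Snapshots are constructed sample data
(documentation IP ranges); the thresholds below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed A-record snapshots: each inner list is the answer set
# returned by one lookup of the domain (constructed, not real domains).
LOOKUPS: Dict[str, List[List[str]]] = {
    # static site: the same single address on every lookup
    "static.example": [["203.0.113.10"]] * 4,
    # CDN-like: several addresses, but the same pool on every lookup
    "cdn.example": [["198.51.100.1", "198.51.100.2", "198.51.100.3"]] * 4,
    # fast-flux-like: many addresses, and the pool is mostly replaced each time
    "flux.example": [
        ["192.0.2.11", "192.0.2.12", "192.0.2.13"],
        ["192.0.2.21", "192.0.2.22", "192.0.2.13"],
        ["192.0.2.31", "192.0.2.32", "192.0.2.33"],
        ["192.0.2.41", "192.0.2.42", "192.0.2.43"],
    ],
}

@dataclass
class FluxStats:
    distinct_ips: int   # unique addresses seen across all lookups
    churn: float        # mean fraction of the answer set replaced between lookups

def flux_stats(snapshots: List[List[str]]) -> FluxStats:
    """Summarise how a domain's A-record set changes across lookups."""
    seen: Set[str] = set()
    prev: Set[str] = set()
    replaced: List[float] = []
    for snap in snapshots:
        cur = set(snap)
        seen |= cur
        if prev:
            # share of the current answers that were absent from the previous answer
            replaced.append(len(cur - prev) / len(cur))
        prev = cur
    churn = sum(replaced) / len(replaced) if replaced else 0.0
    return FluxStats(distinct_ips=len(seen), churn=churn)

def is_fast_flux_candidate(snapshots: List[List[str]],
                           min_distinct: int = 5, min_churn: float = 0.5) -> bool:
    """Flag domains whose answer pool is both large and rapidly replaced.
    Thresholds are assumptions; a real detector would tune them on labelled data."""
    s = flux_stats(snapshots)
    return s.distinct_ips >= min_distinct and s.churn >= min_churn

if __name__ == "__main__":
    for name, snaps in LOOKUPS.items():
        print(name, flux_stats(snaps), is_fast_flux_candidate(snaps))
```

A CDN or RRDNS domain also returns several addresses, which is why the check combines pool size with churn between consecutive answers rather than counting addresses alone.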

According to Kalige et al. (2012), HTTP botnets are considered dangerous because they attack and exploit systems. Current HTTP botnets use the strongest techniques to perform attacks. An example is the Asprox botnet, which has affected about 3.5 billion computers in the United States. The Asprox botnet uses an advanced double fast-flux, called the hydra fast-flux, as its main technique (Al-Bataineh et al., 2012). This technique renders efforts to take down C&C servers useless. Additional details are presented in Subsection 2.3.

The Cost of Cyber Crime Study (Enterprise, 2015) notes that 252 benchmarked organisations have an annualized average cost of $7.7 million a year. The study also demonstrates that either a botnet or a web-based attack performs or supports these exploits, and that fast-flux is used as an evasion method to provide accessibility and resilience.

The report mentions that the most dangerous cyber-crimes are those caused by denial of service (DoS) and web-based attacks. The fast-flux evasion technique has been widely used in botnets and web-based botnets to carry out DoS and other attacks (e.g., phishing and spam), with fast-flux serving as the backbone of C&C communication between the compromised computers and the mothership/malicious website.
