September 29, 2017 to October 3, 2017
Fairmont San Jose
US/Pacific timezone

Detecting DGA Botnets Using DNS Traffic

Sep 30, 2017, 11:30 AM
Regency 2 Ballroom (Fairmont San Jose)

Regency 2 Ballroom

Fairmont San Jose

170 S Market Street, San Jose, 95113, CA, USA
Standard Presentation Public Workshop Public Workshop


Dr Han Zhang (Salesforce)


Cyber security constitutes one of the most serious threats to the current society, costing billions of dollars each year. Botnets is a very important way to perform many attacks. In botnets, the botmaster and bots exchange information through C&C channels, which can be implemented using many protocols. HTTP-based botnets are very common as they are easy to implement and maintain. To improve the resiliency of HTTP-based botnets, bot masters began utilizing Domain Generation Algorithms (DGA) in recent years. In particular, hundreds or thousands of domains can be algorithmically generated every day, but the botmaster only registers one or a few of them as C&C domains and publishes the commands there. DGA technique evades static blacklists, avoids single point of failure, and also prevents security specialists from registering the C&C domain before the botmaster. There are four reasons to detect DGA botnets using DNS traffic. First, the DGA bots have to send DNS queries to look up the IP addresses of C&C domains. Second, the amount of DNS traffic is much less than the overall traffic. Focusing on a relatively small amount of traffic helps to improve performance, making it possible to detect bots in real time. Third, the DNS traffic of DGA bots has different patterns compared to legitimate hosts. For example, DGA bots send more DNS queries than legitimate hosts. Last, if we can detect bots only using DNS traffic when they look for C&C domains, we can stop the attacks even before they happen. In this work, we introduce BotDigger, a system that detects an individual bot by only using DNS traffic collected from a single network. This single network can be a company network, a university network, or a local area network (LAN). Notice that “detecting individual bot in a network” does not mean BotDigger cannot detect all the bots in a network. If there are multiple bots in the same network, BotDigger can still detect them, but individually. BotDigger uses a chain of evidences, including quantity evidence, linguistic evidence, and temporal evidence to detect bots. We evaluate BotDigger with two datasets from Colorado State University and NetSec research lab, as well as two DGA-based botnets. The results show that BotDigger detects more than 99.8% of the bots with less than 0.5% false positives. We have deployed BotDigger at multiple universities and enterprises, including Colorado State University, University of Southern California/ISI, Los Alamos National Lab, and Northrop Grumman. BotDigger is open source and available at GitHub, network administrators at any enterprise can easily deploy BotDigger and detect bots in real-time. In this presentation, we will first talk about DGA botnets. Then, we will discuss why we use DNS traffic to detect DGA botnets and compare BotDigger with other related work. After that, we will describe the methodology of BotDigger, followed by discussions of our deployment at various networks.
Talk Duration 30 Minutes

Primary author

Dr Han Zhang (Salesforce)


Calvin Ardi (University of Southern California/ISI) Prof. Christos Papadopoulos (Colorado State University) Prof. John Heidemann (University of Southern California/ISI)

Presentation materials