Measuring and Detecting Fast-Flux Service Networks

Thorsten Holz, Christian Gorecki, Konrad Rieck, Felix Freiling

Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2008


We present the first empirical study of fast-flux service networks (FFSNs), a newly emerging and still not widely known phenomenon in the Internet. FFSNs employ DNS to establish a proxy network on compromised machines through which illegal online services can be hosted with very high availability. Through our measurements we show that the threat which FFSNs pose is significant: FFSNs occur on a worldwide scale and already host a substantial percentage of online scams. Based on analysis of the principles of FFSNs, we develop a metric with which FFSNs can be effectively detected. Considering our detection technique we also discuss possible mitigation strategies.


Tags: Botnets, fast-flux