Winning with DNS Failures: Strategies for Faster Botnet Detection Conference Paper uri icon


  • Botnets such as Conficker and Torpig utilize high entropy domains for fluxing and evasion. Bots may query a large number of domains, some of which may fail. In this paper, we present techniques where the failed domain queries (NXDOMAIN) may be utilized for: (i) Speeding up the present detection strategies which rely only on successful DNS domains. (ii) Detecting Command and Control (C&C) server addresses through features such as temporal correlation and information entropy of both successful and failed domains. We apply our technique to a Tier-1 ISP dataset obtained from South Asia, and a campus DNS trace, and thus validate our methods by detecting Conficker botnet IPs and other anomalies with a false positive rate as low as 0.02%. Our technique can be applied at the edge of an autonomous system for real-time detection. 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering.

published proceedings

  • Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering

altmetric score

  • 3

author list (cited authors)

  • Yadav, S., & Reddy, A.

citation count

  • 58

complete list of authors

  • Yadav, Sandeep||Reddy, AL Narasimha

editor list (cited editors)

  • Rajarajan, M., Piper, F., Wang, H., & Kesidis, G.

publication date

  • November 2012