
DNS Redirection.

As an alternative to botnet infiltration, Dagon et al. explored a technique for counting infected bots by manipulating the DNS entry associated with a botnet's IRC server and redirecting connections to a local sinkhole [5]. The sinkhole completed the three-way TCP handshake with bots attempting to connect to the (redirected) IRC server and recorded the IP addresses of those victims. Their results suggest the existence of large botnets with populations of up to 350,000 bots. Unfortunately, although this approach allows us to observe the IP addresses of different bots, it has a number of limitations. First, this technique can only measure the botnet's footprint: although the sinkhole observes bot connection attempts, it is impossible to know how many live bots are simultaneously connected to the actual server channel. Second, as the sinkhole does not host an actual IRC server, there is no way of knowing whether the bots are connecting to the same command and control channel. Finally, as Zou et al. [19] suggest, it is conceivable that botmasters can detect DNS redirection and subsequently redirect their bots to another IRC server, thus distorting the estimate provided by this technique.
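The following is an added illustration, not code from this paper or from Dagon et al. [5], of what a sinkhole's connection record actually supports. The log format, timestamps and addresses are constructed for the example. Distinct source addresses give the footprint; a peak over a sliding time window is the closest a sinkhole can come to a "live" figure, yet it still counts handshakes with the sinkhole rather than bots joined to the real command and control channel, and a bot that retries after failing to find an IRC server inflates the raw attempt count.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sinkhole log (not real data): one line per completed TCP
# handshake with a redirected bot. Format: ISO timestamp, source IP, source port.
SINKHOLE_LOG = """\
2007-03-01T10:00:01 203.0.113.5 4521
2007-03-01T10:00:03 198.51.100.17 1043
2007-03-01T10:00:09 203.0.113.5 4522
2007-03-01T10:00:40 192.0.2.200 3389
2007-03-01T10:01:02 203.0.113.5 4523
2007-03-01T10:01:15 198.51.100.17 1044
2007-03-01T10:05:30 192.0.2.201 1050
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, ip, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, port = line.split()
        records.append((datetime.fromisoformat(ts), ip, int(port)))
    return records


def footprint(records):
    """Distinct source IPs seen by the sinkhole: the botnet's footprint."""
    return len({ip for _, ip, _ in records})


def connection_attempts(records):
    """Raw number of completed handshakes; overcounts bots that retry."""
    return len(records)


def reconnect_counts(records):
    """Handshakes per source IP, exposing how much retries inflate attempts."""
    return Counter(ip for _, ip, _ in records)


def peak_distinct_ips(records, window):
    """Largest number of distinct IPs that completed a handshake within any
    sliding window of the given length. This is an attempt-based proxy only:
    a sinkhole cannot tell which, if any, of these bots would have been
    simultaneously joined to the real server's channel."""
    records = sorted(records)
    best = 0
    start = 0
    for end in range(len(records)):
        while records[end][0] - records[start][0] > window:
            start += 1
        best = max(best, len({ip for _, ip, _ in records[start:end + 1]}))
    return best


def summarize(text, window=timedelta(seconds=60)):
    """Summary of what a sinkhole log can and cannot measure."""
    records = parse_log(text)
    return {
        "footprint": footprint(records),
        "attempts": connection_attempts(records),
        "max_retries_by_one_ip": max(reconnect_counts(records).values()),
        "peak_distinct_ips_per_window": peak_distinct_ips(records, window),
    }


if __name__ == "__main__":
    for key, value in summarize(SINKHOLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log the footprint is 4 distinct addresses, the raw attempt count is 7 because one host retried three times, and no 60-second window ever holds more than 3 distinct addresses; none of these figures is the number of bots that were actually joined to the botmaster's channel, which is exactly the quantity the sinkhole cannot observe.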


Fabian Monrose 2007-04-03