DNS method for detecting botnets
Oleh Savenko, Serhii Lysenko, Kira Bobrovnikova

A DNS-based method for botnet detection is presented. It relies on the property of synchronous, coordinated activity of infected hosts that is visible in DNS traffic, analyses the TTL periods obtained from DNS responses, and takes into account behaviours that are atypical for a normal user but inherent to many types of botnets: ignoring the TTL period, sending DNS requests to servers other than the local DNS servers, and an increased number of empty DNS responses with the error code NXDOMAIN (the domain name does not exist). The results of experiments conducted to verify the effectiveness of the proposed method are presented. The method allows detection at the initial stage of infection in the network and can detect unknown bots.