System and method for fast flux detection

US 8,539,577 B1
Filed: 02/26/2009
Issued: 09/17/2013
Est. Priority Date: 06/20/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

querying, over a period of time, a domain name system (DNS) for DNS records associated with a domain name;

receiving, from the DNS over the period of time, the DNS records associated with the domain name;

determining a number of unique parameters that are contained within the DNS records received from the DNS over the period of time;

determining that the domain name is part of a fast flux network of computers based on the number of unique parameters; and

identifying, based on the number of unique parameters, the fast flux network as one or more of;

a single flux network, a double flux network, a top-tier flux network, and a lower-tier flux network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method is disclosed herein for detecting fast flux networks. In one embodiment, the method comprises querying a domain name system (DNS) for DNS records associated with a domain. The method further comprises determining whether the domain name is part of a fast flux network of computers from results of the query. The method may further comprise determining the type of fast flux network as one of a single flux network, a double flux network, a top-tier flux network, or a lower-tier flux network.

49 Citations

View as Search Results

22 Claims

1. A method comprising:
- querying, over a period of time, a domain name system (DNS) for DNS records associated with a domain name;
  
  receiving, from the DNS over the period of time, the DNS records associated with the domain name;
  
  determining a number of unique parameters that are contained within the DNS records received from the DNS over the period of time;
  
  determining that the domain name is part of a fast flux network of computers based on the number of unique parameters; and
  
  identifying, based on the number of unique parameters, the fast flux network as one or more of;
  
  a single flux network, a double flux network, a top-tier flux network, and a lower-tier flux network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - logging the domain name when the domain name is determined to be part of a fast flux network.
  - 3. The method of claim 1, further comprising:
    - receiving the domain name as a data feed; and
      
      initiating the querying in response to receiving the data feed.
  - 4. The method of claim 3, wherein the data feed includes a plurality of domain names and DNS records associated with each domain name in the data feed are queried.
  - 5. The method of claim 4, wherein the data feed is a file containing a list of domain names received from a client computer system.
  - 6. The method of claim 5, wherein the data feed is one of a Domain Name Zone Alert (DNZA) data feed, a list of blacklisted domains, or a list of domains extracted from a spare list.
  - 7. The method of claim 1,wherein the domain name is part of a fast flux network when the number of unique parameters over the period of time exceeds one or more thresholds.
  - 8. The method of claim 7, wherein the unique parameters comprise internet protocol (IP) addresses and name servers.
  - 9. The method of claim 7, wherein the domain name is identified as a double flux network when both a top tier flux network threshold and one of a plurality of lower tier flux network thresholds are reached.
  - 10. The method of claim 9, wherein the top tier flux network threshold is based on a Top Level Domain (TLD) Name Server (NS) Address (A) Subnet count over the period of time, and the lower tier flux network thresholds are based on a NS A Subnet count over the period of time, a Domain A Subnet count over the period of time, and a start of authority (SOA) count over the period of time.
  - 11. The method of claim 7, further comprising:
    - extending the period of time when a determination of whether the domain name is part of a fast flux network is not conclusive.
  - 12. The method of claim 7, further comprising:
    - determining that the domain name is part of a legitimate network with when flux is detected, based on the number of unique parameters comprising at least one of a number of unique subuets and a number of autonomous system numbers (ASNs) in which intern et protocol (IP) addresses for the domain occur.

13. A system, comprising:
- one or more memory devices storing instructions; and
  
  one or more processors coupled to the one or more memory devices and configured to execute the instructions to perform a method comprising;
  
  querying, over a period of time, a domain name system (DNS) for DNS records associated with the domain name;
  
  receiving, from the DNS over the period of time, the DNS records associated with the domain name;
  
  determining a number of unique parameters that are contained within the DNS records received from the DNS over the period of time;
  
  determining that the domain name is part of a fast flux network of computers based on the number of unique parameters; and
  
  identifying, based on the number of unique parameters, the fast flux network as one or more of;
  
  a single flux network, a double flux network, a top-tier flux network, and a lower-tier flux network.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13,wherein the domain name is part of a fast flux network when the number of unique parameters over the period of time exceeds one or more thresholds.
  - 15. The system of claim 14,wherein the domain name is identified as a double flux network when both a top tier flux network threshold and one of a plurality of lower tier flux network thresholds are reached.
  - 16. The system of claim 14, wherein the one or more processors are configured to execute the instructions to perform the method further comprising:
    - generating a report indicating that the domain name is a fast flux network.
  - 17. The system of claim 14, wherein the one or more processors are configured to execute the instructions to perform the method further comprising:
    - extending the period of time when determination of whether the domain name is part of a fast flux network is not conclusive.
  - 18. The system of claim 14, wherein the one or more processors are configured to execute the instructions to perform the method further comprising:
    - determining the domain is part of a legitimate network, based on the number of unique parameters comprising at least one of a number of unique subnets and a number of autonomous system numbers (ASNs) in which internet protocol (IP) addresses for the domain occur.
  - 19. The system of claim 13,wherein the domain name is received as part of a data feed.

20. A non-transitory computer readable medium storing instructions thereon which, when executed by a system, cause the system to perform a method comprising:
- querying a domain name system (DNS) for DNS records associated with a domain name;
  
  receiving, from the DNS over the period of time, the DNS records associated with the domain name;
  
  determining a number of unique parameters that are contained within the DNS records received from the DNS over the period of time;
  
  determining that the domain name is part of a fast flux network of computers based on the number of unique parameters; and
  
  identifying, based on the number of unique parameters, the fast flux network as one or more of;
  
  a single flux network, a double flux network, a top-tier flux network, and a lower-tier flux network.
- View Dependent Claims (21, 22)
- - 21. The non-transitory computer readable medium of claim 20,Wherein the domain is part of a fast flux network when the number of unique parameters exceeds one or more thresholds.
  - 22. The non-transitory computer readable medium of claim 20, the method further comprising:
    - receiving the domain name as a data feed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
Stewart, David Alexander, Mankin, Ben, Riley, Antony Arthur
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
KAPLAN, BENJAMIN A

Application Number

US12/393,913
Time in Patent Office

1,664 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 61/4511   using domain name system [DNS]

H04L 63/1441   Countermeasures against mal...

System and method for fast flux detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

49 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for fast flux detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links