
Rapid Change To Attack The Network Research

Posted on: 2011-12-18
Degree: Master
Type: Thesis
Country: China
Candidate: S Yu
Full Text: PDF
GTID: 2208360308466765
Subject: Communication and Information Engineering
Abstract/Summary:
"Fast-flux" refers to rapidly assigning different IP addresses to the same domain name. A network that uses fast-flux is called a fast-flux network or fast-flux service network (FFSN). The technology was originally used in large-scale, heavily loaded networks, such as fox.com. However, attackers have begun to use fast-flux networks to build a number of illegal networks and to hide the real control centers, the motherships. A misused fast-flux network is called a fast-flux attack network (FFAN). Because benign FFSNs and FFANs have a lot in common, there is currently no effective way to distinguish them.

In this dissertation, we observe and analyse fast-flux networks on three different levels to find an effective identification scheme. The major innovative work of this dissertation is as follows:

1. Focusing on DNS records, this dissertation observes some FFANs on the live Internet. It describes the existing measurement methods in detail, and then uses some numerical metrics to observe and analyse some benign FFSNs and FFANs. Finally, based on the observation results, we point out some new trends and changes in FFANs.

2. Focusing on quality of service, this dissertation presents a new FFAN identification method. Whereas previous identification methods focus on DNS records, our method identifies FFANs based on the quality of service of the agents in the network. The method first monitors all the agents in the network for 24 hours, then computes two metrics we propose based on the agents' lifespan, and finally determines whether the monitored domain is an FFAN.

3. Focusing on service content, this dissertation summarizes the homepage change frequency of FFANs and presents malware variant identification based on byte frequency. Commonly, an FFAN is used to host illegal content, such as malware spreading, illegal web sites and spam. Because an FFAN has a short lifetime, usually about two weeks, the service content in an FFAN has some specific characteristics.

According to available papers, this is the first time FFANs have been observed and analysed from the perspectives of quality of service and service content. Through the methods proposed in this dissertation, we can effectively identify an FFAN and stop it.
Keywords/Search Tags: malicious network, Domain Name System, malicious code, network security, fast-flux network