
Based On DNS Records And CART Algorithm To Find Out A Method To Identify Fast-flux Domains And Then Realize It

Posted on: 2017-09-21
Degree: Master
Type: Thesis
Country: China
Candidate: Y S Zhao
Full Text: PDF
GTID: 2348330518995807
Subject: Computer Science and Technology
Abstract/Summary:
In recent years, DDoS attacks have occurred frequently. Although security departments have adopted a series of defensive strategies, they still cannot withstand sudden, large-scale DDoS attacks. Meanwhile, attackers adopt effective countermeasures, and their techniques evolve constantly and grow more complex. Among these techniques, fast-flux networking is widely used to build botnets. With it, attackers can recruit more bots through malicious domain names they register and so build highly available, large-scale botnets, from which they can launch DDoS attacks whenever and wherever they want without being detected by regulators. How to identify fast-flux domains, cut off the paths attackers use to recruit bots, and gradually shrink the malicious network is therefore a hot issue in network security.

In this thesis, we propose a method to identify fast-flux domains and build a domain recognition system based on it. First, we identify the natural characteristics of fast-flux domain names in their DNS resolutions: one domain name maps to many IPs, those IPs are widely dispersed geographically, and the cache time (TTL) of the domain names is very short. Second, based on a study of domain response times, we propose an essential characteristic, the volatility of response time, which can differentiate fast-flux domain names from CDN domain names. Through a comparative analysis of the CART, ID3 and C4.5 algorithms on the test samples, we conclude that CART is optimal in both recognition speed and accuracy. On the test data set, the accuracy of this method is above 84%. By differentiating fast-flux domain names from CDN domain names, we further reduce the misclassification rate, and the recognition rate reaches 85%.

To quickly identify a domain name's type, we deploy the domain name recognition system in a distributed fashion to handle the massive data volume. To keep the results current, the system updates its database every three days. The system also provides a user-friendly interactive interface: a user can query a domain name and see its type, its degree of maliciousness, and the distribution of its IPs on a world map.
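As an added illustration, not code from the thesis, the Python below computes the four signals the abstract names (IP count, geographic spread, shortest TTL, response-time volatility) from constructed DNS lookups and then runs one CART split on them with Gini impurity. The domain names, addresses, TTLs, country codes and response times are all constructed, and the learned threshold applies only to this toy sample, not to the thesis's data.

```python
from statistics import mean, pstdev

# Constructed lookups (not real data): per domain, repeated resolutions as
# (A-record IPs, TTL seconds, country codes of those IPs, response time ms).
OBSERVATIONS = {
    "flux-a.test": [({"192.0.2.5", "192.0.2.9"}, 60, {"BR", "IN"}, 40),
                    ({"192.0.2.13", "192.0.2.21"}, 60, {"RU", "VN"}, 310)],
    "flux-b.test": [({"198.51.100.1", "198.51.100.2"}, 120, {"ID", "PK"}, 220),
                    ({"198.51.100.3", "198.51.100.4"}, 120, {"EG", "NG"}, 20)],
    "cdn.test": [({"203.0.113.1", "203.0.113.2"}, 60, {"US", "DE"}, 12),
                 ({"203.0.113.3", "203.0.113.4"}, 60, {"JP", "SG"}, 13)],
    "static.test": [({"203.0.113.50"}, 3600, {"US"}, 30),
                    ({"203.0.113.50"}, 3600, {"US"}, 31)],
}
LABELS = {"flux-a.test": 1, "flux-b.test": 1, "cdn.test": 0, "static.test": 0}  # 1 = fast-flux

def extract_features(lookups):
    """The abstract's four signals: IP count, country spread, shortest TTL, RTT volatility (CV)."""
    ips, countries, ttls, rtts = set(), set(), [], []
    for ip_set, ttl, cc_set, rtt in lookups:
        ips |= ip_set
        countries |= cc_set
        ttls.append(ttl)
        rtts.append(rtt)
    return {"ip_count": len(ips), "country_count": len(countries),
            "min_ttl": min(ttls), "rtt_volatility": pstdev(rtts) / mean(rtts)}

def gini(labels):
    """Gini impurity of a binary label list; 0.0 means the node is pure."""
    p = sum(labels) / len(labels) if labels else 0.0
    return 1.0 - p * p - (1.0 - p) * (1.0 - p)

def best_split(rows, labels):
    """One CART step: choose the (feature, threshold) whose two children have
    the lowest weighted Gini impurity. Returns (impurity, feature, threshold)."""
    best = None
    for feat in rows[0]:
        values = sorted({r[feat] for r in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2  # candidate cut between adjacent observed values
            left = [y for r, y in zip(rows, labels) if r[feat] <= thr]
            right = [y for r, y in zip(rows, labels) if r[feat] > thr]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(labels)
            if best is None or score < best[0]:
                best = (score, feat, thr)
    return best

FEATURES = {d: extract_features(o) for d, o in OBSERVATIONS.items()}
# Root split on the constructed sample: IP count and TTL cannot separate the CDN
# from the flux domains, so CART picks the response-time volatility.
SPLIT = best_split(list(FEATURES.values()), [LABELS[d] for d in FEATURES])
```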
Keywords/Search Tags: Fast-flux network, CART, Quickly-identify, CDN