Summary: | Master's === National Yunlin University of Science and Technology === Master's Program, Department of Information Management === 100 === Fast-Flux Service Networks (FFSN) derive from Round-Robin DNS (RR-DNS). RR-DNS is a method of choosing a resource for a task from a list of available resources, usually for the purpose of load balancing. An FFSN is similar to RR-DNS, but differs in that the list of available resources is made up of victim hosts, which hackers use to protect phishing sites, malicious sites and spam servers. Past research usually focused on issuing DNS queries for a specific domain and finding the differences between the results of each query; detection results obtained this way are easily influenced by the network environment, and the detection time may increase. In this thesis, we use nmap to scan the ports of the hosts in a specific domain and calculate the discrepancy between the hosts, in order to distinguish FFSN domains (high difference) from benign domains (low difference). In addition, we use another FFSN feature, “the standard deviation of DNS query time”: if the standard deviation is higher than a threshold, the domain is an FFSN domain; if not, it is a benign domain. Combining these two FFSN features, we obtain high accuracy. We also analyze the detection speed of these two FFSN features. Unlike the methods in past research, the feature “difference between each host’s ports” does not need to wait for the TTL time; it completes detection in about 47 seconds on average, whereas past research takes more than 100 seconds. “Difference between each host’s ports” not only decreases the detection time but also keeps the accuracy high.
|