Fast Flux Watch: A mechanism for online detection of fast flux networks
Author
Al-Duwairi Basheer N., Al-Hammouri Ahmad T.

Source
Journal of Advanced Research - 2014 - Volume: 5 - Issue: 4 - Pages: 473-479

Abstract
Fast flux networks represent a special type of botnet used to provide highly available web services to a backend server, which usually hosts malicious content. Detection of fast flux networks continues to be a challenging issue because of the similar behavior between these networks and other legitimate infrastructures, such as CDNs and server farms. This paper proposes Fast Flux Watch (FF-Watch), a mechanism for online detection of fast flux agents. FF-Watch is envisioned to exist as a software agent at leaf routers that connect stub networks to the Internet. The core mechanism of FF-Watch is based on an inherent feature of fast flux networks: flux agents within stub networks take the role of relaying client requests to point-of-sale websites of spam campaigns. The main idea of FF-Watch is to correlate incoming TCP connection requests to flux agents within a stub network with outgoing TCP connection requests from the same agents to the point-of-sale website. Theoretical and traffic-trace-driven analysis shows that the proposed mechanism can be utilized to efficiently detect fast flux agents within a stub network.

Keywords
Network security, Botnets, Fast flux networks, Bloom filter, Correlated TCP SYN

Address
Jordan University of Science and Technology, Department of Network Engineering and Security, CyberSecurity Research Laboratory, Jordan, Jordan University of Science and Technology, Department of Network Engineering and Security, CyberSecurity Research Laboratory, Jordan