A botnet is a collection of internet-connected programs communicating with other similar programs in order to perform tasks, which may be malicious, such as sending spam emails or participating in DDoS attacks. Malicious botnets compromise computers whose security defenses have been breached and whose control has been ceded to a third party (referred to as a botmaster). Each such compromised device, known as a “bot”, is created when a computer is penetrated by software from a malware (malicious software) distribution. Each bot periodically contacts the controller (referred to as command and control or C&C) of the botnet to receive instructions for carrying out the malicious tasks.
The Domain Name System (DNS) provides an essential naming service that translates human-readable domain names to numerical IP addresses, and vice versa. As a crucial component of the Internet and one of the world's largest distributed systems, DNS has been increasingly abused by adversaries to hide the location of malware servers. In particular, botnets have persistently abused the DNS infrastructure to add resiliency to their command and control (C&C) communication. For instance, in domain-flux techniques, instead of associating a C&C with a single domain name (i.e., a single point of failure), the botmaster registers several domain names, and the bots attempt to resolve the correct ones among these registered domain names using a Domain Generation Algorithm (DGA). An effective top-level domain (eTLD), also known as a public suffix, is the highest level at which a domain may be directly registered for a particular top-level domain. For example, .com, .cn and .co.uk are eTLDs, in which domains (e.g., foo.com, blah.cn and bar.co.uk, respectively) can be directly registered. The directly registered labels (i.e., foo, blah, and bar) are referred to as effective second-level domain (eSLD) names.
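The eTLD/eSLD split described above is the first step of any DNS-based domain-flux analysis, since a detector must count registered domains rather than raw hostnames. The following is an added illustration, not code from the original text; it uses a small constructed subset of public suffixes (the real Public Suffix List is far larger) and a constructed query log, and names such as `split_domain` are assumptions of this example.

```python
from collections import defaultdict

# Constructed subset of public suffixes for illustration only (assumption);
# a real deployment would load the full Public Suffix List.
CONSTRUCTED_PUBLIC_SUFFIXES = {"com", "cn", "uk", "co.uk", "org", "net"}


def split_domain(fqdn, suffixes=CONSTRUCTED_PUBLIC_SUFFIXES):
    """Return (eSLD, eTLD) for a domain name, or None if not registrable.

    Longest-suffix matching is used, so "www.bar.co.uk" gives
    ("bar", "co.uk") rather than ("co", "uk"). Names that are themselves a
    public suffix (e.g. "co.uk") and single-label names return None.
    Wildcard and exception rules of the real list are not modelled here.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if ".".join(labels) in suffixes:
        return None
    # Walk from the longest candidate suffix to the shortest.
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            return labels[i - 1], candidate
    return None


def registered_domain(fqdn, suffixes=CONSTRUCTED_PUBLIC_SUFFIXES):
    """Return the eSLD+eTLD pair as one string, e.g. "bar.co.uk"."""
    parts = split_domain(fqdn, suffixes)
    return None if parts is None else ".".join(parts)


# Constructed sample of (client, queried name) pairs; not real traffic.
CONSTRUCTED_QUERY_LOG = [
    ("10.0.0.5", "www.foo.com"),
    ("10.0.0.5", "mail.foo.com"),
    ("10.0.0.5", "bar.co.uk"),
    ("10.0.0.9", "blah.cn"),
    ("10.0.0.9", "cdn.blah.cn"),
    ("10.0.0.9", "localhost"),
]


def distinct_esld_per_client(log, suffixes=CONSTRUCTED_PUBLIC_SUFFIXES):
    """Count distinct registered domains each client resolved.

    Hostnames under the same eSLD collapse to one entry, which is the
    unit a domain-flux detector reasons about.
    """
    seen = defaultdict(set)
    for client, name in log:
        reg = registered_domain(name, suffixes)
        if reg is not None:
            seen[client].add(reg)
    return {client: len(domains) for client, domains in seen.items()}
```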
Attempts to detect domain-flux botnets often require disassembling malware binaries to recover the DGAs, which is labor-intensive and provides only a point solution.