Fast-Flux Data

Back in February, we published a paper on fast-flux service networks at NDSS'08. The basic idea behind fast-flux networks is a fast change in the mapping between a domain name and the corresponding IP addresses. The attackers use this mechanism to build a proxy-network on top of compromised machines to maintain a robust hosting infrastructure for their services. For more information on this topic, see the paper by the Honeynet Project or our NDSS paper.

To foster research in this area, the data collected during our study is available for research purposes. Up to now, quite a few people have mailed me and asked for the data. To make this process a bit more scalable and also minimize the amount of work needed on my side, we decided to simply publish all the data so that everyone can download the raw data and use it for whatever purpose. Today, I uploaded a tarball which contains a summary of the fast-flux data collected over a period of several weeks. The tarball contains a potpourri of different measurements and has a total size of 7.3 MB. It contains about 55K raw dig lookup files and has an unpacked size of about 220 MB. The archive contains the following data:
  • storm-qavoter.com.log: dig lookups for a domain used by the Storm Worm botnet, which uses fast-flux techniques
  • asprox-damnec-hydra.log: dig lookups for the Asprox/Damnec botnet, which also uses fast-flux techniques
  • lookups-ff: dig lookups for fast-flux domains, confirmed manually
  • lookups-spam: dig lookups for various domains found in spam e-mails
  • lookups-benign: dig lookups for (probably) benign domains, most of them collected via dmoz or Alexa
  • lookups-ndss: part of the domains used for the NDSS paper
  • lookups-ndss-ff: suspected fast-flux domains from the NDSS paper

So if you are interested in this area and want to learn more about it, just download the archive (7.3 MB) and play with the files :)
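As an added illustration (not part of the original post and not the code used for the paper), the sketch below parses dig answer lines and summarizes how a domain's A records change across successive lookups, which is the property that defines fast-flux. It assumes the lookup files hold standard dig output; the sample lookups, the domain names, the /16 diversity metric and the thresholds are constructed for this example.

```python
import re
from collections import defaultdict

# One A record of a dig ANSWER SECTION: owner name, TTL, class IN, type A, IPv4.
A_RECORD = re.compile(r"^(\S+?)\.?\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_dig(text):
    """Return [(name, ttl, ip)] for the A records in one dig output."""
    hits = (A_RECORD.match(line.strip()) for line in text.splitlines())
    return [(m.group(1).lower(), int(m.group(2)), m.group(3)) for m in hits if m]

def flux_summary(lookups):
    """Aggregate successive lookups (oldest first) into per-domain statistics."""
    seen = defaultdict(list)   # name -> one set of IPs per lookup
    ttls = defaultdict(list)   # name -> every TTL observed
    for text in lookups:
        per_name = defaultdict(set)
        for name, ttl, ip in parse_dig(text):
            per_name[name].add(ip)
            ttls[name].append(ttl)
        for name, ips in per_name.items():
            seen[name].append(ips)
    out = {}
    for name, sets in seen.items():
        all_ips = set().union(*sets)
        out[name] = {
            "unique_ips": len(all_ips),
            # /16 prefixes: crude offline stand-in for network diversity (assumption)
            "prefixes16": len({".".join(ip.split(".")[:2]) for ip in all_ips}),
            "min_ttl": min(ttls[name]),
            "new_after_first": len(all_ips - sets[0]),  # record turnover
        }
    return out

def looks_fast_flux(s, min_ips=5, max_ttl=600):
    """Illustrative thresholds only; tune against lookups-ff and lookups-benign."""
    return s["unique_ips"] >= min_ips and s["new_after_first"] > 0 and s["min_ttl"] <= max_ttl

# Constructed sample: two successive lookups each for two made-up domains.
SAMPLE = [
    "flux.example. 180 IN A 192.0.2.10\nflux.example. 180 IN A 198.51.100.23\nflux.example. 180 IN A 203.0.113.77",
    ";; ANSWER SECTION:\nflux.example. 175 IN A 203.0.113.5\nflux.example. 175 IN A 198.51.100.200\nflux.example. 175 IN A 192.0.2.10",
    "static.example. 86400 IN A 192.0.2.80",
    "static.example. 86211 IN A 192.0.2.80",
]

if __name__ == "__main__":
    for name, s in flux_summary(SAMPLE).items():
        print(name, s, "fast-flux-like" if looks_fast_flux(s) else "stable")
```
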


Comments


  1. Zonghua Zhang says:

    Thanks a lot for sharing. I have read that NDSS paper and did get something useful from it. The data published here will surely stimulate some people's interest. I would like to have a try :-). Thanks a lot!

