Fast flux domains and Bro


I was wondering if anyone on the list has any experience using Bro to detect fast flux domains.


I wrote a script quite a few years ago, but I haven't touched it in a long time and it likely won't work right on 2.0. It's a very short script though and could probably be ported fairly easily. It uses the detection technique outlined in this paper:

Someone else had a fast flux detection script at that time too, but I don't know if they still have it floating around anywhere or not. I attached my script to this email. When it's ported to 2.x we can get it into the contributed scripts repository.

dns-fastflux.bro (2.53 KB)

We wrote a few iterations of FF DNS detectors in Bro several years
back. Our paper is here:

We tried a few different approaches, but the one that worked the
best in the end was based on white/black listing ASNs. Scott may
remember it better than I, as he is further along in his recovery from
newborn baby induced memory loss. Jason Lee has probably the freshest
recollection of approach since he worked on the most recent edit of
the paper.
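As an added illustration of the heuristics discussed in this thread (many distinct A records, spread over several ASNs, with short TTLs, with an ASN allow-list to exclude legitimate flux such as CDNs), here is a small standalone Python sketch. It is not the attached dns-fastflux.bro script, not the method from either paper, and not Bro code; the IP-to-ASN table, the allow-list, the thresholds (`min_ips`, `min_asns`, `max_ttl`) and the sample answers are all constructed for the example.

```python
"""Fast-flux heuristic over DNS A-record answers (added example, not the
thread's Bro script). Addresses are from the documentation ranges
(TEST-NET-2/3); ASNs are from the range reserved for documentation
(64496-64511). Nothing here reflects a real allocation."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed IP -> ASN table standing in for a real ASN lookup.
IP_TO_ASN = {
    "198.51.100.10": 64496, "198.51.100.11": 64496,
    "198.51.100.12": 64497, "198.51.100.13": 64498,
    "198.51.100.14": 64499, "198.51.100.15": 64500,
    "203.0.113.20": 64501, "203.0.113.21": 64501,
    "203.0.113.22": 64502, "203.0.113.23": 64502,
    "203.0.113.24": 64503, "203.0.113.25": 64503,
    "203.0.113.30": 64504,
}

# ASNs an operator has reviewed and treats as benign flux (for example a
# CDN that legitimately answers with many short-TTL addresses). Constructed.
ALLOWED_ASNS = {64501, 64502, 64503}


@dataclass
class DomainStats:
    """Per-name aggregate of everything seen in DNS answers so far."""
    ips: set = field(default_factory=set)
    asns: set = field(default_factory=set)
    min_ttl: int = 2**31
    answers: int = 0


def observe(stats, qname, ip, ttl):
    """Fold one (qname, A record, TTL) answer into the per-name stats."""
    s = stats[qname]
    s.ips.add(ip)
    s.asns.add(IP_TO_ASN.get(ip, 0))  # 0 marks an IP with no known ASN
    s.min_ttl = min(s.min_ttl, ttl)
    s.answers += 1


def is_fast_flux(s, allowed_asns, min_ips=5, min_asns=3, max_ttl=300):
    """Flag a name once it has spread over many IPs in many ASNs with a
    short TTL, unless every ASN involved is on the allow-list.
    Thresholds are assumptions chosen for the example, not tuned values."""
    if s.asns and s.asns <= allowed_asns:
        return False
    return (len(s.ips) >= min_ips
            and len(s.asns) >= min_asns
            and s.min_ttl <= max_ttl)


def analyze(records, allowed_asns=ALLOWED_ASNS):
    """Return the sorted list of names that trip the heuristic."""
    stats = defaultdict(DomainStats)
    for qname, ip, ttl in records:
        observe(stats, qname, ip, ttl)
    return sorted(name for name, s in stats.items()
                  if is_fast_flux(s, allowed_asns))


# Constructed sample answers: (qname, A record, TTL).
SAMPLE_ANSWERS = [
    # six addresses in five ASNs, 60 s TTL: classic flux pattern
    ("flux.example", "198.51.100.10", 60),
    ("flux.example", "198.51.100.11", 60),
    ("flux.example", "198.51.100.12", 60),
    ("flux.example", "198.51.100.13", 60),
    ("flux.example", "198.51.100.14", 60),
    ("flux.example", "198.51.100.15", 60),
    # six addresses in three ASNs, 30 s TTL, but all ASNs allow-listed
    ("cdn.example", "203.0.113.20", 30),
    ("cdn.example", "203.0.113.21", 30),
    ("cdn.example", "203.0.113.22", 30),
    ("cdn.example", "203.0.113.23", 30),
    ("cdn.example", "203.0.113.24", 30),
    ("cdn.example", "203.0.113.25", 30),
    # one stable address with a long TTL
    ("static.example", "203.0.113.30", 3600),
]

if __name__ == "__main__":
    print(analyze(SAMPLE_ANSWERS))                        # ['flux.example']
    print(analyze(SAMPLE_ANSWERS, allowed_asns=set()))    # CDN now flagged too
```

Running it with the allow-list in place reports only `flux.example`; passing an empty allow-list also flags `cdn.example`, which is exactly the false-positive class the ASN white-listing in the thread was meant to suppress. Whether a name is simply on a CDN or is genuinely fluxing is not decidable from IP counts alone, which is why the list needs to be curated by the operator.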