An FPGA System for Detecting Malicious DNS Network Traffic - Advances in Digital Forensics VII
Conference Papers Year : 2011

An FPGA System for Detecting Malicious DNS Network Traffic

Abstract

Billions of legitimate packets traverse computer networks every day. Unfortunately, malicious traffic also traverses these same networks. An example is traffic that abuses the Domain Name System (DNS) protocol to exfiltrate sensitive data, establish backdoor tunnels or control botnets. This paper describes the TRAPP-2 system, an extended version of the Tracking and Analysis for Peer-to-Peer (TRAPP) system, which detects BitTorrent and Voice over Internet Protocol (VoIP) traffic. TRAPP-2 is designed to detect a DNS packet, extract the packet payload, compare the data against a hash list and, if the packet is suspicious, log it for future analysis. Results show that the TRAPP-2 system captures 91.89% of DNS packets of interest under a 93.7% network load (937 Mbps). Also, as the hash list size is increased from 1,000 to 131,072,000 unique items, each doubling of the hash list size results in a mean increase of approximately 16 CPU cycles. These results demonstrate the ability of TRAPP-2 to detect traffic of interest under a saturated network load while maintaining large hash lists.
Fichier principal
Vignette du fichier
978-3-642-24212-0_15_Chapter.pdf (451.11 Ko) Télécharger le fichier
Origin Files produced by the author(s)
Loading...

Dates and versions

hal-01569565 , version 1 (27-07-2017)

Licence

Identifiers

Cite

Brennon Thomas, Barry Mullins, Gilbert Peterson, Robert Mills. An FPGA System for Detecting Malicious DNS Network Traffic. 7th Digital Forensics (DF), Jan 2011, Orlando, FL, United States. pp.195-207, ⟨10.1007/978-3-642-24212-0_15⟩. ⟨hal-01569565⟩
141 View
191 Download

Altmetric

Share

More