Fast-flux bot detection in real time

Ching Hsiang Hsu*, Chun-Ying Huang, Kuan Ta Chen

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contribution

35 Scopus citations


The fast-flux service network architecture has been widely adopted by bot herders to increase the productivity and extend the lifespan of botnets' domain names. A fast-flux botnet is unique in that each of its domain names is normally mapped to different sets of IP addresses over time and legitimate users' requests are handled by machines other than those contacted by users directly. Most existing methods for detecting fast-flux botnets rely on the former property. This approach is effective, but it requires a certain period of time, maybe a few days, before a conclusion can be drawn. In this paper, we propose a novel way to detect whether a web service is hosted by a fast-flux botnet in real time. The scheme is unique because it relies on certain intrinsic and invariant characteristics of fast-flux botnets, namely, 1) the request delegation model, 2) bots are not dedicated to malicious services, and 3) the hardware used by bots is normally inferior to that of dedicated servers. Our empirical evaluation results show that, using a passive measurement approach, the proposed scheme can detect fast-flux bots in a few seconds with more than 96% accuracy, while the false positive/negative rates are both lower than 5%.

Original languageEnglish
Title of host publicationRecent Advances in Intrusion Detection - 13th International Symposium, RAID 2010, Proceedings
Number of pages20
StatePublished - 19 Nov 2010
Event13th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2010 - Ottawa, ON, Canada
Duration: 15 Sep 201017 Sep 2010

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume6307 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference13th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2010
CityOttawa, ON


  • Botnet
  • Document fetch delay
  • Internet measurement
  • Processing delay
  • Request delegation
  • Supervised classification

Fingerprint Dive into the research topics of 'Fast-flux bot detection in real time'. Together they form a unique fingerprint.

Cite this