An FPGA System for Detecting Malicious DNS Network Traffic

Abstract : Billions of legitimate packets traverse computer networks every day. Unfortunately, malicious traffic also traverses these same networks. An example is traffic that abuses the Domain Name System (DNS) protocol to exfiltrate sensitive data, establish backdoor tunnels or control botnets. This paper describes the TRAPP-2 system, an extended version of the Tracking and Analysis for Peer-to-Peer (TRAPP) system, which detects BitTorrent and Voice over Internet Protocol (VoIP) traffic. TRAPP-2 is designed to detect a DNS packet, extract the packet payload, compare the data against a hash list and, if the packet is suspicious, log it for future analysis. Results show that the TRAPP-2 system captures 91.89% of DNS packets of interest under a 93.7% network load (937 Mbps). Also, as the hash list size is increased from 1,000 to 131,072,000 unique items, each doubling of the hash list size results in a mean increase of approximately 16 CPU cycles. These results demonstrate the ability of TRAPP-2 to detect traffic of interest under a saturated network load while maintaining large hash lists.
Document type :
Conference papers
Complete list of metadatas

Cited literature [15 references]  Display  Hide  Download

https://hal.inria.fr/hal-01569565
Contributor : Hal Ifip <>
Submitted on : Thursday, July 27, 2017 - 8:22:36 AM
Last modification on : Friday, December 1, 2017 - 1:16:42 AM

File

978-3-642-24212-0_15_Chapter.p...
Files produced by the author(s)

Licence


Distributed under a Creative Commons Attribution 4.0 International License

Identifiers

Citation

Brennon Thomas, Barry Mullins, Gilbert Peterson, Robert Mills. An FPGA System for Detecting Malicious DNS Network Traffic. 7th Digital Forensics (DF), Jan 2011, Orlando, FL, United States. pp.195-207, ⟨10.1007/978-3-642-24212-0_15⟩. ⟨hal-01569565⟩

Share

Metrics

Record views

131

Files downloads

250