An FPGA-Based Malicious DNS Packet Detection Tool

Cited by: 0
Authors
Thomas, Brennon [1]
Mullins, Barry [1]
Affiliations
[1] USAF, Inst Technol, Wright Patterson AFB, OH 45433 USA
Source
PROCEEDINGS OF THE 5TH INTERNATIONAL CONFERENCE ON INFORMATION WARFARE AND SECURITY | 2010
Keywords
DNS; FPGA; Virtex; exfiltration; botnet; tunnel;
DOI
None listed
CLC classification
TP301 [theory, methods];
Subject classification
081202 ;
Abstract
Billions and billions of packets traverse government and military networks every day. Often, these packets have legitimate destinations such as buying a book at amazon.com or downloading open source code using a File Transfer Protocol program. Unfortunately, the past few years have seen a massive increase in malicious, illegal, and suspicious traffic. One example is abusing the Domain Name System (DNS) protocol to exfiltrate sensitive data, establish backdoor tunnels, or control botnets. To counter this abuse and provide better incident detection, a physical hardware system is under development to detect these suspicious DNS packets. The system is constructed on a Xilinx Virtex-II Pro Field Programmable Gate Array (FPGA) and is based on a system originally developed to detect BitTorrent and Voice over Internet Protocol packets of interest. The first iteration prototype is limited both in processing speed (300 MHz) and by a 100 Mbps Ethernet interface. Despite the hardware shortfalls, preliminary experiments are promising for the system. The system inspects each packet, determines whether it is a DNS packet, compares the first four characters of the lowest level domain against a DNS whitelist, and, if the domain is not allowed, logs it for further analysis. The first experiment resulted in 100% malicious packet detection under 88 Mbps network utilization. In that experiment, 50 malicious DNS packets were sent at one second intervals while the network was flooded with NetBIOS traffic. The second experiment resulted in an average of 91% malicious packet detection under 88.7 Mbps network utilization. In that experiment, 2000 malicious DNS packets were sent as fast as possible while the network was flooded with non-malicious DNS traffic. For both experiments, DNS whitelist sizes of 1K, 10K, and 100K were used. Future work will focus on transferring the system to the Virtex-5 FPGA, which contains a 550 MHz processor and a 1 Gbps Ethernet interface. In addition, the DNS whitelist size will be increased until the system fails to detect 50% of packets of interest. The goal is to determine whether the system can be scaled to gigabit network speeds while also handling larger DNS whitelist sizes. The system seeks to aid network defenders in identifying and tracking malicious DNS packets traversing government networks while also providing better incident response awareness.
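The abstract describes the detection pipeline in four steps (classify the packet as DNS, take the lowest level domain of the query name, compare its first four characters against a whitelist, log anything not allowed). The following is an added software model of that pipeline, written here for illustration; it is not the authors' FPGA design and no code from the paper is available on this page. It assumes that "DNS packet" means an IPv4/UDP datagram to port 53 carrying a query (QR bit clear), that "lowest level domain" means the leftmost, most specific label of the queried name, and that whitelist entries are likewise reduced to their first four characters. The frames it inspects are constructed in the block itself.

```python
import logging
import struct
from typing import Optional

log = logging.getLogger("dns_watch")

DNS_PORT = 53
PREFIX_LEN = 4          # the prototype compares only the first four characters
UDP_PROTOCOL = 17


def parse_qname(dns: bytes, offset: int) -> tuple[list[str], int]:
    """Decode the length-prefixed labels of a QNAME starting at `offset`."""
    labels = []
    while True:
        length = dns[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length & 0xC0:
            # Compression pointers do not belong in a question name; treat as malformed.
            raise ValueError("compressed label in question section")
        labels.append(dns[offset:offset + length].decode("ascii", "replace"))
        offset += length


def extract_dns_query(frame: bytes) -> Optional[str]:
    """Return the queried name if `frame` is an IPv4/UDP DNS query, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None                                  # not IPv4
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != UDP_PROTOCOL:
        return None                                  # not UDP
    udp = frame[ihl:ihl + 8]
    if len(udp) < 8:
        return None
    _sport, dport, _ulen, _csum = struct.unpack("!HHHH", udp)
    if dport != DNS_PORT:
        return None                                  # not DNS (e.g. NetBIOS on 137)
    dns = frame[ihl + 8:]
    if len(dns) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", dns[:12])
    if flags & 0x8000 or qdcount < 1:
        return None                                  # a response, or no question
    labels, _ = parse_qname(dns, 12)
    return ".".join(labels)


def whitelist_key(name: str) -> str:
    """Assumption: lowest level domain = leftmost label; keep its first four chars."""
    return name.split(".")[0][:PREFIX_LEN].lower()


def load_whitelist(names) -> set[str]:
    """Reduce allowed names to the same four-character keys the comparison uses."""
    return {whitelist_key(n) for n in names}


def inspect(frame: bytes, whitelist: set[str]) -> Optional[str]:
    """Return the offending query name (and log it) or None if the packet passes."""
    qname = extract_dns_query(frame)
    if qname is None:
        return None                                  # not a DNS query: pass through
    if whitelist_key(qname) in whitelist:
        return None                                  # allowed lowest level domain
    log.warning("DNS query outside whitelist, logged for analysis: %s", qname)
    return qname


def build_dns_query_frame(qname: str, dport: int = DNS_PORT, response: bool = False) -> bytes:
    """Constructed test frame: IPv4 + UDP + DNS question for `qname` (checksums zeroed)."""
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    flags = 0x8180 if response else 0x0100
    dns = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + question + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, UDP_PROTOCOL, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 53]))
    return ip + udp


# Constructed whitelist of allowed lowest level domains (hypothetical names).
WHITELIST = load_whitelist(["www", "mail", "ntp", "updates", "ldap"])

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name in ["www.example.com", "aGVsbG8gd29ybGQ.t.example.net"]:
        print(name, "->", "LOGGED" if inspect(build_dns_query_frame(name), WHITELIST) else "pass")
```

The four-character prefix is what makes the whitelist lookup cheap enough for a small FPGA, and it is also the model's main blind spot: any query whose leftmost label happens to begin with an allowed prefix passes, so the whitelist key space (at most 36^4 alphanumeric keys) bounds how selective the filter can be.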
Pages: 337 / 342
Page count: 6
Related papers
50 entries in total
  • [1] An FPGA-based Priority Packet Queues
    Smekal, David
    Nemeth, Frantisek
    Dvorak, Jan
    IFAC PAPERSONLINE, 2019, 52 (27): : 377 - 381
  • [2] Enhancing Detection of Malicious Traffic Through FPGA-Based Frequency Transformation and Machine Learning
    Hu, Zhenguo
    Hasegawa, Hirokazu
    Yamaguchi, Yukiko
    Shimada, Hajime
    IEEE ACCESS, 2024, 12 : 2648 - 2659
  • [3] Realization of FPGA-based Packet Classification in Embedded System
    Wang Yong-gang
    Zhang Tao
    Zheng Yu-feng
    Yang Yang
    I2MTC: 2009 IEEE INSTRUMENTATION & MEASUREMENT TECHNOLOGY CONFERENCE, VOLS 1-3, 2009, : 911 - 915
  • [4] Exploiting Packet-Level Parallelism of Packet Parsing for FPGA-Based Switches
    Li, Junnan
    Han, Biao
    Sun, Zhigang
    Li, Tao
    Wang, Xiaoyan
    IEICE TRANSACTIONS ON COMMUNICATIONS, 2019, E102B (09) : 1862 - 1874
  • [5] DNS dataset for malicious domains detection
    Marques, Claudio
    Malta, Silvestre
    Magalhaes, Joao Paulo
    DATA IN BRIEF, 2021, 38
  • [6] An FPGA-based people detection system
    Nair, V
    Laprise, PO
    Clark, JJ
    EURASIP JOURNAL ON APPLIED SIGNAL PROCESSING, 2005, 2005 (07) : 1047 - 1061
  • [7] An FPGA-Based People Detection System
    Vinod Nair
    Pierre-Olivier Laprise
    James J. Clark
    EURASIP Journal on Advances in Signal Processing, 2005
  • [8] ccLAB: A Tool for Remote Verification of FPGA-based Circuits
    Garijo, D.
    Senhadji, R.
    IEEE LATIN AMERICA TRANSACTIONS, 2016, 14 (03) : 1115 - 1121
  • [9] FPGA-based amplitude and phase detection in DLLRF
    刘熔
    王峥
    潘卫民
    王光伟
    林海英
    沙鹏
    曾日华
    中国物理C, 2009, 33 (07) : 594 - 598
  • [10] FPGA-Based Vehicle Detection and Tracking Accelerator
    Zhai, Jiaqi
    Li, Bin
    Lv, Shunsen
    Zhou, Qinglei
    SENSORS, 2023, 23 (04)