Attacks on computer networks are an all-too-familiar event, leaving operators with little choice but to deploy a myriad of monitoring devices to ensure dependable and stable service on the networks they operate. However, as networks grow bigger and faster, staying ahead of the constant deluge of attack traffic is becoming increasingly difficult. A case in point is the attacks on enterprise name servers that interact with the Domain Name System (DNS). These name servers are critical infrastructure, busily translating human-readable domain names to IP addresses. DNS is a hotbed of malicious activity, and when properly monitored, it can offer invaluable information about network attacks and malicious activity.
This project furthers our collective understanding of the growing abuse of enterprise name servers whereby infected clients (bots) use automated domain-name generation algorithms to bypass network defenses. More specifically, a framework for accurately identifying bots after seeing only a handful of unique lookups is developed based on sequential hypothesis testing. The integration of NetFlow records, with novel indexing data structures, delivers even deeper insight into aberrant traffic. A live deployment of the system demonstrates the utility of this approach and provides the opportunity for interactively querying the recorded forensic information.
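To make the sequential-hypothesis-testing idea concrete, here is an added example (not the project's own code) of a per-client Wald SPRT over DNS lookups. It assumes, as a modelling choice not stated above, that the observable per unique lookup is whether the name server answered NXDOMAIN, and it uses constructed probabilities (`P_FAIL_BENIGN`, `P_FAIL_BOT`), constructed error targets and a constructed sample log with reserved `.example` names. Only unique names advance the test, which is what lets a verdict be reached after a handful of lookups.

```python
"""Wald's sequential probability ratio test (SPRT) over per-client DNS lookups.

Added example; not code from the project described above. The NXDOMAIN
observable, the probabilities and the sample log are all constructed.
"""
import math
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Assumed model parameters (constructed): probability that one unique lookup
# fails with NXDOMAIN for a benign host versus a bot running a DGA.
P_FAIL_BENIGN = 0.1
P_FAIL_BOT = 0.8

# Target error rates: ALPHA = false-positive rate, BETA = false-negative rate.
ALPHA = 0.01
BETA = 0.01

# SPRT decision thresholds in log-likelihood-ratio (LLR) space.
UPPER = math.log((1 - BETA) / ALPHA)   # LLR >= UPPER  -> declare "bot"
LOWER = math.log(BETA / (1 - ALPHA))   # LLR <= LOWER  -> declare "benign"

# Per-observation evidence added to the LLR for a failed / successful lookup.
LLR_FAIL = math.log(P_FAIL_BOT / P_FAIL_BENIGN)
LLR_OK = math.log((1 - P_FAIL_BOT) / (1 - P_FAIL_BENIGN))


@dataclass
class ClientState:
    llr: float = 0.0
    seen: Set[str] = field(default_factory=set)   # unique names already counted
    verdict: Optional[str] = None


class SprtDetector:
    """Keeps one running hypothesis test per client address."""

    def __init__(self) -> None:
        self.clients: Dict[str, ClientState] = {}

    def observe(self, client: str, qname: str, nxdomain: bool) -> Optional[str]:
        """Feed one lookup; return 'bot' or 'benign' once decided, else None."""
        st = self.clients.setdefault(client, ClientState())
        if st.verdict is not None:
            return st.verdict
        # Repeated lookups of the same name carry no new evidence.
        if qname in st.seen:
            return None
        st.seen.add(qname)
        st.llr += LLR_FAIL if nxdomain else LLR_OK
        if st.llr >= UPPER:
            st.verdict = "bot"
        elif st.llr <= LOWER:
            st.verdict = "benign"
        return st.verdict


def parse_line(line: str) -> Tuple[str, str, bool]:
    """Parse a constructed log line of the form '<client_ip> <qname> <rcode>'."""
    client, qname, rcode = line.split()
    return client, qname.lower().rstrip("."), rcode == "NXDOMAIN"


def run(lines) -> Dict[str, Tuple[str, int]]:
    """Return {client: (verdict, unique lookups needed)} for decided clients."""
    det = SprtDetector()
    verdicts: Dict[str, Tuple[str, int]] = {}
    for line in lines:
        client, qname, nx = parse_line(line)
        v = det.observe(client, qname, nx)
        if v is not None and client not in verdicts:
            verdicts[client] = (v, len(det.clients[client].seen))
    return verdicts


# Constructed sample log: 10.0.0.5 behaves like a DGA bot, 10.0.0.7 like a
# normal workstation, 10.0.0.9 has too little evidence either way.
SAMPLE_LOG = [
    "10.0.0.5 xk3f9qzp.example NXDOMAIN",
    "10.0.0.7 www.example NOERROR",
    "10.0.0.5 q8vz2lmr.example NXDOMAIN",
    "10.0.0.9 a1b2c3d4.example NXDOMAIN",
    "10.0.0.5 xk3f9qzp.example NXDOMAIN",   # repeat: ignored
    "10.0.0.7 mail.example NOERROR",
    "10.0.0.7 www.example NOERROR",         # repeat: ignored
    "10.0.0.5 t7nw4hcs.example NXDOMAIN",   # third unique failure: bot
    "10.0.0.9 www.example NOERROR",
    "10.0.0.7 cdn.example NOERROR",
    "10.0.0.9 mail.example NOERROR",
    "10.0.0.7 ntp.example NOERROR",         # fourth unique success: benign
]

if __name__ == "__main__":
    for client, (verdict, n) in run(SAMPLE_LOG).items():
        print(f"{client}: {verdict} after {n} unique lookups")
```

With the constructed parameters the bot is flagged on its third unique NXDOMAIN answer and the workstation is cleared on its fourth unique successful lookup; the third client stays undecided, which is the point of a sequential test: it keeps collecting evidence instead of forcing a verdict from a fixed window. In practice the two failure probabilities should be estimated from the monitored network's own traffic rather than guessed.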