DNS Resolution Traffic Analysis Applied to Bot Detection
Ronan Mouchoux 🗣
This presentation aims to explain how works MalwareTrap, a DNS resolution traffic analysis platform deployed into a major French company’s network. MalwareTrap was created to complete internal anti-malwares protections. It constantly listens to the internal DNS resolution traffic between workstations and Internal DNS. When it spots a DNS request for a domain name considered by MalwareTrap as a security threat, the internal DNS replies not the domain name’s real IP but the IP of the MalwareTrap’s entry point. The suspicious workstation then talks to MalwareTrap as if it were the server behind the domain name.