{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,17]],"date-time":"2025-10-17T14:11:18Z","timestamp":1760710278064,"version":"3.40.5"},"reference-count":106,"publisher":"IGI Global","issue":"3","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2020,7,1]]},"abstract":"<p>A botnet refers to a set of compromised machines controlled distantly by an attacker. Botnets are considered the basis of numerous security threats around the world. Command and control (C&amp;C) servers are the backbone of botnet communications, in which bots send a report to the botmaster, and the latter sends attack orders to those bots. Botnets are also categorized according to their C&amp;C protocols, such as internet relay chat (IRC) and peer-to-peer (P2P) botnets. A domain name system (DNS) method known as fast-flux is used by bot herders to cover malicious botnet activities and increase the lifetime of malicious servers by quickly changing the IP addresses of the domain names over time. Several methods have been suggested to detect fast-flux domains. However, these methods achieve low detection accuracy, especially for zero-day domains. They also entail a significantly long detection time and consume high memory storage. In this survey, we present an overview of the various techniques used to detect fast-flux domains according to solution scopes, namely, host-based, router-based, DNS-based, and cloud computing techniques. This survey provides an understanding of the problem, its current solution space, and the future research directions expected.<\/p>","DOI":"10.4018\/ijcac.2020070102","type":"journal-article","created":{"date-parts":[[2020,6,11]],"date-time":"2020-06-11T14:29:12Z","timestamp":1591885752000},"page":"17-53","source":"Crossref","is-referenced-by-count":10,"title":["A Survey of Fast Flux Botnet Detection With Fast Flux Cloud Computing"],"prefix":"10.4018","volume":"10","author":[{"given":"Ahmad","family":"Al-Nawasrah","sequence":"first","affiliation":[{"name":"Taibah University, Saudi Arabia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8808-6114","authenticated-orcid":true,"given":"Ammar Ali","family":"Almomani","sequence":"additional","affiliation":[{"name":"Al-Balqa Applied University, Jordan"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7590-7887","authenticated-orcid":true,"given":"Samer","family":"Atawneh","sequence":"additional","affiliation":[{"name":"College of Computing and Informatics, Saudi Electronic University, Saudi Arabia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0319-1968","authenticated-orcid":true,"given":"Mohammad","family":"Alauthman","sequence":"additional","affiliation":[{"name":"Department of Computer Science, Faculty of Information Technology, Zarqa University, Jordan"}]}],"member":"2432","reference":[{"key":"IJCAC.2020070102-0","doi-asserted-by":"publisher","DOI":"10.1109\/MALWARE.2012.6461004"},{"key":"IJCAC.2020070102-1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jare.2014.01.002"},{"key":"IJCAC.2020070102-2","first-page":"17","article-title":"Intelligent Association Classification Technique for Phishing Website Detection.","author":"M.Al-Fayoumi","year":"2019","journal-title":"The International Arab Journal of Information Technology"},{"key":"IJCAC.2020070102-3","doi-asserted-by":"publisher","DOI":"10.1109\/IACS.2018.8355433"},{"key":"IJCAC.2020070102-4","doi-asserted-by":"publisher","DOI":"10.1007\/s00521-016-2564-5"},{"key":"IJCAC.2020070102-5","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2019.102479"},{"key":"IJCAC.2020070102-6","doi-asserted-by":"publisher","DOI":"10.1080\/17517575.2019.1644673"},{"key":"IJCAC.2020070102-7","doi-asserted-by":"publisher","DOI":"10.1007\/s00521-015-2128-0"},{"key":"IJCAC.2020070102-8","doi-asserted-by":"publisher","DOI":"10.1007\/s00521-016-2531-1"},{"key":"IJCAC.2020070102-9","doi-asserted-by":"publisher","DOI":"10.4018\/IJCAC.2018040105"},{"key":"IJCAC.2020070102-10","doi-asserted-by":"publisher","DOI":"10.1007\/s10586-018-02891-0"},{"key":"IJCAC.2020070102-11","doi-asserted-by":"publisher","DOI":"10.1109\/SURV.2013.030713.00020"},{"key":"IJCAC.2020070102-12","doi-asserted-by":"publisher","DOI":"10.17485\/ijst\/2015\/v8iS9\/55320"},{"issue":"3","key":"IJCAC.2020070102-13","first-page":"169","article-title":"An enhanced online phishing e-mail detection framework based on evolving connectionist system.","volume":"9","author":"A.Almomani","year":"2013","journal-title":"International Journal of Innovative Computing, Information, & Control"},{"key":"IJCAC.2020070102-14","doi-asserted-by":"publisher","DOI":"10.4018\/978-1-5225-0105-3.ch003"},{"key":"IJCAC.2020070102-15","doi-asserted-by":"publisher","DOI":"10.1109\/ICACT.2014.6779162"},{"key":"IJCAC.2020070102-16","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-44599-1_8"},{"key":"IJCAC.2020070102-17","first-page":"172","author":"G.Bottazzi","year":"2015","journal-title":"A Survey on Financial Botnets Threat. In Global Security, Safety and Sustainability: Tomorrow\u2019s Challenges of Cyber Security"},{"key":"IJCAC.2020070102-18","unstructured":"Buhariwala, K. (2011). Geo-locating Hidden Servers Behind Fast-Flux Proxies."},{"key":"IJCAC.2020070102-19","unstructured":"Burghouwt, P. (2015). Detection of Botnet Command and Control Traffic in Enterprise Networks: TU Delft, Delft University of Technology."},{"issue":"2","key":"IJCAC.2020070102-20","first-page":"390","article-title":"Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness.","volume":"25","author":"D.Cafuta","year":"2018","journal-title":"Tehnicki Vjesnik (Strojarski Fakultet)"},{"key":"IJCAC.2020070102-21","doi-asserted-by":"publisher","DOI":"10.1109\/HICSS.2010.81"},{"key":"IJCAC.2020070102-22","doi-asserted-by":"publisher","DOI":"10.1109\/CATCH.2009.44"},{"key":"IJCAC.2020070102-23","doi-asserted-by":"publisher","DOI":"10.1145\/1644893.1644915"},{"key":"IJCAC.2020070102-24","doi-asserted-by":"publisher","DOI":"10.1109\/ISCC.2013.6755058"},{"key":"IJCAC.2020070102-25","doi-asserted-by":"publisher","DOI":"10.7763\/JACN.2013.V1.30"},{"issue":"2","key":"IJCAC.2020070102-26","first-page":"262273","article-title":"Detecting hybrid botnets with web command and control servers or fast flux domain.","volume":"5","author":"C. M.Chen","year":"2014","journal-title":"Journal of Information Hiding and Multimedia Signal Processing"},{"key":"IJCAC.2020070102-27","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-21881-1_47"},{"key":"IJCAC.2020070102-28","unstructured":"Committee. (2014). Subcommittee on Crime and Terrorism."},{"key":"IJCAC.2020070102-29","first-page":"1","author":"Y.Emre","year":"2011","journal-title":"A literature survey about recent botnet trends"},{"key":"IJCAC.2020070102-30","unstructured":"HP Enterprise. (2015). 2015 Cost of Cyber Crime Study: Global. Retrieved from http:\/\/engage.hpe.com\/LP_510004609_HPSW-ESP_WW_EN-US_PonemonGate"},{"key":"IJCAC.2020070102-31","unstructured":"Fabian, M., & Terzis, M. A. (2007). My botnet is bigger than yours (maybe, better than yours): why size estimates remain challenging. Paper presented at the1st USENIX Workshop on Hot Topics in Understanding Botnets. Academic Press."},{"journal-title":"Fraud the Facts 2015: The definitive overview of payment industry fraud and measures to prevent it","year":"2015","key":"IJCAC.2020070102-32"},{"key":"IJCAC.2020070102-33","doi-asserted-by":"publisher","DOI":"10.1109\/CC.2013.6674213"},{"key":"IJCAC.2020070102-34","unstructured":"Gasster, L. (2008). GNSO issues report on fast flux hosting. Retrieved from https:\/\/gnso.icann.org\/sites\/default\/files\/filefield_5868\/gnso-issues-report-fast-flux-25mar08.pdf"},{"key":"IJCAC.2020070102-35","doi-asserted-by":"publisher","DOI":"10.3844\/ajassp.2012.531.534"},{"key":"IJCAC.2020070102-36","unstructured":"Grizzard, J. B., Sharma, V., Nunnery, C., Kang, B. B., & Dagon, D. (2007). Peer-to-peer botnets: Overview and case study. Paper presented at the1st USENIX Workshop on Hot Topics in Understanding Botnets. Academic Press."},{"key":"IJCAC.2020070102-37","doi-asserted-by":"crossref","unstructured":"Gr\u017eni\u0107, T., Perho\u010d, D., Mari\u0107, M., Vla\u0161i\u0107, F., & Kulcsar, T. (2014). CROFlux\u2014Passive DNS method for detecting fast-flux domains. Paper presented at the 2014 37th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO). Academic Press.","DOI":"10.1109\/MIPRO.2014.6859782"},{"key":"IJCAC.2020070102-38","unstructured":"Gu, G., Perdisci, R., Zhang, J., & Lee, W. (2008). BotMiner: Clustering Analysis of Network Traffic for Protocol-and Structure-Independent Botnet Detection. Paper presented at theUSENIX Security Symposium. Academic Press."},{"key":"IJCAC.2020070102-39","doi-asserted-by":"publisher","DOI":"10.1109\/ICCCN.2018.8487410"},{"journal-title":"An Introduction to DDoS Attacks and Defense Mechanisms: An Analyst\u2019s Handbook","year":"2011","author":"B.Gupta","key":"IJCAC.2020070102-40"},{"key":"IJCAC.2020070102-41","doi-asserted-by":"publisher","DOI":"10.4018\/978-1-5225-8407-0"},{"key":"IJCAC.2020070102-42","doi-asserted-by":"publisher","DOI":"10.4018\/IJCAC.2017010101"},{"key":"IJCAC.2020070102-43","doi-asserted-by":"publisher","DOI":"10.4018\/978-1-4666-6559-0.ch008"},{"key":"IJCAC.2020070102-44","doi-asserted-by":"publisher","DOI":"10.1145\/2808062.2808070"},{"key":"IJCAC.2020070102-45","unstructured":"Holz, T., Gorecki, C., Rieck, K., & Freiling, F. C. (2008). Measuring and Detecting Fast-Flux Service Networks. Paper presented at the NDSS. Academic Press."},{"key":"IJCAC.2020070102-46","unstructured":"Horng-Tzer, W., Ching-Hao, M., Kuo-Ping, W., & Hahn-Ming, L. (2012). Real-Time Fast-Flux Identification via Localized Spatial Geolocation Detection. Paper presented at the2012 IEEE 36th Annual Computer Software and Applications Conference. IEEE Press."},{"key":"IJCAC.2020070102-47","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-15512-3_24"},{"key":"IJCAC.2020070102-48","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2014.2358814"},{"key":"IJCAC.2020070102-49","doi-asserted-by":"publisher","DOI":"10.1145\/1755688.1755702"},{"key":"IJCAC.2020070102-50","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2014.35"},{"key":"IJCAC.2020070102-51","doi-asserted-by":"publisher","DOI":"10.17706\/jcp.12.4.371-379"},{"key":"IJCAC.2020070102-52","doi-asserted-by":"publisher","DOI":"10.1109\/ICNP.2010.5762763"},{"key":"IJCAC.2020070102-53","unstructured":"Kalige, E., & Burkey, D. (2012). A case study of eurograbber: How 36 million euros was stolen via malware. Versafe."},{"key":"IJCAC.2020070102-54","unstructured":"Karasaridis, A., Rexroad, B., & Hoeflin, D. (2007). Wide-scale botnet detection and characterization. Paper presented at theUsenix Workshop on Hot Topics in Understanding Botnets. Academic Press."},{"key":"IJCAC.2020070102-55","doi-asserted-by":"publisher","DOI":"10.1631\/jzus.C1300242"},{"key":"IJCAC.2020070102-56","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2009.130"},{"key":"IJCAC.2020070102-57","unstructured":"Konings, M. (2009). Final report of the gnso fast flux hosting working group: Internet Corporation for Assigned Names and Numbers\u2013Generic Names Supporting."},{"key":"IJCAC.2020070102-58","doi-asserted-by":"publisher","DOI":"10.1016\/j.cosrev.2019.05.002"},{"key":"IJCAC.2020070102-59","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2015.12.008"},{"journal-title":"Botnet detection: countering the largest security threat","year":"2007","author":"W.Lee","key":"IJCAC.2020070102-60"},{"key":"IJCAC.2020070102-61","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2005.58"},{"key":"IJCAC.2020070102-62","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2012.07.017"},{"key":"IJCAC.2020070102-63","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-99136-8_25"},{"journal-title":"Estimating the Global Cost of Cybercrime. McAfee","year":"2014","author":"N.Losses","key":"IJCAC.2020070102-64"},{"key":"IJCAC.2020070102-65","doi-asserted-by":"publisher","DOI":"10.1109\/MNET.2011.5958005"},{"journal-title":"Dissecting operation high roller","year":"2012","author":"R.S.Marcus","key":"IJCAC.2020070102-66"},{"key":"IJCAC.2020070102-67","doi-asserted-by":"publisher","DOI":"10.1109\/PST.2013.6596093"},{"key":"IJCAC.2020070102-68","unstructured":"Trend Micro. (2014). New Zeus Gameover Employs DGA and Fast Flux Techniques. Retrieved from https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/spam\/578\/new-zeus-gameover-employs-dga-and-fast-flux-techniques"},{"key":"IJCAC.2020070102-69","unstructured":"Otgonbold, T. (2014). ADAPT: An anonymous, distributed, and active probing-based technique for detecting malicious fast-flux domains. Iowa State University. Retrieved from https:\/\/lib.dr.iastate.edu\/etd\/14225"},{"key":"IJCAC.2020070102-70","doi-asserted-by":"crossref","unstructured":"Pa, Y. M. P., Yoshioka, K., & Matsumoto, T. (2015). Detecting malicious domains and authoritative name servers based on their distinct mappings to IP addresses. Journal of information processing, 23(5), 623-632.","DOI":"10.2197\/ipsjjip.23.623"},{"key":"IJCAC.2020070102-71","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2009.090404"},{"key":"IJCAC.2020070102-72","first-page":"186","author":"E.Passerini","year":"2008","journal-title":"Fluxor: Detecting and monitoring fast-flux service networks. In Detection of intrusions and malware, and vulnerability assessment"},{"key":"IJCAC.2020070102-73","doi-asserted-by":"publisher","DOI":"10.1109\/INDICON.2014.7030393"},{"key":"IJCAC.2020070102-74","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2009.36"},{"issue":"5","key":"IJCAC.2020070102-75","first-page":"714","article-title":"Early detection of malicious flux networks via large-scale passive DNS traffic analysis.","volume":"9","author":"R.Perdisci","year":"2012","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"IJCAC.2020070102-76","doi-asserted-by":"publisher","DOI":"10.4028\/www.scientific.net\/AMM.157-158.1264"},{"key":"IJCAC.2020070102-77","doi-asserted-by":"publisher","DOI":"10.1145\/1177080.1177086"},{"key":"IJCAC.2020070102-78","unstructured":"Scharrenberg, P. (2008). Analyzing Fast-Flux Service Networks [Dissertation]. RWTH Aachen University, Germany."},{"key":"IJCAC.2020070102-79","doi-asserted-by":"publisher","DOI":"10.1109\/INFCOM.2001.916678"},{"key":"IJCAC.2020070102-80","doi-asserted-by":"publisher","DOI":"10.1109\/WCINS.2010.5541861"},{"key":"IJCAC.2020070102-81","doi-asserted-by":"publisher","DOI":"10.1109\/SERVICES.2013.42"},{"key":"IJCAC.2020070102-82","unstructured":"Soltanaghaei, E., & Kharrazi, M. (2015). Detection of fast-flux botnets through DNS traffic analysis. Scientia Iranica. Transaction D, Computer Science & Engineering, Electrical, 22(6), 2389-2400."},{"key":"IJCAC.2020070102-83","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijcip.2013.01.002"},{"key":"IJCAC.2020070102-84","unstructured":"SSAC. (2008). SAC 025: SSAC Advisory on Fast Flux Hosting and DNS."},{"key":"IJCAC.2020070102-85","doi-asserted-by":"publisher","DOI":"10.1109\/ISSA.2012.6320433"},{"key":"IJCAC.2020070102-86","unstructured":"Stevanovic, M., & Pedersen, J. M. (2013). Machine learning for identifying botnet network traffic. Aalborg University."},{"key":"IJCAC.2020070102-87","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653738"},{"journal-title":"Detection of Botnet Fast-Flux Domains by the aid of spatial analysis methods","year":"2013","author":"F.Stornig","key":"IJCAC.2020070102-88"},{"key":"IJCAC.2020070102-89","first-page":"579S","article-title":"A prevention system for spam over Internet telephony.","volume":"6","author":"M.-Y.Su","year":"2012","journal-title":"Applications of Mathematics"},{"key":"IJCAC.2020070102-90","doi-asserted-by":"publisher","DOI":"10.1145\/1529282.1529734"},{"journal-title":"DNS Traffic Analysis for Network-based Malware Detection","year":"2012","author":"L.Vu Hong","key":"IJCAC.2020070102-91"},{"journal-title":"Evolving connectionist systems: Characterisation, simplification, formalisation, explanation and optimisation [PhD dissertation]","year":"2004","author":"M. J.Watts","key":"IJCAC.2020070102-92"},{"key":"IJCAC.2020070102-93","doi-asserted-by":"publisher","DOI":"10.1109\/ICT.2015.7124686"},{"key":"IJCAC.2020070102-94","unstructured":"Xu, W., Wang, X., & Xie, H. (2013). New Trends in FastFlux Networks. Paper presented at the16th BlackHat. Academic Press."},{"key":"IJCAC.2020070102-95","doi-asserted-by":"crossref","unstructured":"Yadav, S., Reddy, A. K. K., Reddy, A., & Ranjan, S. (2010). Detecting algorithmically generated malicious domain names. Paper presented at the10th ACM SIGCOMM conference on Internet measurement. ACM Press.","DOI":"10.1145\/1879141.1879148"},{"key":"IJCAC.2020070102-96","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-08979-9_20"},{"key":"IJCAC.2020070102-97","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4614-9491-1_2"},{"key":"IJCAC.2020070102-98","doi-asserted-by":"publisher","DOI":"10.3923\/itj.2012.1048.1055"},{"key":"IJCAC.2020070102-99","doi-asserted-by":"crossref","unstructured":"Yukonhiatou, C., Kittitornkun, S., Kikuchi, H., Sisaat, K., Terada, M., & Ishii, H. (2014). Temporal behaviors of Top-10 malware download in 2010\u20132012. Paper presented at the 2014 International Electrical Engineering Congress (iEECON). Academic Press.","DOI":"10.1109\/iEECON.2014.6925944"},{"key":"IJCAC.2020070102-100","doi-asserted-by":"publisher","DOI":"10.1109\/TrustCom.2011.11"},{"key":"IJCAC.2020070102-101","doi-asserted-by":"crossref","unstructured":"Zhao, D., & Traore, I. (2012). P2P botnet detection through malicious fast flux network identification. Paper presented at the2012 Seventh International Conference onP2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC). Academic Press.","DOI":"10.1109\/3PGCIC.2012.48"},{"key":"IJCAC.2020070102-102","doi-asserted-by":"publisher","DOI":"10.2991\/icmmcce-15.2015.386"},{"key":"IJCAC.2020070102-103","doi-asserted-by":"publisher","DOI":"10.4304\/jnw.4.1.75-84"},{"key":"IJCAC.2020070102-104","doi-asserted-by":"crossref","unstructured":"Zhou, S. (2015). A Survey on Fast-flux Attacks. Information Security Journal: A Global Perspective, 24(4-6), 79-97.","DOI":"10.1080\/19393555.2015.1058994"},{"key":"IJCAC.2020070102-105","doi-asserted-by":"publisher","DOI":"10.1142\/S0218194018400016"}],"container-title":["International Journal of Cloud Applications and Computing"],"original-title":[],"language":"ng","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=256863","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,5,6]],"date-time":"2022-05-06T21:07:17Z","timestamp":1651871237000},"score":1,"resource":{"primary":{"URL":"https:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/IJCAC.2020070102"}},"subtitle":[""],"short-title":[],"issued":{"date-parts":[[2020,7,1]]},"references-count":106,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2020,7]]}},"URL":"https:\/\/doi.org\/10.4018\/ijcac.2020070102","relation":{},"ISSN":["2156-1834","2156-1826"],"issn-type":[{"type":"print","value":"2156-1834"},{"type":"electronic","value":"2156-1826"}],"subject":[],"published":{"date-parts":[[2020,7,1]]}}}