FFDetect - Java Library to Detect Fast-Flux Domains
FFDetect is a Java library that allows one to determine whether a domain name is part of a fast-flux domain. The detection mechanism is based on the paper "Measuring and Detecting Fast-Flux Service Networks" by Holz et al., available at
https://pi1.informatik.uni-mannheim.de/filepool/research/publications/fast-flux-ndss08.pdf
It looks up a domain name twice, the second time after the TTL of the initial answer has passed, and counts the number of unique IP addresses returned in the A records as well as the number of unique ASNs those addresses belong to (obtained from Team Cymru's IP-to-ASN service; see
Team Cymru for details). These attributes are weighted and compared against a specific threshold to determine whether the domain name is part of a fast-flux domain.
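The two-lookup procedure described above, written out as an added Python example (not FFDetect's own code, which is Java). The resolver and the IP-to-ASN lookup are injected so the scoring logic runs offline on constructed answers; the Cymru helpers show the real query-name and TXT-answer format of origin.asn.cymru.com. The weights and threshold are the values I recall from the Holz et al. paper and should be verified against it and re-tuned on your own data; the domains, addresses and ASN numbers are constructed.

```python
"""Fast-flux scoring after Holz et al., "Measuring and Detecting Fast-Flux
Service Networks" (NDSS 2008). Added example; not FFDetect's own code.

Procedure: resolve the domain's A records twice, waiting one TTL between
the lookups, count the unique IPs (n_A) and the unique origin ASNs
(n_ASN, as Team Cymru's origin.asn.cymru.com service reports them), then
apply a linear decision function against a fixed threshold.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Callable, Dict, List

# Weights and threshold as I recall them from Holz et al.; treat them as
# parameters to verify against the paper and re-derive on your own data.
W_A = 1.32
W_ASN = 18.54
THRESHOLD = 142.38


@dataclass
class Answer:
    """One A-record lookup: the addresses returned and the answer's TTL."""
    ips: List[str]
    ttl: int


def cymru_query_name(ip: str) -> str:
    """Name to query (TXT) for the origin ASN of an IPv4 address.
    Team Cymru's DNS interface wants the octets reversed, e.g.
    198.51.100.7 -> 7.100.51.198.origin.asn.cymru.com"""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".origin.asn.cymru.com"


def parse_cymru_origin(txt: str) -> int:
    """Extract the ASN from a Cymru origin TXT answer such as
    "64496 | 198.51.100.0/24 | ZZ | other | 2000-01-01" (pipe-separated,
    ASN first). A multi-origin prefix lists several space-separated ASNs
    in the first field; we keep the first one."""
    first_field = txt.strip().strip('"').split("|")[0].strip()
    return int(first_field.split()[0])


def flux_score(n_a: int, n_asn: int) -> float:
    """Linear decision function f(x) = w_A * n_A + w_ASN * n_ASN."""
    return W_A * n_a + W_ASN * n_asn


def classify(domain: str,
             resolve: Callable[[str], Answer],
             asn_of: Callable[[str], int],
             sleep: Callable[[float], None]) -> dict:
    """Two lookups one TTL apart, then score. Resolver, ASN lookup and
    sleep are injected so the logic runs offline and tests do not wait."""
    first = resolve(domain)
    sleep(first.ttl)                 # let the first answer expire from caches
    second = resolve(domain)
    ips = set(first.ips) | set(second.ips)
    asns = {asn_of(ip) for ip in ips}
    score = flux_score(len(ips), len(asns))
    return {"domain": domain, "n_a": len(ips), "n_asn": len(asns),
            "score": round(score, 2), "fast_flux": score > THRESHOLD}


# --- Constructed sample data (documentation ranges, private-use ASNs) ---
# A normal site: the same two addresses in one ASN on both lookups.
STABLE = {"www.example-static.test": [Answer(["192.0.2.10", "192.0.2.11"], 300)] * 2}
# A flux-like name: two disjoint address sets spread over many ASNs.
FLUX = {"cdn.example-flux.test": [
    Answer(["198.51.100.1", "198.51.100.2", "203.0.113.3", "203.0.113.4", "192.0.2.5"], 180),
    Answer(["198.51.100.6", "203.0.113.7", "192.0.2.8", "192.0.2.9", "203.0.113.10"], 180),
]}
ASN_TABLE = {  # constructed ip -> origin ASN map standing in for the Cymru lookup
    "192.0.2.10": 64496, "192.0.2.11": 64496,
    "198.51.100.1": 64500, "198.51.100.2": 64501, "203.0.113.3": 64502,
    "203.0.113.4": 64502, "192.0.2.5": 64504, "198.51.100.6": 64505,
    "203.0.113.7": 64506, "192.0.2.8": 64507, "192.0.2.9": 64507,
    "203.0.113.10": 64509,
}


def make_resolver(table: Dict[str, List[Answer]]) -> Callable[[str], Answer]:
    """Fake resolver that replays recorded answers in order (constructed)."""
    calls: Dict[str, int] = {}

    def resolve(domain: str) -> Answer:
        i = calls.get(domain, 0)
        calls[domain] = i + 1
        return table[domain][i]
    return resolve


def demo() -> List[dict]:
    """Score both constructed cases with an instant 'sleep'."""
    results = []
    for table in (STABLE, FLUX):
        resolve = make_resolver(table)
        for domain in table:
            results.append(classify(domain, resolve, ASN_TABLE.__getitem__, lambda _s: None))
    return results


if __name__ == "__main__":
    # CSV on stdout, mirroring the shape of the library's command-line output
    for r in demo():
        print(",".join(str(r[k]) for k in ("domain", "n_a", "n_asn", "score", "fast_flux")))
```

The stable site scores 1.32*2 + 18.54*1 = 21.18 and stays below the threshold; the flux-like name with 10 unique addresses in 8 ASNs scores 161.52 and is flagged. Note how strongly the ASN count dominates the score: a large CDN can return many addresses, but they normally sit in one or two ASNs, which is what keeps it out of the fast-flux class under this decision function.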
Arbor Networks' ATLAS publishes a list of up-to-date fast-flux domains, so one can cross-check these domains against this library. It is available at
http://atlas.arbor.net/summary/fastflux
FFDetect is written and distributed under the GNU General Public License. Note that some libraries are also under additional licenses; see the individual files for details.
Download
FFDetect-Release-1.0.zip
MD5: a049080c766fb89f10362e4cb0fa9ec7
FFDetect-Release-1.0-src.zip
MD5: 5811a1688ce4c7bcbe1c5ea97f45085f
Usage
FFDetect can be called from the command line as well as from within Java.
When launched from the command line, FFDetect writes its results to stdout in CSV format. One can specify a single domain name or a file that contains a list of domain names. Execute java -jar FFDetect.jar for details.
FFDetect also exposes two public static isFastFlux functions; see the JavaDoc for details.