Various malware families use Domain Generation Algorithms (DGA) to randomly generate a large number of domain names, so that no IP addresses or domain names need to be hard-coded within the malware. The infected host then attempts to contact some of the generated domain names in order to reach its C&C servers.

DGA filters use pattern recognition and linguistic analysis to detect algorithmically generated DNS requests from infected hosts. As part of the malware filter package, these filters protect your system against known malware families and against suspicious domain names generated by unknown malware families.
Note: To effectively use DGA filters, your device must be deployed so that it is in the flow of DNS requests from your network. If your device is deployed between the DNS server and the Internet or other DNS servers, it could block normal DNS traffic. To avoid inadvertently blocking normal DNS traffic, add filter exceptions for your DNS servers. In some networks, a DNS server or aggregator may be behind your device, which may result in the DNS server or aggregator appearing to be infected with malware when it is actually just forwarding requests.
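The following added example (not the product's own filter logic) illustrates both the linguistic analysis described above and the resolver exception from the note: it scores the registrable label of each queried name on character entropy, vowel ratio and consonant runs, and skips queries from a hypothetical internal resolver so a forwarding DNS server is not reported as infected. The log lines, addresses and thresholds are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log: "<client_ip> <queried_name>". The 10.0.0.53
# client is a hypothetical internal resolver that only forwards queries.
SAMPLE_LOG = """\
10.0.1.17 www.example.com
10.0.1.17 mail.google.com
10.0.1.23 xk3jq9zlp2vwb7.net
10.0.1.23 qwrtzpvkmlnb.org
10.0.0.53 hj7dk2mxq4.com
"""
# Filter exception for the resolver, as the note recommends (hypothetical address).
RESOLVER_EXCEPTIONS = {"10.0.0.53"}

def registrable_label(name):
    # Label directly below the TLD ('example' for www.example.com). Assumes a
    # one-label public suffix; a real filter would consult a public suffix list.
    labels = name.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def shannon_entropy(s):
    # Bits per character; random-looking strings score high, dictionary words low.
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def longest_consonant_run(s):
    return max((len(r) for r in re.findall(r"[b-df-hj-np-tv-z]+", s)), default=0)

def dga_score(label):
    # Linguistic heuristic in [0, 3]: one point each for high entropy, a low
    # vowel ratio and a long consonant run. Thresholds are illustrative only.
    alpha = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in "aeiou" for ch in alpha) / max(len(alpha), 1)
    return (int(shannon_entropy(label) > 3.2)
            + int(vowel_ratio < 0.25)
            + int(longest_consonant_run(label) >= 5))

def flag_dga_queries(log, threshold=2):
    # Return (client_ip, name) pairs that look algorithmically generated, skipping
    # clients on the exception list so a forwarding resolver is not reported.
    flagged = []
    for line in log.splitlines():
        client, name = line.split()
        if client in RESOLVER_EXCEPTIONS:
            continue
        if dga_score(registrable_label(name)) >= threshold:
            flagged.append((client, name))
    return flagged
```

Running `flag_dga_queries(SAMPLE_LOG)` reports only the two random-looking names queried by 10.0.1.23; the resolver's query is skipped even though its label would score as suspicious.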