Domain Generation Algorithm (DGA)
What is Domain Generation Algorithm (DGA)?
Domain Generation Algorithm (DGA): An algorithm used by malware to deterministically generate large numbers of candidate domain names so infected hosts can find their command-and-control server.
A Domain Generation Algorithm is code embedded in malware that produces hundreds or thousands of pseudo-random domain names per day, seeded by the date or another shared value. Infected hosts try the day's domains in sequence; the attacker only needs to register a few of them to rendezvous with the botnet. DGAs defeat static blocklists because defenders cannot enumerate every possible C2 domain in advance. Conficker famously generated 50,000 domains a day, and Necurs, Murofet, and Mirai variants have used the technique. Defences include DGA classifiers on DNS logs, passive DNS lookups, sinkholing newly observed algorithm-generated names, and EDR detection of bursty NXDOMAIN traffic.
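As an added illustration of the last sentence (example code, not from the page or any named product), the following Python sketch applies two of the listed detections to a constructed resolver log: it counts NXDOMAIN answers per client inside a short window and scores the character entropy of the failed labels, so a host cycling through pseudo-random names stands out while a single typo does not. The log format, the thresholds and the sample names are assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log in a hypothetical "epoch client qname rcode" format.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com NOERROR
1700000001 10.0.0.5 mail.example.com NOERROR
1700000002 10.0.0.9 xk3qpz7vbmw.net NXDOMAIN
1700000002 10.0.0.9 rtq9lwz2ncv.org NXDOMAIN
1700000003 10.0.0.9 zpm4xw7qkrb.info NXDOMAIN
1700000003 10.0.0.9 vq8ynzr3kdl.net NXDOMAIN
1700000004 10.0.0.9 hbq5zxw9tmn.com NXDOMAIN
1700000005 10.0.0.9 jwk7vqz1rxp.biz NXDOMAIN
1700000010 10.0.0.5 typo-exampel.com NXDOMAIN
"""

def shannon_entropy(label):
    """Bits per character; pseudo-random DGA labels score higher than words."""
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def sld(qname):
    """Second-level label: 'www.example.com' -> 'example'."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def flag_dga_clients(text, window=60, min_nx=5, min_entropy=3.0):
    """Flag clients with >= min_nx NXDOMAIN answers inside `window` seconds whose
    failed labels have high mean entropy. Thresholds are illustrative, not tuned."""
    nx = defaultdict(list)  # client -> [(ts, sld)] for NXDOMAIN answers only
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            nx[client].append((int(ts), sld(qname.lower())))
    flagged = {}
    for client, events in nx.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            burst = [s for t, s in events[i:] if t - t0 <= window]
            if len(burst) < min_nx:
                continue
            mean_ent = sum(shannon_entropy(s) for s in burst) / len(burst)
            if mean_ent >= min_entropy:
                flagged[client] = {"nxdomain": len(burst), "mean_entropy": round(mean_ent, 2)}
                break  # one hit per client is enough to raise an alert
    return flagged
```

On the sample log only 10.0.0.9 is flagged (six NXDOMAINs in four seconds, mean entropy about 3.46 bits per character); a real deployment would tune the window and thresholds against the site's baseline and pair the hit with passive DNS or sinkhole data before acting.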
● Examples
- 01: Conficker.C generated 50,000 candidate domains daily across multiple TLDs.
- 02: Necurs and Murofet used date-seeded DGAs to rendezvous with their C2 channels.
● Frequently asked questions
What is Domain Generation Algorithm (DGA)?
An algorithm used by malware to deterministically generate large numbers of candidate domain names so infected hosts can find their command-and-control server. It belongs to the Attacks & Threats category of cybersecurity.
What does Domain Generation Algorithm (DGA) mean?
An algorithm used by malware to deterministically generate large numbers of candidate domain names so infected hosts can find their command-and-control server.
How does Domain Generation Algorithm (DGA) work?
A Domain Generation Algorithm is code embedded in malware that produces hundreds or thousands of pseudo-random domain names per day, seeded by the date or another shared value. Infected hosts try the day's domains in sequence; the attacker only needs to register a few of them to rendezvous with the botnet. DGAs defeat static blocklists because defenders cannot enumerate every possible C2 domain in advance. Conficker famously generated 50,000 domains a day, and Necurs, Murofet, and Mirai variants have used the technique. Defences include DGA classifiers on DNS logs, passive DNS lookups, sinkholing newly observed algorithm-generated names, and EDR detection of bursty NXDOMAIN traffic.
How do you defend against Domain Generation Algorithm (DGA)?
Defences for Domain Generation Algorithm (DGA) combine technical controls and operational practices: DGA classifiers run over DNS logs, passive DNS lookups, sinkholing of newly observed algorithm-generated names, and EDR detection of bursty NXDOMAIN traffic, as detailed in the full definition above.
What are other names for Domain Generation Algorithm (DGA)?
Common alternative names include: DGA, Algorithmic C2 domains.
● Related terms
- Command and Control (C2) [malware]: The infrastructure and channels attackers use to maintain communication with compromised systems and send them instructions.
- Botnet [malware]: A network of internet-connected devices infected with malware and remotely controlled by an attacker to perform coordinated activities.
- Fast Flux [attacks]: A botnet DNS technique that rapidly rotates the IP addresses behind a malicious domain across many compromised hosts to resist takedown and blocking.
- Domain Shadowing [attacks]: An attack in which a criminal compromises a legitimate domain owner's registrar account and silently creates malicious subdomains beneath the trusted parent domain.
- Malware Analysis [forensics-ir]: The structured study of a malicious sample to understand its functionality, origin, indicators of compromise, and impact on affected systems.
● See also
- Passive DNS