Using EBPF to identify ransomware that use DGA DNS queries

DOI:

https://doi.org/10.20535/2411-1031.2023.11.2.293760

Keywords:

eBPF, DGA, DNS, malware, IDS, monitoring, kernel, cybersecurity

Abstract

In today's world, where the Internet has become an integral part of how government and corporate institutions function, the integrity and availability of information is a key concern for many organizations and individual users. Protection against crypto viruses and attacks is particularly relevant, especially those that use DGA (Domain Generation Algorithms), a method attackers use to automatically generate domain names for client-server (Command & Control) communication in the DNS-based virus ecosystem; the way DNS is used in modern computer networks makes such domains difficult to detect and block. Given the growing number of attacks that use DGA, new methods are needed that are faster, can analyze large traffic flows in real time, and provide functionality for detecting and blocking them. eBPF (Extended Berkeley Packet Filter) is a modern tool that allows small programs to be written that monitor and analyze various aspects of the system in real time, including network traffic. These programs are executed directly in the operating system kernel and/or at the network card level. In this study, we consider the possibility of using eBPF to detect DGA activity in DNS traffic. The goal is to determine the effectiveness of real-time ransomware detection. We built a ransomware analysis lab environment in which we developed eBPF-based modules, tested them, and simulated an attack. In addition, a cloud-based data analysis environment based on Splunk was set up, and rules for detecting a DGA attack were developed on the basis of this analysis. This article presents the results of developing an eBPF-based program for analyzing DNS traffic, conducting DGA attacks, and methods for detecting them. These results can be an important contribution to the development of strategies for protecting against malicious attacks in the network.
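As an added example (not code from the paper or its authors), the user-space half of such a pipeline: parse the question name out of a raw DNS query payload, as an eBPF hook would hand it up, and apply an entropy and vowel-ratio heuristic to flag DGA-like names. The thresholds, the `build_query` helper and the sample names are constructed assumptions for this illustration; the kernel-side eBPF probe itself is not shown.

```python
import math
from collections import Counter

DNS_HEADER_LEN = 12  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (2 bytes each)

def parse_qname(payload: bytes) -> str:
    """Return the first question name from a raw DNS message (the UDP/TCP payload)."""
    if len(payload) < DNS_HEADER_LEN:
        raise ValueError("short DNS header")
    if int.from_bytes(payload[4:6], "big") == 0:
        raise ValueError("no question section")
    labels, pos = [], DNS_HEADER_LEN
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        if length == 0:                 # root label terminates the name
            break
        if length & 0xC0:               # compression pointer: not legal in a query name
            raise ValueError("compressed label in question")
        pos += 1
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels).lower()

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking DGA labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def dga_score(qname: str) -> dict:
    """Score the second-level label (the part a DGA actually generates)."""
    labels = qname.rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if not sld:
        raise ValueError("empty query name")
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / len(sld)
    entropy = shannon_entropy(sld)
    # Thresholds are constructed for this example; tune them against your own baseline.
    suspicious = len(sld) >= 10 and entropy >= 3.2 and vowel_ratio < 0.3
    return {"sld": sld, "entropy": round(entropy, 2),
            "vowel_ratio": round(vowel_ratio, 2), "suspicious": suspicious}

def build_query(name: str) -> bytes:
    """Construct a minimal DNS A query for `name` (constructed sample input only)."""
    header = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + b"\x00\x01\x00\x01"   # QTYPE=A, QCLASS=IN
```

Run `dga_score(parse_qname(build_query("xkqzvwbtrplmdgn.net")))` against `"example.com"` to see the heuristic separate a constructed random-looking label from an ordinary one.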

Author Biographies

Danyil Zhuravchak, Lviv Polytechnic National University, Lviv

postgraduate student, teaching assistant, department of information security

Eduard Kiiko, Lviv Polytechnic National University, Lviv

student

Valeriy Dudykevych, Lviv Polytechnic National University, Lviv

doctor of engineering, professor, head of the department of information security

Published

2023-12-28

How to Cite

Zhuravchak, D., Kiiko, E., & Dudykevych, V. (2023). Using EBPF to identify ransomware that use DGA DNS queries. Collection "Information Technology and Security", 11(2), 166–174. https://doi.org/10.20535/2411-1031.2023.11.2.293760

Section

NETWORK AND APPLICATION SECURITY