  • Degree thesis

A Study on a Proactive Mechanism for Detecting the Malicious Domains of DGA Domain-Flux Botnets

A Study on Proactive Mechanisms Against DGA Domain-Flux Malware for Botnet

Advisor: 邵敏華

Abstract


Over the years a large share of cybercrime has been carried out by botnets. A botnet is a group of computers infected with bot malware; day to day they keep running normally, but when required they accept the attacker's commands and launch attacks collectively, such as DDoS (distributed denial-of-service) attacks and spam distribution. In recent years botnet architectures and techniques have been continually updated to evade tracking by security staff, going as far as using Fast-Flux to build a hiding technique that constantly changes IP addresses, which renders IP blocking ineffective. Some botnets go a step further and carry a newer capability, a Domain Generation Algorithm (DGA), to change domain names rapidly, so that domain blocking is also left with nothing to act on. In this study we actually implant malware with DGA functionality and propose a detection method: it analyses the DGA behaviour pattern and, by correlating connection data with system events, locates and terminates the DGA on the infected system, while at the same time filtering out a blacklist for use by network protection equipment. The experimental results confirm that the method in this thesis can indeed detect a DGA and stop it running, achieving early defence and protecting the security of users' connections.

Abstract (English)


A great deal of cybercrime over the years has been caused by botnets. A botnet is a group of computers infected by bot malware. The victims keep running normally until they receive a command from the attacker, for example to launch a DDoS (distributed denial-of-service) attack or to send spam. To evade tracking by information security administrators, botnet architectures and techniques are continually updated and developed. The purpose of Fast-Flux is to change IP addresses constantly, which makes the IP blocking approach fail. Some botnets are further equipped with a newer feature, the Domain Generation Algorithm (DGA), which changes domain names rapidly and makes domain blocking even less useful. In this research we embed malware that includes a DGA and propose a method to deal with the attacks. We analyse the patterns of DGA behaviour in the network connection data and use them to terminate the DGA behaviour. We also extract a blacklist for use by network protection equipment. The experiments we conducted show that the method can reliably detect DGA behaviour patterns and stop their operation, achieving an early defence and protecting the security of the user's connections.
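The two abstracts above describe the detection idea only in outline: correlate each process's connection (DNS) activity with system events, recognise the DGA's pattern, kill the process, and export the domains it queried as a blacklist. The following added example, which is not the thesis's own code, shows one concrete way that correlation can be scored. It assumes a host agent that logs, for each DNS query, the PID and image path of the issuing process (the "connection data vs. system events" pairing the abstract mentions); the log rows, the process names and the thresholds are all constructed for illustration and are not values from the thesis. The tell-tale pattern it keys on is a single process querying many distinct high-entropy names, most of which return NXDOMAIN, because a DGA bot probes unregistered candidates until it hits the one the operator registered.

```python
"""Illustrative per-process DGA detection and blacklist generation.

Added example, not code from the thesis. Assumes a host agent that records,
for every DNS query, the PID and image path of the process that issued it.
Thresholds are assumptions chosen for the constructed sample below.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log (not experimental data): (pid, image_path, domain, rcode).
# PID 4120 is an assumed DGA bot probing candidates; PID 1234 is normal browsing.
SAMPLE_DNS_LOG = [
    (4120, r"C:\Windows\Temp\svch0st.exe", "xkqzrmvptbwd.com", "NXDOMAIN"),
    (4120, r"C:\Windows\Temp\svch0st.exe", "qwlfjhtnyvca.net", "NXDOMAIN"),
    (4120, r"C:\Windows\Temp\svch0st.exe", "mzbrkxhdqopw.info", "NXDOMAIN"),
    (4120, r"C:\Windows\Temp\svch0st.exe", "hgtvczsflkpn.org", "NXDOMAIN"),
    (4120, r"C:\Windows\Temp\svch0st.exe", "ywnkqdfbjxms.com", "NXDOMAIN"),
    (4120, r"C:\Windows\Temp\svch0st.exe", "plvtdgrzuxce.biz", "NXDOMAIN"),
    (4120, r"C:\Windows\Temp\svch0st.exe", "rkhqcbxwtnlg.net", "NXDOMAIN"),
    (4120, r"C:\Windows\Temp\svch0st.exe", "fmsdjvqlhwyb.com", "NOERROR"),  # the registered C2
    (1234, r"C:\Program Files\Mozilla Firefox\firefox.exe", "www.google.com", "NOERROR"),
    (1234, r"C:\Program Files\Mozilla Firefox\firefox.exe", "mail.google.com", "NOERROR"),
    (1234, r"C:\Program Files\Mozilla Firefox\firefox.exe", "www.facebook.com", "NOERROR"),
    (1234, r"C:\Program Files\Mozilla Firefox\firefox.exe", "addons.mozilla.org", "NOERROR"),
    (1234, r"C:\Program Files\Mozilla Firefox\firefox.exe", "gogle.com", "NXDOMAIN"),  # a typo
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def second_level_label(domain: str) -> str:
    """Label just left of the TLD ("www.google.com" -> "google"), the part a DGA generates."""
    labels = domain.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def profile_processes(dns_log):
    """Aggregate per-PID query statistics from (pid, image, domain, rcode) rows."""
    by_pid = defaultdict(lambda: {"image": None, "domains": set(), "queries": 0, "nxdomain": 0})
    for pid, image, domain, rcode in dns_log:
        entry = by_pid[pid]
        entry["image"] = image
        entry["domains"].add(domain.lower())
        entry["queries"] += 1
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
    profiles = {}
    for pid, entry in by_pid.items():
        entropies = [shannon_entropy(second_level_label(d)) for d in entry["domains"]]
        profiles[pid] = {
            "image": entry["image"],
            "domains": sorted(entry["domains"]),
            "unique_domains": len(entry["domains"]),
            "nx_ratio": entry["nxdomain"] / entry["queries"],
            "mean_entropy": sum(entropies) / len(entropies),
        }
    return profiles


def detect_dga_processes(dns_log, min_unique=5, min_nx_ratio=0.5, min_entropy=3.0):
    """Flag PIDs whose queries look like a DGA probing for its live C2 domain:
    many distinct names, mostly NXDOMAIN, with high-entropy labels."""
    return {
        pid: prof
        for pid, prof in profile_processes(dns_log).items()
        if prof["unique_domains"] >= min_unique
        and prof["nx_ratio"] >= min_nx_ratio
        and prof["mean_entropy"] >= min_entropy
    }


def build_blacklist(dns_log, flagged):
    """Every domain a flagged process queried, resolved or not, for the network
    perimeter; the NOERROR ones are the names the operator actually registered."""
    return sorted({d.lower() for pid, _, d, _ in dns_log if pid in flagged})


def termination_targets(flagged):
    """(pid, image) pairs the host agent should kill and quarantine. The kill itself
    (os.kill / taskkill) is left to the caller so this function stays side-effect free."""
    return sorted((pid, prof["image"]) for pid, prof in flagged.items())


if __name__ == "__main__":
    hits = detect_dga_processes(SAMPLE_DNS_LOG)
    for pid, prof in hits.items():
        print(f"DGA suspect pid={pid} image={prof['image']} "
              f"nx_ratio={prof['nx_ratio']:.2f} mean_entropy={prof['mean_entropy']:.2f}")
    print("kill:", termination_targets(hits))
    print("blacklist:", build_blacklist(SAMPLE_DNS_LOG, hits))
```

Two caveats a practitioner would add before relying on this: a browser with a misbehaving plugin or a misconfigured resolver can also produce bursts of NXDOMAIN, so the three conditions are combined rather than used singly, and the thresholds should be tuned on a baseline of the host's normal traffic; and the blacklist is only as current as the last probing cycle, since the DGA will generate a fresh candidate set on its next schedule.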

Keywords

Botnet, DGA, Domain-Flux
