Statistical Study of Unusual DNS Query Traffic
Abstract
We statistically investigated the unusually large DNS resolution traffic toward the top domain DNS server from a university local campus network on April 11th, 2006. The following results are obtained: (1) On April 11th, the DNS query traffic includes many fully qualified domain names (FQDNs) of several specific web sites as name resolution keywords. (2) The DNS query traffic also includes a large number of source IP addresses of PC clients. (3) Several DNS query keywords including specific well-known web sites can also be found in the DNS traffic. Therefore, it can be concluded that we can detect the unusual traffic and bot worm activity (DDoS attacks and/or prescanning) by assuming a threshold-based statistical detection model and checking for the several specific keywords of web sites in the DNS resolution traffic.
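The abstract's detection model (a per-FQDN query-count threshold, a check on how many distinct client addresses ask for the same name, and a match against a watch list of web-site keywords) is shown below as an added example; it is not code from the paper or its authors. The log lines are constructed, the simplified BIND-style query-log format (`client <ip>#<port>: query: <fqdn> IN <type> <flags>`) is an assumption, and the thresholds, keyword list and the `threshold_from_baseline` helper (mean plus k standard deviations of a normal day's per-FQDN counts) are illustrative choices rather than the paper's exact parameters.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample log lines (not from the paper), in an assumed simplified
# BIND-style query-log format. One name is asked for repeatedly by many clients.
SAMPLE_LOG = """\
client 10.1.2.3#40001: query: www.example.com IN A +
client 10.1.2.3#40002: query: www.example.com IN A +
client 10.1.2.4#40003: query: www.example.com IN A +
client 10.1.2.5#40004: query: www.example.com IN A +
client 10.1.2.6#40005: query: mail.example.org IN MX +
client 10.1.2.7#40006: query: www.example.com IN A +
client 10.1.2.8#40007: query: www.example.net IN A +
client 10.1.2.9#40008: query: www.example.com IN A +
client 10.1.2.3#40009: query: ntp.example.org IN A +
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<fqdn>\S+) IN (?P<qtype>\S+)")


def parse_queries(log_text):
    """Yield (source_ip, fqdn, qtype) for each well-formed query-log line.

    FQDNs are lower-cased and stripped of a trailing dot so that the same
    name written differently is counted once.
    """
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("fqdn").lower().rstrip("."), m.group("qtype")


def threshold_from_baseline(baseline_counts, k=3.0):
    """Threshold = mean + k * population std-dev of per-FQDN counts seen on a
    normal day (assumed way of deriving the 'threshold' of the abstract)."""
    return statistics.mean(baseline_counts) + k * statistics.pstdev(baseline_counts)


def detect_unusual(log_text, query_threshold, source_threshold, watch_keywords=()):
    """Return one alert dict per FQDN that (a) is queried at least
    query_threshold times, (b) is queried by at least source_threshold distinct
    client addresses, or (c) contains a watched web-site keyword."""
    per_fqdn = Counter()
    sources = defaultdict(set)
    for ip, fqdn, _ in parse_queries(log_text):
        per_fqdn[fqdn] += 1
        sources[fqdn].add(ip)

    alerts = []
    for fqdn, n in per_fqdn.most_common():  # busiest names first
        reasons = []
        if n >= query_threshold:
            reasons.append(f"query count {n} >= {query_threshold:g}")
        if len(sources[fqdn]) >= source_threshold:
            reasons.append(f"{len(sources[fqdn])} distinct sources >= {source_threshold}")
        if any(k in fqdn for k in watch_keywords):
            reasons.append("matches watched keyword")
        if reasons:
            alerts.append({"fqdn": fqdn, "queries": n,
                           "sources": len(sources[fqdn]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    # Constructed per-FQDN counts from a 'normal' day, used only to set the threshold.
    normal_day_counts = [1, 2, 1, 1, 2, 1]
    thr = threshold_from_baseline(normal_day_counts, k=3.0)
    for a in detect_unusual(SAMPLE_LOG, thr, source_threshold=3,
                            watch_keywords=("example.net",)):
        print(a["fqdn"], a["queries"], a["sources"], "; ".join(a["reasons"]))
```

On the constructed input, `www.example.com` trips both the count and the distinct-source thresholds, while `www.example.net` is reported only because it matches the watch list; real deployments would feed the baseline from several quiet days of the same resolver's logs rather than a handful of numbers.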
Article Details
This journal provides immediate open access to its content on the principle that making research freely available to the public supports a greater global exchange of knowledge.
- Creative Commons Copyright License
The journal allows readers to download and share all published articles as long as they properly cite such articles; however, they cannot change them or use them commercially. This is classified as CC BY-NC-ND for the creative commons license.
- Retention of Copyright and Publishing Rights
The journal allows the authors of the published articles to hold copyrights and publishing rights without restrictions.