Detection of NS Resource Record DNS Resolution Traffic, Host Search, and SSH Dictionary Attack Activities
نویسندگان
چکیده
We carried out an entropy study on the DNS query traffic from the Internet to the top domain DNS server in a university campus network through January 1st to March 31st, 2009. The obtained results are: (1) We observed a difference for the entropy changes among the total-, the A-, and the PTR resource records (RRs) based DNS query traffic from the Internet through January 17th to February 1st, 2009. (2) We found the large NS RR based DNS query traffic including only a keyword ”.” in the total inbound DNS query traffic. (3) We also found that the unique source IP address based PTR DNS traffic entropy slightly increased, while the unique DNS query keywords based one drastically decreased in March 9th, 2009. We found a specific IP host which was an already-hijacked classical Linux PC that carried out the SSH dictionary attack to the Internet sites in March 9th, 2009. From these results,we can detect the unusual inbound NS RR based DNS traffic and the outbound SSH dictionary attacks by only watching DNS query traffic from the Internet.
منابع مشابه
Evaluation of DNS Based SSH Dictionary Attack Traffic in Campus Network
We performed statistical analysis on the total PTR resource record (RR) based DNS query packet traffic from a university campus network to the top domain DNS server through March 14th, 2009, when the network servers in the campus network were under inbound SSH dictionary attack. The interesting results are obtained, as follows: (1) the network servers, especially those providing SSH services, g...
متن کاملDNS Based Detection of SSH Dictionary Attack in Campus Network
We statistically investigated the DNS query access traffic from a university campus network toward the top domain DNS (tDNS) through March 14th, 2009, when the hosts in the campus network were under inbound SSH dictionary attack. The interesting results are obtained, as follows: (1) the several hosts generated the DNS query packet traffic, taking a rate of more than 1,000 hour−1, through 07:30-...
متن کاملValidation of the Network-based Dictionary Attack Detection
This paper presents a study of successful dictionary attacks against a SSH server and their network-based detection. On the basis of experience in the protection of university network we developed a detection algorithm based on a generic SSH authentication pattern. Thanks to the network-based approach, the detection algorithm is host independent and highly scalable. We deployed a high-interacti...
متن کاملPreventing DNS Amplification Attacks Using the History of DNS Queries with SDN
Domain Name System (DNS) amplification attack is a sophisticated Distributed Denial of Service (DDoS) attack by sending a huge volume of DNS name lookup requests to open DNS servers with the source address spoofed as a victim host. However, from the point of view of an individual network resource such as DNS server and switch, it is not easy to mitigate such attacks because a distributed attack...
متن کاملDetecting Globally Malicious Events with Local Records: A Case Study
On or about August 25 2013, the name servers supporting the country code Top Level Domain (ccTLD) “.cn” were attacked and brought offline[2, 6–8, 11]. As local DNS caches expired, this attack eventually affected the internet traffic of most users attempting to reach Chinese websites because the authoritative DNS servers for those sites ceased working. While the attack itself was widely reported...
متن کامل