Detection of Host Search Attacks in PTR Resource Record DNS Query Packet Traffic
Abstract
We statistically investigated the total PTR resource record (RR) based DNS query request packet traffic from the Internet to the top domain DNS server in a university campus network from January 1st to July 31st, 2010. The obtained results are: (1) We found seventeen host search (HS) attacks by observing a rapid decrease in the unique source IP address based entropy of the DNS query packet traffic and a significant increase in the unique DNS query keyword based entropy. (2) However, we found twenty HS attacks in the scores of the detection method that uses the calculated Euclidean distances between the observed IP address and the last observed IP address as the DNS query keywords, employing both threshold ranges of 1.0-2.0 (consecutive) and 150.2-210.4 (normal distribution). Therefore, it is reasonably concluded that the Euclidean distance based detection technology should be carried out with the addition of a noise reduction filter in order to suppress false positives.
- 2010-10-08
Authors
-
Yasuo Musashi
Center for Multimedia and Information Technologies (CMIT), Kumamoto University
-
Florent Hequet
Graduate School of Science and Technology, Kumamoto University
-
Dennis Arturo Ludeña Romaña
Graduate School of Science and Technology, Kumamoto University
-
Shinichiro Kubota
Center for Multimedia and Information Technologies (CMIT), Kumamoto University
-
Kenichi Sugitani
Center for Multimedia and Information Technologies (CMIT), Kumamoto University
Related papers
- Detection of Host Search Attacks in PTR Resource Record DNS Query Packet Traffic
- Detection of Host Name Harvesting Attack in PTR Resource Record Based DNS Query Packet Traffic
- Detection of NS Resource Record DNS Resolution Traffic, Host Search, and SSH Dictionary Attack Activities
- Detection of SSH Dictionary Attack in DNS Reverse Resolution Traffic