Detection of SSH Dictionary Attack in DNS Reverse Resolution Traffic
Abstract
We developed and evaluated a Euclidean-distance-based detection method for SSH dictionary attacks in the total PTR resource record (RR) based DNS query request packet traffic from the campus network to the DNS cache server in a university from January 1st to December 31st, 2009. The obtained results are: (1) Network servers, especially those providing SSH services, generated significant PTR RR based DNS query request packet traffic from 07:30 to 08:30 on March 14th, 2009. (2) We found eleven SSH dictionary attacks in the score changes for the detection method, which uses the calculated Euclidean distance between the observed query IP address and the last one, by employing a distance value of zero and the signature data obtained on March 14th, 2009. (3) We found twenty-seven SSH dictionary attacks in the score changes for the detection method employing daily generated signature data. Therefore, it can be concluded that the Euclidean-distance-based detection method can be useful for detecting SSH dictionary attacks in the campus network.
- 2011-07-08
Authors
-
Yasuo Musashi
Center for Multimedia and Information Technologies (CMIT), Kumamoto University
-
Shinichiro Kubota
Center for Multimedia and Information Technologies (CMIT), Kumamoto University
-
Kenichi Sugitani
Center for Multimedia and Information Technologies (CMIT), Kumamoto University
-
Masaya Kumagai
Graduate School of Science and Technology, Kumamoto University
Related papers
- Detection of Host Search Attacks in PTR Resource Record DNS Query Packet Traffic
- Detection of Host Name Harvesting Attack in PTR Resource Record Based DNS Query Packet Traffic
- Detection of NS Resource Record DNS Resolution Traffic, Host Search, and SSH Dictionary Attack Activities
- Detection of SSH Dictionary Attack in DNS Reverse Resolution Traffic