Masaya Kumagai scite author profile

We performed statistical analysis on the total PTR resource record (RR) based DNS query packet traffic from a university campus network to the top domain DNS server through March 14th, 2009, when the network servers in the campus network were under inbound SSH dictionary attack. The interesting results are obtained, as follows: (1) the network servers, especially, they have a function of SSH services, generated the significant PTR RR based DNS query request packet traffic through 07:30-08:30 in March 14th, 2009, (2) we calculated sample variance for the DNS query request packet traffic, and (3) the variance can change in a sharp manner through 07:30-08:30. From these results, it is clearly concluded that we can detect the inbound SSH dictionary attack to the network server by only observing the variance of the total PTR RR based DNS query request packet traffic from the network servers in the campus network. Keywords-DNS based Detection; SSH dictionary attack; SSH brute force attack

show abstract

Evaluation of DNS Based SSH Dictionary Attack Traffic in Campus Network

Kumagai¹,

Musashi²,

Romaña³

2010

IJIES

View full text Add to dashboard Cite

We performed statistical analysis on the total PTR resource record (RR) based DNS query packet traffic from a university campus network to the top domain DNS server through March 14th, 2009, when the network servers in the campus network were under inbound SSH dictionary attack. The interesting results are obtained, as follows: (1) the network servers, especially those providing SSH services, generated the significant PTR RR based DNS query request packet traffic through 07:30-08:30 in March 14th, 2009, (2) we calculated sample variance for the DNS query request packet traffic, (3) the variance can change in a sharp manner through 07:30-08:30, (4) we developed a couple of DNS based SSH detection technologies by employing the PTR RR DNS query request packet traffic variance-and the DNS query keywords Euclid distance based methods, and (5) we evaluated and compared the both detection rates. As a result, although the both detection technologies take high detection rates, the Euclid distance based detection technology can take a low false positive rate than that of the variance based one, indicating that we can detect the inbound SSH dictionary attack to the network server in the campus network by observing the total PTR RR DNS query request packet traffic from the campus network.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Masaya Kumagai

Detection of Kaminsky DNS Cache Poisoning Attack

SSH Dictionary Attack and DNS Reverse Resolution Traffic in Campus Network

Evaluation of DNS Based SSH Dictionary Attack Traffic in Campus Network

Contact Info

Product

Resources

About