NIS04-2: Detection of DNS Anomalies using Flow Data Analysis

Karasaridis, Anestis; Meier-Hellstern, K.S.; Hoeflin, David A.

doi:10.1109/glocom.2006.280

Cited by 35 publications

(28 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is instead of the IP address of the queried domain because root nodes do not have complete information of every domain in the Internet. If it has data for the queried domain, the 1 Faculty of Engineering, Toyohashi University of Technology, Toyohashi, Aichi 441-8580, Japan 2 Internet Initiative Japan Inc., Iidabashi Grand Bloom, Chiyoda, Tokyo 102-0071, Japan 3 ComWorth Co., Ltd., Ota, Tokyo 143-0026, Japan a) takeuchi2015@ppl.cs.tut.ac.jp next-level server replies an IP address corresponding to the domain. Otherwise, the server introduces a 2nd next-level server as in the previous step.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Detection of the DNS Water Torture Attack by Analyzing Features of the Subdomain Name

Takeuchi

Yoshida

Kobayashi

et al. 2016

Journal of Information Processing

View full text Add to dashboard Cite

Abstract:The Domain Name System (DNS), whose major function is to manage associations between domain names and IP addresses, plays a major role in managing the Internet. Thus, a DNS impairment would significantly impact society. A major cause of DNS impairment is Distributed Denial of Service (DDoS) attack on authoritative DNS servers. Our study focuses on the recently emerging DDoS attack known as the DNS Water Torture Attack. This attack causes open resolvers, which are improperly configured cache DNS servers that accept requests from both LAN and WAN, to send many queries to resolve domains managed by target servers. Domain names for resolving sent in this attack include varying random subdomains. Cache servers certainly will not have cached data for these queries, and so a huge volume of queries converges to the target authoritative servers via cache servers. In this paper, we propose a detection method for this attack using the Naive Bayes Classifier. Experimental results show that our method is capable of detecting this attack with a 95.59% detection rate. Moreover, the results of performance simulation show that our method is fast enough to process more than 2.3 Gbps of traffic on the fly.

show abstract

Section: Introductionmentioning

confidence: 99%

“…Karasaridis et al [3] introduced a method to detect DNS Cache Poisoning and DNS Tunneling. Unlike ordinary Intrusion Detection Systems, their method does not rely on known attack patterns called signatures.…”

Section: Introductionmentioning

confidence: 99%

Detection of the DNS Water Torture Attack by Analyzing Features of the Subdomain Name

Takeuchi

Yoshida

Kobayashi

et al. 2016

Journal of Information Processing

View full text Add to dashboard Cite

show abstract

“…The flow exporter aggregates packets with common properties into one flow until the flow is terminated. This termination can be caused by the expiration of flow cache entry (active time-out, idle time-out or resource constraints), natural expiration based on packet flags indicating connection end, emergency expiration or cache flush [7]. In networks with a large volume of traffic, it is necessary to have sufficiently large and free flow cache to avoid emergency expiration or cache flush, which may cause unwanted flow records split.…”

Section: Standard Flow Monitoringmentioning

confidence: 99%

“…Flow acquisition can be done by common network devices that support flow record export, such as routers, or by specialized network probes [7] which provides greater data accuracy and are able to effectively process a large volume of traffic. Figure 1 depicts a monitored network with the probes installed at the local network uplink and also inside the network.…”

Section: Standard Flow Monitoringmentioning

confidence: 99%

Detection of DNS Traffic Anomalies in Large Networks

Čermák

Čeleda

Vykopal

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Almost every Internet communication is preceded by a translation of a DNS name to an IP address. Therefore monitoring of DNS traffic can effectively extend capabilities of current methods for network traffic anomaly detection. In order to effectively monitor this traffic, we propose a new flow metering algorithm that saves resources of a flow exporter. Next, to show benefits of the DNS traffic monitoring for anomaly detection, we introduce novel detection methods using DNS extended flows. The evaluation of these methods shows that our approach not only reveals DNS anomalies but also scales well in a campus network.

show abstract

“…Anomaly based botnet detection, tries to detect bot activities based on several network behavior anomalies such as unexpected network latencies, network traffic on unusual and unused ports, high volumes of traffic for a midclass network or unusual system behaviors that could indicate the existence of malicious parties in the network (Feily et al, 2009). Karasaridis, Rexroad, & Hoeflin (2007) proposed an algorithm for detection and characterization of botnets using passive analysis. Their approach was based on flow data in transport layer.…”

Section: Anomaly Based Detection Techniquesmentioning

confidence: 99%