Dennis Arturo Ludeña Romaña

Trends in Host Search Attack in DNS Query Request Packet Traffic

We statistically investigated the total PTR resource record (RR) based DNS query request packet traffic from the Internet to the top domain DNS server in a university campus network through January 1st to December 31st, 2011. The obtained results are: (1) We found twelve host search (HS) attacks in the scores for detection method using the calculated Euclidean distances between the observed IP address and the last observed IP address in the DNS query keywords by employing both threshold ranges of 1.0-2.0 (consecutive) and 150.2-210.4 (random). However, we found nineteen HS attacks in the scores using the calculated cosine distance between the DNS query IP addresses (threshold ranges of 0.75-0.83 and 0.9-1.0). (3) In the newly found HS attacks, we observed that the source IP addresses of the HS attack DNS query packets are distributed. Therefore, it can be concluded that the cosine distance based detection technology has a possibility to detect the source IP address-distributed host search attack.

SSH Dictionary Attack and DNS Reverse Resolution Traffic in Campus Network

We performed statistical analysis on the total PTR resource record (RR) based DNS query packet traffic from a university campus network to the top domain DNS server through March 14th, 2009, when the network servers in the campus network were under inbound SSH dictionary attack. The interesting results are obtained, as follows: (1) the network servers, especially, they have a function of SSH services, generated the significant PTR RR based DNS query request packet traffic through 07:30-08:30 in March 14th, 2009, (2) we calculated sample variance for the DNS query request packet traffic, and (3) the variance can change in a sharp manner through 07:30-08:30. From these results, it is clearly concluded that we can detect the inbound SSH dictionary attack to the network server by only observing the variance of the total PTR RR based DNS query request packet traffic from the network servers in the campus network.

Detection of host search activity in PTR resource record based DNS query packet traffic

We statistically investigated the total PTR resource record (RR) based DNS query request packet traffic from the Internet to the top domain DNS server in a university campus network through January 1st to December 31st, 2009. The obtained results are: (1) We observed fourteen host search (HS) activities in which we can observe rapid decreases in the unique source IP address based entropy of the inbound PTR RR based the DNS query packet traffic and significant increases in the unique DNS query keyword based one. (2) We found the consecutive and random IP address based queries in the PTR RR based DNS query request packet traffic through the days of January 8th and 21st, 2009, respectively. Also (3), we calculated Euclidean distances between the observed IP address and the last observed IP address as the DNS query keywords and we detected two kinds of HS activities by employing both threshold ranges of 1.0–2.0 and 150.2–210.4, respectively. Therefore, these results show that we can detect the HS activity by calculating the Euclidean distances between the currently- and the last-observed IP addresses in the inbound PTR RR based DNS query request packet traffic.

Statistical study of unusual DNS query traffic

We statistically investigated on the unusual big DNS resolution traffic toward the top domain DNS server from a university local campus network in April 11th, 2006. The following results are obtained: (1) In April 11th, the DNS query traffic includes a lot of fully qualified domain names (FQDNs) of several specific Web sites as name resolution keywords. (2) Also, the DNS query traffic includes a plenty of source IP addresses of PC clients. Usually, we can observe the source IP addresses of E-mail and/or Web servers in the usual DNS query traffic, mainly. From this point, it can be concluded that the PC clients are probably infected with bot worms (BWs) and they have tried to crash the top domain DNS server.