Detection of NS Resource Record DNS Resolution Traffic, Host Search, and SSH Dictionary Attack Activities
Authors: Kazuya Takemori, Dennis Arturo Ludeña Romaña, Shinichiro Kubota, Kenichi Sugitani, Yasuo Musashi
We carried out an entropy study on the DNS query traffic from the Internet to the top domain DNS server
in a university campus network from January 1st to March 31st, 2009. The obtained results are: (1) We observed
a difference in the entropy changes among the total-, the A-, and the PTR resource record (RR) based DNS query
traffic from the Internet from January 17th to February 1st, 2009. (2) We found large NS RR based DNS
query traffic consisting only of the keyword "." in the total inbound DNS query traffic. (3) We also found that the unique
source IP address based PTR DNS traffic entropy slightly increased, while the unique DNS query keyword based one
drastically decreased on March 9th, 2009. We identified a specific IP host, an already-hijacked classical Linux
PC, which carried out an SSH dictionary attack against Internet sites on March 9th, 2009. From these results, we can detect
the unusual inbound NS RR based DNS traffic and the outbound SSH dictionary attacks by watching only the DNS query
traffic from the Internet.
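The two entropy measures the abstract compares, and the two anomalies it reports (NS queries for only "." and a PTR keyword-entropy collapse paired with a source-IP-entropy rise), can be computed from plain inbound query records. The following is an added example, not code from the paper or its authors: it runs Shannon entropy over constructed log records of the form (source IP, RR type, query keyword), counts root-only NS queries, and flags a single PTR name that many distinct remote resolvers ask for. The constructed data exaggerates the effect for clarity; the assumed cause of the PTR pattern (remote sites reverse-resolving the attacking campus host's address, here the documentation address 192.0.2.77) is an assumption of this example, as are all addresses and thresholds.

```python
"""Entropy-based screening of inbound DNS query traffic (added example)."""
import math
from collections import Counter

# Constructed inbound query records: (source_ip, rr_type, query_keyword).
# "Normal" day: four remote resolvers each resolving two unrelated names,
# one A query and one NS query for the root (keyword ".").
NORMAL_DAY = [
    ("203.0.113.1", "PTR", "10.2.0.192.in-addr.arpa"),
    ("203.0.113.1", "PTR", "11.2.0.192.in-addr.arpa"),
    ("203.0.113.2", "PTR", "12.2.0.192.in-addr.arpa"),
    ("203.0.113.2", "PTR", "13.2.0.192.in-addr.arpa"),
    ("198.51.100.5", "PTR", "14.2.0.192.in-addr.arpa"),
    ("198.51.100.5", "PTR", "15.2.0.192.in-addr.arpa"),
    ("198.51.100.6", "PTR", "16.2.0.192.in-addr.arpa"),
    ("198.51.100.6", "PTR", "17.2.0.192.in-addr.arpa"),
    ("203.0.113.1", "A", "www.example.com"),
    ("203.0.113.9", "NS", "."),
]

# "Attack" day (constructed): the normal traffic plus sixteen distinct remote
# resolvers all asking for the reverse name of one campus host. The assumed
# cause is that each attacked site reverse-resolves the SSH client address.
SUSPECT_HOST_REVERSE = "77.2.0.192.in-addr.arpa"
ATTACK_DAY = NORMAL_DAY + [
    (f"198.51.100.{100 + i}", "PTR", SUSPECT_HOST_REVERSE) for i in range(16)
]


def shannon_entropy(items):
    """Shannon entropy in bits of the empirical distribution of `items`."""
    counts = Counter(items)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def ptr_entropies(records):
    """(unique-source-IP entropy, unique-keyword entropy) over PTR queries."""
    ptr = [r for r in records if r[1] == "PTR"]
    return (shannon_entropy([r[0] for r in ptr]),
            shannon_entropy([r[2] for r in ptr]))


def root_ns_query_count(records):
    """Number of NS queries whose only keyword is '.' (the root)."""
    return sum(1 for r in records if r[1] == "NS" and r[2] == ".")


def dominant_ptr_keyword(records, min_share=0.5, min_sources=8):
    """Return (keyword, share, n_sources) when one PTR name accounts for at
    least `min_share` of PTR queries and comes from at least `min_sources`
    distinct resolvers; otherwise None. Thresholds are assumptions."""
    ptr = [r for r in records if r[1] == "PTR"]
    if not ptr:
        return None
    keyword, count = Counter(r[2] for r in ptr).most_common(1)[0]
    sources = {r[0] for r in ptr if r[2] == keyword}
    share = count / len(ptr)
    if share >= min_share and len(sources) >= min_sources:
        return keyword, share, len(sources)
    return None


def reverse_name_to_ipv4(name):
    """'77.2.0.192.in-addr.arpa' -> '192.0.2.77' (IPv4 reverse names only)."""
    labels = name.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an IPv4 reverse name: {name}")
    return ".".join(reversed(labels[:4]))


if __name__ == "__main__":
    for label, day in (("normal", NORMAL_DAY), ("attack", ATTACK_DAY)):
        src_h, kw_h = ptr_entropies(day)
        print(f"{label}: H(src IP)={src_h:.2f} bits, H(keyword)={kw_h:.2f} bits, "
              f"root-only NS queries={root_ns_query_count(day)}")
        hit = dominant_ptr_keyword(day)
        if hit:
            print(f"  dominant PTR name {hit[0]} from {hit[2]} resolvers; "
                  f"examine campus host {reverse_name_to_ipv4(hit[0])}")
```

On the constructed data the normal day gives 2.0 bits of source-IP entropy and 3.0 bits of keyword entropy for PTR queries; the attack day raises the source-IP entropy and lowers the keyword entropy, which is the direction of change the abstract reports for March 9th, and the dominant reverse name points back at the campus host to inspect.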