7
Evaluation of DNS Based SSH Dictionary Attack Traffic in Campus Network
Authors: Masaya Kumagai, Yasuo Musashi, Dennis Arturo Ludena Romana
Number of views: 427
We performed statistical analysis on the total PTR resource record (RR) based DNS query packet traffic
from a university campus network to the top domain DNS server through March 14th, 2009, when the network servers
in the campus network were under inbound SSH dictionary attack. The interesting results are obtained, as follows:
(1) the network servers, especially those providing SSH services, generated the significant PTR RR based DNS query
request packet traffic through 07:30-08:30 in March 14th, 2009, (2) we calculated sample variance for the DNS query
request packet traffic, (3) the variance can change in a sharp manner through 07:30-08:30, (4) we developed a couple
of DNS based SSH detection technologies by employing the PTR RR DNS query request packet traffic variance- and
the DNS query keywords Euclid distance based methods, and (5) we evaluated and compared the both detection rates.
As a result, although the both detection technologies take high detection rates, the Euclid distance based detection
technology can take a low false positive rate than that of the variance based one, indicating that we can detect the
inbound SSH dictionary attack to the network server in the campus network by observing the total PTR RR DNS
query request packet traffic from the campus network.