Paper

Peer-reviewed
2018

Detection and Blocking of Anomaly DNS Traffic by Analyzing Achieved NS Record History

2018 ASIA-PACIFIC SIGNAL AND INFORMATION PROCESSING ASSOCIATION ANNUAL SUMMIT AND CONFERENCE (APSIPA ASC)
  • Hikaru Ichise
  • Yong Jin
  • Katsuyoshi Iida
  • Yoshiaki Takai

Start page
1586
End page
1590
Language
English
Publication type
Research paper (international conference proceedings)
Publisher
IEEE

DNS (Domain Name System)-based name resolution is one of the most fundamental Internet services for Internet users and application service providers. In normal DNS-based domain name resolution, the corresponding NS records are required prior to sending a DNS query to the corresponding authoritative DNS servers. However, in recent years, DNS-based botnet communication has been observed in which botnet-related network traffic is transferred via DNS packets. In particular, some malware has been observed sending DNS queries to C&C servers using the IP address directly, without obtaining the corresponding NS records. In this paper, we propose a novel mechanism to detect and block anomaly DNS traffic by analyzing the achieved NS record history in an organization network. In the proposed mechanism, all DNS traffic of an organization network is captured and analyzed in order to extract the legitimate NS (Name Server) records and the corresponding glue A records (the IP address(es) of a name server), which are stored in a white list database. Then all outgoing DNS query packets are checked, and those destined to IP addresses that are not included in the white list are blocked as anomaly DNS traffic. We have implemented a prototype system and evaluated its functionality in an SDN-based experimental network. The results show that the prototype system works as expected and that the proposed mechanism is capable of detecting and blocking some specific types of suspicious DNS traffic.
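As an added illustration of the whitelist logic the abstract describes (this is not the authors' prototype code), the following Python builds the NS/glue A whitelist from constructed DNS response records and then classifies constructed outgoing queries by destination IP. The record layout, function names and the `seed_ips` list for root hints or upstream forwarders are assumptions.

```python
from ipaddress import ip_address

# Constructed sample (assumed layout, not a real capture): sections of DNS
# responses seen on the organization network, as (owner, rtype, rdata) records.
OBSERVED_RESPONSES = [
    # Referral for example.com. with glue A records in the additional section
    {"authority": [("example.com.", "NS", "ns1.example.com."),
                   ("example.com.", "NS", "ns2.example.com.")],
     "additional": [("ns1.example.com.", "A", "192.0.2.53"),
                    ("ns2.example.com.", "A", "192.0.2.54")]},
    # Referral without glue; the name server address arrives in a later answer
    {"authority": [("example.net.", "NS", "ns.example.net.")], "additional": []},
    {"answer": [("ns.example.net.", "A", "198.51.100.10")]},
]
# Constructed sample: outgoing DNS queries as (destination IP, query name)
OUTGOING_QUERIES = [
    ("192.0.2.53", "www.example.com."),
    ("198.51.100.10", "www.example.net."),
    ("203.0.113.7", "direct.example.org."),  # no NS/glue history for this IP
]

def build_whitelist(responses):
    """Extract legitimate NS names, then admit A records only for those names."""
    ns_names = set()
    for r in responses:
        for _owner, rtype, rdata in r.get("authority", []) + r.get("answer", []):
            if rtype == "NS":
                ns_names.add(rdata.lower())
    whitelist = set()
    for r in responses:
        for owner, rtype, rdata in r.get("additional", []) + r.get("answer", []):
            if rtype == "A" and owner.lower() in ns_names:
                whitelist.add(ip_address(rdata))
    return whitelist

def check_outgoing(queries, whitelist, seed_ips=()):
    """Split queries into (allowed, blocked) by destination IP. seed_ips is an
    assumption: root hints or upstream forwarders a resolver contacts without
    ever having learned an NS record for them, so they must be pre-admitted."""
    permitted = set(whitelist) | {ip_address(ip) for ip in seed_ips}
    allowed = [q for q in queries if ip_address(q[0]) in permitted]
    blocked = [q for q in queries if ip_address(q[0]) not in permitted]
    return allowed, blocked

def run_demo():
    """Build the whitelist from the sample history and classify the queries."""
    wl = build_whitelist(OBSERVED_RESPONSES)
    allowed, blocked = check_outgoing(OUTGOING_QUERIES, wl)
    return wl, allowed, blocked
```

Only A records whose owner name was previously seen as NS rdata enter the whitelist, so an A record for an arbitrary host does not admit its address.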


Link information
Web of Science
https://gateway.webofknowledge.com/gateway/Gateway.cgi?GWVersion=2&SrcAuth=JSTA_CEL&SrcApp=J_Gate_JST&DestLinkType=FullRecord&KeyUT=WOS:000468383400257&DestApp=WOS_CPL