Entropy Based Analysis of DNS Query Traffic in the Campus Network
Dennis Arturo Ludeña Romaña, Yasuo Musashi
We carried out an entropy-based study of the DNS query traffic from the campus network of a university from January 1st, 2006 to March 31st, 2007. The results are summarized as follows: (1) The source IP address-based and query keyword-based entropies change symmetrically in the DNS query traffic from outside the campus network when spam bot activity on the campus network is detected. On the other hand, (2) the source IP address-based and query keyword-based entropies change similarly to each other when large DNS query traffic caused by prescanning or a distributed denial of service (DDoS) attack from the campus network is detected. Therefore, we can detect a spam bot and/or a DDoS attack bot by only watching DNS query access traffic.
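The following is an added example illustrating the kind of measurement the abstract describes; it is not code from the authors. It computes the Shannon entropy of the source IP address distribution and of the query name distribution over a window of DNS query log lines, then compares a window against a baseline to see whether the two entropies moved in opposite directions (the "symmetric" change the abstract associates with spam bot activity) or in the same direction (the "similar" change it associates with prescanning or DDoS traffic). Assumptions not in the abstract: "query keyword" is taken to mean the queried domain name, the log lines follow a BIND-style `query:` format and are constructed here, and the `min_delta` threshold is an arbitrary illustrative value.

```python
"""Entropy of source IPs and query names in DNS query log windows.

Added example (not the paper's code). Log lines are constructed samples in
an assumed BIND-style format; the significance threshold is an assumption.
"""
import re
from collections import Counter
from math import log2

# Assumed BIND9-style query log line, e.g.
#   "client 10.0.1.5#5353: query: www.example.edu IN A + (10.0.0.1)"
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_queries(lines):
    """Return a list of (source_ip, query_name) tuples from log lines."""
    records = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            records.append((m.group("ip"), m.group("qname").lower()))
    return records


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * log2(c / total) for c in counts.values())


def window_entropies(records):
    """(source-IP entropy, query-name entropy) for one window of records."""
    ips = [ip for ip, _ in records]
    names = [name for _, name in records]
    return shannon_entropy(ips), shannon_entropy(names)


def change_pattern(baseline, window, min_delta=0.5):
    """Classify how the two entropies moved from baseline to window.

    'symmetric': they moved in opposite directions (abstract: spam bot case).
    'similar':   they moved in the same direction (abstract: prescanning/DDoS case).
    min_delta (bits) is an illustrative threshold, not a value from the paper.
    """
    b_ip, b_name = window_entropies(baseline)
    w_ip, w_name = window_entropies(window)
    d_ip, d_name = w_ip - b_ip, w_name - b_name
    if abs(d_ip) < min_delta or abs(d_name) < min_delta:
        return "no significant change"
    return "symmetric" if (d_ip > 0) != (d_name > 0) else "similar"


def _line(ip, qname):
    # Helper to build a constructed log line in the assumed format.
    return f"client {ip}#5353: query: {qname} IN A + (10.0.0.1)"


# Constructed baseline: a handful of campus clients asking for a few names.
BASELINE_LINES = [
    _line("10.0.1.5", "www.example.edu"), _line("10.0.1.6", "mail.example.edu"),
    _line("10.0.1.7", "www.example.edu"), _line("10.0.1.8", "lib.example.edu"),
    _line("10.0.1.9", "cs.example.edu"),  _line("10.0.1.5", "mail.example.edu"),
    _line("10.0.1.6", "www.example.edu"), _line("10.0.1.7", "lib.example.edu"),
]

# Constructed window A: one source asking for many distinct names.
# Source-IP entropy falls while query-name entropy rises -> symmetric.
WINDOW_A_LINES = [_line("10.0.2.20", f"host{i}.example.net") for i in range(8)]

# Constructed window B: many sources each asking for a distinct name.
# Both entropies rise together -> similar.
WINDOW_B_LINES = [_line(f"10.0.3.{i}", f"h{i}.example.org") for i in range(8)]

BASELINE = parse_queries(BASELINE_LINES)
WINDOW_A = parse_queries(WINDOW_A_LINES)
WINDOW_B = parse_queries(WINDOW_B_LINES)

if __name__ == "__main__":
    for label, win in (("baseline", BASELINE), ("window A", WINDOW_A), ("window B", WINDOW_B)):
        h_ip, h_name = window_entropies(win)
        print(f"{label:9s} H(src ip)={h_ip:.3f} bits  H(qname)={h_name:.3f} bits")
    print("window A vs baseline:", change_pattern(BASELINE, WINDOW_A))
    print("window B vs baseline:", change_pattern(BASELINE, WINDOW_B))
```

In practice the windows would be fixed time slices (the abstract works at the scale of daily traffic over fifteen months), the baseline would be a rolling average rather than a single window, and the threshold would be tuned against normal variation in the monitored resolver's traffic before the change pattern is used as an alert.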