Journal: 電子情報通信学会技術研究報告

Detection of Host Name Harvesting Attack in PTR Resource Record Based DNS Query Packet Traffic


Abstract

We statistically investigated the total inbound PTR resource record (RR) based DNS query request packet traffic to the top domain DNS server in a university campus network from January 1st to December 31st, 2009. The obtained results are: (1) We observed fourteen host name harvesting (HnH) attacks, in which the unique source IP address based entropy of the inbound PTR RR based DNS query packet traffic decreases rapidly and the unique DNS query keyword based entropy increases significantly. (2) We found consecutive and random IP addresses in the PTR RR based DNS query request packet traffic on January 8th and 21st, 2009, respectively. (3) We calculated the Euclidean distances between the observed IP address and the last observed IP address, taken as DNS query keywords, and detected two kinds of HnH attacks with threshold ranges of 1.0-2.0 and 150.2-210.4. These results show that inbound HnH attacks can be detected more easily by calculating the Euclidean distances among the observed IP addresses in the inbound PTR RR based DNS query request packet traffic.
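The two signals in the abstract, computed over one window of PTR queries, as an added example that is not code from the paper. It assumes addresses are compared as 4-octet vectors, that the thresholds apply to the mean distance between successive queried addresses, and that the 1.0-2.0 range corresponds to consecutive scans and 150.2-210.4 to random ones; the function names and sample windows are constructed for illustration.

```python
import ipaddress
import math
import random
from collections import Counter

# Assumed mapping of the abstract's two threshold ranges to its two scan types.
RANGES = {"consecutive": (1.0, 2.0), "random": (150.2, 210.4)}

def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of values."""
    n = len(values)
    return 0.0 - sum(c / n * math.log2(c / n) for c in Counter(values).values())

def ptr_to_ip(qname):
    """'4.3.2.1.in-addr.arpa.' -> '1.2.3.4'; None for anything malformed."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ValueError:
        return None

def distance(a, b):
    """Euclidean distance between two IPv4 addresses as 4-octet vectors (assumed)."""
    return math.dist(tuple(ipaddress.IPv4Address(a).packed),
                     tuple(ipaddress.IPv4Address(b).packed))

def analyze(queries):
    """queries: one window of (source_ip, qname) pairs, in arrival order."""
    ips = [ip for _, q in queries if (ip := ptr_to_ip(q))]
    dists = [distance(a, b) for a, b in zip(ips, ips[1:])]
    mean = sum(dists) / len(dists) if dists else 0.0
    kind = next((k for k, (lo, hi) in RANGES.items() if lo <= mean <= hi), None)
    return {"src_entropy": entropy([s for s, _ in queries]),
            "key_entropy": entropy(ips), "mean_dist": mean, "hnh": kind}

def qname(ip):
    """Build the reverse-lookup name for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

# Constructed sample windows (not real traffic): one source walking a range,
# one source querying random addresses, and many sources asking for two hosts.
rng = random.Random(2009)
CONSECUTIVE = [("198.51.100.7", qname(f"192.0.2.{i}")) for i in range(1, 201)]
RANDOM = [("198.51.100.7", qname(str(ipaddress.IPv4Address(rng.getrandbits(32)))))
          for _ in range(2000)]
NORMAL = [(f"203.0.113.{i % 50}", qname(f"192.0.2.{10 + 50 * (i % 2)}"))
          for i in range(200)]
```

Calling `analyze()` on each window shows the pattern the abstract reports: in both scan windows the source entropy is zero while the keyword entropy is high, and the mean distance separates the consecutive scan from the random one.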
