
Detection of Open Resolver Activity in DNS Query Traffic from Campus Network System


Abstract

We statistically investigated the total A resource record (RR) based DNS query request packet traffic from the campus network to the top domain DNS server in a university from January 1st to December 31st, 2014. The obtained results are: (1) We found significant query-keyword-based entropy changes in the total DNS query request traffic on February 5th, 2014. (2) In the total A-RR based DNS query request packet traffic, we observed 73-90% of unique query keywords including eleven source IP addresses (i.e. Kaminsky and/or Kaminsky-like attack). (3) We also found that the source IP addresses were assigned to the home/broadband routers in campus laboratories, as open DNS resolvers. (4) We also calculated the frequency distribution of the Levenshtein distance between the DNS query keywords and the peaks that were observed at 10-15 per day. Therefore, we can conclude that the Levenshtein distance model is useful for developing a detection model of open DNS resolvers.
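The three statistics named in the abstract (query-keyword entropy, share of unique query keywords per source IP, and the frequency distribution of Levenshtein distances between query keywords) can be computed per source as in the following added example, which is not code from the paper. The sample queries, the 192.0.2.x addresses, the pairing of each query name with the next one from the same source, and the `min_unique` / `min_queries` thresholds are all assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample (not data from the paper): (source IP, A-RR query name) in arrival order.
SAMPLE = (
    [("192.0.2.10", n + ".example.com") for n in ("www", "mail", "www", "www", "mail", "www")]
    + [("192.0.2.53", p + ".example.net") for p in ("k3x9", "p0q7", "z8m2", "b5t1", "w4r6", "h2y0")]
)

def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def entropy(names):
    """Shannon entropy (bits) of the query-name distribution."""
    n = len(names)
    return -sum(c / n * math.log2(c / n) for c in Counter(names).values())

def profile(queries):
    """Per-source statistics over one window of A-RR queries."""
    by_src = defaultdict(list)
    for src, qname in queries:
        by_src[src].append(qname.lower().rstrip("."))
    stats = {}
    for src, names in by_src.items():
        stats[src] = {
            "count": len(names),
            "unique_ratio": len(set(names)) / len(names),
            "entropy": entropy(names),
            # Assumed pairing: each query name against the next one from the same source.
            "distance_hist": dict(Counter(levenshtein(a, b) for a, b in zip(names, names[1:]))),
        }
    return stats

def suspects(queries, min_unique=0.7, min_queries=5):
    """Sources whose window is dominated by never-repeated names (assumed thresholds)."""
    return sorted(s for s, st in profile(queries).items()
                  if st["count"] >= min_queries and st["unique_ratio"] >= min_unique)

if __name__ == "__main__":
    for src, st in profile(SAMPLE).items():
        print(src, st)
    print("suspect sources:", suspects(SAMPLE))
```

A source flagged this way is a candidate for checking whether the device answers recursive queries from outside the campus network; the statistics alone do not prove it is an open resolver.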
