
Anomaly-based Behavior Analysis of DNS traffic Hamid Alipour , Salim Hariri, Youssif Al-Nashif NSF Center for Cloud and Autonomic Computing The University of Arizona nsfcac.arizona.edu


Page 1: Anomaly-based Behavior Analysis of DNS trafficDNS Security Issues. The DNS (Domain Name System) is one of the core services in the Internet that serves to many other internet services

Anomaly-based Behavior Analysis of DNS traffic

Hamid Alipour, Salim Hariri, Youssif Al-Nashif
NSF Center for Cloud and Autonomic Computing
The University of Arizona
nsfcac.arizona.edu

Page 2:

Cloud Computing

Page 3:

Domain Name System

Page 4:

DNS Message Format

Header, Query, Response.

Record types that appear in the Query and Response sections:
• A: Address
• NS: Name Server
• SOA: Start Of Authority
• MX: Mail eXchange
• CNAME: Canonical NAME
• PTR: domain name PoinTeR
• …

Weak Authentication: the Query-Response Relation consists of
– Same Port
– Same ID
– Same Question section
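The following is an added example, not code from the slides: a minimal builder and parser for the header and question section described above, together with the port/ID/question match that is the whole query-response binding in plain DNS. The record type codes are the RFC 1035 values; the ID 900 and the addresses 10.10.10.10 and 20.20.20.1 are taken from the cache-poisoning diagram later in the deck, and the port numbers are invented for the demonstration.

```python
import struct

# Record types listed on the slide, keyed by their RFC 1035 type codes
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX"}
TYPE_CODES = {name: code for code, name in RR_TYPES.items()}
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """'target.com' -> b'\\x06target\\x03com\\x00' (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a name at `offset`, following 0xC0xx compression pointers.
    Returns (name, offset of the first byte after the name as it appeared in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 16:                              # defensive: refuse pointer loops
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_query(qid: int, qname: str, qtype: str = "A") -> bytes:
    """12-byte header + one question. Flags 0x0100: QR=0 (query), RD=1 (recursion desired)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", TYPE_CODES[qtype], CLASS_IN)


def build_a_response(qid: int, qname: str, ip: str, ttl: int = 300) -> bytes:
    """Header with QR=1, AA=1 (0x8400), the question echoed back, and one A record whose
    owner name is a compression pointer to the question name at offset 12 (0xC00C)."""
    header = struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_CODES["A"], CLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_CODES["A"], CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_message(msg: bytes) -> dict:
    """Parse the header, question section and answer section into a dict."""
    qid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, RR_TYPES.get(qtype, qtype)))
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if RR_TYPES.get(rtype) == "A" and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, RR_TYPES.get(rtype, rtype), ttl, rdata))
    return {"id": qid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def response_matches(query: bytes, query_port: int, response: bytes, response_port: int) -> bool:
    """The entire query/response binding of classic DNS: same port, same ID, same question.
    Names are compared case-insensitively, as RFC 1035 requires."""
    q, r = parse_message(query), parse_message(response)
    same_question = ([(n.lower(), t) for n, t in q["questions"]]
                     == [(n.lower(), t) for n, t in r["questions"]])
    return r["is_response"] and query_port == response_port and q["id"] == r["id"] and same_question


if __name__ == "__main__":
    query = build_query(900, "target.com")                       # the ID:900 query from the diagram
    genuine = build_a_response(900, "target.com", "10.10.10.10")
    forged = build_a_response(901, "target.com", "20.20.20.1")   # wrong ID: must be dropped
    print(parse_message(genuine))
    print("genuine accepted:", response_matches(query, 40001, genuine, 40001))
    print("forged accepted :", response_matches(query, 40001, forged, 40001))
```

Nothing in `response_matches` is secret except the 16-bit ID and the source port, and with a fixed source port only the ID is left. That is the weakness the cache-poisoning slides exploit: an off-path attacker who can trigger the query knows the port and the question and only has to guess the ID.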

Page 5:

DNS Security Issues. The DNS (Domain Name System) is one of the core services of the Internet; many other Internet services (Web, email, VoIP) depend on it.

Other services use domain names as their authentication mechanism (e.g. Berkeley r-commands, VoIP) and thus can also be affected by DNS attacks.

We still use a system that was designed in the 1980s. Since performance of the DNS protocol was the priority then, security issues were largely ignored; security was not the concern in the 1980s that it is today.

DNS threats are growing. Some important ones are DNS cache poisoning, DNS amplification and … .

Page 6:

DNS Cache Poisoning

Step 1: Bad guy sends a DNS query to the Victim NS.

Steps 2a, 3, 4, 5, 6, 7: The normal iterative name resolution by the Victim NS.

Step 2b: Bad guy starts flooding the victim with forged DNS reply packets. If one of the flooded packets hits the QID before the original response (step 5), the Victim NS will cache it (cache is poisoned!!!).

[Diagram: parties Bad Guy, Victim NS, Root, .Com, ns1.target.com, www.target.com (10.10.10.10), fake.target.com. Labeled messages: 1: ID:900, target.com?, Q(A); ID:1000, target.com?, Q(A) and ID:1000, Ask .com, R(NS); ID:1001, target.com?, Q(A) and ID:1001, Ask ns1.target.com, R(NS); ID:1002, target.com?, Q(A); forged flood ID:2002, R(A); ID:1002, R(A); ID:4040, R(A); ID:1002, 20.20.20.1, R(A); 8: ID:900, 10.10.10.10, R(A). Message sequence without attack: Q(A) Q(A) R(NS) Q(NS) R(NS) Q(A) R(A) R(A). Message sequence under attack: Q(A) Q(A) R(NS) Q(NS) R(NS) Q(A) R(A) R(A) R(A) R(A) R(A). Success!!! Cache Poisoned.]

Attacker should hit the ID.

Page 7:

DNS Amplification

Step 1: Signal the hired BotNet.

Step 2: The bots send the same query to a recursive NS while spoofing the Victim IP as the source IP.

Steps 3, 4, 5, 6, 7, 8: The NS resolves the queried name.

Step 9: The NS sends the responses to all the queries to the Victim server.

Page 8:

DNS Security Solutions

Secure Protocol
• DNSSEC
• 0x20-bit encoding
• WSEC
• DNSCurve

Intrusion Detection/Prevention System
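Added example, not code from the slides, that puts numbers on "attacker should hit the ID" from the cache-poisoning slide and on the 0x20-bit encoding listed above. It models the blind forger's guess space for the 16-bit ID alone, with source-port randomization (assumed here to use the 64512 ephemeral ports 1024..65535), and with 0x20 case randomization of the question name, and runs a Monte Carlo version of the ID-only race. The sizes, the name www.target.com and the forgery counts are this editor's assumptions, not figures from the deck.

```python
import random
import secrets

ID_SPACE = 1 << 16            # 16-bit transaction ID in the DNS header
PORT_SPACE = 65536 - 1024     # ephemeral source ports 1024..65535 when the resolver randomizes them


def encode_0x20(qname: str, seed=None) -> str:
    """0x20-bit encoding: randomize the case of every letter of the question name.
    Authoritative servers echo the question back unchanged, so the case pattern is a
    per-query secret a blind forger must guess in addition to the ID.
    `seed` exists only to make demos reproducible; a real resolver must draw the
    bits from a CSPRNG, which is what the secrets path does."""
    bits = random.Random(seed).getrandbits if seed is not None else secrets.randbits
    return "".join((c.upper() if bits(1) else c.lower()) if c.isalpha() else c
                   for c in qname)


def question_matches_0x20(sent: str, echoed: str) -> bool:
    """A 0x20-aware resolver compares the echoed question byte for byte, instead of the
    case-insensitive comparison plain DNS uses."""
    return sent == echoed


def guess_space(qname: str, randomize_port: bool, use_0x20: bool) -> int:
    """Number of (ID, source port, case pattern) combinations a blind forger must cover.
    Every letter in the name adds one bit under 0x20; digits, hyphens and dots add none."""
    space = ID_SPACE
    if randomize_port:
        space *= PORT_SPACE
    if use_0x20:
        space <<= sum(1 for c in qname if c.isalpha())
    return space


def hit_probability(n_forged: int, space: int) -> float:
    """P(at least one of n_forged independently, uniformly guessed forgeries matches the
    outstanding query) before the genuine answer lands. On a miss the genuine record is
    cached, and the attacker has to wait for its TTL to expire before trying again."""
    return 1.0 - (1.0 - 1.0 / space) ** n_forged


def simulate_race(n_forged: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo version of the ID-only race drawn on the cache-poisoning slide: the
    victim resolver picks a random 16-bit ID for its outstanding query (fixed source port,
    no 0x20); the attacker fires n_forged replies with random IDs.
    Returns the observed fraction of trials in which the cache was poisoned."""
    rng = random.Random(seed)
    poisoned = 0
    for _ in range(trials):
        outstanding_id = rng.randrange(ID_SPACE)
        if any(rng.randrange(ID_SPACE) == outstanding_id for _ in range(n_forged)):
            poisoned += 1
    return poisoned / trials


if __name__ == "__main__":
    name = "www.target.com"
    sent = encode_0x20(name, seed=7)
    print("query name as sent:", sent)
    print("echo accepted     :", question_matches_0x20(sent, sent))
    print("lowercase forgery :", question_matches_0x20(sent, name))  # False unless the pattern was guessed
    for label, port, enc in (("ID only", False, False),
                             ("ID + port", True, False),
                             ("ID + port + 0x20", True, True)):
        print(f"{label:17s} 1000 forgeries: {hit_probability(1000, guess_space(name, port, enc)):.3e}")
    print("simulated ID-only race, 1000 forgeries:", simulate_race(1000, 600))
```

With a fixed source port, a thousand forged replies give the attacker roughly a 1.5% chance per race; randomizing the port and the letter case pushes the same flood below one in a billion. Two practical caveats: 0x20 only helps when the authoritative server preserves the case it received, and neither measure authenticates the data the way DNSSEC does; they only make blind forgery expensive.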

Page 9:

DNS Behavior Analysis

Page 10:

DNS Behavior Anomaly Detection

Page 11:

Cache Poisoning Example

Page 12:

Anomaly Score Distribution

We used 7 days of normal traffic as well as 30 minutes of burst attack traffic to compute the anomaly score distribution for each traffic class. With an anomaly threshold between 10 and 50, the normal and abnormal classes can be easily differentiated.

Page 13:

How much training is needed?

Because after 7 days the ratio of new n-grams in normal traffic is stable and low, we can expect a well-trained model.
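Added example, not the authors' code: a toy version of the n-gram behaviour model the deck describes, serving both the anomaly-score slide and the training-length question above. It uses 3-grams over short constructed windows of DNS message symbols rather than the deck's 7-grams over days of real traffic; the anomaly score (percentage of a window's n-grams never seen in training) and the threshold of 10 are this editor's assumptions, chosen to sit inside the 10 to 50 band reported above. The two long sequences are the normal and attack sequences drawn on the cache-poisoning slide; the amplification window is constructed after the amplification slide, and the three "days" are constructed, not captured.

```python
from collections import Counter
from typing import Iterable, List, Sequence, Tuple

Gram = Tuple[str, ...]


def ngrams(seq: Sequence[str], n: int) -> List[Gram]:
    """Sliding n-grams over a sequence of DNS message symbols such as Q(A) or R(NS)."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


class DnsNgramModel:
    """Profile of normal DNS behaviour: the multiset of message n-grams seen in training."""

    def __init__(self, n: int):
        self.n = n
        self.seen: Counter = Counter()

    def train(self, windows: Iterable[Sequence[str]]) -> float:
        """Learn one batch (say one day) of normal traffic. Returns the fraction of the
        batch's n-grams the model had never seen before: the convergence signal behind
        the "how much training is needed" question."""
        new = total = 0
        for window in windows:
            for gram in ngrams(window, self.n):
                total += 1
                if gram not in self.seen:
                    new += 1
                self.seen[gram] += 1
        return new / total if total else 0.0

    def score(self, window: Sequence[str]) -> float:
        """Anomaly score of one traffic window as the percentage of its n-grams absent
        from the model. This definition is an assumption; the slides do not state theirs."""
        grams = ngrams(window, self.n)
        if not grams:
            return 0.0
        unseen = sum(1 for gram in grams if gram not in self.seen)
        return 100.0 * unseen / len(grams)

    def classify(self, window: Sequence[str], threshold: float = 10.0) -> str:
        """Threshold chosen inside the 10..50 band the slides report as separating the classes."""
        return "abnormal" if self.score(window) > threshold else "normal"


# Constructed normal windows. The 8-symbol one is the legitimate resolution drawn on the poisoning slide.
NORMAL_PATTERNS = [
    ["Q(A)", "R(A)"],                                                     # answered from cache
    ["Q(A)", "Q(A)", "R(NS)", "Q(NS)", "R(NS)", "Q(A)", "R(A)", "R(A)"],  # full iterative resolution
    ["Q(MX)", "R(MX)", "Q(A)", "R(A)"],                                   # mail delivery lookup
    ["Q(PTR)", "R(PTR)"],                                                 # reverse lookup
    ["Q(A)", "Q(A)", "R(A)", "R(A)"],                                     # two clients served from cache
]
# Three constructed "days"; day 2 introduces a CNAME chain the first day never showed.
CNAME_CHAIN = ["Q(CNAME)", "R(CNAME)", "Q(A)", "R(A)"]
TRAINING_DAYS = [
    NORMAL_PATTERNS * 20,
    NORMAL_PATTERNS * 20 + [CNAME_CHAIN],
    NORMAL_PATTERNS * 20 + [CNAME_CHAIN],
]
# Attack windows: the reply flood drawn on the poisoning slide, and a spoofed-source burst of identical queries.
POISONING = ["Q(A)", "Q(A)", "R(NS)", "Q(NS)", "R(NS)", "Q(A)", "R(A)", "R(A)", "R(A)", "R(A)", "R(A)"]
AMPLIFICATION = ["Q(A)"] * 8 + ["R(A)"] * 8


def run_demo(n: int = 3):
    """Train day by day, then score normal and attack windows. Returns (new-gram ratios, scores)."""
    model = DnsNgramModel(n)
    ratios = [model.train(day) for day in TRAINING_DAYS]
    scores = {
        "normal resolution": model.score(NORMAL_PATTERNS[1]),
        "cache poisoning": model.score(POISONING),
        "amplification": model.score(AMPLIFICATION),
    }
    return ratios, scores


if __name__ == "__main__":
    ratios, scores = run_demo()
    for day, ratio in enumerate(ratios, 1):
        print(f"day {day}: {ratio:.1%} of 3-grams were new")
    for label, score in scores.items():
        print(f"{label:18s} anomaly score {score:5.1f}")
```

The new-gram ratio drops from 4.5% on day 1 to 1% on day 2 and 0% on day 3, which is the "stable and low" signal used above to stop training. The poisoning window scores 33 and the amplification burst 86, both well above a threshold of 10, while the trained resolution pattern scores 0. The cost shows up the same way: a legitimate pattern the training never contained, such as an MX lookup followed by two cached A answers, scores 25 and would be flagged, which is the detection-versus-false-positive trade-off the ROC curves on the following slides measure.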

Page 14:

Detection and false positive

ROC curve comparing different n-grams

(Trained and tested on the same deployment site)

ROC curve for different n-grams

(Trained on DNS-CAC and tested on DARPA99)

Page 15:

Conclusion

The DNS protocol shows a sequential behavior.

Using 7-grams we could detect different DNS attacks with high accuracy and less than 0.1% false positives.

We are trying to build a more comprehensive model which can be deployed at different sites after just one-time training.
