Major network events can be reflected on domain name system (DNS) traffic at the top level server on the DNS hierarchical structure. This paper pursues a novel approach to detect the DNS traffic anomaly of 5.19 events in China at CN top level domain server using covariance analysis. We normalize, expand and average the covariance changes for different length of time slice to enhance the robustn...

DNS Tunnels are built by proper tools that allow embedding data on DNS queries and responses. Each tool has its own strategies that affect the network performance in a unique way. In this paper, we propose an architectural analysis of the current state-of-the-art of DNS Tunneling tools. Then, we provide a comparative evaluation of such tools in term of performance, as a first step towards the p...

High-bandwidth covert channels pose significant risks to sensitive and proprietary information inside company networks. Domain Name System (DNS) tunnels provide a means to covertly infiltrate and exfiltrate large amounts of information passed network boundaries. This paper explores the possibility of detecting DNS tunnels by analyzing the unigram, bigram, and trigram character frequencies of do...

1. PROBLEM & MOTIVATION Smartdevices are becoming the primary or only Internet point of access for an ever larger fraction of users. Nearly a quarter of current web traffic is mobile, and recent industry studies have estimated a fourfold increase in global mobile data traffic by 2018, mainly driven by data demands and the growing number of smart phones and tablets [7]. Content delivery networks...

To improve the resiliency of communication between bots and C&C servers, bot masters began utilizing Domain Generation Algorithms (DGA) in recent years. Many systems have been introduced to detect DGA-based botnets. However, they suffer from several limitations, such as requiring DNS traffic collected across many networks, the presence of multiple bots from the same botnet, and so forth. These ...

In this research, a visual analytics approach is used on a large set of DNS packet captures to gain insight into ways that authoritative name servers are abused for denial of service attacks. Several tools were developed to identify patterns in DNS queries and responses. These patterns revealed that source port selection by recursive name servers is not uniformly distributed and that attackers ...

Domain Name System (DNS) amplification attack is a sophisticated Distributed Denial of Service (DDoS) attack by sending a huge volume of DNS name lookup requests to open DNS servers with the source address spoofed as a victim host. However, from the point of view of an individual network resource such as DNS server and switch, it is not easy to mitigate such attacks because a distributed attack...

In this paper, we present a novel approach to exploit the relationships among domain names to improve the cache hit rate for a local DNS server. Using these relationships, an authoritative DNS server (ADNS) can piggyback resolutions for future queries as part of the response message for an initial query. The approach improves the cache hit rate as well as reducing the total queries and response...

Internet Service Providers (ISPs) increasingly try to grow their profit margins by employing “error traffic monetization,” the practice of redirecting customers whose DNS lookups fail to advertisement-oriented Web servers. A small industry of companies provides the associated machinery for ISPs to engage in this monetization, with the companies often participating in operating the service as we...

This paper compares local and wide-area traffic from end-hosts connected to different home and work networks. We base our analysis on network and application traces collected from 47 end-hosts for at least one week. We compare traffic patterns in terms of number of connections, bytes, duration, and applications. Not surprisingly, wide-area traffic dominates local traffic for most users. Local c...