DNS Based Detection of SSH Dictionary Attack in Campus Network

We statistically investigated the DNS query traffic sent from a university campus network toward the top domain DNS server through March 14th, 2009, a day on which hosts in the campus network were under an inbound SSH dictionary (brute-force) attack. The results are as follows: (1) several hosts generated DNS query packet traffic at a rate of more than 1,000 packets per hour between 07:30 and 08:30 on March 14th, 2009; (2) this DNS query packet traffic correlates with the traffic of DNS query packets that include at least two specific query keywords (the packet payloads); and (3) the former keyword is a fully qualified domain name (FQDN) and the latter is an IP address. Therefore, inbound SSH dictionary attacks can be detected by watching the frequencies of FQDNs and IP addresses as query keywords in the DNS query packets sent from hosts in the campus network.
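The detection rule the abstract arrives at (count DNS queries per campus host per hour, separate the query keywords into FQDNs and IP addresses, and alert when a host exceeds the 1,000-per-hour rate with both kinds present) can be expressed as a small log-analysis routine. The following is an added example, not code from the paper or its authors: the log-line format, the host addresses and the sample query log are constructed for illustration, and the exact alert condition (rate above the threshold and at least one keyword of each kind in the same hour) is this example's reading of findings (1) to (3).

```python
"""
Added example (not from the paper): count DNS queries per campus host per
hour, split the query keywords into FQDN lookups and IP-address (reverse, PTR)
lookups, and flag hosts whose hourly rate exceeds the 1,000 queries/hour
figure reported in the abstract. Log format and sample data are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed log format: "<ISO timestamp> <client IP> <query name> <qtype>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

HOURLY_THRESHOLD = 1000  # queries per hour, the rate given in the abstract


def classify_keyword(qname: str) -> str:
    """Return "ip" when the query keyword is an IP address (a reverse lookup
    under in-addr.arpa / ip6.arpa, or a bare address), otherwise "fqdn"."""
    name = qname.rstrip(".").lower()
    if name.endswith(".in-addr.arpa") or name.endswith(".ip6.arpa"):
        return "ip"
    try:
        ipaddress.ip_address(name)
        return "ip"
    except ValueError:
        return "fqdn"


def parse_line(line: str):
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    # ts[:13] is "YYYY-MM-DDTHH", i.e. the one-hour bucket the query falls in
    return {"hour": ts[:13], "client": client, "qname": qname, "qtype": qtype}


def hourly_counts(lines):
    """Map (client, hour) -> {"total", "fqdn", "ip"} query counts."""
    counts = defaultdict(lambda: {"total": 0, "fqdn": 0, "ip": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = counts[(rec["client"], rec["hour"])]
        bucket["total"] += 1
        bucket[classify_keyword(rec["qname"])] += 1
    return dict(counts)


def flag_hosts(counts, threshold=HOURLY_THRESHOLD):
    """Return (client, hour, total, fqdn, ip) for every host-hour above the
    rate threshold that carries both keyword kinds, mirroring the abstract's
    observation that the attack-related traffic mixes FQDN and IP keywords."""
    flagged = []
    for (client, hour), c in sorted(counts.items()):
        if c["total"] > threshold and c["fqdn"] > 0 and c["ip"] > 0:
            flagged.append((client, hour, c["total"], c["fqdn"], c["ip"]))
    return flagged


def build_sample_log():
    """Constructed sample: one campus host (192.0.2.10, a documentation
    address) emits 1,200 queries inside the 07:00 hour, alternating reverse
    (IP-address) and forward (FQDN) lookups; a second host stays quiet."""
    lines = []
    for i in range(1200):
        minute, second = divmod(i * 3, 60)  # 3-second spacing within the hour
        ts = f"2009-03-14T07:{minute:02d}:{second:02d}"
        if i % 2 == 0:
            lines.append(f"{ts} 192.0.2.10 {i % 254 + 1}.0.113.203.in-addr.arpa. PTR")
        else:
            lines.append(f"{ts} 192.0.2.10 host{i}.example.net. A")
    lines.append("2009-03-14T07:15:00 192.0.2.20 www.example.org. A")
    lines.append("2009-03-14T07:16:00 192.0.2.20 mail.example.org. MX")
    return lines


if __name__ == "__main__":
    for client, hour, total, fqdn, ip in flag_hosts(hourly_counts(build_sample_log())):
        print(f"{hour} {client}: {total} queries ({fqdn} FQDN, {ip} IP-address keywords)")
```

On a real deployment the same two counters would be fed from the resolver's query log (for BIND, the client address and query name on each `query:` line) rather than from the constructed format used here, and the hour bucket could be narrowed to match the 07:30-08:30 window the abstract reports.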
