Protecting the DNS Infrastructure of a Top Level Domain: Dynamic Firewalling with Network Sensors

The security problems that plague network services today are increasing at a dramatic pace especially with the constant improvement of network transmission rates and the sheer amount of data exchanged. This translates to not only more attacks but also new types of attacks with network incidents becoming more and more frequent. A substantial part of the attacks occur at Top Level Domains (TLD) who have the mission of guaranteeing the correct functioning of Domain Name System (DNS) zones. This paper presents a proposal to simplify the detection of attacks, and reduce the number of false reports (negative and positive). Our goal is to create a group of techniques for real time monitoring of network traffic, based on network sensors that allow, in real time, to detect abnormal network behaviour and produce meaningful data that can be used to trigger alarms and anticipate future problems, adding and removing rules at DNS firewalls. This sensors, are working together with the primary DNS servers of the .PT domain, currently monitor all traffic that crosses this service. The data correlation between the sensor and other sources (such as IDS, other sensors or agents), between two different dates, can then be used for statistical purposes and to prevent future possible attacks.