DocumentCode
2668990
Title
Detection of Kaminsky DNS Cache Poisoning Attack
Author
Musashi, Yasuo ; Kumagai, Masaya ; Kubota, Shinichiro ; Sugitani, Kenichi
Author_Institution
Center for Multimedia & Inf. Technol., Kumamoto Univ., Kumamoto, Japan
fYear
2011
fDate
1-3 Nov. 2011
Firstpage
121
Lastpage
124
Abstract
We statistically investigated the total inbound standard DNS resolution traffic from the Internet to the top domain DNS server in a university campus network from January 1st to December 31st, 2010. The following results were obtained: (1) We found five Kaminsky DNS Cache Poisoning (Kaminsky) attacks by observing a rapid decrease in the unique source IP address based entropy of the DNS query request packet traffic and a significant increase in the unique DNS query keyword based entropy. (2) We also found nine Kaminsky attacks in the score changes of a detection method that uses the restricted Damerau-Levenshtein distance (restricted edit distance) calculated between the observed current query keyword and the last one, by employing both threshold ranges from 1 to 40. Therefore, the restricted Damerau-Levenshtein distance based detection technology may be able to detect Kaminsky attacks.
Keywords
Internet; computer network security; DNS query keyword; DNS query request packet traffic; DNS resolution traffic; DNS server; Damerau-Levenshtein distance; IP address based entropy; Internet; Kaminsky DNS cache poisoning attack; domain name service; university campus network; Computer crime; Educational institutions; Entropy; Estimation; IP networks; Internet; Servers; DNS cache poisoning attack; Kaminsky attack detection; Phishing;
fLanguage
English
Publisher
ieee
Conference_Titel
Intelligent Networks and Intelligent Systems (ICINIS), 2011 4th International Conference on
Conference_Location
Kunming
Print_ISBN
978-1-4577-1626-3
Type
conf
DOI
10.1109/ICINIS.2011.18
Filename
6104708