DocumentCode
2842178
Title
Detection of NS Resource Record Based DNS Query Request Packet Traffic and SSH Dictionary Attack Activity
Author
Takemori, Kazuya ; Romaña, D. ; Kubota, Shinichiro ; Sugitani, Kenichi ; Musashi, Yasuo
Author_Institution
Graduate Sch. of Sci. & Technol., Kumamoto Univ., Kumamoto, Japan
fYear
2009
fDate
1-3 Nov. 2009
Firstpage
246
Lastpage
249
Abstract
We carried out an entropy study of the DNS query traffic sent from the Internet to the top domain DNS server of a university campus network from January 1st to March 31st, 2009. The results are: (1) We observed different entropy changes among the total, the A resource record (RR) based and the PTR RR based DNS query traffic from the Internet between January 17th and February 1st, 2009. (2) We found a large volume of NS RR based DNS query traffic whose only query keyword was "." within the total DNS query traffic from the Internet. (3) We also found that on March 9th, 2009, the entropy of the PTR DNS query traffic computed over unique source IP addresses slightly increased, while the entropy computed over unique DNS query keywords drastically decreased. We identified a specific IP host, an already-hijacked legacy Linux PC, that carried out an SSH dictionary attack against Internet sites on March 9th, 2009. From these results, we can detect unusual NS RR based DNS traffic and SSH dictionary attacks by watching only the DNS query traffic from the Internet.
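The following Python script is an added example illustrating the two indicators the abstract describes; it is not the authors' code and does not reproduce their data. It computes the Shannon entropy of PTR queries per day over two distributions (unique source IP addresses and unique query keywords) and flags a day on which the keyword entropy collapses while the source entropy holds or rises, and it separately lists sources that repeatedly send NS queries for the root name ".". The log format (day, source IP, RR type, owner name), the addresses (documentation prefixes 192.0.2.0/24 for the campus and 198.51.100.0/24, 203.0.113.0/24 for external resolvers) and the thresholds are all constructed here. The scenario assumes, as an interpretation of finding (3), that the resolvers of the SSH targets perform reverse lookups of the attacking campus host, so many distinct sources ask the campus server for one PTR name.

```python
"""Entropy indicators over DNS query traffic (added example, constructed data)."""
import math
from collections import Counter, defaultdict


def shannon_entropy(counts):
    """Shannon entropy in bits of a frequency distribution (dict name -> count)."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def build_sample_log():
    """Constructed log: one query per line, fields 'day source_ip rr_type keyword'.
    Not a real server log; addresses come from documentation prefixes."""
    lines = []
    campus = [f"{i}.2.0.192.in-addr.arpa" for i in range(10, 18)]
    # Baseline day: 8 external resolvers, each doing 2 reverse lookups of a
    # different campus address, so both distributions are uniform over 8 items.
    for i in range(8):
        for _ in range(2):
            lines.append(f"2009-03-08 203.0.113.{i + 1} PTR {campus[i]}")
    # Attack day: the baseline resolvers once each, plus 6 resolvers at SSH
    # targets each doing 2 reverse lookups of the single attacking campus host.
    for i in range(8):
        lines.append(f"2009-03-09 203.0.113.{i + 1} PTR {campus[i]}")
    attacker_ptr = "77.2.0.192.in-addr.arpa"  # constructed attacker address
    for i in range(6):
        for _ in range(2):
            lines.append(f"2009-03-09 198.51.100.{i + 1} PTR {attacker_ptr}")
    # One source repeatedly asking for the root NS set ("."), as in finding (2).
    for _ in range(5):
        lines.append("2009-03-09 198.51.100.200 NS .")
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed format into (day, src_ip, rr_type, keyword) tuples."""
    records = []
    for line in text.strip().splitlines():
        day, src, rr, qname = line.split()
        records.append((day, src, rr.upper(), qname.lower()))
    return records


def daily_entropies(records, rr_type):
    """Return {day: (H over unique source IPs, H over unique keywords)}
    for the queries of one RR type."""
    src = defaultdict(Counter)
    kw = defaultdict(Counter)
    for day, s, rr, q in records:
        if rr == rr_type:
            src[day][s] += 1
            kw[day][q] += 1
    return {d: (shannon_entropy(src[d]), shannon_entropy(kw[d])) for d in sorted(src)}


def flag_keyword_collapse(entropies, min_kw_drop=0.5):
    """Days whose keyword entropy fell by at least min_kw_drop bits versus the
    previous day while the source-IP entropy did not fall: many distinct
    resolvers asking for few names. The 0.5-bit threshold is an assumption."""
    flagged = []
    days = sorted(entropies)
    for prev, cur in zip(days, days[1:]):
        prev_src, prev_kw = entropies[prev]
        cur_src, cur_kw = entropies[cur]
        if prev_kw - cur_kw >= min_kw_drop and cur_src >= prev_src:
            flagged.append(cur)
    return flagged


def root_ns_query_sources(records, threshold=3):
    """Sources that sent at least `threshold` NS queries for the root name '.'."""
    hits = Counter(s for _, s, rr, q in records if rr == "NS" and q == ".")
    return {s: n for s, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    ptr = daily_entropies(recs, "PTR")
    for day, (h_src, h_kw) in ptr.items():
        print(f"{day} PTR  H(source IP)={h_src:.3f} bits  H(keyword)={h_kw:.3f} bits")
    print("flagged days:", flag_keyword_collapse(ptr))
    print("root NS askers:", root_ns_query_sources(recs))
```

On the constructed data the baseline day gives 3.0 bits for both distributions; on the attack day the source-IP entropy rises (14 distinct resolvers instead of 8) while the keyword entropy drops (12 of 20 queries name one host), which is the shape of the signal the abstract reports for the compromised host. In practice the per-day window, the drop threshold and the choice of RR type should be tuned against the server's own history rather than fixed as here.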
Keywords
IP networks; Internet; entropy; query processing; telecommunication security; telecommunication traffic; DNS query keyword; DNS query request packet traffic; DNS server; IP address; Internet; NS resource record detection; PTR DNS traffic entropy; PTR resource record; SSH dictionary attack activity; already-hijacked classical Linux PC; university campus network; Computer crime; Dictionaries; Electronic mail; Entropy; IP networks; Intelligent networks; Internet; Network servers; Telecommunication traffic; Web server; DNS based detection; SSH dictionary attack; anomaly detection; bot network; bots;
fLanguage
English
Publisher
ieee
Conference_Titel
Intelligent Networks and Intelligent Systems, 2009. ICINIS '09. Second International Conference on
Conference_Location
Tianjin
Print_ISBN
978-1-4244-5557-7
Electronic_ISBN
978-0-7695-3852-5
Type
conf
DOI
10.1109/ICINIS.2009.69
Filename
5364840