DNS Intrusion Detection (DID) — A SNORT-based solution to detect DNS Amplification and DNS Tunneling attacks

Abstract

Domain Name System (DNS) plays a critical role in the Internet ecosystem, translating numerical IP addresses to memorable domain names and vice versa. The malicious user targets DNS by taking advantage of vulnerabilities in DNS. The most complex attacks in the DNS attacks vector include Distributed Denial of Service (DDoS) based DNS amplification attacks and sophisticated DNS tunneling attacks. An Intrusion Detection System (IDS) is a solution available to monitor the traffic for intrusion in the network but not exclusively for DNS intrusions. In this research paper, we present – DNS Intrusion Detection (DID), a system integrated into SNORT – a prominent open-source IDS, to detect major DNS-related attacks. We developed novel IDS signatures for various tools used in the tunneling, amplification, and DoS attacks and added them to the existing ruleset file of IDS to detect DNS-based intrusions. Our approach successfully identifies empirical DNS attacks carried out by various known tools available over the Internet. Evaluation of DID showed a high detection rate and a very low false-positive rate.