Abstract

We statistically investigated the unusually large DNS resolution traffic sent toward the top domain DNS server from a university local campus network on April 11th, 2006. The following results were obtained: (1) On April 11th, the DNS query traffic included many fully qualified domain names (FQDNs) of several specific web sites as name resolution keywords. (2) The DNS query traffic also included a large number of source IP addresses of PC clients. (3) Several DNS query keywords including specific well-known web sites could be found in the DNS traffic. Therefore, it can be concluded that we can detect the unusual traffic and bot worm activity (DDoS attacks and/or prescannings) by assuming a threshold-based statistical detection model and checking for several specific web site keywords in the DNS resolution traffic.
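As an added illustration (not code from the paper), the sketch below applies a threshold check to watched FQDNs in a DNS query log, combining observations (1) and (2): query volume per watched name and the number of distinct client addresses asking for it. The log layout, the watched names, the thresholds and the function names are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample: "<HH:MM:SS> <client IP> <queried FQDN>" (assumed layout,
# not a real resolver log format; addresses are documentation ranges).
SAMPLE_LOG = """\
10:00:01 192.0.2.11 www.site-a.example
10:00:01 192.0.2.12 www.site-a.example
10:00:02 192.0.2.13 WWW.SITE-A.EXAMPLE.
10:00:02 192.0.2.14 www.site-a.example
10:00:03 192.0.2.11 www.site-a.example
10:00:03 192.0.2.12 www.site-a.example
10:00:04 192.0.2.20 www.site-b.example
10:00:04 192.0.2.20 www.site-b.example
10:00:05 192.0.2.20 www.site-b.example
10:00:05 192.0.2.20 www.site-b.example
10:00:06 192.0.2.20 www.site-b.example
10:00:07 192.0.2.30 mail.campus.example
truncated line
"""

def parse(log):
    """Yield (timestamp, client_ip, normalized_fqdn) for well-formed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed or truncated records
        ts, src, qname = parts
        # DNS names are case-insensitive and may carry a trailing root dot.
        yield ts, src, qname.rstrip(".").lower()

def detect(log, watched, min_queries, min_sources):
    """Return {fqdn: (queries, distinct_clients)} for watched FQDNs that
    meet both thresholds within the supplied log window."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for _, src, qname in parse(log):
        if qname in watched:
            counts[qname] += 1
            sources[qname].add(src)
    return {q: (counts[q], len(sources[q])) for q in counts
            if counts[q] >= min_queries and len(sources[q]) >= min_sources}

if __name__ == "__main__":
    watched = {"www.site-a.example", "www.site-b.example"}  # hypothetical keywords
    print(detect(SAMPLE_LOG, watched, min_queries=5, min_sources=3))
```

Requiring many distinct clients as well as many queries keeps a single chatty host (here the one querying `www.site-b.example`) from raising an alert on its own.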
