In this paper, we propose an approach for detecting internal and external network scanning attacks on enterprise networks. In our approach, an inline scan detection system (SDS) monitors the ingress and egress flows of an enterprise network subnet and detects scanning probes by correlating flows with preceding DNS queries/responses and by reducing the TTL values of DNS Resource Records (RRs). Through rigorous evaluation, we show that our method is effective against both external and internal port scanners and network worms, that its effectiveness is independent of scanning rate or technique, and that its deployment incurs negligible overhead on DNS and network response times. While the idea of detecting scans by correlating network flows with preceding DNS queries/responses has been proposed in the literature, this work extends the state of the art by offering four contributions: 1) we show that without decreasing the TTL values of RRs in DNS responses, attackers can piggyback on cached DNS records to bypass our detection; thus we incorporate a TTL reduction mechanism to enhance the effectiveness of this approach, especially against stealthy and adaptive scanners; 2) while prior work only detects internal scanners, we use the relatively new extension of the DNS protocol, the EDNS0 Client Subnet (ECS) option, to expand this approach toward detecting external scanners; 3) we present a novel adaptive scanning technique, called DNS-cache-based scanning, that exploits the local DNS cache to bypass prior detection methods, and we show that, while prior approaches fail to defeat this threat model, our approach is effective against this evolved threat model as well; and 4) contrary to existing work that focuses on defeating fast network scanning worms, this approach is effective against any scanning, including stealthy scanning that uses conservative timing profiles to evade detection.
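The following is an added illustration, not the paper's SDS implementation: a toy inline detector that keeps a table of recent DNS answers keyed by (client, resolved address) and flags any flow whose destination has no live answer for that client. It models the three ideas in the abstract with constructed data: internal clients are keyed by host address, external sources are keyed by an assumed /24 ECS prefix taken from the ECS-tagged answer, and an optional `max_ttl` cap stands in for the TTL reduction mechanism, which is what catches the cache-based probe that slips through when TTLs are passed unchanged. The subnet `10.0.0.0/8`, the prefix length 24, and all events are assumptions made for the example.

```python
"""Toy DNS-correlated scan detector (example code, not the paper's SDS).
A flow is suspicious unless its source recently received a DNS answer
for the destination address and that answer's TTL has not expired."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

INTERNAL = ip_network("10.0.0.0/8")   # assumed enterprise subnet monitored by the SDS
ECS_PREFIX = 24                       # assumed ECS source prefix length for IPv4 queriers


@dataclass
class DnsAnswer:
    t: float
    client: str   # internal client IP, or the ECS client subnet for an external querier
    name: str
    ip: str       # resolved address carried in the RR
    ttl: int      # TTL as issued by the authoritative server / upstream resolver


@dataclass
class Flow:
    t: float
    src: str
    dst: str


def client_key(src: str) -> str:
    """Internal hosts are keyed by address; external sources by their ECS-sized prefix."""
    if ip_address(src) in INTERNAL:
        return src
    return str(ip_network(f"{src}/{ECS_PREFIX}", strict=False))


class ScanDetector:
    def __init__(self, max_ttl: Optional[int] = None):
        self.max_ttl = max_ttl   # None = forward TTLs unchanged; int = TTL reduction cap
        self.expiry = {}         # (client key, resolved ip) -> time the answer stops justifying flows

    def observe_dns(self, ans: DnsAnswer) -> int:
        """Record the answer and return the (possibly reduced) TTL the SDS forwards."""
        ttl = ans.ttl if self.max_ttl is None else min(ans.ttl, self.max_ttl)
        self.expiry[(ans.client, ans.ip)] = ans.t + ttl
        return ttl

    def observe_flow(self, flow: Flow) -> bool:
        """True when no live DNS answer explains this flow, i.e. it looks like a probe."""
        exp = self.expiry.get((client_key(flow.src), flow.dst))
        return exp is None or flow.t > exp


def detect(events: List[Union[DnsAnswer, Flow]], max_ttl: Optional[int] = None) -> List[Tuple[str, str]]:
    """Replay events in time order and return the (src, dst) pairs flagged as probes."""
    det = ScanDetector(max_ttl)
    flagged = []
    for ev in sorted(events, key=lambda e: e.t):
        if isinstance(ev, DnsAnswer):
            det.observe_dns(ev)
        elif det.observe_flow(ev):
            flagged.append((ev.src, ev.dst))
    return flagged


def constructed_events() -> List[Union[DnsAnswer, Flow]]:
    """Constructed sample traffic: one internal and one external client, 1 hour TTLs."""
    return [
        # internal client resolves a host, then connects: legitimate
        DnsAnswer(0, "10.0.0.5", "app.example.internal", "10.0.1.20", 3600),
        Flow(1, "10.0.0.5", "10.0.1.20"),
        # much later it re-probes the cached address without a fresh lookup (cache-based scan),
        # then sweeps neighbours it never resolved
        Flow(1000, "10.0.0.5", "10.0.1.20"),
        Flow(1001, "10.0.0.5", "10.0.1.21"),
        Flow(1002, "10.0.0.5", "10.0.1.22"),
        # external querier: the answer arrives with ECS subnet 198.51.100.0/24 attached
        DnsAnswer(500, "198.51.100.0/24", "www.example.com", "10.0.1.20", 3600),
        Flow(501, "198.51.100.7", "10.0.1.20"),   # covered by the ECS-tagged answer
        Flow(502, "198.51.100.7", "10.0.1.21"),   # neighbour never resolved: probe
        Flow(503, "192.0.2.9", "10.0.1.20"),      # different /24, no answer on record: probe
    ]


if __name__ == "__main__":
    ev = constructed_events()
    print("TTLs unchanged:", detect(ev))
    print("TTL capped at 30 s:", detect(ev, max_ttl=30))
```

With TTLs passed through unchanged the re-probe of `10.0.1.20` at t=1000 is not flagged because the hour-long answer from t=0 still covers it; capping the forwarded TTL at 30 seconds forces the client to re-resolve, so the same flow is flagged. The external flows show why keying on the ECS prefix matters: without the ECS-tagged answer, every inbound flow would either be flagged or have to be exempted wholesale.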