• Title/Summary/Keyword: DNS query

A RealTime DNS Query Analysis System based On the Web (웹 기반 실시간 DNS 질의 분석 시스템)

  • Jang, Sang-Dong
    • Journal of Digital Convergence / v.13 no.10 / pp.279-285 / 2015
  • In this paper, we present the design and implementation of a realtime DNS Query Analysis System to detect and to protect from DNS attacks. The proposed system uses mirroring to collect data in the DMZ, then analyzes the collected data. As a result of the analysis, if the proposed system finds attack information, the information is used as filtering information for the firewall. Statistics of the collected data are viewed as realtime monitoring information on the web. To verify the effectiveness of the proposed system, we have built the proposed system and conducted some experiments. As a result, our proposed system can be used effectively to defend against DNS spoofing, DNS flooding attacks and DNS amplification attacks, can prevent the interior network's attackers from attacking, and provides realtime DNS query statistic information and geographic information for monitoring DNS queries using the GeoIP API and Google API. It can be useful information for ICT convergence and future work.

Study on the near-real time DNS query analyzing system for DNS amplification attacks (DNS 증폭 공격 탐지를 위한 근실시간 DNS 질의 응답 분석 시스템에 관한 연구)

  • Lee, Ki-Taek;Baek, Seung-Soo;Kim, Seung-Joo
    • Journal of the Korea Institute of Information Security & Cryptology / v.25 no.2 / pp.303-311 / 2015
  • DNS amplification is a new type of DDoS Attack and nowadays the attack occurs frequently. The previous studies showed the several detection ways such as the traffic analysis based on DNS queries and packet size. However, those methods have some limitations such as the uncertainty of packet size which depends on IP address type and vulnerabilities against distributed amplification attack. Therefore, we proposed a novel traffic analyzing algorithm using Success Rate and implemented the query analyzing system.

Feature Selection with PCA based on DNS Query for Malicious Domain Classification (비정상도메인 분류를 위한 DNS 쿼리 기반의 주성분 분석을 이용한 성분추출)

  • Lim, Sun-Hee;Cho, Jaeik;Kim, Jong-Hyun;Lee, Byung Gil
    • KIPS Transactions on Computer and Communication Systems / v.1 no.1 / pp.55-60 / 2012
  • Recent botnets are widely using the DNS services at the connection of C&C server in order to evade botnet's detection. It is necessary to study on DNS analysis in order to counteract anomaly-based technique using the DNS. This paper studies collection of DNS traffic for experimental data and supervised learning for DNS traffic-based malicious domain classification such as query of domain name corresponding to C&C server from zombies. Especially, this paper would aim to determine significant features of DNS-based classification system for malicious domain extraction by the Principal Component Analysis(PCA).

Fail-over Mechanisms based on Anycast for Stable IPv6 Recursive DNS Services (안정적인 IPv6 리커시브 DNS 서비스를 위한 애니캐스트 기반의 실패 복구 방안 연구)

  • Suh, Yu-Hwa;Kim, Kyung-Min;Shin, Yong-Tae;Song, Kwang-Ho;Kim, Weon;Park, Chan-Ki
    • The Journal of Korean Institute of Communications and Information Sciences / v.32 no.2B / pp.108-117 / 2007
  • Recursive DNS is configured as the primary or secondary DNS on a user's PC and performs domain name resolution for the user's DNS queries. At present, DNS traffic occupies a high proportion of total internet traffic, and internet traffic would be increased by failures of IPv6 DNS queries and responses in the IPv6 transition environment. Also, existing Recursive DNS service mechanisms are unstable under malicious users' attacks such as DoS/DDoS attacks and do not provide users with trusted DNS service fail-over. In this paper, we propose IPv6 Recursive DNS service mechanisms based on anycast for improving stability. The fail-over Recursive DNS is configured with an IPv6 anycast address for the primary Recursive DNS's fail-over. This mechanism increases reliability and resiliency to DoS/DDoS attacks, reduces query latency, and helps minimize DNS traffic by inducing IPv6 addresses.

A Study of Command & Control Server through Analysis - DNS query log (명령제어서버 탐색 방법 - DNS 분석 중심으로)

  • Cheon, Yang-Ha
    • The Journal of the Korea institute of electronic communication sciences / v.8 no.12 / pp.1849-1856 / 2013
  • A DoS attack, short for Denial of Service attack, is an internet intrusion technique which harasses service availability of legitimate users. To respond to the DDoS attack, a lot of methods focusing on attack source, target and intermediate network have been proposed, but there has not been a clear solution. In this paper, we propose the prevention of malicious activity and early detection of DDoS attacks by detecting and removing the activity of botnets or other malicious codes. For this purpose, the proposed method monitors the network traffic, especially DNS traffic, which originates from botnets or malicious codes.

Impact Evaluation of DDoS Attacks on DNS Cache Server Using Queuing Model

  • Wang, Zheng;Tseng, Shian-Shyong
    • KSII Transactions on Internet and Information Systems (TIIS) / v.7 no.4 / pp.895-909 / 2013
  • Distributed Denial-of-Service (DDoS) attacks towards name servers of the Domain Name System (DNS) have threatened to disrupt this critical service. This paper studies the vulnerability of the cache server to the flooding DNS query traffic. As the resolution service provided by cache server, the incoming DNS requests, even the massive attacking traffic, are maintained in the waiting queue. The sojourn of requests lasts until the corresponding responses are returned from the authoritative server or time out. The victim cache server is thus overloaded by the pounding traffic and thereafter goes down. The impact of such attacks is analyzed via the model of queuing process in both cache server and authoritative server. Some specific limits hold for this practical dual queuing process, such as the limited sojourn time in the queue of cache server and the independence of the two queuing processes. The analytical results are presented to evaluate the impact of DDoS attacks on cache server. Finally, numerical results are provided for further analysis.

Refined identification of hybrid traffic in DNS tunnels based on regression analysis

  • Bai, Huiwen;Liu, Guangjie;Zhai, Jiangtao;Liu, Weiwei;Ji, Xiaopeng;Yang, Luhui;Dai, Yuewei
    • ETRI Journal / v.43 no.1 / pp.40-52 / 2021
  • DNS (Domain Name System) tunnels almost obscure the true network activities of users, which makes it challenging for the gateway or censorship equipment to identify malicious or unpermitted network behaviors. An efficient way to address this problem is to conduct a temporal-spatial analysis on the tunnel traffic. Nevertheless, current studies on this topic limit the DNS tunnel to those with a single protocol, whereas more than one protocol may be used simultaneously. In this paper, we concentrate on the refined identification of two protocols mixed in a DNS tunnel. A feature set is first derived from DNS query and response flows, which is incorporated with deep neural networks to construct a regression model. We benchmark the proposed method with captured DNS tunnel traffic; the experimental results show that the proposed scheme can achieve identification accuracy of more than 90%. To the best of our knowledge, the proposed scheme is the first to estimate the ratios of two mixed protocols in DNS tunnels.

A Study on Secure Query/Response System using Pseudonoise Sequence in DNS (DNS상에서 Pseudonoise Sequence를 사용한 안전한 질의/응답 시스템에 관한 연구)

  • 석우진;이만희;최홍진;변옥환
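    • Proceedings of the Korean Information Science Society Conference / 1998.10a / pp.612-614 / 1998
  • DNS is the system that performs the mutual conversion between domain names and IP addresses on the Internet. In DNS, queries requesting a domain name or IP address, and the responses to them, are transmitted over the network as messages using UDP. This leaves open the possibility of manipulation through third-party intervention. To prevent such manipulation of query and response messages, RFC 2065 used the RSA public-key scheme. The RSA public-key scheme currently presents many difficulties for direct use in Korea and performs poorly in terms of speed. In this paper, we aim to enable secure query and response in DNS using a Pseudonoise Sequence and MD5. By using a Pseudonoise Sequence and MD5, messages do not need to be encrypted and little computation is required. By writing a Pseudonoise Sequence into the message and having the sending and receiving sides check the MD5 of that message, manipulation through third-party intervention can be prevented and the integrity of the message data can be ensured.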

Study on Windows Event Log-Based Corporate Security Audit and Malware Detection (윈도우 이벤트 로그 기반 기업 보안 감사 및 악성코드 행위 탐지 연구)

  • Kang, Serim;Kim, Soram;Park, Myungseo;Kim, Jongsung
    • Journal of the Korea Institute of Information Security & Cryptology / v.28 no.3 / pp.591-603 / 2018
  • Windows Event Log is a format that records system logs in the Windows operating system and methodically manages information about system operation. An event can be caused by the system itself or by a user's specific actions, and some event logs can be used for corporate security audits, malware detection and so on. In this paper, we choose actions related to corporate security audit and malware detection (External storage connection, Application install, Shared folder usage, Printer usage, Remote connection/disconnection, File/Registry manipulation, Process creation, DNS query, Windows service, PC startup/shutdown, Log on/off, Power saving mode, Network connection/disconnection, Event log deletion and System time change), which can be detected through event log analysis, and classify event IDs that occur in each situation. Also, the existing event log tools only include functions related to the EVTX file parse and it is difficult to track user's behavior when used in a forensic investigation. So we implemented a new analysis tool in this study which parses EVTX files and user behaviors.

A New Web Cluster Scheme for Load Balancing among Internet Servers (인터넷 환경에서 서버간 부하 분산을 위한 새로운 웹 클러스터 기법)

  • Kim, Seung-Young;Lee, Seung-Ho
    • The KIPS Transactions:PartC / v.9C no.1 / pp.115-122 / 2002
  • This paper presents a new web cluster scheme based on a dispatcher which does not depend on the operating system of the server and can examine the server's status interactively. Two principal functions are proposed for the new web cluster technique. One is self-controlled load distribution and the other is transaction fail-safe. The self-controlled load distribution function checks response time and status of servers periodically, then decides where the traffic goes to guarantee rapid response for every query. The transaction fail-safe function can recover lost queries, including broken transactions, immediately from server errors. The proposed new web cluster scheme is implemented in C language on the Unix operating system and compared with legacy web cluster products. In the comparison with a broadcast based web cluster, the proposed new web cluster shows higher performance as more traffic comes. In the comparison with a round-robin DNS based web cluster, it shows similar performance in the case of traffic processing. But in the situation where one server crashed, the proposed web cluster processed traffic more reliably without lost queries. So, the new web cluster scheme proposed in this dissertation can give an alternative plan for highly increasing traffic and server load due to heavy traffic, to build more reliable and utilized services.