Tracking Anomalous Behaviors of Name Servers by Mining DNS Traffic

  • Yao Wang
  • Ming-zeng Hu
  • Bin Li
  • Bo-ru Yan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4331)


This paper seeks to quantitatively understand the nature of the current threat to common name servers. A new tracking technique based on a statistical model is proposed to locate anomalous name servers by analyzing real-world DNS traffic. After summarizing the attacks against DNS, the detection method based on associative feature analysis is presented. Experiments are conducted that highlight both the payload anomaly and the data flow anomaly, and the experimental results reveal the efficiency of our method in detecting the anomalous behaviors of name servers.


Anomalous Behavior; Internet Service Provider; Domain Name System; Query Type; Configuration Error
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Yao Wang (1)
  • Ming-zeng Hu (1)
  • Bin Li (1)
  • Bo-ru Yan (1)
  1. Research Center of Computer Network and Information Security Technology, Harbin Institute of Technology, Harbin, Heilongjiang, China
