University of Twente Student Theses
Detecting attacks involving DNS servers : a netflow data based approach
Roolvink, S. (2008) Detecting attacks involving DNS servers : a netflow data based approach.
Abstract: | The number of attacks on Internet services has been on the rise since the Internet became available to the general public. One of the services that has been attacked in various ways is the Domain Name System (DNS) service. The DNS is one of the most important parts of the Internet. Without it, people would not be able to connect to their favorite websites or check their e-mail. New attacks on services appear almost daily, like the DNS cache poisoning attack that was discovered by Dan Kaminsky. To defend against such attacks, a number of approaches have been researched and implemented, with varying success. In this thesis several steps were taken to gain insight into the DNS service and the attacks that plague it. Log files from two DNS servers were used to gain insight into the DNS traffic that clients and the DNS servers generate. The different types of attacks that are possible were analyzed and described. The detection of attacks is done by describing the characteristics of the attacks and deriving methods of detection. One of these methods, called the relative entropy method, was tested in an effort to validate its effectiveness. The goal of the thesis is to detect attacks involving DNS servers, using high-level flow data gathered at routers. From the research it could be concluded that many DNS clients and the DNS server software BIND have implementation issues that need to be dealt with. The research has also shown that several different types of attacks exist that threaten the DNS service. From the research it could be concluded that certain attacks can be found using only Netflow data. The use of the relative entropy method has shown that, with more research, it can be used to detect certain attacks. |
Item Type: | Essay (Master) |
Faculty: | EEMCS: Electrical Engineering, Mathematics and Computer Science |
Subject: | 54 computer science |
Programme: | Computer Science MSc (60300) |
Link to this item: | https://purl.utwente.nl/essays/58497 |