CR · May 23, 2019

Characterizing Certain DNS DDoS Attacks

arXiv:1905.09958v2 · 1 citation
Originality: Incremental advance
AI Analysis

This research addresses cybersecurity threats for network administrators and security professionals by providing new insights into DNS DDoS attacks, though it is incremental as it builds on existing data science methods in a specific domain.

The paper tackles the problem of characterizing a specific type of DNS DDoS attack with little prior malware data, using statistical classifiers and unsupervised learning on passive DNS data to identify attacks and uncover previously unknown features, revealing that current attacks differ from published descriptions and involve a small number of global-scale systems.

This paper details data science research in the area of Cyber Threat Intelligence applied to a specific type of Distributed Denial of Service (DDoS) attack. We study a DDoS technique prevalent in the Domain Name System (DNS) for which little malware has been recovered. Using data from a globally distributed set of passive collectors (pDNS), we create a statistical classifier to identify these attacks and then use unsupervised learning to investigate the attack events and the malware that generates them. In the first known major study of this technique, we discover that current attacks have little resemblance to published descriptions and identify several previously unpublished features of the attacks. Through a combination of text and time series features, we are able to characterize the dominant malware and demonstrate that the number of global-scale attack systems is relatively small.
