Classifying DNS Servers based on Response Message Matrix using Machine Learning
This addresses the issue of DNS-based attacks for network security, but it is incremental as it builds on existing monitoring and ML approaches.
The paper tackles the problem of detecting DNS servers used as packet reflectors in DoS/DDoS attacks by proposing a detection mechanism using a DNS server feature matrix and machine learning, achieving an F1 score of over 0.9 for same-day data and over 0.7 for cross-day data.
Improperly configured domain name system (DNS) servers are sometimes used as packet reflectors as part of a DoS or DDoS attack. Detecting packets created by this activity is logically possible by monitoring the DNS request and response traffic: any response that does not have a corresponding request can be considered a reflected message. Checking and tracking every DNS packet, however, is a non-trivial operation. In this paper, we propose a detection mechanism for DNS servers used as reflectors that combines a DNS server feature matrix built from a small number of packets with a machine learning algorithm. The F1 score of bad DNS server detection was more than 0.9 when the test and training data were generated within the same day, and more than 0.7 for data from a day other than the one used for the training and testing phase.
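The request/response matching idea described above, as an added example that is not code from the paper: responses are matched to earlier queries on (client, server, transaction id), and each server gets a small feature row. The two features and the threshold are assumptions standing in for the paper's feature matrix and classifier; the packets are constructed sample data.

```python
# Added example (not the paper's code): match DNS responses to prior queries and
# derive a per-server feature row. Feature choice is an illustrative assumption.
from collections import defaultdict

# Constructed sample packets: (direction, client, server, txid, rcode, size_bytes)
# 'Q' = query leaving the monitored network, 'R' = response arriving.
SAMPLE = [
    ("Q", "10.0.0.5", "198.51.100.1", 0x1A2B, None, 60),
    ("R", "10.0.0.5", "198.51.100.1", 0x1A2B, 0, 120),
    ("R", "10.0.0.9", "198.51.100.7", 0x3333, 0, 3200),  # no matching query seen
    ("R", "10.0.0.9", "198.51.100.7", 0x3334, 0, 3100),  # no matching query seen
    ("Q", "10.0.0.5", "198.51.100.7", 0x4444, None, 58),
    ("R", "10.0.0.5", "198.51.100.7", 0x4444, 3, 100),
]


def match_responses(packets):
    """Per-server counts of matched/unmatched responses and total response bytes.
    A response is 'matched' if a query with the same (client, server, txid)
    was observed earlier; otherwise it is treated as a reflected message."""
    pending = set()
    stats = defaultdict(lambda: {"matched": 0, "unmatched": 0, "resp_bytes": 0})
    for direction, client, server, txid, _rcode, size in packets:
        key = (client, server, txid)
        if direction == "Q":
            pending.add(key)
            continue
        s = stats[server]
        s["resp_bytes"] += size
        if key in pending:
            pending.discard(key)  # one response consumes one query
            s["matched"] += 1
        else:
            s["unmatched"] += 1
    return dict(stats)


def feature_row(s):
    """Assumed feature vector for one server: (unmatched ratio, mean response size)."""
    total = s["matched"] + s["unmatched"]
    if total == 0:
        return (0.0, 0.0)
    return (s["unmatched"] / total, s["resp_bytes"] / total)


def flag_reflectors(packets, ratio_threshold=0.5):
    """Servers whose unmatched-response ratio exceeds the threshold.
    A trained classifier over the stacked feature rows would replace this rule."""
    stats = match_responses(packets)
    return sorted(srv for srv, s in stats.items() if feature_row(s)[0] >= ratio_threshold)
```

Stacking `feature_row` over all observed servers yields the feature matrix a classifier would consume; only the recent window of queries needs to be kept, which is what makes this cheaper than tracking every packet indefinitely.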