Hierarchical Anomaly-Based Detection of Distributed DNS Attacks on Enterprise Networks
IEEE Transactions on Network and Service Management (IF 4.7), Pub Date: 2021-01-08, DOI: 10.1109/tnsm.2021.3050091
Minzhao Lyu, Hassan Habibi Gharakheili, Craig Russell, Vijay Sivaraman

The Domain Name System (DNS) is a critical service for enterprise operations and is often made openly accessible across firewalls. Malicious actors exploit this fact to attack organizational DNS servers, or to use them as reflectors against other victims. Attackers can operate with few resources, hide behind open recursive resolvers, and amplify their attack volume manifold. The rising frequency and effectiveness of DNS-based DDoS attacks make this a growing concern for organizations. Solutions available today, such as firewalls and intrusion detection systems, combine blacklists of malicious sources with thresholds on DNS traffic volume to detect and defend against volumetric attacks; these are not robust to attack sources that morph their identity or adapt their rates to evade detection. We propose a method for detecting distributed DNS attacks that uses a hierarchical graph structure to track DNS traffic at three levels, host, subnet, and autonomous system (AS), combined with machine learning that identifies anomalous behavior at each level of the hierarchy. Our method can detect distributed attacks even at low rates and with stealthy patterns. Our contributions are three-fold: (1) we analyze a week of real DNS traffic (nearly 400M packets) from the edges of two large enterprise networks to highlight the various types of incoming DNS queries and the behavior of malicious entities generating query scans and floods; (2) we develop a hierarchical graph structure to monitor DNS activity, identify key attributes, and train, tune, and evaluate anomaly detection models for each level of the hierarchy, yielding more than 99% accuracy at every level; and (3) we apply our scheme to a month's worth of DNS data from the two enterprises and compare the results against blacklists and firewall logs to demonstrate its ability to detect distributed attacks that legacy methods might miss, while maintaining acceptable real-time performance.
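The core observation in the abstract, that per-host thresholds miss a distributed flood whose individual sources each send only a few queries while the same counts rolled up to the subnet and AS level expose it, can be shown with a small hierarchical roll-up. The following is an added illustration written for this page, not code from the paper or its authors: the prefix-to-AS table, the fixed thresholds, and the query log are all constructed for the example, and the paper trains anomaly detection models per level rather than applying fixed thresholds.

```python
"""Hierarchical roll-up of incoming DNS queries by host, /24 subnet and origin AS.

Added illustration, not code from the paper. A distributed flood (30 hosts in one
AS sending 5 queries each) stays under a per-host threshold but crosses the AS
threshold; a single loud host is caught at the host level as usual.
"""
from collections import defaultdict
import ipaddress

# Constructed prefix -> ASN table (hypothetical; a real deployment would use a
# BGP-derived mapping such as a pyasn or MaxMind ASN database).
PREFIX_TO_ASN = {
    ipaddress.ip_network("198.51.100.0/24"): 64500,
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("192.0.2.0/24"): 64501,
}

# Constructed per-level query-count thresholds for the example only.
THRESHOLDS = {"host": 20, "subnet": 100, "asn": 120}


def asn_for(ip):
    """Origin AS of a source address, 0 if not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, asn in PREFIX_TO_ASN.items():
        if addr in net:
            return asn
    return 0


def subnet_for(ip):
    """The /24 containing the source address, as a string key."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_sample_log():
    """Constructed query log, one '<epoch> <src_ip> <qtype> <qname>' per line.

    AS 64500: 15 hosts in each of two /24s send 5 ANY queries each (150 total).
    AS 64501: one noisy host sends 40 queries, one benign host sends 3.
    """
    lines, ts = [], 1610000000
    for base in ("198.51.100.", "203.0.113."):
        for h in range(10, 25):
            for _ in range(5):
                lines.append(f"{ts} {base}{h} ANY example.com")
                ts += 1
    for _ in range(40):
        lines.append(f"{ts} 192.0.2.50 A www.example.com")
        ts += 1
    for _ in range(3):
        lines.append(f"{ts} 192.0.2.7 MX example.com")
        ts += 1
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed log format into (epoch, src, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, qtype, qname = line.split()
        records.append((int(ts), src, qtype, qname))
    return records


def _table():
    return defaultdict(lambda: {"queries": 0, "hosts": set(), "names": set()})


def aggregate(records):
    """Roll every query up to its host, /24 subnet and origin AS.

    Returns {level: {key: {"queries": n, "hosts": distinct sources,
    "names": distinct query names}}}.  Distinct-host and distinct-name counts
    are the kind of per-entity attribute that separates a flood (few names,
    many hosts) from a scan (many names) once the model is trained.
    """
    levels = {"host": _table(), "subnet": _table(), "asn": _table()}
    for _, src, _, qname in records:
        for level, key in (("host", src), ("subnet", subnet_for(src)), ("asn", asn_for(src))):
            entry = levels[level][key]
            entry["queries"] += 1
            entry["hosts"].add(src)
            entry["names"].add(qname)
    return {
        level: {k: {"queries": v["queries"], "hosts": len(v["hosts"]), "names": len(v["names"])}
                for k, v in table.items()}
        for level, table in levels.items()
    }


def flag_anomalies(features, thresholds=THRESHOLDS):
    """Entities at each level whose query count exceeds that level's threshold."""
    return {
        level: sorted(k for k, f in features[level].items() if f["queries"] > thresholds[level])
        for level in features
    }


if __name__ == "__main__":
    feats = aggregate(parse_log(build_sample_log()))
    for level, hits in flag_anomalies(feats).items():
        print(level, hits or "nothing flagged")
```

Run as-is, the host level flags only the loud host 192.0.2.50, the subnet level flags nothing (each /24 of the distributed source sits at 75 queries), and the AS level flags 64500 with 150 queries spread over 30 hosts. Swapping the fixed thresholds for a model trained on the per-level feature vectors is the step the paper takes; the roll-up itself is what makes the low-rate, many-source pattern visible at all.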

Updated: 2021-03-12