Next Article in Journal
Virtual Control Policy for Binary Ordered Resources Petri Net Class
Next Article in Special Issue
Automatic Authorship Detection Using Textual Patterns Extracted from Integrated Syntactic Graphs
Previous Article in Journal
Estimation of Soil Moisture from Optical and Thermal Remote Sensing: A Review
Previous Article in Special Issue
A Linked List-Based Algorithm for Blob Detection on Embedded Vision-Based Sensors
Article Menu

Export Article

Open AccessArticle
Sensors 2016, 16(8), 1311; doi:10.3390/s16081311

Mining IP to Domain Name Interactions to Detect DNS Flood Attacks on Recursive DNS Servers

Escuela de Ingeniería y Ciencias, Tecnologico de Monterrey, Carretera al Lago de Guadalupe Km. 3.5, Atizapán, Estado de México 52926, Mexico
Department of Informatics, Technical University of Munich, Boltzmannstr. 3, 85748 Garching, Germany
Author to whom correspondence should be addressed.
Academic Editors: Ma. Lourdes Martínez-Villaseñor and Hiram Ponce
Received: 1 June 2016 / Revised: 9 August 2016 / Accepted: 13 August 2016 / Published: 17 August 2016
View Full-Text   |   Download PDF [1077 KB, uploaded 17 August 2016]   |  


The Domain Name System (DNS) is a critical infrastructure of any network, and, not surprisingly a common target of cybercrime. There are numerous works that analyse higher level DNS traffic to detect anomalies in the DNS or any other network service. By contrast, few efforts have been made to study and protect the recursive DNS level. In this paper, we introduce a novel abstraction of the recursive DNS traffic to detect a flooding attack, a kind of Distributed Denial of Service (DDoS). The crux of our abstraction lies on a simple observation: Recursive DNS queries, from IP addresses to domain names, form social groups; hence, a DDoS attack should result in drastic changes on DNS social structure. We have built an anomaly-based detection mechanism, which, given a time window of DNS usage, makes use of features that attempt to capture the DNS social structure, including a heuristic that estimates group composition. Our detection mechanism has been successfully validated (in a simulated and controlled setting) and with it the suitability of our abstraction to detect flooding attacks. To the best of our knowledge, this is the first time that work is successful in using this abstraction to detect these kinds of attacks at the recursive level. Before concluding the paper, we motivate further research directions considering this new abstraction, so we have designed and tested two additional experiments which exhibit promising results to detect other types of anomalies in recursive DNS servers. View Full-Text
Keywords: Domain Name System; anomaly detection; IDS/IPS sensors; flood attacks; DNS recursive servers; bicliques Domain Name System; anomaly detection; IDS/IPS sensors; flood attacks; DNS recursive servers; bicliques

This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. (CC BY 4.0).

Scifeed alert for new publications

Never miss any articles matching your research from any publisher
  • Get alerts for new papers matching your research
  • Find out the new papers from selected authors
  • Updated daily for 49'000+ journals and 6000+ publishers
  • Define your Scifeed now

SciFeed Share & Cite This Article

MDPI and ACS Style

Alonso, R.; Monroy, R.; Trejo, L.A. Mining IP to Domain Name Interactions to Detect DNS Flood Attacks on Recursive DNS Servers. Sensors 2016, 16, 1311.

Show more citation formats Show less citations formats

Note that from the first issue of 2016, MDPI journals use article numbers instead of page numbers. See further details here.

Related Articles

Article Metrics

Article Access Statistics



[Return to top]
Sensors EISSN 1424-8220 Published by MDPI AG, Basel, Switzerland RSS E-Mail Table of Contents Alert
Back to Top