Classifying DNS Servers based on Response Message Matrix using Machine Learning
Keiichi Shima, Ryo Nakamura, Kazuya Okada, Tomohiro Ishihara, Daisuke Miyamoto, Yuji Sekiya

TL;DR
This paper presents a machine learning-based method to classify DNS servers as reflectors or legitimate by analyzing response message matrices, achieving high detection accuracy especially within the same day.
Contribution
It introduces a novel detection mechanism using a feature matrix from few packets and machine learning, improving detection of malicious DNS servers.
Findings
F1 score > 0.9 within same-day data
F1 score > 0.7 for different-day data
Effective detection of DNS reflectors using minimal packet data
Abstract
Improperly configured domain name system (DNS) servers are sometimes used as packet reflectors as part of a DoS or DDoS attack. Detecting the packets created by this activity is logically possible by monitoring DNS request and response traffic: any response that has no corresponding request can be considered a reflected message. Checking and tracking every DNS packet, however, is a non-trivial operation. In this paper, we propose a detection mechanism for DNS servers used as reflectors, based on a DNS server feature matrix built from a small number of packets and a machine learning algorithm. The F1 score for bad DNS server detection was more than 0.9 when the test and training data were generated within the same day, and more than 0.7 for data from a day other than the one used for training and testing.
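The abstract describes two ideas: the baseline check (a DNS response with no matching request is a reflected message) and the cheaper alternative of summarising each server's behaviour in a small feature matrix that a classifier can score. The following is an added example, not code from the paper or its authors, showing both steps on constructed packet records. The request/response matching key, the two-second timeout, the six per-server features and the `flag_reflectors` threshold rule are all my own assumptions; the paper's actual feature matrix and learning algorithm are not described on this page, and the threshold rule only stands in for where a trained classifier would consume the matrix.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsPkt:
    """Minimal view of one DNS packet (hypothetical record layout for this example)."""
    ts: float          # capture time in seconds
    src: str           # source IP
    dst: str           # destination IP
    txid: int          # DNS transaction ID
    qname: str         # question name
    qtype: str         # question type, e.g. "A", "AAAA", "ANY"
    is_response: bool  # QR bit
    size: int = 0      # UDP payload size in bytes


def find_orphan_responses(packets, timeout=2.0):
    """Baseline check from the abstract: a response with no matching request.

    Matching key (assumption): (client, server, txid, qname, qtype). A response
    is also treated as orphaned when its request is older than `timeout` seconds.
    """
    pending = {}   # key -> timestamp of the outstanding request
    orphans = []
    for p in sorted(packets, key=lambda p: p.ts):
        if not p.is_response:
            pending[(p.src, p.dst, p.txid, p.qname, p.qtype)] = p.ts
            continue
        key = (p.dst, p.src, p.txid, p.qname, p.qtype)  # swap ends for the response
        asked_at = pending.pop(key, None)
        if asked_at is None or p.ts - asked_at > timeout:
            orphans.append(p)
    return orphans


# Per-server features (assumed set; the paper's matrix is not shown on this page).
FEATURE_NAMES = ("responses", "orphan_responses", "orphan_ratio",
                 "distinct_clients", "any_fraction", "mean_resp_bytes")


def server_feature_matrix(packets, timeout=2.0):
    """Build one feature row per responding server from a small packet sample."""
    orphan_set = set(find_orphan_responses(packets, timeout))
    by_server = defaultdict(list)
    for p in packets:
        if p.is_response:
            by_server[p.src].append(p)
    matrix = {}
    for server, resps in by_server.items():
        n = len(resps)
        orphans = sum(1 for p in resps if p in orphan_set)
        matrix[server] = [
            n,
            orphans,
            orphans / n,
            len({p.dst for p in resps}),
            sum(1 for p in resps if p.qtype == "ANY") / n,
            sum(p.size for p in resps) / n,
        ]
    return matrix


def flag_reflectors(matrix, orphan_ratio_threshold=0.5):
    """Stand-in for the trained classifier: flag servers whose responses are mostly orphans."""
    return sorted(s for s, row in matrix.items() if row[2] > orphan_ratio_threshold)


# Constructed sample capture (not real traffic). 198.51.100.53 behaves normally;
# 203.0.113.7 sends large ANY responses to a host that never asked for them.
SAMPLE_PACKETS = [
    DnsPkt(1.00, "192.0.2.10", "198.51.100.53", 0x1A2B, "example.com.", "A", False, size=40),
    DnsPkt(1.02, "198.51.100.53", "192.0.2.10", 0x1A2B, "example.com.", "A", True, size=56),
    DnsPkt(1.10, "192.0.2.11", "198.51.100.53", 0x3C4D, "example.net.", "AAAA", False, size=42),
    DnsPkt(1.13, "198.51.100.53", "192.0.2.11", 0x3C4D, "example.net.", "AAAA", True, size=70),
    DnsPkt(2.00, "203.0.113.7", "192.0.2.10", 0x0001, "example.org.", "ANY", True, size=3200),
    DnsPkt(2.01, "203.0.113.7", "192.0.2.10", 0x0002, "example.org.", "ANY", True, size=3200),
    DnsPkt(2.02, "203.0.113.7", "192.0.2.10", 0x0003, "example.org.", "ANY", True, size=3200),
    # one genuine lookup to the abused server, so its orphan ratio is not trivially 1.0
    DnsPkt(2.50, "192.0.2.12", "203.0.113.7", 0x7777, "example.org.", "A", False, size=40),
    DnsPkt(2.52, "203.0.113.7", "192.0.2.12", 0x7777, "example.org.", "A", True, size=60),
]


if __name__ == "__main__":
    matrix = server_feature_matrix(SAMPLE_PACKETS)
    for server, row in matrix.items():
        print(server, dict(zip(FEATURE_NAMES, row)))
    print("flagged:", flag_reflectors(matrix))
```

The matrix rows are what a supervised learner (for instance a random forest over the six columns above) would be trained on, with servers labelled from a ground-truth capture; the threshold in `flag_reflectors` exists only so the example produces a decision offline. Note the per-server aggregation is also where the abstract's cost argument lives: the pairing state in `find_orphan_responses` grows with every outstanding request, whereas the matrix needs only a handful of packets per server.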
