I want to identify when multiple queries arises from same IP address, then I want to analyze which one is legal /illegal that makes traffic over the DNS.
You have to specify which traffic is leagal/normal and which is abnormal/malicious. You specify it as your security policy. Then if any request violate that policy then that is malicious. otherwise normal.
You also create a dataset which specify which is normal and abnormal. then use any classifier or clustering techniques to distinguish normal and abnormal activities.
If you can't specify the normality of the query in advance, one way to generate that data set is by performing traffic behavior profiling (see the literature) to detect a pattern of the legality of the queries. Typically, illegal traffic behavior tend to show some patterns that are different than the legal ones such as; query time or periodicity of the queries, etc.
Actually, a query like"www.google.in" reaches DNS to match with its IP
address. When multiple queries from same IP address may leads to hang the
server.
yes, one can give more queries from same IP , but bots make use of
this and increase illegal traffic over the DNS.
Now my question is that hw to know/analysis these queries are legal or illegal...??
I have decided to assign Time-to-Live (TTL) for each queries....is this possible??
Please suggest any idea or technique to solve this problem
- Badges
- Science topic
- Similar topics
- Geoscience
- Asia
- India