Detecting Network Security Threats Using Domain Name System and NetFlow Traffic

With more and more organization in the world rely on the Internet to do their business or activity, the malicious attackers are always looking for ways to penetrate in organization internal network to achieve their malicious goals. The malicious activities may include spam distribution, denial of service, adware, identity theft and many other security threats. Many of the security perimeter devices only able to detect network security threats from external, organization is left with many undetected or even unknown internal security threats. Many of these network security threats can be detected by monitoring and analyzing network traffic. One of the emerging threats is Domain Name System (DNS) Distributed Denial of Service (DDoS) attack, which flood the authoritative DNS server with large amount of DNS request. We introduce a new method to detect DDoS attack by using Netflow traffic as the early indicator of DDOS attacks and DNS traffic to validate the DNS DDOS attack. We also showed that by measuring statistical entropy of Netflow traffic and statistical values of DNS NXDOMAIN response, our proposed model could be used to detect either low volume or high volume DDoS attack.