DNS Based Detection of Spam Bots and Host Search Activity

We carried out an entropy study of the DNS query traffic arriving from outside the university campus network at the top domain DNS server of the university, over the period April 1, 2007 to July 31, 2008. The main results are as follows. (1) Random spam bots are still alive and active in the campus network: we frequently observe the entropy of the DNS query traffic computed over unique source IP addresses increasing while the entropy computed over unique DNS query keywords decreases. (2) We also observe a large volume of reverse name resolution (PTR) queries from a specific site against the campus IP address range. We therefore conclude that random spam bots are still active in the campus network and that the campus network is also being targeted by attackers.
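The two signals described in the abstract, as an added worked example that is not code or data from the paper: Shannon entropy of the query traffic computed per time window over source IP addresses and over query names, with a window flagged when the source-IP entropy rises while the query-name entropy falls, plus a count of distinct campus addresses each source resolves via PTR queries. The log lines are constructed in a BIND-style "query:" format, the campus range 10.0.0.0/16, the one-minute window and the five-host threshold are all assumptions for illustration; the paper does not state its window size, thresholds or log format.

```python
import math
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of BIND-style query-log lines (not data from the paper).
# Minute 10:00 is ordinary traffic, 10:01 mimics the spam-bot signature the
# abstract describes (many sources, few distinct query names), and 10:02 is a
# reverse-lookup sweep of a campus subnet from a single outside address.
SAMPLE_LOG = """\
2007-04-01T10:00:03 client 203.0.113.10#51234: query: www.example.org IN A
2007-04-01T10:00:09 client 203.0.113.10#51235: query: mail.example.net IN MX
2007-04-01T10:00:15 client 203.0.113.11#40001: query: ns1.example.edu IN A
2007-04-01T10:00:22 client 198.51.100.7#33210: query: cdn.example.com IN A
2007-04-01T10:00:31 client 203.0.113.12#40002: query: ftp.example.org IN A
2007-04-01T10:00:44 client 198.51.100.7#33211: query: www.example.edu IN A
2007-04-01T10:01:02 client 10.0.2.11#1025: query: mx.spamtarget-example.com IN MX
2007-04-01T10:01:03 client 10.0.2.12#1025: query: mx.spamtarget-example.com IN MX
2007-04-01T10:01:04 client 10.0.2.13#1025: query: mx.spamtarget-example.com IN MX
2007-04-01T10:01:05 client 10.0.2.14#1025: query: mx.relay-example.net IN MX
2007-04-01T10:01:06 client 10.0.2.15#1025: query: mx.spamtarget-example.com IN MX
2007-04-01T10:01:07 client 10.0.2.16#1025: query: mx.spamtarget-example.com IN MX
2007-04-01T10:01:08 client 10.0.2.17#1025: query: mx.relay-example.net IN MX
2007-04-01T10:01:09 client 10.0.2.18#1025: query: mx.spamtarget-example.com IN MX
2007-04-01T10:02:01 client 192.0.2.99#5353: query: 1.5.0.10.in-addr.arpa IN PTR
2007-04-01T10:02:01 client 192.0.2.99#5353: query: 2.5.0.10.in-addr.arpa IN PTR
2007-04-01T10:02:02 client 192.0.2.99#5353: query: 3.5.0.10.in-addr.arpa IN PTR
2007-04-01T10:02:02 client 192.0.2.99#5353: query: 4.5.0.10.in-addr.arpa IN PTR
2007-04-01T10:02:03 client 192.0.2.99#5353: query: 5.5.0.10.in-addr.arpa IN PTR
2007-04-01T10:02:03 client 192.0.2.99#5353: query: 6.5.0.10.in-addr.arpa IN PTR
2007-04-01T10:02:10 client 203.0.113.10#51240: query: 1.1.0.10.in-addr.arpa IN PTR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>[0-9.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)

# Assumed campus address range (hypothetical; the paper does not give one).
CAMPUS_NET = ip_network("10.0.0.0/16")


def parse_log(text):
    """Yield one dict per well-formed query-log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def shannon_entropy(counts):
    """Entropy in bits of the empirical distribution held in a Counter."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def entropy_by_minute(records):
    """Map each minute to (entropy over source IPs, entropy over query names)."""
    per_min = defaultdict(lambda: (Counter(), Counter()))
    for r in records:
        srcs, names = per_min[r["ts"][:16]]  # "YYYY-MM-DDTHH:MM" (assumed 1-minute window)
        srcs[r["src"]] += 1
        names[r["qname"].lower().rstrip(".")] += 1
    return {m: (shannon_entropy(s), shannon_entropy(n)) for m, (s, n) in per_min.items()}


def spam_bot_windows(entropies):
    """Minutes whose source-IP entropy rose while query-name entropy fell versus the previous minute."""
    flagged, prev = [], None
    for minute in sorted(entropies):
        h_src, h_name = entropies[minute]
        if prev is not None and h_src > prev[0] and h_name < prev[1]:
            flagged.append(minute)
        prev = (h_src, h_name)
    return flagged


def ptr_target(qname):
    """Turn 'd.c.b.a.in-addr.arpa' into the IPv4 address a.b.c.d, or None if not a PTR name."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ip_address(".".join(reversed(labels[:4])))
    except ValueError:
        return None


def reverse_lookup_scanners(records, campus=CAMPUS_NET, min_hosts=5):
    """Sources that PTR-query at least min_hosts distinct addresses inside the campus range."""
    targets = defaultdict(set)
    for r in records:
        if r["qtype"].upper() != "PTR":
            continue
        addr = ptr_target(r["qname"])
        if addr is not None and addr in campus:
            targets[r["src"]].add(addr)
    return {src: len(a) for src, a in targets.items() if len(a) >= min_hosts}


def analyse(text=SAMPLE_LOG):
    """Run both detectors over a log text; returns (entropies, bot minutes, scanners)."""
    records = list(parse_log(text))
    ent = entropy_by_minute(records)
    return ent, spam_bot_windows(ent), reverse_lookup_scanners(records)


if __name__ == "__main__":
    ent, bots, scanners = analyse()
    for minute, (h_src, h_name) in sorted(ent.items()):
        print(f"{minute}  H(src)={h_src:.3f}  H(qname)={h_name:.3f}")
    print("spam-bot-like minutes:", bots)
    print("reverse-lookup scanners:", scanners)
```

On the constructed sample the 10:01 minute is flagged (source entropy climbs from about 1.92 to 3.0 bits while query-name entropy drops from about 2.58 to 0.81 bits) and 192.0.2.99 is reported as having resolved six campus addresses; the single PTR query from 203.0.113.10 stays below the threshold. A production version would compare each window against a baseline rather than only the previous window, since a single quiet minute can otherwise trigger a false positive.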