Sunday, 3 February 2013

Attack Forensics DNS logs


DNS logs
The attacker must use DNS to determine the actual IP address of the
target before launching the attack. If this is done automatically, the time
of the DNS query and the time of the attack might be quite close
together, and it may also be possible to determine the identity of the
attacker's DNS resolver by looking at the DNS queries around the time
of the start of the attack. It may also be extremely useful to compare the
DNS logs from different systems that have been attacked: one may be
able to identify a small set of hosts making the queries right before the
attack.
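The correlation described above, as an added example that is not part of the original post: resolver logs from two attacked systems are searched for lookups of each target's name in a window before its flood began, and the resolvers common to every attack are reported. The log format, names, addresses and attack start times are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver logs for two attacked systems (not real data).
# Each line: "<ISO timestamp> <querying resolver IP> <queried name>"
DNS_LOGS = {
    "target-a": """\
2013-02-03T09:10:00 192.0.2.44 www.target-a.test
2013-02-03T10:00:01 203.0.113.10 www.target-a.test
2013-02-03T10:01:12 198.51.100.7 www.target-a.test
2013-02-03T10:03:30 198.51.100.7 mail.target-a.test
2013-02-03T10:04:55 203.0.113.10 www.target-a.test
""",
    "target-b": """\
2013-02-03T11:30:02 203.0.113.10 www.target-b.test
2013-02-03T11:31:40 192.0.2.99 www.target-b.test
""",
}
# Flood start per system (hypothetical, e.g. as reported by a flood detector).
ATTACK_START = {"target-a": "2013-02-03T10:05:00", "target-b": "2013-02-03T11:32:00"}
TARGET_NAME = {"target-a": "www.target-a.test", "target-b": "www.target-b.test"}

def parse_dns_log(text):
    """Parse log lines into (timestamp, resolver_ip, qname) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, resolver, qname = line.split()
            records.append((datetime.fromisoformat(ts), resolver, qname))
    return records

def resolvers_before_attack(records, qname, attack_start, window=timedelta(minutes=10)):
    """Resolvers that looked up qname within `window` before the flood began,
    mapped to their lead times in seconds (smaller = closer to attack start)."""
    start = datetime.fromisoformat(attack_start)
    hits = defaultdict(list)
    for ts, resolver, name in records:
        if name == qname and start - window <= ts <= start:
            hits[resolver].append(int((start - ts).total_seconds()))
    return dict(hits)

def correlate_targets(logs, names, starts, window=timedelta(minutes=10)):
    """Per-target suspicious resolvers, plus the set seen before every attack."""
    per_target = {t: resolvers_before_attack(parse_dns_log(logs[t]), names[t], starts[t], window)
                  for t in logs}
    common = set.intersection(*(set(h) for h in per_target.values()))
    return per_target, common

if __name__ == "__main__":
    print(correlate_targets(DNS_LOGS, TARGET_NAME, ATTACK_START))
```

Queries for other names (the `mail.` record) and lookups well outside the window (the 09:10 record) are discarded, so only the resolver 203.0.113.10 appears before both floods.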
Control Channel Detection
Detecting large volumes of control channel traffic is a likely indicator
that the actual attacker or attack coordinator is close to the detector.
Implementing a threshold-based detector that looks for a certain number
of control channel packets within a certain time interval may be a good
way to provide an early warning of an attack and also provide insight
into the network and geographic location of the attacker.
Correlation and Integration
By integrating an attack detector with other tools that can trace spoofed
packets, it may be possible to automate the location of the attacker. By
correlating data from control channel detectors and flood detectors, it
may be possible to determine which control channel caused which
flood, or it may be possible to follow spoofed signals from hop to hop,
or from attack server to target. For instance, identifying the closest
attack source hop may serve to minimize the effect of the source-IP-range
based filtering response.
