DNS Kaminsky attack graph
Graph
Analysis
This graph was generated from a set of 3000 events. The picviz file was produced from the named (BIND) logs with the named2picviz.pl script.
Looking at the timeline field, as in the picture below, the red events are easily seen to be very regularly spaced. Human-driven lookups are bursty; evenly spaced queries are the signature of an automated tool, exactly a worm behavior:
Then, on the Source field, which holds the IPv4 address the logged queries came from, only one single source is seen:
The source IP address itself can be read in the picviz-gui frontend by hovering the mouse over that line.
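The two observations above (evenly spaced events on the timeline, one address on the Source axis) can be checked numerically instead of by eye. The script below is an added example, not the page's named2picviz.pl or any Picviz code: it parses BIND 9 query-log lines in the default "queries" channel layout (an assumption about the log format), measures how regular the inter-arrival gaps are with a coefficient of variation, counts distinct sources, and flags the combination. The 0.1 regularity threshold and the sample log lines are constructed for illustration.

```python
"""Regularity / single-source check over BIND query-log lines.

Added example (not the page's named2picviz.pl): reproduces the two
observations from the Picviz graph in code, (1) evenly spaced event
timestamps and (2) a single source address, over constructed sample
log lines, and flags the combination as automated traffic.
"""
import re
import statistics
from collections import Counter
from datetime import datetime

# Assumed BIND 9 query-log layout (default "queries" channel), e.g.:
# 08-Apr-2008 16:21:31.001 client 10.0.0.5#53000: query: www.example.com IN A +
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return a dict for one query-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return {"ts": ts, "src": m.group("src"),
            "qname": m.group("qname"), "qtype": m.group("qtype")}


def parse_log(lines):
    """Parse all lines, silently dropping non-query lines."""
    return [e for e in (parse_line(l) for l in lines) if e]


def interarrival_cv(events):
    """Coefficient of variation of the gaps between consecutive events.

    Near 0 means evenly spaced (a scripted sender); human-driven traffic
    is bursty and typically gives a value around 1 or above.
    """
    ts = sorted(e["ts"] for e in events)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean == 0:
        return 0.0
    return statistics.pstdev(gaps) / mean


def source_counts(events):
    """Number of queries per source IPv4 address (the graph's Source axis)."""
    return Counter(e["src"] for e in events)


def analyse(lines, cv_threshold=0.1):
    """Combine the two checks. cv_threshold is an illustrative assumption."""
    events = parse_log(lines)
    cv = interarrival_cv(events)
    srcs = source_counts(events)
    regular = cv is not None and cv < cv_threshold
    single = len(srcs) == 1
    return {
        "events": len(events),
        "interarrival_cv": cv,
        "sources": dict(srcs),
        "regular": regular,
        "single_source": single,
        "automated": regular and single,
    }


# Constructed sample: one client querying every 50 ms for random labels
# under the target zone, the pattern of a Kaminsky-style poisoning attempt.
ATTACK_LINES = [
    "08-Apr-2008 16:21:31.%03d client 192.0.2.77#53000: query: r%d.example.com IN A +"
    % (i * 50, i)
    for i in range(20)
]

# Constructed sample: irregular timing from several clients, plus one
# line that is not a query record and must be skipped by the parser.
NORMAL_LINES = [
    "08-Apr-2008 16:21:31.004 client 10.0.0.5#41234: query: www.example.com IN A +",
    "08-Apr-2008 16:21:31.310 client 10.0.0.9#55001: query: mail.example.org IN MX -",
    "08-Apr-2008 16:21:33.900 client 10.0.0.5#41240: query: example.net IN AAAA +",
    "08-Apr-2008 16:21:34.120 client 10.0.0.12#60002: query: www.example.com IN A +",
    "not a query log line",
]

if __name__ == "__main__":
    for name, lines in (("attack", ATTACK_LINES), ("normal", NORMAL_LINES)):
        print(name, analyse(lines))
```

The coefficient of variation is the numeric counterpart of the visual regularity on the timeline axis: the attack sample gives 0.0, the normal sample gives roughly 1.06. Treat the combined flag as a triage heuristic, not a verdict; a single monitoring host polling on a fixed schedule produces the same shape, so the flagged source still has to be confirmed against the query names and response sizes in the full log.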
Attachments
- bind-kaminsky.png (91.5 kB) - added by toady on 08/04/08 16:21:31.
- dns-kaminsky-zoomtimeline.png (13.2 kB) - added by toady on 08/04/08 16:22:03.
- dns-kaminsky-frontendsource.png (1.4 kB) - added by toady on 08/04/08 16:34:31.