Water torture attacks are a recently emerging type of Distributed Denial-of-Service (DDoS) attack on Domain Name System (DNS) servers. They generate a multitude of malicious queries with randomized, unique subdomains. This paper proposes a detection method and a filtering system for water torture attacks. The former is an enhancement of our previous effort so as to achieve packet-by-packet, on-the-fly processing, and the latter is an application of our current method mainly for defending recursive servers. Our proposed method detects malicious queries by analyzing their subdomains with a naïve Bayes classifier. Considering large-scale applications, we focus on achieving high throughput as well as high accuracy. Experimental results indicate that our method can detect attacks with 98.16% accuracy and only a 1.55% false positive rate, and that our system can process up to 7.44Mpps of traffic.------------------------------This is a preprint of an article intended for publication Journal ofInformation Processing(JIP). This preprint should not be cited. Thisarticle should be cited as: Journal of Information Processing Vol.25(2017) (online)DOI　http://dx.doi.org/10.2197/ipsjjip.25.854------------------------------

Water torture attacks are a recently emerging type of Distributed Denial-of-Service (DDoS) attack on Domain Name System (DNS) servers. They generate a multitude of malicious queries with randomized, unique subdomains. This paper proposes a detection method and a filtering system for water torture attacks. The former is an enhancement of our previous effort so as to achieve packet-by-packet, on-the-fly processing, and the latter is an application of our current method mainly for defending recursive servers. Our proposed method detects malicious queries by analyzing their subdomains with a naïve Bayes classifier. Considering large-scale applications, we focus on achieving high throughput as well as high accuracy. Experimental results indicate that our method can detect attacks with 98.16% accuracy and only a 1.55% false positive rate, and that our system can process up to 7.44Mpps of traffic.------------------------------This is a preprint of an article intended for publication Journal ofInformation Processing(JIP). This preprint should not be cited. Thisarticle should be cited as: Journal of Information Processing Vol.25(2017) (online)DOI　http://dx.doi.org/10.2197/ipsjjip.25.854------------------------------