The Anomaly Detection Engine in DDI Central is designed to enhance network security posture through real-time detection of abnormal DNS and DHCP behavior. It leverages a dual approach: a comprehensive library of built-in detection rules tailored for known protocol-level anomalies, and Zoho’s ZIA AI engine, which applies machine learning models to identify advanced threats such as Domain Generation Algorithm (DGA) patterns.
By correlating behavioral patterns and traffic anomalies early in the lifecycle—often before external threat intelligence sources classify them—the engine enables timely containment and analysis. This proactive threat detection capability helps prevent the propagation of malicious activity within the network and ensures administrators can respond before service integrity or security is compromised.
| Anomaly | Key indicators | Example occurrence | Why it matters | Typical mitigation / DDI Central action |
|---|---|---|---|---|
| DGA (Domain Generation Algorithm) | High-entropy labels; very long labels; digit/hex-heavy patterns; suspicious TLDs (e.g. .xyz, .top); semantically crafted wordlist domain names and seed-based DGA domains | Host queries dozens of random-looking domains like xk3j9qz8a.top within minutes | Often indicates malware C2 or evasive domains | Blocks queries to such domains and quarantines the querying hosts from the network. Admins can revive these hosts at any time after proper remediation. |
| DNS Tunneling | High query volume; TXT-heavy queries; long qnames/subdomains; Base64-like labels; periodic timing | Client sends TXT queries every 30s containing Base64 blobs to the same domain | Covert exfiltration or C2 channel via DNS | Throttles queries using response rate limiting (RRL) policies; the anomaly engine blocks the queries and quarantines the hosts issuing them. |
| Subdomain Enumeration | Large unique subdomain count (e.g., ≥30/≥60); sequential patterns (foo1, foo2…) | Scanner probes api1.example.com → api60.example.com within minutes | Reconnaissance for takeover or brute-force attacks | Rate-limit or block those subdomains, quarantine probing hosts. |
| Query Type Anomaly | Spike in rare qtypes (NULL, ANY, DS, DNSKEY); TXT >60% of queries | Client issues 80% of queries as TXT or NULL over 5 minutes | Uncommon qtypes can be used for tunneling or probing. | Blocks offending clients as well as the queries to such suspicious domains. |
| Windows-specific anomalies | Policy violations; excessive wpad. queries; high REFUSED rates | Many clients repeatedly query wpad.corp.local and receive REFUSED | WPAD abuse can be used for MITM | Enforce policies that block offending clients as well as such queries. Logs details for forensics in Anomaly reports. |
| RCODE anomalies | Spikes in NXDOMAIN/SERVFAIL/REFUSED; high failure ratio vs total responses | Resolver reports 70% NXDOMAIN responses in a short window | May indicate mass brute-force, resolver stress, or misconfiguration | Applies RRL response rate limiting, identifies and isolates offending sources and blocks all the domains they are accessing. |
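As an added illustration (not DDI Central code), the Python sketch below scores a constructed DNS query log against the query-side indicators from the table above: high-entropy or digit-heavy labels under the listed TLDs, long Base64-like TXT labels, TXT-dominated or rare query types, and sequential subdomain probing. The log format, the thresholds (deliberately lower than the table's ≥30/≥60 so the sample stays short) and the function names are assumptions; the Windows and RCODE rows need response data and are not covered.

```python
import math
import re
from collections import Counter, defaultdict
# Constructed sample query log, one query per line: "<seconds> <client> <qname> <qtype>"
SAMPLE_LOG = """\
0 10.0.0.5 www.example.com A
1 10.0.0.5 xk3j9qz8a.top A
2 10.0.0.5 q7v2m0dk1z.top A
3 10.0.0.5 b9r4t1x6w2.top A
0 10.0.0.9 aGVsbG8gd29ybGQgdGhpcyBpcw.tun.example.net TXT
30 10.0.0.9 c2VjcmV0IGRhdGEgZ29lcyBoZXJl.tun.example.net TXT
60 10.0.0.9 bW9yZSBiYXNlNjQgcGF5bG9hZA.tun.example.net TXT
5 10.0.0.7 api1.example.com A
6 10.0.0.7 api2.example.com A
7 10.0.0.7 api3.example.com A
"""

SUSPICIOUS_TLDS = {"xyz", "top"}                # the TLDs named in the table
BASE64_LABEL = re.compile(r"[a-z0-9+/=]{20,}")  # long Base64-like label (qnames are lowercased first)
SEQUENTIAL = re.compile(r"[a-z]+\d+")           # foo1, foo2, ... style hostnames
def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking DGA labels score high (above ~3)."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def classify(log: str, enum_threshold: int = 3) -> dict:
    """Return {client: [anomaly names]} for one log window; thresholds are illustrative."""
    flags = defaultdict(set)
    qtypes = defaultdict(Counter)                        # client -> qtype counts
    subdomains = defaultdict(lambda: defaultdict(set))   # client -> parent -> leftmost labels
    for line in log.splitlines():
        _, client, qname, qtype = line.split()
        labels = qname.lower().rstrip(".").split(".")
        first, parent = labels[0], ".".join(labels[-2:])
        qtypes[client][qtype] += 1
        subdomains[client][parent].add(first)
        # DGA: high-entropy or digit-heavy leftmost label under a suspicious TLD
        if labels[-1] in SUSPICIOUS_TLDS and (shannon_entropy(first) > 3.0 or sum(ch.isdigit() for ch in first) >= 3):
            flags[client].add("DGA")
        # Tunneling: long Base64-like label carried in a TXT query
        if qtype == "TXT" and BASE64_LABEL.fullmatch(first):
            flags[client].add("DNS Tunneling")
    for client, counts in qtypes.items():
        # Query type anomaly: TXT-dominated traffic or rare qtypes used for probing
        if counts["TXT"] / sum(counts.values()) > 0.6 or counts["NULL"] or counts["ANY"]:
            flags[client].add("Query Type Anomaly")
        # Enumeration: many unique, sequentially named hosts under one parent domain
        if any(len(s) >= enum_threshold and all(SEQUENTIAL.fullmatch(x) for x in s) for s in subdomains[client].values()):
            flags[client].add("Subdomain Enumeration")
    return {c: sorted(v) for c, v in flags.items()}
```

A client can collect several flags at once (here 10.0.0.9 is both tunneling and TXT-heavy), which is the compounding effect the severity scoring described later relies on.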

| Anomaly | Key indicators | Example occurrence | Why it matters | Typical mitigation / DDI Central action |
|---|---|---|---|---|
| StaleLease | Lease end time < current time but entry still present in DB/files | 10.10.10.50 lease expired yesterday but remains listed | Orphaned records → inventory drift and confusion | Flags for cleanup by DNS scavenging if configured. Reconciles with the DHCP server and removes stale lease entries. |
| LeaseDuration anomaly | Very short or very long lease durations compared to policy | Scopes issuing 1-minute leases causing churn | Misconfiguration → exhaustion risk or abuse persistence | Quickly blocks such hosts. Admin can revive them later and adjust scope lifetimes. |
| DuplicateIP | Same IP leased to multiple MACs simultaneously | 10.10.10.100 assigned to MAC A and MAC B at same time | IP conflicts, spoofing, service disruption | Quarantines all the conflicting MACs. |
| MultipleIPsPerMAC | A single MAC holds multiple IPs | Laptop MAC shows leases for 10.10.10.12 and 10.10.10.55 | Multi-homing or spoofing; inventory mismatch | Enforces immediate blocking until further investigation |
| RapidLease | Same MAC requesting many leases in a short timeframe | Device requests 200 leases over 2 minutes | Lease churn → DoS or exhaustion attempts | Quarantines the suspicious client |
| Starvation (DHCPv4 only; not applicable to DHCPv6) | Many unique MACs requesting leases rapidly | Hundreds of random MACs request leases in <5 mins; pool nearly depleted | DHCP pool exhaustion / starvation attack | Instantly blocks all the conflicting entities until further investigation |

| Anomaly | Key indicators | Example occurrence | Why it matters | Typical mitigation / DDI Central action |
|---|---|---|---|---|
| StaleLease (IPv6) | Expired lease still present in DB or files | 2001:db8:1::100 lease expired but remains listed | Orphaned addresses; inaccurate inventory | Blocks the conflicting entities until the admin reconciles or cleans up the conflicting leases. |
| LeaseDuration (IPv6) | Lease duration unusually short (possible misconfiguration) or too long (may allow abuse). | IA_NA lifetime set to 1 minute causing churn | Misconfiguration or abuse persistence window | Enforces quarantines for the conflicting hosts until the admin enforces limits on lease lifetimes for the subnet |
| DuplicateIP / DuplicateDUID | Same IPv6 assigned to multiple DUIDs or same DUID on multiple hosts | 2001:db8:1::10 appears from two different DUIDs | Address conflicts, spoofing, service disruption | Quarantine affected endpoints; investigate |
| MultipleIPsPerClient (DUID/IAID) | One client (identified by DUID or DUID+IAID) requesting multiple IP addresses | One client is requesting and receiving multiple IPs, using 10 different IAIDs under the same DUID. | Misuse or multi-interface abuse | Quickly blocks the client until the admin investigates whether it is a legitimate source (e.g., multi-interface routers, VMs, containerized apps) or suspicious behaviour (e.g., misconfigurations, malicious clients trying to exhaust IPs). |
| RapidLease (IPv6) | Repeated rapid solicit/requests by same DUID/IAID | DUID issues 500 solicitations in 10 minutes | Lease churn / PD exhaustion attempts. May exhaust IPv6 leases or PDs, disrupting legitimate client access and DHCP stability. | Blocks offending clients until further investigation |
| Excessive IAIDs | A single DUID associated with many IAIDs | Single DUID shows 50 IAIDs assigned | Abnormal IAID inflation may indicate spoofing or compromised clients, leading to address allocation instability. | Blocks offending clients until further investigation |
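The following Python example, added here and not part of DDI Central, applies the lease checks from both DHCP tables above to a constructed lease table: StaleLease, LeaseDuration, DuplicateIP, MultipleIPsPerClient, RapidLease, ExcessiveIAIDs and Starvation, with MAC addresses standing in for DHCPv4 clients and DUID/IAID pairs for DHCPv6. The record layout, the thresholds and the NOW value are assumptions chosen for the sample, not the product's.

```python
from collections import Counter, defaultdict
from typing import NamedTuple

class Lease(NamedTuple):
    client: str   # MAC address for DHCPv4, DUID for DHCPv6
    iaid: int     # IAID for DHCPv6; 0 for DHCPv4 records
    ip: str
    start: int    # lease start, epoch seconds
    end: int      # lease end, epoch seconds

NOW = 1_700_000_000  # constructed "current time" for the sample
# Constructed lease table mixing DHCPv4 and DHCPv6 records
LEASES = [
    Lease("aa:bb:cc:00:00:01", 0, "10.10.10.50", NOW - 172800, NOW - 86400),  # expired, still listed
    Lease("aa:bb:cc:00:00:02", 0, "10.10.10.100", NOW - 600, NOW + 3000),
    Lease("aa:bb:cc:00:00:03", 0, "10.10.10.100", NOW - 300, NOW + 3300),  # same IP, second MAC
    Lease("aa:bb:cc:00:00:04", 0, "10.10.10.12", NOW - 100, NOW + 3500),
    Lease("aa:bb:cc:00:00:04", 0, "10.10.10.55", NOW - 90, NOW + 3510),  # one MAC, two IPs
    Lease("duid-a", 1, "2001:db8:1::10", NOW - 60, NOW),  # 1-minute IA_NA lifetime
] + [  # one DUID churning through 12 IAIDs and addresses within two minutes
    Lease("duid-b", i, f"2001:db8:1::{100 + i:x}", NOW - 120 + i, NOW + 3600) for i in range(12)
]

def detect(leases, now=NOW, window=300, policy_min=600, policy_max=86400,
           rapid=10, iaid_max=10, starve_clients=50):
    """Return {anomaly: sorted offenders}; thresholds are illustrative, not DDI Central's."""
    found = defaultdict(set)
    found["StaleLease"] = {lease.ip for lease in leases if lease.end < now}  # expired, never removed
    by_ip, by_client, iaids = defaultdict(set), defaultdict(set), defaultdict(set)
    recent = Counter()  # leases requested per client inside the window
    for lease in (x for x in leases if x.end >= now):
        if not policy_min <= lease.end - lease.start <= policy_max:
            found["LeaseDuration"].add(lease.client)  # outside the scope's lifetime policy
        by_ip[lease.ip].add(lease.client)
        by_client[lease.client].add(lease.ip)
        iaids[lease.client].add(lease.iaid)
        if lease.start >= now - window:
            recent[lease.client] += 1
    # DuplicateIP: one address currently held by several MACs/DUIDs
    found["DuplicateIP"].update(*(c for c in by_ip.values() if len(c) > 1))
    for client, ips in by_client.items():
        if len(ips) > 1:
            found["MultipleIPsPerClient"].add(client)
        if len(iaids[client]) > iaid_max:
            found["ExcessiveIAIDs"].add(client)
        if recent[client] >= rapid:
            found["RapidLease"].add(client)
    if len(recent) >= starve_clients:  # burst of distinct clients: pool starvation
        found["Starvation"].update(recent)
    return {k: sorted(v) for k, v in found.items() if v}
```

Running detect(LEASES) flags duid-b under three categories at once (MultipleIPsPerClient, RapidLease, ExcessiveIAIDs), while a burst of 50 or more distinct clients inside the window would trip Starvation instead.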
DDI Central assigns a severity score to every detected anomaly described above to help teams understand its potential impact at a glance.
In addition, a single suspicious domain may be flagged across multiple anomaly categories—such as DGA, tunneling, or suspicious TLDs—which compounds its overall risk score and elevates its severity.
To standardize interpretation, DDI Central classifies anomalies into four severity bands:
This stratification enables admins and leaders to prioritize investigation with clear, quantifiable thresholds—ensuring that high-risk patterns stand out immediately for rapid validation and response.