Identifying DNS heavy hitters in root servers data Minas Gjoka CAIDA University of California, Irvine.


Motivation/Goals
- Percentage of invalid traffic huge (~98%).
  - Anycast deployment alleviates the problem at extra cost
- Goals
  - Characterize the sources of invalid traffic.
  - Identify solutions that could reduce traffic in the components of the DNS architecture

Categorization of generated invalid traffic

Results and work in-progress
- Blacklists
- Interarrival time
- Behavioral analysis
- Future work

Blacklists & DNS traffic
- Do prefixes/ASes which contain the IPs listed in DNSRBLs contribute unwanted DNS traffic also?
  - Misconfiguration
  - Malicious activity

Historical data from blacklists
- Spamhaus*
  - XBL - IPs of hijacked PCs infected by illegal 3rd party exploits
  - SBL - IPs of spam sources and spam operations
  - PBL - IP space assigned to broadband/ADSL customers.
- UCEProtect*
  - IPs of spam sources
- DShield*
  - Firewall logs - top IPs
* made available to us by Athina Markopoulou

Testing for correlation
- Rank BGP prefixes/ASes.
  - IPs present in blacklist
  - IPs or aggregated queries from DNS DITL data
- Increasing IP address space order.

Spamhaus XBL Ranked by IPs in blacklist

Spamhaus XBL Ranked by DNS queries to Roots

DNS Roots vs Spamhaus XBL Cumulative Fraction of IPs

What about the other blacklists?
- Spam - Spamhaus SBL/UCEProtect
  - similar output in BGP prefix/AS aggregation level
- Trying out other aggregation levels also.

Another use of DNSRBL
- Spamhaus PBL contains IP ranges assigned to Broadband/ADSL customers.
  - Participating ISPs
  - Spamhaus seeded with NJABL/dynablock zone
- DNS clients sending requests to the root
  - 10%-44% belong to the PBL advertised ranges
- Up to 44% of the sources are Broadband/ADSL customers

Characteristics of invalid queries
- Identical, repeated and referral-not-cached invalid queries constitute 73% in DITL
- Calculate interarrival time for the same query (domain name, type, class) received.

Interarrival time Identical/Repeated/Referral-not-Cached
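
An added example (not part of the original slides) of the interarrival-time calculation described above: gaps between arrivals of the same (domain name, type, class) query. The record layout, the constructed sample data and the per_source switch are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (timestamp_seconds, source_ip, qname, qtype, qclass).
# Addresses are from documentation ranges; names are placeholders.
SAMPLE = [
    (0.00, "192.0.2.10", "host.invalid.", "A", "IN"),
    (0.50, "192.0.2.10", "host.invalid.", "A", "IN"),
    (1.00, "192.0.2.10", "host.invalid.", "A", "IN"),
    (1.20, "198.51.100.7", "example.com.", "MX", "IN"),
    (3.00, "192.0.2.10", "HOST.invalid.", "A", "IN"),
    (4.00, "192.0.2.10", "host.invalid.", "AAAA", "IN"),
    (61.20, "198.51.100.7", "example.com.", "MX", "IN"),
]


def interarrival_times(records, per_source=True):
    """Map each query key to the gaps (seconds) between consecutive arrivals.

    The key is (qname, qtype, qclass) as on the slide; per_source=True
    (an assumption) additionally separates queries by sending address.
    """
    last_seen = {}
    gaps = defaultdict(list)
    for ts, src, qname, qtype, qclass in sorted(records):
        # DNS names compare case-insensitively, so normalise before keying.
        key = (qname.lower(), qtype, qclass)
        if per_source:
            key = (src,) + key
        if key in last_seen:
            gaps[key].append(round(ts - last_seen[key], 6))
        last_seen[key] = ts
    return dict(gaps)


def summarize(gaps):
    """Return (key, repeat_count, median_gap), most-repeated queries first."""
    rows = [(key, len(vals), median(vals)) for key, vals in gaps.items()]
    return sorted(rows, key=lambda r: (-r[1], r[2]))


if __name__ == "__main__":
    for key, repeats, med in summarize(interarrival_times(SAMPLE)):
        print(key, "repeats:", repeats, "median gap (s):", med)
```

Queries seen only once produce no gap and are absent from the result, so the output contains only queries that were actually repeated.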

Requested zone names
- Aggregation example: a.b.c.d.e.com. aggregated to c.d.e.com.

Top-10 most requested

Requested Query Name      Percentage
com                       19.66
net                       17.26
dynamic.163data.com.cn
in-addr.arpa
in-addr.arpa              1.95
org                       1.56
de                        1.38
edu                       1.38
ru

Why? Possible explanations:
- Aggressive requerying for delegation information
- Ingress filtering
- Poorly configured or maintained zones
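
An added example (not part of the original slides) of the zone-name aggregation and top-N ranking shown above. Keeping the rightmost four labels is inferred from the a.b.c.d.e.com. to c.d.e.com. example; the function names and the constructed sample names are assumptions.

```python
from collections import Counter

# Constructed sample of query names as they might arrive at a root server.
SAMPLE = [
    "a.b.c.d.e.com.", "x.y.c.d.e.com.", "com.", "COM",
    "1.2.0.192.in-addr.arpa.", "9.2.0.192.in-addr.arpa.", "net.", ".",
]


def aggregate(qname, keep_labels=4):
    """Collapse a query name to its rightmost `keep_labels` labels.

    Names with fewer labels are left as they are (only normalised),
    which is why a ranking can mix TLDs with deeper names.
    """
    # Lower-case, and drop empty labels left by the trailing dot or by
    # malformed names such as "a..com".
    labels = [part for part in qname.lower().split(".") if part]
    if not labels:
        return "."  # the root itself
    return ".".join(labels[-keep_labels:]) + "."


def top_requested(qnames, keep_labels=4, n=10):
    """Return [(aggregated_name, percent_of_all_queries)] for the top n."""
    counts = Counter(aggregate(q, keep_labels) for q in qnames)
    total = sum(counts.values())
    # Sort by count descending, then by name, so ties are deterministic.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
    return [(name, round(100.0 * c / total, 2)) for name, c in ranked]


if __name__ == "__main__":
    for name, pct in top_requested(SAMPLE):
        print(f"{name:<24}{pct:>6.2f}")
```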

Behavior of DNS Resolvers
- Wessels et al: Measurements and Laboratory simulations of the upper DNS Hierarchy
  - Tested effect of network delay/loss to the root servers
- Extend the tested configurations

Simulation setup

Behavior of DNS Resolvers (2)
- Goals
  - Quantify the load of tested misconfigurations to the root server
  - Characterize a well-behaved DNS resolver
  - Patterns of misbehaving DNS resolvers
- Plans to test:
  - Other plausible network configurations
  - Zone configurations
    - Lame Delegation
  - Negative caching
    - Configurations at resolvers/cachers and zones
  - Local DNS configurations
  - Additional configurations from RFC Observed DNS Resolution Misbehavior

Other future work
- Focus on heavy hitters (>10 queries/sec)
- Interarrival time
  - Per client
  - Per prefix/AS
- Extract patterns of invalid queries

Thank you