Presentation is loading. Please wait.

Presentation is loading. Please wait.

Geoff Huston APNIC Labs

Published byJuniper Short Modified over 6 years ago

Similar presentations

Presentation on theme: "Geoff Huston APNIC Labs"— Presentation transcript:

1 Geoff Huston APNIC Labs
Zombies Geoff Huston APNIC Labs

2 What we did: Run an online advertisement with an embedded measurement script The script caused the browser to fetch a number of 1x1 ‘blots’ To ensure that we had a clear view of the actions of the user and the DNS resolvers they use, we used unique URL labels.

3 Ad Impressions per Day We are currently serving some 4 M

4 URL Load We are generating some 12 million DNS queries for “unique” DNS names per day And similarly performing some 12 million HTTP blot fetches for “unique” URLs per day

5 “Unique”? What is meant by “unique”?
The DNS name is queried by a single endpoint once and only once(*) – never again! (And the name includes a subfield of the time it was created) The TTL of the record is 1 second The URL fetch is performed by a single endpoint once and only once – and never again! Which means that we should see one query for the name at the authoritative name server * Well not quite, 25% of the time its queried twice, and sometimes more, but its all triggered by a single resolution action initiated by the endpoint – all these queries are clustered together in time

6 What do we see? [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A

7 What do we see? 2015-12-15 03:54:33 query time 2015-11-21 06:30:30
[x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A :30:30 :22:59 :43:46 The time that the ad was created!

8 What do we see? Diff == Zombie Time! CreationTime Query Time
[x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A Query Time CreationTime Diff == Zombie Time!

9 One Day, One DNS Server

10 One Day, One DNS Server

11 60 Days, All DNS Servers

12 60 Days, All DNS Servers 50% of all zombie queries are more than 6 months old!

13 Zombie Repeats per day

14 Zombie Repeats per day 1 query every 3 seconds!

15 Zombie Repeats per day

16 Zombie Repeats per day 2/3 of all queries occur once per day

17 What is causing this? Is this the result of a collection of deranged DNS recursive resolvers with an obsession about never forgetting a thing? Or web proxies that just have too much time (and space) on their hands and want to fill that space with a vast collection of 1 pixel gifs? Let’s look at web zombies …

18 Zombie URL Age Distribution

19 Zombie URL Age Distribution
50% of all zombie URLs are less than 4 days old

20 Zombie URL Repeats

21 DNS vs URLs

22 Zombies It seems that on the Internet very little is allowed to be forgotten Daily refresh cycles operate on both URL and DNS caches in many parts of the net

23 DNS as storage Write(index,data) query = “data.index.storage” foreach i (0..100) { dig IN A query; }

24 DNS as storage Write(index,data) query = data.index.storage foreach i (0..100) { dig IN A query; } Read(index) wait(query,’index.storage’) return data

25 DNS as storage Write(index,data) query = data.index.storage foreach i (0..100) { dig IN A query; } Read(index) wait(query,’index.storage’) return data Delete(index) print(“I’m sorry Dave, I can’t do that”)

26 Thanks!

Download ppt "Geoff Huston APNIC Labs"

Similar presentations

Measuring IPv6 Geoff Huston APNIC Labs, February 2014.

Measuring IPv6 Geoff Huston APNIC Labs, February 2014.
Measuring the DNS from the Users’ perspective Geoff Huston APNIC Labs, May 2014.

Measuring the DNS from the Users’ perspective Geoff Huston APNIC Labs, May 2014.
A Question of Protocol Geoff Huston APNIC. Originally there was RFC791:

A Question of Protocol Geoff Huston APNIC. Originally there was RFC791:
DNS. Outline r Domain Name System r DNS Hierarchy r Resolution.

DNS. Outline r Domain Name System r DNS Hierarchy r Resolution.
George Michaelson, Geoff Huston APNIC Measuring IPv6 Users.

George Michaelson, Geoff Huston APNIC Measuring IPv6 Users.
DNS and HTTP. Finally, the application layer! We have learned about: – Signals being sent on wires – Frames carried over dumb local networks – Packets.

DNS and HTTP. Finally, the application layer! We have learned about: – Signals being sent on wires – Frames carried over dumb local networks – Packets.
1. 1.Charting the CDNs(locating all their content and DNS servers). 2.Assessing their server availability. 3.Quantifying their world-wide delay performance.

1. 1.Charting the CDNs(locating all their content and DNS servers). 2.Assessing their server availability. 3.Quantifying their world-wide delay performance.
Geoff Huston APNIC Labs

Geoff Huston APNIC Labs
Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.

Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.
TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.

TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.
Lecture # 6 Forms, Widgets and Event Handling. Today Questions: From notes/reading/life? Share Personal Web Page (if not too personal) 1.Introduce: How.

Lecture # 6 Forms, Widgets and Event Handling. Today Questions: From notes/reading/life? Share Personal Web Page (if not too personal) 1.Introduce: How.
Measuring IPv6 Deployment Geoff Huston George Michaelson

Measuring IPv6 Deployment Geoff Huston George Michaelson
Web Metrics Terminology & Measurement. Visit A visit is a Web user with a unique address entering a Web site at some page for the first time that day.

Web Metrics Terminology & Measurement. Visit A visit is a Web user with a unique address entering a Web site at some page for the first time that day.
Target relevant customers. Remarketing with Google Remarketing with Google. Target customers who have already shown an interest in your business.

Target relevant customers. Remarketing with Google Remarketing with Google. Target customers who have already shown an interest in your business.
Measuring DNSSEC Use Geoff Huston APNIC Labs. We all know…

Measuring DNSSEC Use Geoff Huston APNIC Labs. We all know…
Happy Eyeballs for the DNS Geoff Huston, George Michaelson APNIC Labs October 2015.

Happy Eyeballs for the DNS Geoff Huston, George Michaelson APNIC Labs October 2015.
DNSSEC – Issues and Achievements Geoff Huston APNIC Labs.

DNSSEC – Issues and Achievements Geoff Huston APNIC Labs.
What if Everyone Did It? Geoff Huston APNIC Labs.

What if Everyone Did It? Geoff Huston APNIC Labs.
Domain Name System: DNS To identify an entity, TCP/IP protocols use the IP address, which uniquely identifies the Connection of a host to the Internet.

Domain Name System: DNS To identify an entity, TCP/IP protocols use the IP address, which uniquely identifies the Connection of a host to the Internet.
Introduction to Digital Analytics Keith MacDonald Guest Presentation.

Introduction to Digital Analytics Keith MacDonald Guest Presentation.

Similar presentations

Ads by Google