Presentation is loading. Please wait.

Presentation is loading. Please wait.

Geoff Huston APNIC Labs

Published byLeslie Carter Modified over 6 years ago

Similar presentations

Presentation on theme: "Geoff Huston APNIC Labs"— Presentation transcript:

1 Geoff Huston APNIC Labs
Zombies Geoff Huston APNIC Labs

2 What we did: Run an online advertisement with an embedded measurement script The script caused the browser to fetch a number of 1x1 ‘blots’ To ensure that we had a clear view of the actions of the user and the DNS resolvers they use, we used unique URL labels.

3 Ad Impressions per Day We are currently serving some 8 M

4 URL Load We are generating some 24 million DNS queries for “unique” DNS names per day And similarly performing some 24 million HTTP blot fetches for “unique” URLs per day

5 “Unique”? What is meant by “unique”?
The DNS name is queried by a single endpoint once and only once(*) – never again! (And the name includes a subfield of the time it was created) The TTL of the record is 1 second The URL fetch is performed by a single endpoint once and only once – and never again! Which means that we should see one query for the name at the authoritative name server * Well not quite, 25% of the time its queried twice, and sometimes more, but its all triggered by a single resolution action initiated by the endpoint – all these queries are clustered together in time

6 What do we see? [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A

7 What do we see? 2015-12-15 03:54:33 query time
[x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A

8 What do we see? 2015-12-15 03:54:33 query time 2015-11-21 06:30:30
[x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A :30:30 :22:59 :43:46 The time that the ad was created!

9 What do we see? Diff == Zombie Time! CreationTime Query Time
[x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.uc86fd1d9.s i5112.vxxxx.3b460.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.u953a6ea5.s i5112.vxxxx.06ca0.z.dotnxdomain.net A [x] 15-Dec-2015 query: z.t10000.ub46e3821.s i5112.vxxxx.0c914.z.dotnxdomain.net A Query Time CreationTime Diff == Zombie Time!

10 One Day, One DNS Server

11 One Day, One DNS Server

12 60 Days, All DNS Servers 50% of all zombie queries are more than 6 months old!

13 180 Days, All DNS Servers 72,444,600,088 DNS queries, of which 22,168,989,627 are zombies – a 31% zombie rating!

14 180 Days, All DNS Servers 31% of all the queries we see at our authoritative name servers are completely bogus! 72,444,600,088 DNS queries, of which 22,168,989,627 are zombies – a 31% zombie rating!

15 Zombie Queries per day 2/3 of all queries occur once per day

16 Zombie Repeats per day

17 What is causing this? Is this the result of a collection of deranged DNS recursive resolvers with an obsession about never forgetting a thing? Or web proxies that just have too much time (and space) on their hands and want to fill all that space with a vast collection of identical 1x1 pixel gifs? Let’s look at web zombies …

18 Zombie URL Age Distribution

19 Zombie URL Age Distribution
50% of all zombie URLs are less than 4 days old

20 Zombie URL Repeats

21 DNS vs URLs Web DNS zombies are living their own zombie half life! They are not the hell spawn of zombie URLS! DNS

22 What is causing this? Is this the result of a collection of deranged DNS recursive resolvers with an obsession about never forgetting a thing? Or web proxies that just have too much time (and space) on their hands and want to fill all that space with a vast collection of identical 1x1 pixel gifs? Let’s look at web zombies …

23 Who Are These Deranged Resolvers?
Resolver Current Zombie Ratio ASN CC AS Name ,978,931 4,610,444,812 1, GT Telgua, Guatemala ,124,423 1,006,797, JO JUNET Jordanian Universities, Jordan ,868, ,945, CA ADITY-OSH - Aditya Birla Minacs, Canada ,034, ,314, US Missouri Research and Edu., United States ,038,416 81,862, US Team Cymru Inc. United States ,486, ,724, DZ TDA-AS,DZ Algeria ,041, ,155, DZ TDA-AS,DZ Algeria ,697, ,364, JO JUNET Jordanian Universities, Jordan ,975, ,821, CA MINACS - Minacs Inc, Canada ,929,881 11,720, US Team Cymru Inc, United States ,905,028 54,952, US Team Cymru Inc, United States ,637,788 30,212, US Team Cymru Inc, United States ,436,258 22,478, US Team Cymru Inc, United States ,986 39,623, BR COPEL Telecom S.A. Brazil ,632,910 17,868, US Network Maryland, US United States ,637,567 1,356, US AMAZON-02 - Amazon.com, United States ,331, , US AMAZON-02 - Amazon.com, United States ,259,591 12,759, BB Columbus Telecommunications, Barbados

24 Three Zombie Factories
The stalkers – query many different DNS names

25 Three Zombie Factories
The stalkers The storers – repeat queries for the same DNS Name

26 Three Zombie Factories
The totally Deranged! The stalkers The storers

27 The Stalkers Resolver Current Zombie Ratio ASN CC AS Name ,038,416 81,862, US Team Cymru Inc, United States ,905,028 54,952, US Team Cymru Inc, United States ,637,788 30,212, US Team Cymru Inc, United States ,436,258 22,478, US Team Cymru Inc, United States ,929,881 11,720, US Team Cymru Inc, United States ,519,461 5,519, US Blue Coat Systems, Inc, United States ,472,109 2,472, NL LGI-UPC Liberty Global Operations, Netherlands ,401,930 2,401, NL LGI-UPC Liberty Global Operations, Netherlands ,480,634 1,480, US AMAZON-02 - Amazon.com, Inc, United States ,479,066 1,479, US AMAZON-02 - Amazon.com, Inc, United States ,423,147 1,423, US AMAZON-02 - Amazon.com, Inc, United States ,637,567 1,356, US AMAZON-02 - Amazon.com, Inc, United States , , US AMAZON-02 - Amazon.com, Inc, United States , , CN China Internet Network Information Center, China , , US AMAZON-02 - Amazon.com, Inc, United States , , US AMAZON-02 - Amazon.com, Inc, United States , , US AMAZON-02 - Amazon.com, Inc, United States , , US AMAZON-02 - Amazon.com, Inc, United States , , US AMAZON-02 - Amazon.com, Inc, United States , , US AMAZON-02 - Amazon.com, Inc, United States , , US AMAZON-02 - Amazon.com, Inc, United States , , TW HINET Data Communication Business Group, Taiwan , , TW HINET Data Communication Business Group, Taiwan , , NL KPN, Netherlands , , US Nominum, Inc, United States

28 The Storers (and the totally deranged!)
Resolver Current Zombie Zombie ASN CC AS Name Uniques Repeats Uniques Repeats Repeat Ratio ,238 10,501, ,780,601 1,211, CA Aditya Birla Minacs Worldwide, Canada ,495 35,034, ,739,995 1,050, US MOREnet, United States ,978,931 6,462 4,704,634, , GT Telgua, Guatemala ,167, ,079, , CA MINACS – Minacs, Canada ,201 14,435,262 3,094 1,019,572, , JO JUNET Jordanian Universities, Jordan , ,338, , US Aeneas Internet Services, United States , ,154, , IN Reliance Communications, India , ,534, , BR COPEL Telecom, Brazil , , , ES SOGECABLE, Spain ,946, , , US Comcast, United States ,830 37,012,512 1, ,438, , LY LITC, Libya , ,522,810 89, BR Terremark do Brasil, Brazil , ,269 72, US Cogent Communications, United States , ,973 72, UA ITM IT-MARK, Ukraine , ,729,929 64, US NETWORKMARYLAND, United States ,998 5,819,430 5, ,275,972 45, JO JUNET Jordanian Universities, Jordan , ,731,390 44, FR AS3215 Orange, France , ,727,063 44, FR AS3215 Orange, France ,823 1,634, ,286,366 38, US NETWORKMARYLAND, United States , ,976 30, US Integra Telecom, United States , ,921 28, GB WOLASN Wolseley, United Kingdom ,244 24, BR Brasil Telecom, Brazil , ,524 23, AO TVCaboAngola, Angola , ,797 22, US BELWAVE COMMUNICATIONS, United States , ,067 22, SA Cyberia Riyadh, Saudi Arabia , ,690,776 20, CL ENTEL, Chile , ,972 17, US ATT-INTERNET4, United States , ,221 15, US LS Networks, United States of America , ,635 12, CL E-money, Chile , ,705 11, RU MTS MTS PJSC, Russian Federation

29 We can use this…

30 DNS as storage Write(index,data) query = “data.index.storage” foreach i (0..100) { dig IN A query; }

31 DNS as storage Write(index,data) query = “data.index.storage” foreach i (0..100) { dig IN A query; } Read(index) wait(query, “index.storage”) return data

32 DNS as storage Write(index,data) query = “data.index.storage” foreach i (0..100) { dig IN A query; } Read(index) wait(query, “index.storage”) return data Delete(index) print(“I’m sorry Dave, I can’t do that”)

33 Thanks!

Download ppt "Geoff Huston APNIC Labs"

Similar presentations

SNC-Lavalin CORPORATE PRESENTATION NBADA October, 2007.

SNC-Lavalin CORPORATE PRESENTATION NBADA October, 2007.
Measuring IPv6 Geoff Huston APNIC Labs, February 2014.

Measuring IPv6 Geoff Huston APNIC Labs, February 2014.
Measuring the DNS from the Users’ perspective Geoff Huston APNIC Labs, May 2014.

Measuring the DNS from the Users’ perspective Geoff Huston APNIC Labs, May 2014.
DNS DOMAIN NAME SYSTEM NAME SYSTEM By Lijo George.

DNS DOMAIN NAME SYSTEM NAME SYSTEM By Lijo George.
Google AppEngine. Google App Engine enables you to build and host web apps on the same systems that power Google applications. App Engine offers fast.

Google AppEngine. Google App Engine enables you to build and host web apps on the same systems that power Google applications. App Engine offers fast.
NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.

NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.
CS 4396 Computer Networks Lab

CS 4396 Computer Networks Lab
The User Side of DNSSEC Geoff Huston APNIC. What is DNSSEC? (the ultra-short version) DNSSEC adds Digital Signatures to DNS All DNS “data” is signed by.

The User Side of DNSSEC Geoff Huston APNIC. What is DNSSEC? (the ultra-short version) DNSSEC adds Digital Signatures to DNS All DNS “data” is signed by.
1 QUESTEL ORBIT.COM. 2 QUESTEL French company Producer and provider of online and internet services Collection of patents, trademarks, designs, scientific-technical.

1 QUESTEL ORBIT.COM. 2 QUESTEL French company Producer and provider of online and internet services Collection of patents, trademarks, designs, scientific-technical.
1. 1.Charting the CDNs(locating all their content and DNS servers). 2.Assessing their server availability. 3.Quantifying their world-wide delay performance.

1. 1.Charting the CDNs(locating all their content and DNS servers). 2.Assessing their server availability. 3.Quantifying their world-wide delay performance.
Geoff Huston APNIC Labs

Geoff Huston APNIC Labs
What is a Web Address?. What’s in a name? The URL (uniform resource locator) is just a technical word that means the address to a web page on the WWW.

What is a Web Address?. What’s in a name? The URL (uniform resource locator) is just a technical word that means the address to a web page on the WWW.
Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.

Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.
The Status of APNIC’s IPv4 Resources: Exhaustion & Transfers Geoff Huston APNIC Labs.

The Status of APNIC’s IPv4 Resources: Exhaustion & Transfers Geoff Huston APNIC Labs.
Rome 30-31 May 2008. World demand trend Agricultural tractors Millions US $ Italian Institute for Foreign Trade.

Rome May World demand trend Agricultural tractors Millions US $ Italian Institute for Foreign Trade.
You have a web site. How do you make money from it? Get lots of targeted traffic to it. How do you get this traffic? Email Marketing Social Media Search.

You have a web site. How do you make money from it? Get lots of targeted traffic to it. How do you get this traffic? Marketing Social Media Search.
Measuring DNSSEC Geoff Huston APNIC Labs, June 2014.

Measuring DNSSEC Geoff Huston APNIC Labs, June 2014.
Statistics Project Wendy Kim & Tina Shin.  What is the most visited country in the world?

Statistics Project Wendy Kim & Tina Shin.  What is the most visited country in the world?
©2014 LinkedIn Corporation. All Rights Reserved. TALENT SOLUTIONS LinkedIn and the future of Recruitment Clara McCarthy Account Executive Search & Staffing.

©2014 LinkedIn Corporation. All Rights Reserved. TALENT SOLUTIONS LinkedIn and the future of Recruitment Clara McCarthy Account Executive Search & Staffing.
DNSSEC – Issues and Achievements Geoff Huston APNIC Labs.

DNSSEC – Issues and Achievements Geoff Huston APNIC Labs.

Similar presentations

Ads by Google