Presentation is loading. Please wait.

Presentation is loading. Please wait.

Port and Message ID Analysis of Resolvers Querying.com/.net Name Servers David Blacka Matt Larson September 24, 2008 DNS OARC Meeting, Ottawa, Canada.

Published byHilary Pope Modified over 8 years ago

Similar presentations

Presentation on theme: "Port and Message ID Analysis of Resolvers Querying.com/.net Name Servers David Blacka Matt Larson September 24, 2008 DNS OARC Meeting, Ottawa, Canada."— Presentation transcript:

1 Port and Message ID Analysis of Resolvers Querying.com/.net Name Servers David Blacka Matt Larson September 24, 2008 DNS OARC Meeting, Ottawa, Canada

2 2 Goals + Primary: ▪ Determine how many servers patched in wake of summer 2008 cache poisoning vulnerability – Examine UDP source port and DNS message ID distribution + Secondary: ▪ Examine EDNS0 usage – Interesting and easy to add to analysis ▪ Examine other.com/.net query metrics – Unique source IPs, recursive queries

3 3 Methodology + Analyze.com/.net queries for 24 hours ▪ Beginning midnight UTC on September 5, 2008 ▪ 11 of 13 names in.com/.net NS RRSet + Count each tuple ▪ Custom libpcap application ▪ Roll up counts from each name server to create grand totals across all name servers + Also, for each source IP: ▪ Count queries with OPT RR (EDNS0 capable) ▪ Count queries with DO (“DNSSEC OK”) bit set ▪ Track advertised maximum UDP buffer size

4 4 Totals + 34.2 billion queries analyzed + 28.3 billion unique tuples + 4,950,579 unique IP addresses ▪ 2632 bogons (0.053%) (Team Cymru definition) ▪ Bogons mostly RFC 1918 + 3,004,936 addresses (60%) sent at least 10 queries ▪ Our minimum threshold for port/message ID analysis ▪ 1455 bogons (0.048%) in this set + A lot of data: $ ls -lh distilled.2008-09-05 -r--r--r-- 1 matt matt 817G Sep 10 17:46 distilled.2008-09-05

5 5 Query Distribution

6 6 Query Distribution (2) Queries receivedSource IP addresses <= 101,992,508 <= 1001,036,271 <= 1,0001,082,181 <= 10,000583,276 <= 100,000218,293 <= 1,000,00033,026 <= 10,000,0004,799 <= 100,000,000225

7 7 Top Queriers

8 8 + A measure of the variability or dispersion of a set of data + For a discrete data set (like ports, query IDs), calculated as: + Zero = no variation in data (e.g., just one port) + Uniform discrete distribution calculated as: +  (standard dev.) of 0  65535 = 18918.61361 + Low  = data clustered near mean + High  = data clustered away from mean Definition: Standard Deviation sample data: mean is 50, standard deviation is 20

9 9 + A normalized form of standard deviation: +  = standard deviation of the uniform distribution + s = the calculated standard deviation from data + Basically, folds high std. dev. over , then normalizes to 0  1 + Low Q = not close to uniform distribution + High Q = close to uniform distribution + Not a measurement of randomness ▪ E.g., a non-uniform distribution could also have high Q Definition: Q

10 10 Definition: “bits” + Attempts to be a measure of how many bits of field are being used + Similar to formula used by entropy.dns-oarc.net + Based on modified range value: ▪ Range = max - min ▪ M = # of unique ports / min(total ports, 65536) ▪ MR = Range * M ▪ “bits” = log 2 (MR) + Substitute “query id” for “ports”, etc. + High “bits” = wide range of ports, mostly different ports + Low “bits” = narrow range of port and/or not many different ports + Not a measure of randomness ▪ E.g., a sequential series would have high “bits” value

11 11 Analysis Methodology + Examined all source IPs sending at least ten queries ▪ 3,004,936 IP addresses remained + Calculated standard deviation, Q and “bits” across each IP address’s: ▪ UDP source ports (16 bits) ▪ DNS message IDs (16 bits) ▪ tuples (32 bits) + Attempted to classify patched vs. unpatched resolvers ▪ Primarily using source port ▪ Hard! + Examined message ID variability ▪ True randomness calculation impossible, since query order lost in data collection method

12 12 UDP Source Ports: Standard Deviation (1)

13 13 UDP Source Ports: Standard Deviation (2)

14 14 UDP Source Ports: Q

15 15 UDP Source Ports: “bits”

16 16 DNS Message IDs: Standard Deviation

17 17 DNS Message IDs: Q

18 18 DNS Message IDs: “bits”

19 19 Port + Message ID: Standard Deviation

20 20 Port + Message ID: “bits”

21 21 Conclusions + Message IDs: most queriers look good ▪ A very few have both constant Message ID and source port, 1341 + Likely Patched vs. Obviously Unpatched vs. Maybe Patched ▪ Likely Patched = wide range of ports, not much repetition ▪ Obviously Unpatched = very narrow range, much repetition ▪ Maybe Patched = narrow range, not much repetition + “bits” Metric (ports) ▪ Likely Patched, > 15.4 bits = 18.9% ▪ Obviously Unpatched, 0 bits = 29.7% ▪ Maybe Patched = 51.4% + Q Metric (ports) ▪ Likely Patched, > 0.8 = 18.3% ▪ Obviously Unpatched, is < 0.1 = 28.0% ▪ Maybe Patched = 53.7%

22 22 EDNS0 + Calculated EDNS0 capability of: ▪ Total queries received ▪ Total source IP addresses seen + Surprisingly low EDNS0 deployment

23 23 EDNS0 Buffer Sizes

24 24 Recursive Queries + Lots of recursive queries ▪ 17.6% of total queries had RD set ▪ 25.8% of total queriers (source IP addresses) sent exclusively recursive queries ▪ 50,714 queriers (1.02%) sent a combination of recursive and non- recursive – But that could be running dig or nslookup on a host also running a recursive name server + What sends exclusively recursive queries? ▪ Lots of different implementations, according to fpdns ▪ No smoking gun ▪ Hypothesis: misguided administrators configure a.com/.net name server IP address as a forwarder

25 25 Recursive Querying Source IPs Fingerprinted

26 26 Questions + Answers

Download ppt "Port and Message ID Analysis of Resolvers Querying.com/.net Name Servers David Blacka Matt Larson September 24, 2008 DNS OARC Meeting, Ottawa, Canada."

Similar presentations

DNSSEC Support in SOHO CPE OARC Workshop Ottawa 24 th September 2008.

DNSSEC Support in SOHO CPE OARC Workshop Ottawa 24 th September 2008.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Umut Girit 200535027.  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
CSEE W4140 Networking Laboratory Lecture 6: TCP and UDP Jong Yul Kim 02.25.2009.

CSEE W4140 Networking Laboratory Lecture 6: TCP and UDP Jong Yul Kim
Agricultural and Biological Statistics

Agricultural and Biological Statistics
Open Resolvers in COM/NET Resolution Duane Wessels, Aziz Mohaisen DNS-OARC 2014 Spring Workshop Warsaw, Poland.

Open Resolvers in COM/NET Resolution Duane Wessels, Aziz Mohaisen DNS-OARC 2014 Spring Workshop Warsaw, Poland.
A Question of Protocol Geoff Huston APNIC. Originally there was RFC791:

A Question of Protocol Geoff Huston APNIC. Originally there was RFC791:
1 Internet Networking Spring 2006 Tutorial 8 DNS and DHCP as UDP applications.

1 Internet Networking Spring 2006 Tutorial 8 DNS and DHCP as UDP applications.
1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)

1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)
Defending Against Low-rate TCP Attack: Dynamic Detection and Protection Haibin Sun John C.S.Lui CSE Dept. CUHK David K.Y.Yau CS Dept. Purdue U.

Defending Against Low-rate TCP Attack: Dynamic Detection and Protection Haibin Sun John C.S.Lui CSE Dept. CUHK David K.Y.Yau CS Dept. Purdue U.
Introduction. 2 What Is SmartFlow? SmartFlow is the first application to test QoS and analyze the performance and behavior of the new breed of policy-based.

Introduction. 2 What Is SmartFlow? SmartFlow is the first application to test QoS and analyze the performance and behavior of the new breed of policy-based.
DNS: Revising the Current Protocol Matt Gustafson Matt Weaver CS522 Computer Communications University of Colorado, Colorado Springs.

DNS: Revising the Current Protocol Matt Gustafson Matt Weaver CS522 Computer Communications University of Colorado, Colorado Springs.
Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.

Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)
TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.

TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.
Multicast DNS Draft-aboba-dnsext-mdns-00.txt. Outline Goals and objectives Scope of the multicast DNS DNS server discovery Non-zeroconf behavior Zeroconf.

Multicast DNS Draft-aboba-dnsext-mdns-00.txt. Outline Goals and objectives Scope of the multicast DNS DNS server discovery Non-zeroconf behavior Zeroconf.
A question of protocol Geoff Huston APNIC 36. Originally there was RFC791: “All hosts must be prepared to accept datagrams of up to 576 octets (whether.

A question of protocol Geoff Huston APNIC 36. Originally there was RFC791: “All hosts must be prepared to accept datagrams of up to 576 octets (whether.
Advanced Module 3 Stealth Configurations.

Advanced Module 3 Stealth Configurations.
Netprog: DNS and name lookups1 Address Conversion Functions and The Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.

Netprog: DNS and name lookups1 Address Conversion Functions and The Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

Similar presentations

Ads by Google