
Identifying DNS heavy hitters in root servers data

Identifying DNS heavy hitters in root servers data. Minas Gjoka. CAIDA University of California, Irvine. Motivation/Goals: Percentage of invalid traffic huge (~98%). Anycast deployment alleviates the problem at extra cost. Goals: Characterize the sources of invalid traffic.


Presentation Transcript


  1. Identifying DNS heavy hitters in root servers data Minas Gjoka CAIDA University of California, Irvine

  2. Motivation/Goals • Percentage of invalid traffic huge (~98%). • Anycast deployment alleviates the problem at extra cost • Goals • Characterize the sources of invalid traffic. • Identify solutions that could reduce traffic in the components of the DNS architecture

  3. Categorization of generated invalid traffic

  4. Results and work in-progress • Blacklists • Interarrival time • Behavioral analysis • Future work

  5. Blacklists & DNS traffic • Do prefixes/ASes which contain the IPs listed in DNSRBLs contribute unwanted DNS traffic also? • Misconfiguration • Malicious activity

  6. Historical data from blacklists • Spamhaus* • XBL – IPs of hijacked PCs infected by illegal 3rd party exploits • SBL - IPs of spam sources and spam operations • PBL - IP space assigned to broadband/ADSL customers. • UCEProtect* • IPs of spam sources • DShield* • Firewall logs – top 10000 IPs * made available to us by Athina Markopoulou

  7. Testing for correlation • Rank BGP prefixes/ASes. • IPs present in blacklist • IPs or aggregated queries from DNS DITL data • Increasing IP address space order.

  8. Spamhaus XBL: Ranked by IPs in blacklist

  9. Spamhaus XBL: Ranked by DNS queries to Roots

  10. DNS Roots vs Spamhaus XBL: Cumulative Fraction of IPs

  11. What about the other blacklists? • Spam – Spamhaus SBL/UCEProtect • similar output in BGP prefix/AS aggregation level • Trying out other aggregation levels also.

  12. Another use of DNSRBL • Spamhaus PBL contains IP ranges assigned to Broadband/ADSL customers. • Participating ISPs • Spamhaus seeded with NJABL/dynablock zone • DNS clients sending requests to the root • 10%-44% belong to the PBL advertised ranges • Up to 44% of the sources are Broadband/ADSL customers

  13. Characteristics of invalid queries • Identical, repeated and referral-not-cached invalid queries constitute 73% in DITL 2008. • Calculate interarrival time for the same query (domain name, type, class) received.

  14. Interarrival time: Identical/Repeated/Referral-not-Cached

  15. Requested zone names, aggregated • Aggregation example: a.b.c.d.e.com. → c.d.e.com.

  16. Top-10 most requested: Why? • Possible explanations: • Aggressive requerying for delegation information • Ingress filtering • Poorly configured or maintained zones

  17. Behavior of DNS Resolvers • Wessels et al.: Measurements and Laboratory simulations of the upper DNS Hierarchy • Tested effect of network delay/loss to the root servers • Extend the tested configurations

  18. Simulation setup

  19. Behavior of DNS Resolvers (2) • Goals • Quantify the load of tested misconfigurations to the root server • Characterize a well-behaved DNS resolver • Patterns of misbehaving DNS resolvers • Plans to test: • Other plausible network configurations • Zone configurations • Lame Delegation • Negative caching • Configurations at resolvers/cachers and zones • Local DNS configurations • Additional configurations from RFC 4697 - Observed DNS Resolution Misbehavior

  20. Other future work • Focus on heavy hitters (> 10 queries/sec) • Interarrival time • Per client • Per prefix/AS • Extract patterns of invalid queries
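
The interarrival-time measurement from slide 13 and the heavy-hitter threshold from slide 20, as an added example that is not part of the original presentation. Assumptions: the record layout and the constructed sample data, "same query" meaning same client plus (name, type, class), and rate measured as a client's mean rate over its active span.

```python
from collections import defaultdict

HEAVY_HITTER_QPS = 10.0  # threshold from the slides: > 10 queries/sec

# Constructed sample records: (unix_time, client_ip, qname, qtype, qclass).
# 192.0.2.10 repeats one query every 50 ms; 198.51.100.7 is low-rate.
SAMPLE = [(1000.0 + 0.05 * i, "192.0.2.10", "Example.COM.", "A", "IN")
          for i in range(41)]
SAMPLE += [
    (1000.0, "198.51.100.7", "a.example.net.", "A", "IN"),
    (1001.0, "198.51.100.7", "a.example.net.", "AAAA", "IN"),
    (1002.0, "198.51.100.7", "a.example.net.", "A", "IN"),
]

def interarrival_times(records):
    """Gaps in seconds between consecutive identical queries.

    Assumption: 'identical' means same client and same (name, type, class).
    Names are lower-cased because DNS names compare case-insensitively.
    """
    last_seen = {}
    gaps = defaultdict(list)
    for ts, client, qname, qtype, qclass in sorted(records):
        key = (client, qname.lower(), qtype, qclass)
        if key in last_seen:
            gaps[key].append(ts - last_seen[key])
        last_seen[key] = ts
    return dict(gaps)

def heavy_hitters(records, threshold=HEAVY_HITTER_QPS):
    """Clients whose mean query rate over their active span exceeds threshold."""
    times = defaultdict(list)
    for ts, client, *_ in records:
        times[client].append(ts)
    result = {}
    for client, ts_list in times.items():
        span = max(ts_list) - min(ts_list)
        if span <= 0:  # one query, or all at one timestamp: rate undefined
            continue
        rate = (len(ts_list) - 1) / span  # intervals per second
        if rate > threshold:
            result[client] = rate
    return result

if __name__ == "__main__":
    for key, g in interarrival_times(SAMPLE).items():
        print(key, "repeats:", len(g), "min gap: %.3fs" % min(g))
    print("heavy hitters:", heavy_hitters(SAMPLE))
```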

  21. Thank you
