Identifying DNS heavy hitters in root servers data
Minas Gjoka
CAIDA, University of California, Irvine
Motivation/Goals
• The percentage of invalid traffic is huge (~98%).
• Anycast deployment alleviates the problem, at extra cost.
• Goals:
  • Characterize the sources of invalid traffic.
  • Identify solutions that could reduce traffic in the components of the DNS architecture.
Results and work in progress
• Blacklists
• Interarrival time
• Behavioral analysis
• Future work
Blacklists & DNS traffic
• Do the prefixes/ASes which contain the IPs listed in DNSRBLs also contribute unwanted DNS traffic?
  • Misconfiguration
  • Malicious activity
Historical data from blacklists
• Spamhaus*
  • XBL – IPs of hijacked PCs infected by illegal 3rd-party exploits
  • SBL – IPs of spam sources and spam operations
  • PBL – IP space assigned to broadband/ADSL customers
• UCEProtect*
  • IPs of spam sources
• DShield*
  • Firewall logs – top 10000 IPs
* made available to us by Athina Markopoulou
Testing for correlation
• Rank BGP prefixes/ASes by:
  • IPs present in a blacklist
  • IPs or aggregated queries from DNS DITL data
  • Increasing IP address space order
What about the other blacklists?
• Spam – Spamhaus SBL/UCEProtect
  • Similar output at the BGP prefix/AS aggregation level
  • Trying out other aggregation levels also
Another use of DNSRBL
• Spamhaus PBL contains IP ranges assigned to broadband/ADSL customers.
  • Participating ISPs
  • Spamhaus seeded with the NJABL/dynablock zone
• DNS clients sending requests to the root
  • 10%-44% belong to the PBL-advertised ranges
Up to 44% of the sources are broadband/ADSL customers.
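The two preceding slides (ranking prefixes by blacklist membership versus by root-server query volume, and measuring how many DNS sources fall inside PBL ranges) can be carried out with a few lines of Python. The following is an added example, not code from the slides or from CAIDA: the prefixes, blacklist entries, query counts and PBL ranges are constructed sample data, longest-prefix matching stands in for a real BGP table lookup, and the correlation is a Spearman rank correlation with tied ranks averaged.

```python
"""Added example (not from the original slides): rank BGP prefixes by the
number of blacklisted IPs they contain and by the DNS queries they send to
the root, then test whether the two rankings correlate. All data below is
constructed sample data standing in for a RIB, a DNSRBL dump, DITL query
counts and PBL-advertised ranges."""
import ipaddress
from collections import Counter

# Constructed routing table: a few prefixes standing in for a real BGP RIB.
PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/16", "10.1.0.0/16", "172.16.0.0/12",
    "192.168.0.0/24", "203.0.113.0/24")]

# Constructed blacklist entries (think Spamhaus XBL/SBL or DShield top sources).
BLACKLIST = ["10.0.1.5", "10.0.9.77", "10.0.3.3", "172.20.4.4", "203.0.113.9",
             "203.0.113.10", "203.0.113.11", "192.168.0.2"]

# Constructed per-source query counts, as would be aggregated from DITL traces.
QUERIES = {"10.0.1.5": 5000, "10.0.2.8": 1200, "172.17.0.1": 300,
           "203.0.113.9": 9000, "203.0.113.44": 2500, "192.168.0.2": 40,
           "10.1.7.7": 10}

# Constructed PBL-style ranges (dynamic/broadband address space).
PBL_RANGES = [ipaddress.ip_network(p) for p in ("10.0.0.0/16", "203.0.113.0/24")]


def prefix_of(ip, prefixes):
    """Longest-prefix match of an IP against the prefix list; None if unrouted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net in prefixes:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def aggregate(items, prefixes, weights=None):
    """Per-prefix totals: one per IP, or the IP's weight (e.g. query count)."""
    totals = Counter()
    for ip in items:
        net = prefix_of(ip, prefixes)
        if net is not None:
            totals[net] += 1 if weights is None else weights[ip]
    return totals


def ranks(totals, prefixes):
    """Rank prefixes by descending total; tied prefixes share the average rank."""
    ordered = sorted(prefixes, key=lambda n: -totals.get(n, 0))
    result, i = {}, 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and totals.get(ordered[j + 1], 0) == totals.get(ordered[i], 0):
            j += 1
        avg_rank = (i + j) / 2 + 1
        for net in ordered[i:j + 1]:
            result[net] = avg_rank
        i = j + 1
    return result


def spearman(rank_a, rank_b):
    """Spearman rank correlation: Pearson correlation of the two rank vectors."""
    keys = list(rank_a)
    n = len(keys)
    mean_a = sum(rank_a[k] for k in keys) / n
    mean_b = sum(rank_b[k] for k in keys) / n
    cov = sum((rank_a[k] - mean_a) * (rank_b[k] - mean_b) for k in keys)
    var_a = sum((rank_a[k] - mean_a) ** 2 for k in keys)
    var_b = sum((rank_b[k] - mean_b) ** 2 for k in keys)
    return cov / (var_a * var_b) ** 0.5


def blacklist_vs_dns_correlation():
    """Correlate the blacklist ranking with the root-query-volume ranking."""
    by_blacklist = aggregate(BLACKLIST, PREFIXES)
    by_queries = aggregate(QUERIES, PREFIXES, QUERIES)
    return spearman(ranks(by_blacklist, PREFIXES), ranks(by_queries, PREFIXES))


def pbl_fraction(sources, pbl_ranges):
    """Fraction of DNS client addresses that fall in PBL-advertised ranges."""
    inside = sum(1 for ip in sources
                 if any(ipaddress.ip_address(ip) in net for net in pbl_ranges))
    return inside / len(sources)


if __name__ == "__main__":
    print(f"Spearman rho (blacklist vs. DNS volume): {blacklist_vs_dns_correlation():.3f}")
    print(f"Share of DNS sources in PBL ranges: {pbl_fraction(list(QUERIES), PBL_RANGES):.1%}")
```

On the constructed data the two rankings agree closely (rho about 0.95) and 4 of the 7 query sources sit in PBL space; with real DITL data the interesting cases are the prefixes that rank high on one axis and low on the other, which is where misconfiguration rather than malicious activity tends to show up.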
Characteristics of invalid queries
• Identical, repeated and referral-not-cached invalid queries constitute 73% of the queries in DITL 2008.
• Calculate the interarrival time between receipts of the same query (domain name, type, class).
Requested zone names, aggregated
• Aggregation example: a.b.c.d.e.com. → c.d.e.com.
Top-10 most requested: why?
• Possible explanations:
  • Aggressive requerying for delegation information
  • Ingress filtering
  • Poorly configured or maintained zones
Behavior of DNS Resolvers
• Wessels et al.: Measurements and Laboratory Simulations of the Upper DNS Hierarchy
  • Tested the effect of network delay/loss to the root servers
• Extend the tested configurations
Behavior of DNS Resolvers (2)
• Goals
  • Quantify the load that the tested misconfigurations place on the root server
  • Characterize a well-behaved DNS resolver
  • Patterns of misbehaving DNS resolvers
• Plans to test:
  • Other plausible network configurations
  • Zone configurations
    • Lame delegation
    • Negative caching
  • Configurations at resolvers/caches and zones
    • Local DNS configurations
  • Additional configurations from RFC 4697 - Observed DNS Resolution Misbehavior
Other future work
• Focus on heavy hitters (>10 queries/sec)
  • Interarrival time
    • Per client
    • Per prefix/AS
• Extract patterns of invalid queries
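As an added example of the heavy-hitter focus described on this slide (not code from the presentation), the following flags sources that exceed the >10 queries/sec threshold at two aggregation levels and computes per-client interarrival times. Fixed /24 prefixes are used as an assumption in place of BGP prefixes or ASes, and the query stream is constructed so that one host is a heavy hitter by itself while another /24 only crosses the threshold in aggregate.

```python
"""Added example (not from the original slides): flag heavy hitters, i.e.
sources sending more than THRESHOLD_QPS queries in a one-second bucket,
per client and per prefix, plus per-client interarrival times. /24
aggregation is an assumption standing in for BGP prefix/AS aggregation;
the query stream is constructed sample data."""
import ipaddress
from collections import Counter, defaultdict

THRESHOLD_QPS = 10  # heavy-hitter threshold from the slide


def constructed_stream():
    """Constructed (timestamp, client) pairs: one chatty host, one busy /24, one quiet host."""
    stream = []
    # 10.0.1.5 sends 12 queries within one second: a heavy hitter on its own.
    stream += [(1200000000.0 + i * 0.05, "10.0.1.5") for i in range(12)]
    # Three hosts in 203.0.113.0/24 send 4 each in the same second: only the
    # prefix, not any single host, crosses the threshold.
    for host in ("203.0.113.9", "203.0.113.10", "203.0.113.11"):
        stream += [(1200000005.0 + i * 0.2, host) for i in range(4)]
    # A quiet host: one query every five seconds.
    stream += [(1200000000.0 + i * 5.0, "192.168.0.2") for i in range(3)]
    return sorted(stream)


def prefix24(ip):
    """Assumed aggregation key: the client's /24 (a BGP prefix or AS lookup would go here)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def peak_rate(stream, key_fn):
    """Highest one-second query count observed for each aggregation key."""
    buckets = Counter()
    for ts, client in stream:
        buckets[(key_fn(client), int(ts))] += 1
    peak = {}
    for (key, _second), count in buckets.items():
        peak[key] = max(peak.get(key, 0), count)
    return peak


def heavy_hitters(stream, key_fn, threshold=THRESHOLD_QPS):
    """Keys whose peak one-second rate exceeds the threshold, sorted."""
    return sorted(key for key, rate in peak_rate(stream, key_fn).items() if rate > threshold)


def per_client_interarrival(stream):
    """Gaps between successive queries from each client, in seconds."""
    last, gaps = {}, defaultdict(list)
    for ts, client in stream:
        if client in last:
            gaps[client].append(round(ts - last[client], 3))
        last[client] = ts
    return dict(gaps)


if __name__ == "__main__":
    stream = constructed_stream()
    print("per client :", heavy_hitters(stream, lambda client: client))
    print("per /24    :", heavy_hitters(stream, prefix24))
    for client, gaps in per_client_interarrival(stream).items():
        print(client, "median gap", sorted(gaps)[len(gaps) // 2])
```

The per-client view catches 10.0.1.5 only; the per-prefix view also surfaces 203.0.113.0/24, whose hosts are individually below the threshold. That difference is the reason the slide lists both per-client and per-prefix/AS interarrival analysis: a misconfigured resolver farm or a NATed customer population looks unremarkable host by host.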