Page 1
Identifying DNS heavy hitters in root servers data
Minas Gjoka
CAIDA, University of California, Irvine
Page 2
Motivation/Goals
The percentage of invalid traffic is huge (~98%). Anycast deployment alleviates the problem, at extra cost.
Goals:
• Characterize the sources of invalid traffic.
• Identify solutions that could reduce traffic in the components of the DNS architecture.
Page 3
Categorization of generated invalid traffic
• Misconfiguration: zone level, network level, local DNS
• Implementation errors: DNS cache resolvers, DNS stub resolvers
• Malicious activity: attacks, fast flux
• Other: monitors, probers, IPv6 deployment, reconnaissance
Page 4
Results and work in progress
• Blacklists
• Interarrival time
• Behavioral analysis
• Future work
Page 5
Blacklists & DNS traffic
Do the prefixes/ASes which contain the IPs listed in DNSRBLs also contribute unwanted DNS traffic?
• Misconfiguration
• Malicious activity
Page 6
Historical data from blacklists
• Spamhaus*: XBL – IPs of hijacked PCs infected by illegal 3rd-party exploits; SBL – IPs of spam sources and spam operations; PBL – IP space assigned to broadband/ADSL customers.
• UCEProtect*: IPs of spam sources
• DShield*: firewall logs – top 10000 IPs
* made available to us by Athina Markopoulou
Page 7
Testing for correlation
Rank BGP prefixes/ASes by:
• IPs present in the blacklist
• IPs or aggregated queries from the DNS DITL data
• Increasing IP address space order (baseline)
Page 8
Spamhaus XBL: ranked by IPs in blacklist
Page 9
Spamhaus XBL: ranked by DNS queries to roots
Page 10
DNS roots vs Spamhaus XBL: cumulative fraction of IPs
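The correlation test on pages 7 to 10, as an added example that is not part of the slides: prefixes are ranked by blacklisted IPs and by address order, and for each ranking the cumulative share of root queries covered by the top-k prefixes is computed. The prefix table, blacklist and query counts are constructed sample data; an IP-to-AS map in place of PREFIXES gives the AS-level aggregation.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for a BGP routing table (four prefixes).
PREFIXES = [ipaddress.ip_network(p) for p in
            ("10.0.0.0/8", "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

def prefix_of(ip):
    """Longest-prefix match of ip against PREFIXES; None if unrouted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net in PREFIXES:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best

def aggregate(items):
    """items: iterable of (ip, weight). Returns a Counter keyed by prefix."""
    agg = Counter()
    for ip, weight in items:
        net = prefix_of(ip)
        if net is not None:
            agg[net] += weight
    return agg

def cumulative_fraction(rank_by, measure):
    """Rank every prefix by rank_by (descending; ties and unranked prefixes in
    increasing address order) and return the cumulative share of `measure`
    covered by the top k prefixes, for k = 1..n."""
    total = sum(measure.values())
    order = sorted(set(rank_by) | set(measure),
                   key=lambda n: (-rank_by.get(n, 0), int(n.network_address)))
    acc, out = 0, []
    for net in order:
        acc += measure.get(net, 0)
        out.append(acc / total)
    return out

# Constructed blacklist (one unit per listed IP) and per-client root query counts.
BLACKLIST = [(ip, 1) for ip in ("203.0.113.2", "203.0.113.3", "203.0.113.4", "192.0.2.7")]
QUERIES = [("203.0.113.5", 5000), ("203.0.113.9", 3000), ("192.0.2.7", 1500),
           ("10.1.2.3", 500)]

def blacklist_ranking():
    """Share of root queries covered by prefixes ranked on blacklisted IPs."""
    return cumulative_fraction(aggregate(BLACKLIST), aggregate(QUERIES))

def address_order_ranking():
    """Baseline: same measure, prefixes taken in increasing address order."""
    return cumulative_fraction(Counter(), aggregate(QUERIES))
```

A curve that rises much faster for blacklist_ranking() than for address_order_ranking() is the signal the slides look for: blacklisted prefixes also carry a disproportionate share of root queries.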
Page 11
What about the other blacklists?
• Spam – Spamhaus SBL/UCEProtect: similar output at the BGP prefix/AS aggregation level
• Trying out other aggregation levels also.
Page 12
Another use of DNSRBL
Spamhaus PBL contains IP ranges assigned to broadband/ADSL customers (from participating ISPs; Spamhaus seeded it with the NJABL/dynablock zone).
10%-44% of the DNS clients sending requests to the root belong to the PBL-advertised ranges.
Up to 44% of the sources are broadband/ADSL customers.
Page 13
Characteristics of invalid queries
Identical, repeated and referral-not-cached invalid queries constitute 73% in DITL 2008.
Calculate the interarrival time between receipts of the same query (domain name, type, class).
Page 14
Interarrival time: identical/repeated/referral-not-cached
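The interarrival computation of pages 13 and 14, together with the per-client rate behind the heavy-hitter cut on page 20, as an added example that is not part of the slides. Records are constructed DITL-style tuples; the per-client rate is taken over that client's own observed span, which is an assumption of this example.

```python
from collections import defaultdict

# Constructed records: (timestamp in seconds, source IP, qname, qtype, qclass).
RECORDS = [
    (0.00, "192.0.2.10", "example.com.", "A", "IN"),
    (0.05, "192.0.2.10", "example.com.", "A", "IN"),
    (0.10, "192.0.2.10", "EXAMPLE.com.", "A", "IN"),    # case differs, same query
    (0.15, "192.0.2.10", "example.com.", "A", "IN"),
    (1.00, "192.0.2.10", "example.com.", "A", "IN"),
    (0.20, "198.51.100.7", "example.net.", "MX", "IN"),
    (3600.0, "198.51.100.7", "example.net.", "MX", "IN"),
    (0.30, "198.51.100.7", "example.net.", "A", "IN"),   # other type: separate key
] + [(i * 0.01, "203.0.113.1", "com.", "NS", "IN") for i in range(12)]

def interarrival_times(records):
    """(src, qname, qtype, qclass) -> gaps in seconds between identical queries."""
    stamps = defaultdict(list)
    for ts, src, qname, qtype, qclass in records:
        stamps[(src, qname.lower(), qtype, qclass)].append(ts)
    gaps = {}
    for key, times in stamps.items():
        times.sort()
        gaps[key] = [b - a for a, b in zip(times, times[1:])]
    return gaps

def repeated_within(gaps, window):
    """Keys whose identical query was re-sent within `window` seconds."""
    return sorted(k for k, g in gaps.items() if any(d <= window for d in g))

def query_rate(records):
    """Queries per second per client over its observed span (floored at 1 s)."""
    by_src = defaultdict(list)
    for ts, src, *_ in records:
        by_src[src].append(ts)
    return {src: len(t) / max(1.0, max(t) - min(t)) for src, t in by_src.items()}

def heavy_hitters(records, threshold=10.0):
    """Clients above the page-20 cut of >10 queries/sec."""
    return sorted(src for src, r in query_rate(records).items() if r > threshold)
```

Plotting the pooled gap values from interarrival_times() as a CDF reproduces the page-14 view; gaps far below any plausible TTL point at the identical/repeated categories.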
Page 15
Aggregation example
Requested zone name → aggregated
a.b.c.d.e.com. → c.d.e.com.
Page 16
Top-10 most requested
Requested query name      Percentage
com                       19.66
net                       17.26
dynamic.163data.com.cn    3.68
165.222.in-addr.arpa      3.67
240.124.in-addr.arpa      1.95
org                       1.56
de                        1.38
edu                       1.38
ru                        1.10
.                         0.89
Why? Possible explanations:
• Aggressive requerying for delegation information
• Ingress filtering
• Poorly configured or maintained zones
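The name aggregation of page 15 and the top-N table of page 16, as an added example that is not part of the slides. Keeping the rightmost four labels is an assumption read off the a.b.c.d.e.com. → c.d.e.com. example (it also yields the 165.222.in-addr.arpa form in the table); the query list is constructed sample data.

```python
from collections import Counter

def aggregate_name(qname, keep=4):
    """Keep the rightmost `keep` labels of a query name ('.' for the root).
    keep=4 is an assumption taken from the slide's a.b.c.d.e.com. example."""
    labels = [l for l in qname.lower().rstrip(".").split(".") if l]
    if not labels:
        return "."
    return ".".join(labels[-keep:])

def top_requested(qnames, n=10, keep=4):
    """[(aggregated name, percentage of all queries)] for the n most requested."""
    counts = Counter(aggregate_name(q, keep) for q in qnames)
    total = sum(counts.values())
    return [(name, round(100.0 * c / total, 2)) for name, c in counts.most_common(n)]

# Constructed sample of 20 root queries, with in-addr.arpa and root-name cases.
QUERIES = (["a.b.c.d.e.com."] * 3 + ["x.y.z.com."] * 2 + ["www.example.net."] * 5
           + ["5.4.165.222.in-addr.arpa."] * 8 + ["."] * 2)

def sample_table():
    return top_requested(QUERIES)
```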
Page 17
Behavior of DNS resolvers
Wessels et al., "Measurements and Laboratory Simulations of the Upper DNS Hierarchy", tested the effect of network delay/loss to the root servers.
Extend the tested configurations.
Page 18
Simulation setup
Tested resolvers: Windows 2K/2003, BIND 4/8/9, DJBDNS, PowerDNS, MaraDNS, Unbound
Root / TLD / SLD servers
DNS client
Page 19
Behavior of DNS resolvers (2)
Goals:
• Quantify the load of tested misconfigurations on the root server
• Characterize a well-behaved DNS resolver
• Patterns of misbehaving DNS resolvers
Plans to test:
• Other plausible network configurations
• Zone configurations: lame delegation, negative caching
• Configurations at resolvers/cachers and zones
• Local DNS configurations
• Additional configurations from RFC 4697 – Observed DNS Resolution Misbehavior
Page 20
Other future work
• Focus on heavy hitters (>10 queries/sec)
• Interarrival time: per client, per prefix/AS
• Extract patterns of invalid queries
Page 21
Thank you