
Identifying DNS heavy hitters in root servers data
Minas Gjoka
CAIDA, University of California, Irvine
Motivation/Goals

The percentage of invalid traffic at the roots is huge (~98%). Anycast deployment alleviates the problem, but at extra cost.

Goals
• Characterize the sources of invalid traffic.
• Identify solutions that could reduce traffic in the components of the DNS architecture.
Categorization of generated invalid traffic (diagram; category labels recovered from the slide):
• Implementation errors
• Misconfiguration: zone level, network level
• Local DNS, DNS cache resolvers, other
• Malicious activity: attacks, reconnaissance, fast flux
• DNS stub resolvers
• Monitors
• IPv6 deployment
• Probers
Results and work in progress
• Blacklists
• Interarrival time
• Behavioral analysis
• Future work

Blacklists & DNS traffic

Do the prefixes/ASes which contain the IPs listed in DNSRBLs also contribute unwanted DNS traffic?
• Misconfiguration
• Malicious activity
Historical data from blacklists

Spamhaus*
• XBL: IPs of hijacked PCs infected by illegal third-party exploits
• SBL: IPs of spam sources and spam operations
• PBL: IP space assigned to broadband/ADSL customers

UCEProtect*
• IPs of spam sources

DShield*
• Firewall logs: top 10000 IPs

* made available to us by Athina Markopoulou
Testing for correlation

Rank BGP prefixes/ASes by:
• IPs present in a blacklist
• IPs or aggregated queries from the DNS DITL data
• Increasing IP address space order
[Figures: Spamhaus XBL ranked by IPs in blacklist; Spamhaus XBL ranked by DNS queries to roots; DNS roots vs Spamhaus XBL, cumulative fraction of IPs]
What about the other blacklists?

Spam (Spamhaus SBL / UCEProtect): similar output at the BGP prefix/AS aggregation level.
Trying out other aggregation levels also.
Another use of DNSRBL

Spamhaus PBL contains IP ranges assigned to broadband/ADSL customers.
• Participating ISPs
• Spamhaus seeded it with the NJABL/dynablock zone

Of the DNS clients sending requests to the root, 10%-44% belong to the PBL-advertised ranges, i.e. up to 44% of the sources are broadband/ADSL customers.
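The prefix-level ranking test described under "Testing for correlation" and the PBL membership check above, as an added example (not CAIDA's code). Clients and blacklist entries are mapped to their most specific covering prefix, prefixes are ranked by blacklisted-IP count and by query volume, and the cumulative share of root queries sent from the top-k blacklist-ranked prefixes is computed; the same lookup gives the fraction of clients inside PBL ranges. The prefix table, the XBL-style listing, the PBL ranges and the per-client query counts are all constructed and hypothetical; the real inputs would be a BGP RIB, the DNSRBL dumps and the DITL captures.

```python
"""Correlate blacklisted IPs with root-server query volume per BGP prefix.

Added example, not CAIDA's code. All inputs below are constructed and hypothetical.
"""
import ipaddress
from collections import Counter

# Constructed stand-in for a BGP prefix table (hypothetical).
PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "10.1.0.0/16", "192.0.2.0/24",
    "198.51.100.0/24", "203.0.113.0/24",
)]
# Constructed stand-in for PBL "broadband/dynamic" ranges (hypothetical).
PBL_RANGES = [ipaddress.ip_network(p) for p in ("10.1.0.0/16", "203.0.113.0/24")]
# Constructed stand-in for an XBL-style listing of infected hosts (hypothetical).
BLACKLIST = ["10.1.2.3", "10.1.2.4", "10.1.9.9", "192.0.2.7", "192.0.2.8",
             "203.0.113.5"]
# Constructed per-client query counts as seen at one root instance (hypothetical).
DNS_QUERIES = {
    "10.1.2.3": 4000, "10.1.200.1": 2000,   # both inside 10.1.0.0/16
    "10.9.9.9": 1000,                        # covered only by 10.0.0.0/8
    "192.0.2.7": 1500, "198.51.100.1": 200,
    "203.0.113.5": 500, "203.0.113.6": 500,
    "100.64.0.1": 300,                       # no covering prefix (unrouted)
}


def longest_prefix(ip, prefixes=PREFIXES):
    """Most specific prefix covering ip, or None: this is the aggregation key."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net in prefixes:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def rank_prefixes_by_blacklist(blacklist=BLACKLIST):
    """Prefixes ordered by how many listed IPs they contain (most first)."""
    counts = Counter()
    for ip in blacklist:
        net = longest_prefix(ip)
        if net is not None:
            counts[net] += 1
    return [net for net, _ in counts.most_common()]


def queries_per_prefix(queries=DNS_QUERIES):
    """Counter of root queries attributed to each prefix (unrouted clients dropped)."""
    counts = Counter()
    for ip, n in queries.items():
        net = longest_prefix(ip)
        if net is not None:
            counts[net] += n
    return counts


def cumulative_query_fraction(k, blacklist=BLACKLIST, queries=DNS_QUERIES):
    """Share of all root queries sent from the k prefixes ranking highest by
    blacklisted IPs. Rising quickly with k means blacklist-heavy prefixes are
    also query-heavy; tracking the address-space-order curve means they are not."""
    per_prefix = queries_per_prefix(queries)
    top = rank_prefixes_by_blacklist(blacklist)[:k]
    return sum(per_prefix[net] for net in top) / sum(queries.values())


def pbl_share(queries=DNS_QUERIES, ranges=PBL_RANGES):
    """(fraction of clients, fraction of queries) falling inside PBL-listed ranges."""
    inside = {ip: n for ip, n in queries.items()
              if longest_prefix(ip, ranges) is not None}
    return len(inside) / len(queries), sum(inside.values()) / sum(queries.values())


if __name__ == "__main__":
    for k in range(1, 4):
        print(f"top-{k} blacklist prefixes send {cumulative_query_fraction(k):.0%} of queries")
    clients, qs = pbl_share()
    print(f"PBL ranges: {clients:.0%} of clients, {qs:.0%} of queries")
```

The linear scan in longest_prefix is fine for a toy table; on a full RIB a radix tree (e.g. a py-radix style lookup) replaces it, and the per-AS variant simply maps each prefix to its origin AS before counting. Note that the PBL share is reported both by client count and by query count, since the slide's 10%-44% figure depends on which of the two is meant.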
Characteristics of invalid queries

Identical, repeated and referral-not-cached invalid queries constitute 73% of the queries in DITL 2008.
Calculate the interarrival time between receipts of the same query (domain name, type, class).

[Figure: interarrival time of identical/repeated/referral-not-cached queries]

Requested zone names, aggregated. Aggregation example:
a.b.c.d.e.com. -> c.d.e.com.
Top-10 most requested (aggregated) query names

Requested query name      Percentage
com                       19.66
net                       17.26
dynamic.163data.com.cn     3.68
165.222.in-addr.arpa       3.67
240.124.in-addr.arpa       1.95
org                        1.56
de                         1.38
edu                        1.38
ru                         1.10
.                          0.89
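The name aggregation and interarrival-time computation from the two preceding slides, plus the >10 queries/sec heavy-hitter threshold named later under future work, as an added example (not the slides' code). It parses a small constructed query log, collapses each name to its rightmost four labels (the label count is inferred from the slide's a.b.c.d.e.com. -> c.d.e.com. example and is an assumption), tabulates the top names with percentages, computes the gaps between consecutive arrivals of the same (name, type, class), and flags clients whose average rate over their own active window exceeds the threshold. The log format and the rate definition are assumptions.

```python
"""Aggregate query names, compute interarrival times, flag heavy hitters.

Added example, not the slides' code. The log format, the keep-4-labels rule and
the rate definition are assumptions; the log lines are constructed.
"""
from collections import Counter, defaultdict

# Constructed sample of queries seen at a root server (hypothetical format):
# "<unix time> <client ip> <qname> <qtype> <qclass>"
LOG = """\
1000.000 10.1.2.3 a.b.c.d.e.com. A IN
1000.010 10.1.2.3 a.b.c.d.e.com. A IN
1000.020 10.1.2.3 a.b.c.d.e.com. A IN
1000.300 10.1.2.3 www.example.net. A IN
1001.000 192.0.2.7 5.4.165.222.in-addr.arpa. PTR IN
1003.000 192.0.2.7 5.4.165.222.in-addr.arpa. PTR IN
1001.200 203.0.113.5 . NS IN
"""


def parse(log=LOG):
    """Rows of (time, client, qname, qtype, qclass), sorted by time because
    interarrival times assume time order and capture files may interleave."""
    rows = []
    for line in log.splitlines():
        ts, client, qname, qtype, qclass = line.split()
        rows.append((float(ts), client, qname.lower(), qtype, qclass))
    rows.sort()
    return rows


def aggregate_name(qname, keep=4):
    """Collapse a name to its rightmost `keep` labels: a.b.c.d.e.com. -> c.d.e.com
    (keep=4 is inferred from the slide's example; the root itself stays '.')."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    if not labels:
        return "."
    return ".".join(labels[-keep:])


def top_names(rows, n=10):
    """Top-n aggregated names with their percentage of all queries."""
    counts = Counter(aggregate_name(r[2]) for r in rows)
    total = len(rows)
    return [(name, round(100.0 * c / total, 2)) for name, c in counts.most_common(n)]


def interarrival(rows):
    """Seconds between consecutive arrivals of the same (qname, qtype, qclass).
    Sub-second repeats of an identical query are the signature of a resolver
    requerying without honouring the cache."""
    last = {}
    gaps = defaultdict(list)
    for ts, _client, qname, qtype, qclass in rows:
        key = (qname, qtype, qclass)
        if key in last:
            gaps[key].append(round(ts - last[key], 3))
        last[key] = ts
    return dict(gaps)


def heavy_hitters(rows, threshold_qps=10.0):
    """Clients whose average rate over their own active window exceeds the
    threshold. A client seen once has no window and is never flagged; over a
    short burst the rate is noisy, so production code would use a fixed bin."""
    first, last, count = {}, {}, Counter()
    for ts, client, *_ in rows:
        first.setdefault(client, ts)
        last[client] = ts
        count[client] += 1
    flagged = {}
    for client, n in count.items():
        span = last[client] - first[client]
        if span > 0 and n / span > threshold_qps:
            flagged[client] = round(n / span, 2)
    return flagged


if __name__ == "__main__":
    rows = parse()
    for name, pct in top_names(rows):
        print(f"{name:30s} {pct:6.2f}")
    for key, gaps in interarrival(rows).items():
        print(key, gaps)
    print("heavy hitters:", heavy_hitters(rows))
```

On the constructed log the aggregation reproduces the 165.222.in-addr.arpa form seen in the table above, the identical A queries from 10.1.2.3 show 10 ms gaps, and that client is the only one above 10 queries/sec. The per-prefix/AS variant of the rate check reuses the prefix lookup rather than the client address as the key.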
Why? Possible explanations:
• Aggressive requerying for delegation information
• Ingress filtering
• Poorly configured or maintained zones
Behavior of DNS resolvers

Wessels et al.: Measurements and Laboratory Simulations of the Upper DNS Hierarchy
• Tested the effect of network delay/loss to the root servers
• This work extends the tested configurations
Simulation setup (figure; labels recovered): lab Root, TLD and SLD servers; a DNS client; resolvers under test: Unbound, Windows 2K/2003, MaraDNS, BIND 4/8/9, PowerDNS, DJBDNS
Behavior of DNS resolvers (2)

Goals
• Quantify the load that the tested misconfigurations place on the root server
• Characterize a well-behaved DNS resolver
• Identify patterns of misbehaving DNS resolvers

Plans to test:
• Other plausible network configurations
• Zone configurations: negative caching, lame delegation
• Configurations at resolvers/cachers and zones
• Local DNS configurations
• Additional configurations from RFC 4697 (Observed DNS Resolution Misbehavior)
Other future work

• Focus on heavy hitters (>10 queries/sec)
• Interarrival time per client and per prefix/AS
• Extract patterns of invalid queries
Thank you