Identifying DNS heavy hitters in root servers data
Minas Gjoka
CAIDA, University of California, Irvine

Post on 17-Jan-2016


Motivation/Goals

Motivation
• The percentage of invalid traffic at the roots is huge (~98%).
• Anycast deployment alleviates the problem, at extra cost.

Goals
• Characterize the sources of invalid traffic.
• Identify solutions that could reduce traffic in the components of the DNS architecture.

Categorization of generated invalid traffic

Misconfiguration
• Zone level
• Network level
• Local DNS

Implementation errors
• DNS cache resolvers
• DNS stub resolvers

Malicious activity
• Attacks
• Fast flux

Other
• Monitors
• Probers
• IPv6 deployment
• Reconnaissance

Results and work in progress

• Blacklists
• Interarrival time
• Behavioral analysis
• Future work

Blacklists & DNS traffic

Question: do the prefixes/ASes that contain IPs listed in DNSRBLs also contribute unwanted DNS traffic? This covers two of the categories above: misconfiguration and malicious activity.

Historical data from blacklists*
• Spamhaus
  XBL: IPs of hijacked PCs infected by illegal third-party exploits
  SBL: IPs of spam sources and spam operations
  PBL: IP space assigned to broadband/ADSL customers
• UCEProtect: IPs of spam sources
• DShield: firewall logs, top 10000 IPs

* made available to us by Athina Markopoulou

Testing for correlation

• Rank BGP prefixes/ASes by two measures: the number of their IPs present in the blacklist, and the queries aggregated from the DNS DITL data.
• Prefixes/ASes are plotted in increasing IP address space order.

[Figures: Spamhaus XBL ranked by IPs in blacklist; Spamhaus XBL ranked by DNS queries to roots; DNS roots vs Spamhaus XBL, cumulative fraction of IPs]

What about the other blacklists?

• Spam lists (Spamhaus SBL, UCEProtect): similar output at the BGP prefix/AS aggregation level.
• Trying out other aggregation levels also.

Another use of DNSRBL

Spamhaus PBL contains IP ranges assigned to broadband/ADSL customers (listed by participating ISPs; Spamhaus seeded it with the NJABL/dynablock zone).

Of the DNS clients sending requests to the root, 10%-44% belong to the PBL advertised ranges, i.e. up to 44% of the sources are broadband/ADSL customers.
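The ranking on the "Testing for correlation" slide and the PBL membership check above, as an added Python illustration (this is not CAIDA's code, and it runs on a constructed toy prefix table, blacklist and query counts rather than on DITL or Spamhaus data): each client IP is mapped to its covering BGP prefix by longest-prefix match, prefixes are ranked once by listed IPs and once by root-query volume, the two rankings are compared with a Spearman rank correlation, and the share of clients inside PBL-style ranges is computed. All prefixes, ASNs and counts below are assumptions.

```python
"""Rank BGP prefixes by blacklisted IPs vs. by root-server query volume.

Added illustration; not CAIDA's code. The prefix table, blacklist, PBL
ranges and query counts are constructed toy data, not DITL or Spamhaus data.
"""
import ipaddress
from collections import Counter

# Constructed BGP prefix table: (prefix, origin ASN). Hypothetical values.
BGP_TABLE = [
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64501),
    ("198.51.100.128/25", 64502),   # more-specific: longest match must win
    ("203.0.113.0/24", 64503),
    ("100.64.0.0/22", 64504),
]

# Constructed blacklist (stands in for an XBL-style list of infected hosts).
BLACKLIST = ["192.0.2.10", "192.0.2.11", "192.0.2.12",
             "198.51.100.200", "198.51.100.201", "203.0.113.5"]

# Constructed PBL-style dynamic/broadband ranges.
PBL_RANGES = ["100.64.0.0/22", "198.51.100.128/25"]

# Constructed aggregated root queries: (client IP, query count).
QUERIES = [("192.0.2.10", 5000), ("192.0.2.77", 1200), ("198.51.100.200", 900),
           ("198.51.100.5", 300), ("203.0.113.5", 80), ("100.64.1.9", 40),
           ("100.64.2.3", 10)]


def build_table(entries):
    """Parse prefixes and sort longest-first so the first hit is the longest match."""
    table = [(ipaddress.ip_network(p), asn) for p, asn in entries]
    return sorted(table, key=lambda e: e[0].prefixlen, reverse=True)


def longest_match(table, ip):
    """Return (prefix, asn) of the most specific covering prefix, or None."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return str(net), asn
    return None


def rank_prefixes(table, blacklist, queries):
    """Rank prefixes by (a) number of listed IPs and (b) total root queries.

    Returns two lists of prefix strings, each ordered heaviest to lightest;
    ties are broken by prefix string so the order is deterministic.
    """
    bl_count = Counter()
    for ip in blacklist:
        hit = longest_match(table, ip)
        if hit:
            bl_count[hit[0]] += 1
    q_count = Counter()
    for ip, n in queries:
        hit = longest_match(table, ip)
        if hit:
            q_count[hit[0]] += n
    prefixes = [str(net) for net, _ in table]
    by_bl = sorted(prefixes, key=lambda p: (-bl_count[p], p))
    by_q = sorted(prefixes, key=lambda p: (-q_count[p], p))
    return by_bl, by_q


def spearman(rank_a, rank_b):
    """Spearman rank correlation between two orderings of the same items (no ties)."""
    pos_b = {item: i for i, item in enumerate(rank_b)}
    n = len(rank_a)
    d2 = sum((i - pos_b[item]) ** 2 for i, item in enumerate(rank_a))
    return 1 - 6 * d2 / (n * (n * n - 1))


def pbl_fraction(clients, pbl_ranges):
    """Fraction of client IPs that fall inside PBL-style dynamic ranges."""
    nets = [ipaddress.ip_network(r) for r in pbl_ranges]
    inside = sum(1 for ip in clients
                 if any(ipaddress.ip_address(ip) in n for n in nets))
    return inside / len(clients)


if __name__ == "__main__":
    table = build_table(BGP_TABLE)
    by_bl, by_q = rank_prefixes(table, BLACKLIST, QUERIES)
    print("by blacklisted IPs:", by_bl)
    print("by root queries:   ", by_q)
    print("spearman:", spearman(by_bl, by_q))
    print("clients in PBL ranges:", pbl_fraction([ip for ip, _ in QUERIES], PBL_RANGES))
```

The same functions work per AS instead of per prefix by keying the counters on the ASN returned by longest_match rather than on the prefix string; on the toy data the two rankings agree on the top two prefixes and give a Spearman coefficient of 0.7.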

Characteristics of invalid queries

Identical, repeated and referral-not-cached invalid queries constitute 73% of the queries in DITL 2008.

Calculate the interarrival time between receptions of the same query (domain name, type, class).

[Figure: interarrival time, identical/repeated/referral-not-cached]

Requested zone names are aggregated. Aggregation example: a.b.c.d.e.com. → c.d.e.com.

Top-10 most requested

Requested query name       Percentage
com                             19.66
net                             17.26
dynamic.163data.com.cn           3.68
165.222.in-addr.arpa             3.67
240.124.in-addr.arpa             1.95
org                              1.56
de                               1.38
edu                              1.38
ru                               1.10
.                                0.89
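The interarrival computation and name aggregation behind the slides above, as an added Python illustration (not the code used for the DITL analysis). It runs on a constructed nine-line trace in a simplified "timestamp client qname qtype qclass" format rather than on DITL captures, and it assumes the aggregation keeps the trailing four labels of a name, which is what the a.b.c.d.e.com. → c.d.e.com. example and the four-label entries in the table suggest; the trace contents and the four-label rule are assumptions.

```python
"""Interarrival times of identical root queries and zone-name aggregation.

Added illustration, not the code behind the slides. The trace below is a
constructed, simplified text format (epoch_seconds client qname qtype qclass),
not DITL pcap data.
"""
from collections import defaultdict, Counter

# Constructed trace. The first client re-sends one query four times in under a
# second, which is the "identical/repeated" pattern the slides measure.
TRACE = """\
1.000 192.0.2.10 www.a.b.c.d.e.com. A IN
1.050 192.0.2.10 www.a.b.c.d.e.com. A IN
1.100 192.0.2.10 www.a.b.c.d.e.com. A IN
1.700 192.0.2.10 www.a.b.c.d.e.com. A IN
2.000 198.51.100.5 host.dynamic.163data.com.cn. A IN
2.200 198.51.100.5 host.dynamic.163data.com.cn. A IN
3.000 203.0.113.5 9.8.165.222.in-addr.arpa. PTR IN
4.000 203.0.113.5 example.com. A IN
5.000 203.0.113.5 . NS IN
"""


def parse_trace(text):
    """Parse the constructed trace into (ts, client, qname, qtype, qclass) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, qclass = line.split()
        # DNS names are case-insensitive, so normalise before keying on them.
        records.append((float(ts), client, qname.lower(), qtype, qclass))
    return records


def interarrival_times(records):
    """Gaps (seconds) between consecutive identical queries from the same client.

    Key is (client, qname, qtype, qclass): the slide's "same query" definition,
    scoped per client. A key seen only once produces no gap and is absent.
    """
    last = {}
    gaps = defaultdict(list)
    for ts, client, qname, qtype, qclass in sorted(records, key=lambda r: r[0]):
        key = (client, qname, qtype, qclass)
        if key in last:
            gaps[key].append(round(ts - last[key], 6))
        last[key] = ts
    return dict(gaps)


def aggregate_name(qname, keep_labels=4):
    """Collapse a query name to its trailing labels (assumed four here).

    a.b.c.d.e.com. -> c.d.e.com ; com. -> com ; the root "." stays ".".
    """
    labels = [l for l in qname.rstrip(".").split(".") if l]
    if not labels:
        return "."
    return ".".join(labels[-keep_labels:])


def top_aggregated(records, n=10):
    """Top-n aggregated names as (name, percentage of all queries), like the table."""
    counts = Counter(aggregate_name(r[2]) for r in records)
    total = sum(counts.values())
    return [(name, round(100.0 * c / total, 2)) for name, c in counts.most_common(n)]


if __name__ == "__main__":
    recs = parse_trace(TRACE)
    for key, gaps in interarrival_times(recs).items():
        print(key, gaps)
    for name, pct in top_aggregated(recs):
        print(f"{name:30s} {pct:6.2f}")
```

On the constructed trace the repeated query from 192.0.2.10 yields gaps of 0.05, 0.05 and 0.6 seconds, and the aggregated top entry is c.d.e.com at 44.44% of queries; on real DITL data the per-key gap lists are what the interarrival-time histogram on the slide is drawn from.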

Why?

Possible explanations:

• Aggressive requerying for delegation information

• Ingress filtering

• Poorly configured or maintained zones

Behavior of DNS Resolvers

Wessels et al., "Measurements and Laboratory Simulations of the Upper DNS Hierarchy", tested the effect of network delay/loss to the root servers. This work extends the tested configurations.

Simulation setup
• Resolvers under test: Windows 2000/2003, BIND 4/8/9, DJBDNS, PowerDNS, MaraDNS, Unbound
• Simulated hierarchy: Root, TLD, SLD
• A DNS client driving the resolver

Behavior of DNS Resolvers (2)

Goals
• Quantify the load that the tested misconfigurations place on the root server
• Characterize a well-behaved DNS resolver
• Identify patterns of misbehaving DNS resolvers

Plans to test
• Other plausible network configurations
• Zone configurations: lame delegation, negative caching
• Configurations at resolvers/cachers and zones; local DNS configurations
• Additional configurations from RFC 4697, "Observed DNS Resolution Misbehavior"

Other future work

• Focus on heavy hitters (>10 queries/sec)
• Interarrival time per client and per prefix/AS
• Extract patterns of invalid queries

Thank you
