Behavior of DNS’ Top Talkers, a .com/.net View

Osterweil, Eric; McPherson, Danny; DiBenedetto, Steve; Papadopoulos, Christos; Massey, Dan

doi:10.1007/978-3-642-28537-0_21

Cited by 12 publications

(10 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A small fraction of deployed DNS resolvers are serving the majority of the DNS queries. This observation is consistent with that of prior measurement studies by Pang et al [41] in 2004 and Osterweil et al [38] in 2012. Interestingly, the vast majority of inactive resolvers belong to a European educational institution We subsequently learned that DNS experiments are conducted at these institutions, and speculate that ongoing DNS experiments may be the reason behind the large number of inactive DNS resolvers.…”

Section: A High-level Characteristicssupporting

confidence: 93%

Reexamining DNS From a Global Recursive Resolver Perspective

Gao

Yegneswaran

Jiang³

et al. 2016

IEEE/ACM Trans. Networking

View full text Add to dashboard Cite

The performance and operational characteristics of the Domain Name System (DNS) protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid top-level domains (TLDs). Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as anchor and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i.e., we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.

show abstract

Section: A High-level Characteristicssupporting

confidence: 93%

Reexamining DNS From a Global Recursive Resolver Perspective

Gao

Yegneswaran

Jiang³

et al. 2016

IEEE/ACM Trans. Networking

View full text Add to dashboard Cite

show abstract

“…None queried for ad.doubleclick.net, the most commonly misdirected ad host. Further, the forwarders queried for several thousand host names during the course of a day but the peak query rate observed from any forwarder was 500 queries per minute, which is lower than one would expect from busy resolvers [33]. Finally, the Russian forwarders were busier and exhibited little in the way of diurnal patterns, possibly indicating the diversity of victims around the globe.…”

Section: Malicious Resolversmentioning

confidence: 93%

“…255 Level Domain (TLD) infrastructure, and its instances of the global DNS root zone. Verisign services over a billion DNS queries per day, hosts well over one hundred million domain names, and because of .com's and .net's popularity, one could argue that almost every heavily used DNS resolver will eventually send queries to this infrastructure [33]. Additionally, Verisign's infrastructure is composed of multiple sites around the world and on several continents.…”

Section: Malicious Resolversmentioning

confidence: 99%

“…Additionally, Verisign's infrastructure is composed of multiple sites around the world and on several continents. Thus, DNS resolvers that follow the pinning and polling behavior described in [33] would likely issue portions of their query load to multiple servers, but ultimately pin themselves to the topologically closest site for the bulk of their queries. We examined data taken on October 20th, 2011, prior to the take-down of attack infrastructure.…”

Section: Malicious Resolversmentioning

confidence: 99%

See 1 more Smart Citation

Dissecting ghost clicks

Alrwais

Gerber

Dunn

et al. 2012

Proceedings of the 28th Annual Computer Security Applications Conference

Self Cite

View full text Add to dashboard Cite

FBI's Operation Ghost Click, the largest cybercriminal takedown in history, recently took down an ad fraud infrastructure that affected 4 million users and made its owners 14 million USD over a period of four years. The attackers hijacked clicks and ad impressions on victim machines infected by a DNS changer malware to earn ad revenue fraudulently. We experimented with the attack infrastructure when it was in operation and present a detailed account of the attackers' modus operandi. We also study the impact of this attack on real-world users and find that 37 subscriber lines were impacted in our data set. Also, 20 ad networks and 257 legitimate Web content publishers lost ad revenue while the attackers earned revenue convincing a dozen other ad networks that their ads were served on websites with real visitors. Our work expands the understanding of modalities of ad fraud and could help guide appropriate defense strategies.

show abstract

“…Beside premium services, such public DNSes offer the service at no cost while making revenues through advertisements, web traffic redirection and mining of DNS data. Although the DNS is perceived as a critical infrastructure [2], all publicly available DNS traffic monitoring tools [3] [4] focus only on aggregate values such as the type and number of queries received by a DNS server [5]. Research and academia have focused on DNS for the purpose of identifying malicious activities [6] [7] [8], managing large DNS infrastructures [9], understanding how DNS server selection and caching works in reality [10] [11], and modeling its infrastructure in order to predict how DNS traffic will change under specific conditions [12].…”

Section: Introduction and Related Workmentioning

confidence: 99%

Graph theoretical models of DNS traffic

Deri

Mainardi

Martinelli

et al. 2013

2013 9th International Wireless Communications and Mobile Computing Conference (IWCMC)

View full text Add to dashboard Cite

Abstract-The DNS is one of the core protocols on which the Internet is built upon. Hidden behind higher-level protocols such as email and web, it carries valuable information that can be exploited for understanding trends and preferences of the Internet community.In this paper we propose novel methodologies for modelling DNS traffic that allow Internet domains, DNS resolvers and their interactions to be represented effectively by means of graphs. DNS traffic collected at ".it" ccTLD DNS domain servers has been used to validate this work on a large scale. We found highly-skewed, fat-tailed domain and resolver degree frequencies, obeying power laws at least in their tails. These findings shed light on the the scale-free nature of the DNS ecosystem, where a few domains and a few resolvers are responsible for most of the DNS activity.

show abstract

Behavior of DNS’ Top Talkers, a .com/.net View

Cited by 12 publications

References 5 publications

Reexamining DNS From a Global Recursive Resolver Perspective

Reexamining DNS From a Global Recursive Resolver Perspective

Dissecting ghost clicks

Graph theoretical models of DNS traffic

Contact Info

Product

Resources

About