Presentation is loading. Please wait.

Presentation is loading. Please wait.

In the search of resolvers Jing Qiao 乔婧, Sebastian Castro – NZRS DNS-WG, RIPE 73, Madrid.

Published byTimothy Townsend Modified over 7 years ago

Similar presentations

Presentation on theme: "In the search of resolvers Jing Qiao 乔婧, Sebastian Castro – NZRS DNS-WG, RIPE 73, Madrid."— Presentation transcript:

1 In the search of resolvers Jing Qiao 乔婧, Sebastian Castro – NZRS DNS-WG, RIPE 73, Madrid

2 Domain Popularity Ranking Derive Domain Popularity by mining DNS data Noisy nature of DNS data Certain source addresses represent resolvers, the rest a variety of behavior Can we pinpoint the resolvers? Background RIPE 73 In the search of resolvers 2

3 Long tail of addresses sending a few queries on a given day Noisy DNS RIPE 73 In the search of resolvers 3

4 To identify resolvers, we need some data Base curated data 836 known resolvers addresses Local ISPs, Google DNS, OpenDNS 276 known non-resolvers addresses Monitoring addresses from ICANN Asking for www.zz--icann-sla-monitoring.nz Addresses sending only NS queries Data Collection RIPE 73 In the search of resolvers 4

5 Do all resolvers behave in a similar way http://blog.nzrs.net.nz/characterization-of-popular- resolvers-from-our-point-of-view-2/ Conclusions There are some patterns Primary/secondary address Validating resolvers Resolvers in front of mail servers Exploratory Analysis RIPE 73 In the search of resolvers 5

6 Can we predict if a source address is a resolver? 14 features per day per address Fraction of A, AAAA, MX, TXT, SPF, DS, DNSKEY, NS, SRV, SOA Fraction of NoError and NxDomain responses Fraction of CD and RD queries Training data Extract 1 day of DNS traffic (653,232 unique source addresses) Supervised classifier RIPE 73 In the search of resolvers 6

7 Training Model LinearSVC __________________________________________________________________________ Training: LinearSVC(C=1.0, class_weight='balanced', dual=True, fit_intercept=True, intercept_scaling=1, loss='squared_hinge', max_iter=1000, multi_class='ovr', penalty='l2', random_state=None, tol=0.0001, verbose=0) train time: 0.003s Cross-validating: Accuracy: 1.00 (+/- 0.00) CV time: 0.056s test time: 0.000s accuracy: 1.000 dimensionality: 14 density: 1.000000 classification report: precision recall f1-score support 0 1.00 1.00 1.00 73 1 1.00 1.00 1.00 206 avg / total 1.00 1.00 1.00 279 RIPE 73 In the search of resolvers 7 100% Accuracy! Success! Random Forest: 100% accuracy! K Neighbors: 100% accuracy!

8 Use the model with different days Resolver is represented as 1, and non-resolver as 0. Test the model df = predict_result(model, "20160301") df.isresolver_predict.value_counts() 1 645060 0 8172 df = predict_result(model,"20160429") df.isresolver_predict.value_counts() 1 529757 0 6243 df = predict_result(model,"20151212") df.isresolver_predict.value_counts() 1 453640 0 9279 RIPE 73 In the search of resolvers 8 Very high proportion of resolvers?

9 Most of the addresses classified as resolvers List of non-resolvers show a very specific behaviour Model is fitting that specific behaviour Improve the training data to include different patterns. Preliminary Analysis RIPE 73 In the search of resolvers 9

10 What if we let a classifier to learn the structure instead of imposing The same 14 features, 1 day’s DNS traffic Ignore clients that send less than 10 queries Reduce the noise Run K-Means Algorithm with K=6 Inspired by Verisign work from 2013 Calculate the percentage of clients distributed across clusters Unsupervised classifier RIPE 73 In the search of resolvers 10

11 K-Means Cost Curve RIPE 73 In the search of resolvers 11

12 Query Type Profile per cluster 12 RIPE 73 In the search of resolvers

13 Rcode profile per cluster 13 RIPE 73 In the search of resolvers

14 Flag profile per cluster RIPE 73 In the search of resolvers 14

15 How many known resolvers fall in the same cluster? How many known non- resolvers? Tested on both week day and weekend, 98% ~ 99% known resolvers fit in the same cluster Clustering accuracy 15 RIPE 73 In the search of resolvers

16 Another differentiating factor could be client persistence Within a 10-day rolling window, count the addresses seen on specific number of days Addresses sending traffic all the time will fit into known resolvers and monitoring roles Client persistence RIPE 73 In the search of resolvers 16

17 Client Persistence RIPE 73 In the search of resolvers 17

18 Resolvers persistence RIPE 73 In the search of resolvers 18 Do the known resolvers addresses fall into the hypothesis of persistence? What if we check their presence in different levels?

19 Resolvers persistence RIPE 73 In the search of resolvers 19

20 Identify unknown resolvers by checking membership to the “resolver like” cluster Exchange information with other operators about known resolvers. Potential uses: curated list of addresses, white listing, others. Future work RIPE 73 In the search of resolvers 20

21 This analysis can be repeated by other ccTLDs using authoritative DNS data Using open source tools Hadoop + Python Code analysis will be made available Easily adaptable to use ENTRADA Conclusions RIPE 73 In the search of resolvers 21

22 Contact: www.nzrs.net.nz jing@nzrs.net.nzjing@nzrs.net.nz, sebastian@nzrs.net.nz 22

Download ppt "In the search of resolvers Jing Qiao 乔婧, Sebastian Castro – NZRS DNS-WG, RIPE 73, Madrid."

Similar presentations

Mustafa Cayci INFS 795 An Evaluation on Feature Selection for Text Clustering.

Mustafa Cayci INFS 795 An Evaluation on Feature Selection for Text Clustering.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
WebMiningResearch ASurvey Web Mining Research: A Survey Raymond Kosala and Hendrik Blockeel ACM SIGKDD, July 2000 Presented by Shan Huang, 4/24/2007.

WebMiningResearch ASurvey Web Mining Research: A Survey Raymond Kosala and Hendrik Blockeel ACM SIGKDD, July 2000 Presented by Shan Huang, 4/24/2007.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
Three kinds of learning

Three kinds of learning
WebMiningResearchASurvey Web Mining Research: A Survey Raymond Kosala and Hendrik Blockeel ACM SIGKDD, July 2000 Presented by Shan Huang, 4/24/2007 Revised.

WebMiningResearchASurvey Web Mining Research: A Survey Raymond Kosala and Hendrik Blockeel ACM SIGKDD, July 2000 Presented by Shan Huang, 4/24/2007 Revised.
Evaluation of MineSet 3.0 By Rajesh Rathinasabapathi S Peer Mohamed Raja Guided By Dr. Li Yang.

Evaluation of MineSet 3.0 By Rajesh Rathinasabapathi S Peer Mohamed Raja Guided By Dr. Li Yang.
A Study of DNS Lameness Edward Lewis. July 14, 2002 IETF 54 Slide 2 Agenda Lameness Why (Surprise:) Spotty(?) results Approach Plans.

A Study of DNS Lameness Edward Lewis. July 14, 2002 IETF 54 Slide 2 Agenda Lameness Why (Surprise:) Spotty(?) results Approach Plans.
Pattern Recognition. Introduction. Definitions.. Recognition process. Recognition process relates input signal to the stored concepts about the object.

Pattern Recognition. Introduction. Definitions.. Recognition process. Recognition process relates input signal to the stored concepts about the object.
ML ALGORITHMS. Algorithm Types Classification (supervised) Given -> A set of classified examples “instances” Produce -> A way of classifying new examples.

ML ALGORITHMS. Algorithm Types Classification (supervised) Given -> A set of classified examples “instances” Produce -> A way of classifying new examples.
1 A Survey of Affect Recognition Methods: Audio, Visual, and Spontaneous Expressions Zhihong Zeng, Maja Pantic, Glenn I. Roisman, Thomas S. Huang Reported.

1 A Survey of Affect Recognition Methods: Audio, Visual, and Spontaneous Expressions Zhihong Zeng, Maja Pantic, Glenn I. Roisman, Thomas S. Huang Reported.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.
Unconstrained Endpoint Profiling (Googling the Internet)‏ Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University.

Unconstrained Endpoint Profiling (Googling the Internet)‏ Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University.
Data Mining: A Closer Look

Data Mining: A Closer Look
Team HauntQuant October 25th, 2013

Team HauntQuant October 25th, 2013
Big data analytics with R and Hadoop Chapter 5 Learning Data Analytics with R and Hadoop 데이터마이닝연구실 2015.04.23 김지연.

Big data analytics with R and Hadoop Chapter 5 Learning Data Analytics with R and Hadoop 데이터마이닝연구실 김지연.
 C. C. Hung, H. Ijaz, E. Jung, and B.-C. Kuo # School of Computing and Software Engineering Southern Polytechnic State University, Marietta, Georgia USA.

 C. C. Hung, H. Ijaz, E. Jung, and B.-C. Kuo # School of Computing and Software Engineering Southern Polytechnic State University, Marietta, Georgia USA.
Introduction The large amount of traffic nowadays in Internet comes from social video streams. Internet Service Providers can significantly enhance local.

Introduction The large amount of traffic nowadays in Internet comes from social video streams. Internet Service Providers can significantly enhance local.
Research paper: Web Mining Research: A survey SIGKDD Explorations, June 2000. Volume 2, Issue 1 Author: R. Kosala and H. Blockeel.

Research paper: Web Mining Research: A survey SIGKDD Explorations, June Volume 2, Issue 1 Author: R. Kosala and H. Blockeel.

Similar presentations

Ads by Google