Infrastructure and Applications for Large-scale DNS statistics collection

Presented at AUScert 2007 by

The Internet's Domain Name System (DNS) is increasingly implicated both as a target of abuse and as a means of perpetrating it, including botnets, phishing and pharming. Recent examples include the DDoS attack against the Internet root name servers in February 2007, and the use of open DNS resolvers to amplify an attack against root and top-level domain operators in early 2006. Large-scale data gathering from the working DNS has a range of unique applications, both from a research perspective, to better characterise the behaviour of the Internet as a whole, and from an operational perspective, to detect, mitigate, trace, analyse and prevent these types of abuse. Since 2004, ISC's OARC (Operations, Analysis and Research Center) has provided the organisational framework and operational infrastructure to gather data from live top-level and root DNS operators and share it with the research, abuse prevention and law enforcement communities. This presentation describes the novel software tools and hardware platforms developed by OARC to enable this data gathering, and looks at some recent successful applications, including participation in a 48-hour global "Day In The Life of the Internet" collection exercise, and the data gathered during the root server DDoS botnet attack of 6th/7th February 2007. OARC has also developed a number of tools for the rapid and secure exchange of critical information between key trusted contacts at DNS operators; their use to date and their proposed evolution are explored.