SLIDE 1

Anomaly Detection on DNS Auths

Root DNS, ccTLDs and DNS providers

Team SchabeltierAnomalizers

RIPE 74 Budapest, Hungary 2017-05-09

SLIDE 2

Team Members (alphabetically)

◮ Christian Doerr (TU Delft)
◮ Ella Titova (VivaCell)
◮ Giovane Moura (SIDN Labs)
◮ Jan Harm Kuipers (University of Twente/SIDN Labs)
◮ Moritz Müller (SIDN Labs/University of Twente)
◮ Ricardo Schmidt (University of Twente)
◮ Wouter de Vries (University of Twente)

SLIDE 3

Main Problem

Auth DNS Anomaly Detection

◮ How can we use RIPE Atlas data to automatically detect failures (anomalies) on Auth DNS (Roots, ccTLDs, etc.)?

SLIDE 4

Step-by-step - CHAOS/RTT

1. Download RIPE datasets and parse them
  ◮ https://github.com/ripe-dns-anomaly/chaos
  ◮ parse-json.sh $startTime $endTime bins $mid
  ◮ start and end = timestamps
  ◮ bins = 600 (10 minutes)
  ◮ mid = RIPE measurement ID

2. Then, run anomaly detection per letter and site:
  ◮ https://github.com/ripe-dns-anomaly/anomalyDetector
  ◮ python letter-level-detector.py data/k-root-ddos-20151130.csv output/k-root-ddos-20151130-ad-hoc.csv

3. Then, it outputs anomalies per class type:
  ◮ https://github.com/ripe-dns-anomaly/anomalyDetector/blob/master/README.md

SLIDE 5

Step-by-step - Path

1. Download RIPE datasets and parse them
  ◮ https://github.com/ripe-dns-anomaly/traceroute
  ◮ python traceget.py --start $startTime --end $endTime --msmid $msmid
  ◮ start and end = timestamps
  ◮ msmid = atlas measurement id (5001 for K-root)

2. Then, convert to AS Path (plus IXPs):
  ◮ https://github.com/ripe-dns-anomaly/traceroute
  ◮ java -jar

3. Last step: anomaly detection and conversion to web format (JSON)

SLIDE 6

AS Graph - Path change during Nov 30 2015 Root DNS Attack

SLIDE 7

Algorithms for Anomaly Detection

◮ See discussion on https://github.com/ripe-dns-anomaly/anomalyDetector/blob/master/README.md
◮ Twitter’s robust TS analysis, ARIMA, ad-hoc
◮ We chose ad-hoc (ours)
◮ We need more time to evaluate the best one
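
An added example, not code from the team's repositories: it shows the shape of the CHAOS pipeline above (bin per-probe answers into 600-second bins per site, then flag bins where reachability drops) using a median/MAD baseline, which stands in for the ad-hoc detector that the slides do not describe. The record layout, site names, threshold `k`, warm-up length and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

BIN = 600  # seconds: the 10-minute bin size given on the CHAOS/RTT slide

def bin_by_site(records, start, end, bin_size=BIN):
    """records: (timestamp, probe_id, site, rtt_ms or None for a timeout).
    Returns {site: [distinct probes answered by that site, per bin]}."""
    nbins = (end - start + bin_size - 1) // bin_size
    seen = defaultdict(lambda: [set() for _ in range(nbins)])
    for ts, probe, site, rtt in records:
        if rtt is None or not (start <= ts < end):
            continue  # timeouts and out-of-window samples are not reachability
        seen[site][(ts - start) // bin_size].add(probe)
    return {site: [len(s) for s in bins] for site, bins in seen.items()}

def detect_drops(series, k=3.0, warmup=6):
    """Flag bins whose count falls more than k robust deviations below the
    median of the non-anomalous bins seen so far (median/MAD baseline)."""
    baseline, anomalies = [], []
    for i, value in enumerate(series):
        if len(baseline) >= warmup:
            med = median(baseline)
            mad = median(abs(x - med) for x in baseline)
            spread = max(1.4826 * mad, 1.0)  # floor: flat history has MAD 0
            if value < med - k * spread:
                anomalies.append(i)
                continue  # keep anomalous bins out of the baseline
        baseline.append(value)
    return anomalies

def sample_records(start):
    """Constructed data: 12 bins, two hypothetical sites, 20 probes each;
    'site-b' loses 16 of its 20 probes in bins 8 and 9."""
    recs = []
    for b in range(12):
        ts = start + b * BIN + 30
        for p in range(20):
            recs.append((ts, p, "site-a", 20.0))
            lost = b in (8, 9) and p >= 4
            recs.append((ts, 100 + p, "site-b", None if lost else 25.0))
    return recs

def run(start=1448841600):  # constructed window start
    series = bin_by_site(sample_records(start), start, start + 12 * BIN)
    return {site: detect_drops(s) for site, s in series.items()}

if __name__ == "__main__":
    print(run())
```

Anomalous bins are kept out of the baseline so that a long outage does not become the new normal and mask its own continuation.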

SLIDE 8

Overall reachability (K-root)

SLIDE 9

Reachability London site (K-root)

SLIDE 10

Path stability (K-root)

SLIDE 11

"Ready" to be used by others

◮ Others being: ccTLDs, Roots, etc.
◮ Requirement: RIPE Atlas measurements with chaos.id support and traceroute measurements
◮ Next: automate it to continuously probe it, detect and notify

SLIDE 12

Resources

◮ GitHub: https://github.com/orgs/ripe-dns-anomaly/
◮ Demo: https://ripe-dns-anomaly.github.io