What is all that crap? Analysis of DNS root server bogus queries (PowerPoint presentation)

SLIDE 1

http://www.ripe.net RIPE Network Coordination Centre

“What is all that crap?”

Analysis of DNS root server bogus queries

Authors: Daniël Sánchez & Joost Pijnaker
Education: System & Network Engineering
Supervisors: Cees de Laat (UvA), Daniel Karrenberg (RIPE NCC)
Date: 07-02-2007 14:00

SLIDE 2

Agenda

  • Organisation
  • Project introduction
  • Research
  • Conclusion
  • Questions
SLIDE 4

Organisation: RIPE NCC

http://www.ripe.net

SLIDE 5

Organisation: K-Root server

http://k.root-servers.org

SLIDE 6

Organisation: DNS Root server

http://faq.oneandone.co.uk

SLIDE 7

Agenda

  • Organisation
  • Project introduction
  • Research
  • Conclusion
  • Questions
SLIDE 9

Project introduction

  • Problem definition
  • Research question
  • Research scope
  • Capture data
  • Tools
SLIDE 10

Project introduction: Capture data

SLIDE 11

Project introduction: Tools

  • Tcpdump
  • Ethereal
  • dnstop
  • Scripts (awk, Ruby)
SLIDE 12

Agenda

  • Organisation
  • Project introduction
  • Research
  • Conclusion
  • Questions
SLIDE 14

Research

  • Determine bogus categories
  • Filter capture data
  • Statistics
  • Determine possible causes
  • Determine possible solutions
SLIDE 16

Research: Bogus categories

  • A for A queries
  • Private IP reverse queries
  • Reserved IP reverse queries
  • Local domain queries
  • Invalid TLD queries
  • Identical query IDs queries
  • Repeated queries
  • TLD not cached queries
SLIDE 17

A for A queries

A? x.y.80.66.

SLIDE 18

Private IP reverse queries (RFC 1918 address space)

PTR? 241.253.168.192.in-addr.arpa.

SLIDE 19

Reserved IP reverse queries (e.g. the 127/8 loopback block)

PTR? 1.0.0.127.in-addr.arpa.

SLIDE 20

Local domain queries

A? svr004.network.local.

SLIDE 21

Invalid TLD queries

A? Maschult1.Speedport_W_700V.

SLIDE 22

Identical query ID queries

id 5134, A? www.google.com.
id 5134, A? www.os3.nl.

SLIDE 23

Repeated queries

IP x.y.96.200 A? www.os3.nl.
IP x.y.96.200 A? www.os3.nl.
IP x.y.96.200 A? www.os3.nl.
IP x.y.96.200 A? www.os3.nl.

SLIDE 24

TLD not cached queries

IP x.y.96.200 A? www.os3.nl.
IP x.y.96.200 A? www.google.nl.
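The eight bogus categories from slides 16 to 24 and the statistics in the conclusion (share of bogus queries, share from the top sources, and the "3 or 4 octets" question) as an added, runnable example in Ruby, one of the scripting languages listed under Tools. This code is written for this page; it is not the authors' script and none of its numbers are the presentation's results. Assumptions, also labelled in the code: the one-line-per-query log layout and the sample lines are constructed for the example; the RFC 1918 and reserved ranges, the list of local-only suffixes, the 60-second repeat window, the one-hour TLD cache window and the tiny stand-in list of known TLDs are choices made for the example (in practice the TLD list comes from the root zone and the windows from the TTLs involved).

```ruby
require 'ipaddr'

# Constructed sample (not real capture data); assumed layout per line:
#   <hh:mm:ss.usec> IP <source address> id <query id> <qtype>? <qname>
SAMPLE_LOG = <<~LOG
  17:10:34.283465 IP 192.0.2.17 id 5134 A? www.google.com.
  17:10:34.300121 IP 192.0.2.17 id 5134 A? www.os3.nl.
  17:10:34.412000 IP 198.51.100.9 id 1001 A? 192.0.2.80.
  17:10:34.500000 IP 198.51.100.9 id 1002 PTR? 1.0.0.127.in-addr.arpa.
  17:10:34.600000 IP 198.51.100.10 id 1003 PTR? 241.253.168.192.in-addr.arpa.
  17:10:34.700000 IP 198.51.100.11 id 1004 A? svr004.network.local.
  17:10:34.800000 IP 198.51.100.12 id 1005 A? Maschult1.Speedport_W_700V.
  17:10:35.000000 IP 203.0.113.200 id 2001 A? www.os3.nl.
  17:10:35.200000 IP 203.0.113.200 id 2002 A? www.os3.nl.
  17:10:36.000000 IP 203.0.113.201 id 3001 A? www.os3.nl.
  17:10:36.500000 IP 203.0.113.201 id 3002 A? www.google.nl.
  17:10:37.000000 IP 203.0.113.202 id 4001 NS? nl.
LOG

PRIVATE_NETS  = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16].map { |n| IPAddr.new(n) }  # RFC 1918
RESERVED_NETS = %w[0.0.0.0/8 127.0.0.0/8 169.254.0.0/16 224.0.0.0/4 240.0.0.0/4].map { |n| IPAddr.new(n) }
LOCAL_TLDS = %w[local localhost localdomain lan]  # assumption; the deck only shows ".local"
KNOWN_TLDS = %w[com net org edu gov mil arpa nl de uk fr be info biz]  # assumption; load the root zone in practice
REPEAT_WINDOW    = 60.0    # seconds; assumption
TLD_CACHE_WINDOW = 3600.0  # seconds; assumption (a TLD's NS TTL at the root is actually two days)
Query   = Struct.new(:ts, :src, :id, :qtype, :qname)
LINE_RE = /\A(\d+):(\d+):(\d+(?:\.\d+)?) IP (\S+) id (\d+) (\S+)\? (\S+)\z/

def parse_line(line)
  m = LINE_RE.match(line.strip) or return nil
  ts = m[1].to_i * 3600 + m[2].to_i * 60 + m[3].to_f  # seconds since midnight; no day rollover
  Query.new(ts, m[4], m[5].to_i, m[6].upcase, m[7].downcase.chomp('.'))
end

# "1.0.0.127.in-addr.arpa" -> 127.0.0.1; names with fewer than four labels are padded with zeros.
def reverse_ptr_ip(qname)
  return nil unless qname.end_with?('.in-addr.arpa')
  octets = qname.sub(/\.in-addr\.arpa\z/, '').split('.').reverse
  return nil unless octets.size.between?(1, 4) && octets.all? { |o| o =~ /\A\d{1,3}\z/ && o.to_i <= 255 }
  IPAddr.new((octets + ['0'] * (4 - octets.size)).join('.'))
end

# Categories decidable from a single query (slides 17 to 21); nil means nothing wrong so far.
def stateless_category(q)
  return :a_for_a if q.qtype == 'A' && q.qname =~ /\A\d{1,3}(\.\d{1,3}){3}\z/
  ip = q.qtype == 'PTR' ? reverse_ptr_ip(q.qname) : nil
  return :private_reverse  if ip && PRIVATE_NETS.any?  { |n| n.include?(ip) }
  return :reserved_reverse if ip && RESERVED_NETS.any? { |n| n.include?(ip) }
  tld = q.qname.split('.').last or return nil  # an empty name is a query for the root itself
  return :local_domain if LOCAL_TLDS.include?(tld)
  KNOWN_TLDS.include?(tld) ? nil : :invalid_tld
end

# Categories that need per-source state (slides 22 to 24) and the conclusion's statistics.
class BogusClassifier
  attr_reader :queries, :categories
  def initialize
    @last_id, @last_seen, @tld_seen = {}, {}, {}  # src -> [id, qname]; [src, qtype, qname] -> ts; [src, tld] -> ts
    @queries, @categories = [], Hash.new(0)     # [query, category or nil]; category -> count
  end
  def classify(q)
    cat = stateless_category(q) || stateful_category(q)
    remember(q)
    @queries << [q, cat]
    @categories[cat || :legitimate] += 1
    cat
  end
  def bogus; @queries.count { |_, c| c }; end
  def bogus_percent; (100.0 * bogus / @queries.size).round(2); end
  # Share of bogus queries from the top n sources, by full address (octets: 4) or by /24 (octets: 3).
  def top_source_share(n, octets: 4)
    per_src = Hash.new(0)
    @queries.each { |q, c| per_src[q.src.split('.').first(octets).join('.')] += 1 if c }
    (100.0 * per_src.values.sort.reverse.first(n).sum / bogus).round(2)
  end
  private
  def stateful_category(q)
    prev = @last_id[q.src]
    return :identical_query_id if prev && prev[0] == q.id && prev[1] != q.qname
    last = @last_seen[[q.src, q.qtype, q.qname]]
    return :repeated if last && q.ts - last <= REPEAT_WINDOW
    seen = @tld_seen[[q.src, q.qname.split('.').last]]
    seen && q.ts - seen <= TLD_CACHE_WINDOW ? :tld_not_cached : nil
  end
  def remember(q)
    @last_id[q.src] = [q.id, q.qname]
    @last_seen[[q.src, q.qtype, q.qname]] = q.ts
    @tld_seen[[q.src, q.qname.split('.').last]] = q.ts
  end
end

def analyse(log)
  log.each_line.with_object(BogusClassifier.new) { |line, clf| (q = parse_line(line)) && clf.classify(q) }
end

clf = analyse(SAMPLE_LOG)
puts "bogus: #{clf.bogus}/#{clf.queries.size} (#{clf.bogus_percent}%) #{clf.categories.inspect}"
puts "top-1 source share: #{clf.top_source_share(1)}% by address, #{clf.top_source_share(1, octets: 3)}% by /24"
```

Running it prints the bogus share and the per-category counts for the sample, plus the share of bogus queries coming from the largest single source counted by full address (25.0%) and by /24 (62.5%): the same data gives very different answers depending on how sources are aggregated, which is what the "3 or 4 octets" question in the conclusion is about. The stateless checks run first, so a query is counted once under its most specific category; the stateful ones only see queries that passed them.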

SLIDE 25

Research

  • Determine bogus categories
  • Filter capture data
  • Statistics
  • Determine possible causes
  • Determine possible solutions
SLIDE 27

Research: Filter capture data

SLIDE 28

Research: Filter capture data

17:10:34.283465 A? A-1FREEMAN.COM.INBOUND10.MXLOGIC.NET.
17:10:34.933914 A? A-1FREEMAN.COM.INBOUND10.MXLOGIC.NET.
17:10:35.203961 A? A-1FREEMAN.COM.INBOUND10.MXLOGIC.NET.
17:10:35.498391 A? A-1FREEMAN.COM.INBOUND10.MXLOGIC.NET.

SLIDE 29

Research

  • Determine bogus categories
  • Filter capture data
  • Statistics
  • Determine possible causes
  • Determine possible solutions
SLIDE 31

Research: Statistics

SLIDE 34

Research

  • Determine bogus categories
  • Filter capture data
  • Statistics
  • Determine possible causes
  • Determine possible solutions
SLIDE 36

Research: Causes

  • Software bugs: A for A, Private IP reverse
  • Not updated software: A for A
  • Misconfigured software: Private IP reverse, TLD not cached
  • Firewalls: Repeated
SLIDE 37

Research

  • Determine bogus categories
  • Filter capture data
  • Statistics
  • Determine possible causes
  • Determine possible solutions
SLIDE 39

Research: Solutions

“Client” side:

  • Install and use stable software
  • Update software
  • Configure software appropriately
SLIDE 40

Research: Solutions

“Server” side:

  • Access lists
  • uRPF (unicast reverse path forwarding)
  • Contact software vendors
  • Contact the owners of “big” sources
  • Add additional servers
SLIDE 41

Agenda

  • Organisation
  • Project introduction
  • Research
  • Conclusion
  • Questions
SLIDE 43

Conclusion

Statistics:

  • Total share of bogus queries: AMS-IX 80.70%, NAP 14.65%
  • Top 10 source IP addresses responsible for: AMS-IX 10.75%, NAP 42.40%
  • Sources: aggregate by 3 octets (/24) or by 4 octets (full address)?
SLIDE 44

Conclusion

Solutions:

  • Contact software vendors
  • Contact the owners of “big” sources
  • Add additional servers
SLIDE 45

Agenda

  • Organisation
  • Project introduction
  • Research
  • Conclusion
  • Questions
SLIDE 47

Questions?