Measurement Study of Open Resolvers and DNS Server Version
•
0 likes•740 views
Measurement Study of Open Resolvers https://github.com/ytakano/ytakanospapers/tree/master/ic_2013 http://ytakano.github.io/
More Related Content
Viewers also liked
Similar to Measurement Study of Open Resolvers and DNS Server Version
Similar to Measurement Study of Open Resolvers and DNS Server Version (20)
More from Yuuki Takano
More from Yuuki Takano (14)
Recently uploaded
Recently uploaded (20)
Measurement Study of Open Resolvers and DNS Server Version
- 1. Measurement Study of Open Resolvers and DNS Server Version Internet Conference 2013 Yuuki Takano, Ruo Ando, Takeshi Takahasi, (NICT) Satoshi Uda, Tomoya Inoue (JAIST) 1
- 2. Summary n Probed whole IPv4 address space to collect open resolvers n Collected about 30 millions of DNS server addresses n Found about 25 millions of open resolver n Analyzed by reversely looking up, geographically mapping 2
- 3. Related Work DNS Amplification Attack n DNS Servers are abused to launch DDoS attack n abused as reflectors and amplifiers n query and response message sizes are quite different 3 DNS Servers, aka. Open Resolvers VictimAttacker ANY Queries Spoofed Src
- 4. Measurement Strategy n At first, send DNS A query without RD flag to collect DNS servers on the Internet n if a DNS server returned response with RA flag, it is open resolver n otherwise, it isn’t open resolver n After probing DNS servers by A query, then send query of VERSION.BIND n Furthermore, look reversely up DNS servers’ IP address 4
- 5. Measurement Architecture 5 In this section, we present our methodology to mea- sure DNS servers on the Internet. Figure 1 shows the architecture of the DNS server measurement system we designed and implemented. It consists of 4 com- ponents as follows. The Internet DB DNS Prober Reverse Lookupper A Query and VERSION.BIND Response Statistical Analyzer Reverse Lookup Result Figure1 DNS Measurement System Architecture rec ple Mo St A the lyz by Jav we W ou me DN
- 6. Measurement Target and Source n Target: whole IPv4 address space n Source: JAIST’s server n Date: July, 2013 n Measurement Time n A query and VERSION.BIND query: about 1 day n reverse lookup: about 5 days n statistical analysis: few hours n PC Spec n KVM Virtual Machine, 2 CPU, 4GB Memory n Hyper Visor, Intel Xeon 2GHz x 32, 6
- 7. DNS Servers and VERSION.BIND 7 Table2 Types of DNS Servers Total APNIC RIPE ARIN LACNIC AFRINIC other Type of DNS # # # # # # # BIND 9.x 4268442 806357 1530177 1126501 169268 121556 514583 † 1851362 551458 781954 176399 94385 117906 129260 BIND 8.x 35218 4588 21348 6663 974 32 1613 † 30444 4202 18958 5186 854 31 1213 BIND 4.x 3486 121 2751 440 43 0 131 † 2765 93 2256 348 11 0 57 Dnsmasq 1308653 692042 216273 75201 226880 32676 65581 † 1308381 692026 216028 75196 226877 32676 65578 Nominum Vantio 968041 553404 284852 20142 21205 70861 17577 † 967044 552650 284782 20125 21200 70736 17551 Nominum ANS 687 18 34 79 42 2 512 † 13 2 0 0 11 0 0 PowerDNS 373588 14215 329994 14360 2952 91 11976 † 372684 14207 329116 14354 2952 91 11964 Unbound 71781 16230 43507 6941 1510 1585 2008 † 23220 3281 14398 4638 315 312 276 NSD 33933 1731 11077 17182 322 13 3608 † 17 5 5 2 1 0 4 Windows series 11698 184 1077 85 10312 0 40 † 11342 129 865 67 10257 0 24 can’t detect 8281885 4012525 2367711 429450 690618 279903 501678 † 7658656 3911886 2118455 244682 670597 278183 434853 no version info 14927910 3457029 4505928 1442348 4025325 699029 798251 † 12746062 3050589 3465814 1179188 3919438 668399 462634 Total 30285322 9558444 9314729 3139392 5149451 1205748 1917558 † 24971990 8780528 7232631 1720185 4946898 1168334 1123414 †: open resolver †: open resolver
- 8. Version Distribution of BIND 9.x 8 Latest Versions: 9.9.3- P2 9.8.5-P2 9.7.7 (EOL) 9.6-ESV-R9-P1
- 9. 1st-to-3rd Level Domain Distribution of Open Resolver 9
- 10. Spammer Favored Domains 10 n Spamology: A Study of Spam Origins, Craig et.al., CEAS 2009 n TOP 2 origins of spam mail n hinet.net n 163data.com.cn
- 11. 1st-to-3rd Level Domain Distribution of Open Resolver in JP TLD 11
- 12. Country Distribution by GeoIP Lite 12
- 13. Heat Map of Open Resolver 13
- 14. ANY Query and Detail 14 tribution of Nominum Vantio (All) Table3 Details of DNS Answer Section of Re sponse for ANY Query isc.org ripe.net RRSIG 1965 1304 DNSKEY 427 848 NSEC 53 38 SPF 112 - TXT 181 - NS 97 136 NAPTR 46 - A 16 16 AAAA 28 28 MX 24 50 SOA 54 52 Total 3005 2472 (bytes) n ANY query is used to launch DNS amplification attack n Amplification ratio n isc.org: request 64 bytes, response 3,245 bytes, ratio 50.7 n ripe.net: request 65 bytes, response 2,669 bytes, ratio 41.0 n Records of DNSSEC account for majority of response
- 15. DNSSEC Considered Harmful? n DNSSEC protect users from DNS injection attack n Great firewall in China, “The Collateral Damage of Internet Censorship by DNS Injection”, anonymous authors, SIGCOMM 2012 n However, DNSSEC bursts ratio of DNS amplification attack n Is this trade off? Exclusive? 15
- 16. Conclusion n Collected 30 millions DNS servers and 25 millions of open resolvers n Revealed there are many open resolvers on spammer favored domains n Revealed China, USA and Mexico are TOP 3 holders of open resolvers n DNSSEC significantly increases amplification ratio of DNS amplification attack 16
- 17. EOF 17