spectroscopy of private dns update sources
play

Spectroscopy of Private DNS Update Sources Vocal and lyrics: Andre - PDF document

Oct 31, 2023 •128 likes •426 views

Spectroscopy of Private DNS Update Sources Vocal and lyrics: Andre Broido, Evi Nemeth, kc claffy & elves (broido, evi, kc) @ caida.org CAIDA/SDSC/UCSD WIAPP San Jose 22 jun 03 www.caida.org/presentations/ Acknowedgements Paul Vixie

  1. Spectroscopy of Private DNS Update Sources Vocal and lyrics: Andre Broido, Evi Nemeth, kc claffy & elves (broido, evi, kc) @ caida.org CAIDA/SDSC/UCSD WIAPP San Jose 22 jun 03 www.caida.org/presentations/

  2. Acknowedgements Paul Vixie Peter Losher Nevil Brownlee Betty Tso Yuen Young Hyun Brad Huffaker Margaret Murray Marina Fomenkov 2

  3. Part I Introduction 3

  4. DHCP Dynamic Host Configuration Protocol Configures IP addresses, gateways, nameservers automat- ically Has a server part and client part Server leases addresses etc. Client requests them and accepts them Client also requests renewals when lease gets short 4

  5. DNS Distributed Database of Names and IP Address Mappings Since 1996 can do dynamic updates DHCP gives an IP address DHCP tells DNS DNS updates zone’s A and PTR records Life is good 5

  6. RFC1918 Private Address Space Addresses in 10/8, 172.16/12, 192.168/16 For use inside an organization Dont need permission from anyone Should never leak outside local site Can use DHCP and dynamic DNS Life should be very good 6

  7. Root Servers DNS servers for the top of the tree Know about .com, .net, .org, .de, .uk, etc. Dont know about your private address space domains Don’t care either Getting zillions of updates for private address space The growth started in 2000 Life is not good 7

  8. AS112 Project Root servers overwhelmed by update load Always refuse all updates Delegated the private address zones to other servers prisoner.iana.org: 192.175.48.1 blackhole-1.iana.org: 192.175.48.6 blackhole-2.iana.org: 192.175.48.42 These are anycast servers Several machines have these IP addresses Addresses identify a service not a network interface Routing system finds closest server to bogus updater Any ISP can run one, see www.as112.net Life is getting better, but 8

  9. Updates per minute by Internet Registry, D1 20000 amer asia euro 15000 #updates per minute 10000 5000 0 29 30 31 1 2 3 4 5 time, day in May-June, 2002, PDT. Sat=Jun.01 Figure 1: 9

  10. A week of update counts Can see weird spikes at midnight, local time 4 in the US, 3 in Asia, 2 in Europe Can see weekday, weekend patterns Can see that Asians work on the weekend Can see that Europeans and Asians get to work on time Largest observed: 1200 updates/sec (Nov.2002) 10

  11. Surge at midnight EDT. Mon 2002-07-29 500 400 updates per second 300 200 100 0 -0.3 -0.2 -0.1 0 0.1 0.2 0.3 time, hours EDT Figure 2: 11

  12. A spike in detail Midnight US Eastern time Four-fold increase over about 2 minutes Spread is over about 6 minutes Clock skew, home users don’t run NTP We are very lucky they don’t 12

  13. Duration of source activity, D2 1 0.9 0.8 0.7 Updates cdf 0.6 0.5 0.4 0.3 0.2 0.1 0 0 100 200 300 400 500 600 Duration, hours Figure 3: 60% of updates are from permanently active sources 13

  14. Who is trying to update the roots? IP addresses of update sources, D1 updates per /16 1e+07 updates per /8 cable, DSL 1e+06 1e+05 #updates 10000 1000 100 10 1 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 First byte of IP address Figure 4: Hosts are behind DSL and Cable modem ISPs mostly Academy and medium-sized businesses (class B) are low 14

  15. Top 20 AS sources of RFC1918 updates AS Updates Percent Cumul. 4134 7329178 7.51 7.51 CHINALINK, China 3352 6166266 6.32 13.84 Ibernet (TDE), Spain 7132 4559748 4.67 18.51 SW Bell, US 5673 3271669 3.35 21.86 Pac Bell, US 5676 2936073 3.01 24.87 Pac Bell, US 4813 2765227 2.83 27.71 China Telecom Guandong 4812 2644362 2.71 30.42 China Telecom Shanghai 852 2176242 2.23 32.65 Telus, Canada 6128 2083593 2.14 34.79 Cablevision, US 2828 1855065 1.90 36.69 XO, US 11427 1753091 1.80 38.49 Road Runner, US 7843 1504131 1.54 40.03 Adelphia, US 4760 1413921 1.45 41.48 Netvigator, Hong Kong 2914 1393102 1.43 42.90 Verio, US 1221 1378306 1.41 44.32 Telstra, AU 11509 1226816 1.26 45.58 Pajo, US 15

  16. 4436 1142608 1.17 46.75 SantaCruz Community, US 11426 1135058 1.16 47.91 Road Runner, US 10994 1129898 1.16 49.07 Time Warner, US 2548 1091393 1.12 50.19 Business Internet, US 16

  17. Update properties Source contribution sizes, D1 Fraction of sources or updates 0.3 %sources %updates 1/2 sources, 3-4 upd 0.25 1/2 updates, 784 upd 0.2 0.15 0.1 0.05 0 1 10 100 1000 10000 1e+06 1e+05 Updates in a week (bins at 2^k) Figure 5: Mules, not mice or elephants send the bulk of updates 17

  18. Scaling of updates’ ccdf, D1 1 fraction of sources or updates 0.1 0.01 1e-3 1e-4 ccdf P(X>=x) 2^k bin contrib. 1e-5 x^(-0.45) 300/x^1.5 1e-6 1 10 100 1000 10000 1e+05 1e+06 #updates in a week (bins at 2^k) Figure 6: Mules’ prevalence causes two scalings in ccdf 18

  19. Interarrival times, D2 1 upd.fraction 0.1 ccdf P(>=X) update fraction or ccdf 0.01 exp(-x/8.5e-3) 0.001 1e-04 1e-05 1e-06 1e-07 1e-08 1e-09 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Interarrival time, sec Figure 7: Exponential interarrival times in the total stream 19

  20. Update rate distribution, D2 9 8 % updates % IPs %Updates or sources 7 6 5 4 3 2 1 0 0.001 0.01 0.1 1 10 100 1000 10000 Average rate, updates/hour Figure 8: Surprisingly, many sources are periodic 20

  21. Update periods, D1 0.4 Fraction of sources or updates sources 0.35 updates 0.3 0.25 0.2 0.15 0.1 0.05 0 0 10 20 30 40 50 60 70 80 90 100 Period, min Figure 9: Periods are 60 minutes or 75 minutes 21

  22. Can we blame Microsoft? Maybe Updates are periodic 75 minute one is 5+10+60 Try an update, get refused back Wait 5 minutes Try an update, get refused back Wait 10 minutes Try an update, get refused back Wait 60 minutes Repeat forever and ever Windows 2000 Server does that Observed in test lab: 16 packets sent to server per update 13 packets received At 1200 updates/sec, about 30 Kpps at one server 22

  23. More Microsoft Evidence Lots of hosts use ports in 1024-5000 range Win2k does that 44.3% of all updates are from that range 17 times more updates from port 5000 than 5001 23

  24. Need more info to determine who dunnit NOPE, it’s MICROSOFT Need to determine default behavior of DHCP server/client Does it renew/expire leases at midnight? YES, NETLOGON Does it default to dynamic updates? YES Does it update periodically with either 60 or 75 minute periods YES 24

  25. “By default, DNS records are re-registered dynamically and periodically every 24 hours by Windows 2000 Professional and every 1 hour by Windows 2000 Server and Windows 2000 Advanced Server.” 25

  26. “A statically configured client does not communicate with the DHCP server and dynamically updates A and PTR RRs every time it boots up, changes its IP address or per-adapter domain name” 26

  27. The update sequence consists of the following steps: 1. A client, using an SOA query, locates the primary DNS server and zone authoritative for the record to be registered. 2. The client sends to the located DNS server an as- sertion or prerequisite-only update to verify an ex- isting registration. If the registration does not exist, the client will send the appropriate dynamic update package to register the record. 3. If the update fails the client will attempt to reg- ister the record with another primary DNS server if the authoritative zone is multimaster. If all pri- mary DNS servers failed to process the dynamic update it will be repeated after 5 minutes and, if fails again, after another 10 minutes. If registration still failed, the described pattern of the registration attempts will be repeated after 50 minutes after the last retry. 1 1 This is probably a typo: our laboratory measurements revealed a delay of 60 minutes, not 50 minutes. 27

  28. Who else could it be? MacOS is not guilty, doesnt do dynamic updates at all UNIX maybe, but DHCP is off by default UNIX might be the small bump at 30 minute period Win2K by default does dynamic DNS updates to the clos- est enclosing domain If you are using 192.168/16 addresses Tries 168.192.in-addr.arpa, but If not configured, tries 192.in-addr.arpa, and If not configured, tries in-addr.arpa, and even arpa, but in-addr.arpa is served by the roots Now, referred to prisoner.iana.org anycast servers 6% root traffic are update SOA queries 28

  29. Conclusions The updates are sent by Microsoft This was almost like a DDoS attack on root servers Took a lot of community effort to organize defence: AS 112 dedicated blackhole servers reserved addresses Update-related traffic still reaches root servers Software vendors should keep infrastructure stable 29

Recommend

X-ray Photon Correlation Spectroscopy (XPCS) at Synchrotron and FEL sources Christian Gutt

X-ray Photon Correlation Spectroscopy (XPCS) at Synchrotron and FEL sources Christian Gutt

X-ray Photon Correlation Spectroscopy (XPCS) at Synchrotron and FEL sources Christian Gutt Department of Physics, University ofSiegen, Germany gutt@physik.uni-siegen.de Outline How to measure dynamics in condensedmatter systems

713 views • 56 slides
New perspectives for electron Volt neutron spectroscopy on inverse geometry instruments at pulsed

New perspectives for electron Volt neutron spectroscopy on inverse geometry instruments at pulsed

ICANS-XVI 16 th Meeting of the International Collaboration on Advanced Neutron Sources New perspectives for electron Volt neutron spectroscopy on inverse geometry instruments at pulsed sources Antonino Pietropaolo Universit degli studi di

318 views • 19 slides
Spectroscopy An introduction MENA3100,OBK, 24.01.18 Spectroscopy spectroscopy, n. The art of

Spectroscopy An introduction MENA3100,OBK, 24.01.18 Spectroscopy spectroscopy, n. The art of

Spectroscopy An introduction MENA3100,OBK, 24.01.18 Spectroscopy spectroscopy, n. The art of using the spectroscope; that branch of science which involves the use of the spectroscope. In mod. use, the investigation of spectra by any of various

744 views • 27 slides
CHEM 344 IR Spectroscopy 12.2 Physical Basis for IR Spectroscopy I nf r ared ( IR )

CHEM 344 IR Spectroscopy 12.2 Physical Basis for IR Spectroscopy I nf r ared ( IR )

CHEM 344 IR Spectroscopy 12.2 Physical Basis for IR Spectroscopy I nf r ared ( IR ) spectroscopy can be used to determine functional groups and bond strengths based upon molecular vibrations. Chemical bonds are not rigid, but in continuous

712 views • 22 slides
Centre for Biomolecular Spectroscopy BIOMOLECULAR SPECTROSCOPY The Centre for Biomolecular

Centre for Biomolecular Spectroscopy BIOMOLECULAR SPECTROSCOPY The Centre for Biomolecular

CENTRE FOR Centre for Biomolecular Spectroscopy BIOMOLECULAR SPECTROSCOPY The Centre for Biomolecular Spectroscopy aims to underpin basic medical science at Kings by providing state-of-the-art biophysical tools and expertise to the Kings

468 views • 30 slides
Infrared Spectroscopy & Circular Dichroism Haydyn Mertens PhD Infrared Spectroscopy

Infrared Spectroscopy & Circular Dichroism Haydyn Mertens PhD Infrared Spectroscopy

Infrared Spectroscopy & Circular Dichroism Haydyn Mertens PhD Infrared Spectroscopy Infrared Spectroscopy Electromagnetic spectrum: VIS med long-wave IR Short Gamma X-Ray UV IR microwaves radiowaves nm um mm m km Wavelength

646 views • 39 slides
Molecular Spectroscopy: Molecular Spectroscopy How are some molecular parameters

Molecular Spectroscopy: Molecular Spectroscopy How are some molecular parameters

Molecular Spectroscopy: Molecular Spectroscopy How are some molecular parameters determined? Bond lengths Bond energies What are the practical applications of spectroscopic knowledge? Can molecules (or components

437 views • 17 slides
RealCapital 2013 Session C2: Alternative Sources of Capital: How Are Mortgage Funds and Private

RealCapital 2013 Session C2: Alternative Sources of Capital: How Are Mortgage Funds and Private

2/27/2013 RealCapital 2013 Session C2: Alternative Sources of Capital: How Are Mortgage Funds and Private Equity Meeting the Needs of Investors and Borrowers Mortgage Funds and Private Equity Market Size Presented by Chris Brossard, CEO CMLS

663 views • 11 slides
Biophysical Chemistry: NMR Spectroscopy The Chemical Shift Lieven Buts Vrije Universiteit

Biophysical Chemistry: NMR Spectroscopy The Chemical Shift Lieven Buts Vrije Universiteit

General Principle Sources of Chemical Shifts Summary Biophysical Chemistry: NMR Spectroscopy The Chemical Shift Lieven Buts Vrije Universiteit Brussel 28th October 2011 Lieven Buts Biophysical Chemistry: NMR Spectroscopy General Principle

400 views • 26 slides
PRIVATE DUTY NURSING Update 2020 Private Duty Nursing Overview 1. Chapter 532 Policy Update 2.

PRIVATE DUTY NURSING Update 2020 Private Duty Nursing Overview 1. Chapter 532 Policy Update 2.

PRIVATE DUTY NURSING Update 2020 Private Duty Nursing Overview 1. Chapter 532 Policy Update 2. Non-covered Services 3. Maintenance Care 4. Caregiver 5. Documentation Requirements 6. Caregiver Education 7. Documentation to Increase Hours

172 views • 14 slides
2020-2021 PROPOSED BUDGET COVID 19 UPDATE 2 COVID REVENUE SOURCES COVID REVENUE SOURCES

2020-2021 PROPOSED BUDGET COVID 19 UPDATE 2 COVID REVENUE SOURCES COVID REVENUE SOURCES

2020-2021 PROPOSED BUDGET COVID 19 UPDATE 2 COVID REVENUE SOURCES COVID REVENUE SOURCES CARES/ESSER: CARES/ESSER: Elementary and Secondary School Emergency Relief Fund (ESSER) allocated to LEAs that received Title I, Part A funding

563 views • 27 slides
Infrared Spectroscopy Sample IR Spectrum: ! General Theory of IR Spectroscopy ! Overview of the IR

Infrared Spectroscopy Sample IR Spectrum: ! General Theory of IR Spectroscopy ! Overview of the IR

General Theory of IR Spectroscopy Infrared Spectroscopy Sample IR Spectrum: ! General Theory of IR Spectroscopy ! Overview of the IR spectrometer ! Signal Intensity in an IR Spectrum ! Location of Peaks in an IR Spectrum ! Guide to Analyzing an IR

1.96k views • 12 slides
MY FIRST STEPS IN SLIT SPECTROSCOPY BAAVSS Spectroscopy Workshop Norman Lockyer Observatory

MY FIRST STEPS IN SLIT SPECTROSCOPY BAAVSS Spectroscopy Workshop Norman Lockyer Observatory

MY FIRST STEPS IN SLIT SPECTROSCOPY BAAVSS Spectroscopy Workshop Norman Lockyer Observatory October 2015 Andrew Wilson Overview My choice of spectrograph, camera and telescope Getting started and basic processing Some of the

554 views • 40 slides
How we do Spectroscopy An Overview Robin Leadbeater www.threehillsobservatory.co.uk 1 HOW WE

How we do Spectroscopy An Overview Robin Leadbeater www.threehillsobservatory.co.uk 1 HOW WE

Spectroscopy Workshop N.L.O. 10 th October 2015 Download from dropbox at http://tinyurl.com/NLO-workshop How we do Spectroscopy An Overview Robin Leadbeater www.threehillsobservatory.co.uk 1 HOW WE DO SPECTROSCOPY OVERVIEW Project

726 views • 14 slides
1 Typical Spectroscopy Problem Given: C 10 H 12 O 3 and M + = 180.08 3H 1 H NMR (ppm) 3.36 (s,

1 Typical Spectroscopy Problem Given: C 10 H 12 O 3 and M + = 180.08 3H 1 H NMR (ppm) 3.36 (s,

Lecture 7 Spectroscopy; Organometallic Compounds Mass Spectrometry Summary of techniques Typical spectroscopy problems Types of organometallic compounds, nomenclature Electronegativity and carbon-metal bonds Preparation

172 views • 3 slides
Chapter 14: NMR Spectroscopy A. Introduction MS and IR can provide MW and a few other

Chapter 14: NMR Spectroscopy A. Introduction MS and IR can provide MW and a few other

14-1 Chapter 14: NMR Spectroscopy A. Introduction MS and IR can provide MW and a few other details, but we generally need way more info to fully determine a structure. Nuclear magnetic resonance (NMR) spectroscopy is a very powerful

438 views • 22 slides
Chapter 14: NMR Spectroscopy A. Introduction MS and IR can provide MW and a few other

Chapter 14: NMR Spectroscopy A. Introduction MS and IR can provide MW and a few other

14-1 Chapter 14: NMR Spectroscopy A. Introduction MS and IR can provide MW and a few other details, but we generally need way more info to fully determine a structure. Nuclear magnetic resonance (NMR) spectroscopy is a very powerful

675 views • 32 slides
NuSpIn Nuclear Spectroscopy Instrumentation Network the network for the gamma-spectroscopy and

NuSpIn Nuclear Spectroscopy Instrumentation Network the network for the gamma-spectroscopy and

NuSpIn Nuclear Spectroscopy Instrumentation Network the network for the gamma-spectroscopy and complementary-instrumentation community Promotion and Coordination of scientific and technological activities for frontline research Exchange of

830 views • 18 slides
Beta and particle decay spectroscopy at the Super FRS Zenon Janas Nuclear Spectroscopy

Beta and particle decay spectroscopy at the Super FRS Zenon Janas Nuclear Spectroscopy

Beta and particle decay spectroscopy at the Super FRS Zenon Janas Nuclear Spectroscopy Division Warsaw University Branches of the Super FRS High-Energy Branch H. Weick, M. Winkler Regions of interest heavy proton emitters

382 views • 11 slides
Sources Sources: Kinds of Sources Citizen witness Confidential informants Anonymous

Sources Sources: Kinds of Sources Citizen witness Confidential informants Anonymous

Search Warrants: Sources, Staleness, and Scope Jeff Welty UNC School of Government Sources Sources: Kinds of Sources Citizen witness Confidential informants Anonymous tipsters 1 Sources: Classification [I]n providing the tip

574 views • 9 slides
Production & Spectroscopy Production & Spectroscopy of Heavy Hadrons of Heavy Hadrons

Production & Spectroscopy Production & Spectroscopy of Heavy Hadrons of Heavy Hadrons

Production & Spectroscopy Production & Spectroscopy of Heavy Hadrons of Heavy Hadrons at the LHC at the LHC Hal Evans Indiana University for the ALICE, ATLAS, CMS, LHCb Collaborations Hadron2011, 13-17 June,

614 views • 44 slides
State Budget Update M ajor Sources 1 st Proposal Major Sources Increase Major

State Budget Update M ajor Sources 1 st Proposal Major Sources Increase Major

11/ 14/ 2013 Eric Bott Director of Environmental and Energy Policy Wisconsin Manufacturers & Commerce ebott@wmc.org T opical Overview State Policy Carbon SO2 Update NO2 Budget Recap Boiler M ACT Nonmetallic

545 views • 20 slides
LBBD Property Licensing Update Gary Jones Private Rented Property Licensing Enforcement Update

LBBD Property Licensing Update Gary Jones Private Rented Property Licensing Enforcement Update

LBBD Property Licensing Update Gary Jones Private Rented Property Licensing Enforcement Update September 2015. Private Rented Property Licensing Update To date there have been 10,000 applications received for private rented property

234 views • 10 slides
Molecular Spectroscopy 2 Christian Hill Joint ICTP-IAEA School on Atomic and Molecular

Molecular Spectroscopy 2 Christian Hill Joint ICTP-IAEA School on Atomic and Molecular

Molecular Spectroscopy 2 Christian Hill Joint ICTP-IAEA School on Atomic and Molecular Spectroscopy in Plasmas 6 10 May 2019 Trieste, Italy Vibrational spectroscopy Vibrational spectroscopy Vibrational spectroscopy Vibrational

1.03k views • 91 slides

More recommend