A careful look at the Internet's evolution reveals two major trends: the explosion of cloud-based services and of video streaming applications. In both cases, the owner of the content (e.g., CNN, YouTube, or Zynga) and the organization serving it (e.g., Akamai, Limelight, or Amazon EC2) are decoupled, making it harder to understand the association between the content, its owner, and the host where the content resides. This has created a tangled World Wide Web that is very hard to unwind, impairing the ability of ISPs and network administrators to control the traffic flowing in their networks. In this paper, we present DN-Hunter, a system that leverages the information carried by DNS traffic to untangle this web. By parsing DNS queries, DN-Hunter tags traffic flows with the associated domain name. This association has several applications and reveals a large amount of useful information: (i) it provides fine-grained traffic visibility even when the traffic is encrypted (i.e., TLS/SSL flows), thus enabling more effective policy controls; (ii) it identifies flows even before they begin, giving administrators superior network management capabilities; (iii) it allows one to understand and track (over time) the different CDNs and cloud providers that host content for a particular resource; (iv) it discerns all the services/content hosted by a given CDN or cloud provider in a particular geography and time interval; and (v) it provides insights into all the applications/services running on any given layer-4 port number. We conduct extensive experimental analysis and show results from real traffic traces (including FTTH and 4G ISPs) that support our hypothesis. Simply put, the information provided by DNS traffic is one of the key components required for understanding the tangled web and for bringing the ability to effectively manage network traffic back to the operators.
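As an added illustration of the flow-tagging idea described above (example code written for this page, not DN-Hunter's own implementation), the script below replays a constructed trace of DNS answers and flow starts and labels each flow with the name the same client most recently resolved to the flow's server IP; the event format, names and addresses are all assumptions, and the same-IP, different-name case shows why the most recent answer per client matters on shared CDN addresses.

```python
"""Flow-to-domain tagging in the spirit of DN-Hunter.
Added example, not the paper's code. Assumes DNS answers and flow starts are
seen from one vantage point (e.g. an ISP probe); ts is the observation time."""
from collections import defaultdict, namedtuple

DnsAnswer = namedtuple("DnsAnswer", "ts client qname answers")  # answers: A/AAAA records
Flow = namedtuple("Flow", "ts client server dport")

class FlowTagger:
    def __init__(self):
        # (client, server_ip) -> [(ts, qname), ...] in observation order
        self._seen = defaultdict(list)

    def observe_dns(self, a):
        for ip in a.answers:
            self._seen[(a.client, ip)].append((a.ts, a.qname))

    def tag(self, f):
        """Name most recently resolved to f.server by f.client before f.ts, or None."""
        earlier = [e for e in self._seen.get((f.client, f.server), ()) if e[0] <= f.ts]
        return max(earlier)[1] if earlier else None

def tag_trace(dns, flows):
    """Replay DNS answers and flow starts in time order; return [(flow, name)]."""
    tagger = FlowTagger()
    events = sorted([(d.ts, 0, d) for d in dns] + [(f.ts, 1, f) for f in flows],
                    key=lambda e: e[:2])  # a DNS answer sorts before a flow at the same ts
    out = []
    for _, kind, ev in events:
        if kind == 0:
            tagger.observe_dns(ev)
        else:
            out.append((ev, tagger.tag(ev)))
    return out

# Constructed sample trace (documentation IP ranges, made-up names).
SAMPLE_DNS = [
    DnsAnswer(1.0, "10.0.0.5", "www.news.example", ("198.51.100.10", "198.51.100.11")),
    DnsAnswer(5.0, "10.0.0.5", "cdn.video.example", ("198.51.100.10",)),  # same CDN IP, new name
]
SAMPLE_FLOWS = [
    Flow(2.0, "10.0.0.5", "198.51.100.10", 443),  # TLS: payload opaque, DNS still names it
    Flow(3.0, "10.0.0.7", "198.51.100.10", 443),  # no answer seen for this client (cache hit)
    Flow(6.0, "10.0.0.5", "198.51.100.10", 443),  # same server IP, now the video service
    Flow(7.0, "10.0.0.5", "203.0.113.9", 80),     # server never resolved in observed DNS
]

def demo():
    return [name for _, name in tag_trace(SAMPLE_DNS, SAMPLE_FLOWS)]
```

Flows whose client resolved the server from a local cache, or outside the probe's view, stay unlabelled; in a deployment those are the gaps a DNS-based tagger cannot close on its own.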