reblogging: the diurnal Internet and DNS backscatter

We are happy to share that two of our older topics have appeared more recently in other venues.

Our animations of the diurnal Internet, originally seen in our 2014 ACM IMC paper and our blog posts, was noticed by Gerald Smith who used it to start a discussion with seventh-grade classes in Mahe, India and (I think) Indiana, USA as part of his Fullbright work. It’s great to see research work that useful to middle-schoolers!

Kensuke Fukuda recently posted about our work on identifying IPv6 scanning with DNS backscatter at the APNIC blog. This work was originally published at the 2018 ACM IMC and posted in our blog. It’s great to see that work get out to a new audience.

Collaborations Social

thanks to visiting scholar Kensuke Fukuda (again!)

We would like to thank Kensuke Fukuda for joining us as a visiting scholar from April 2017 to February 2018.  This visit was his second to our group, and it was great having Fukuda-san back with us while he continues his work with  the National Institute of Informatics in Japan.

Kensuke’s first visit resulted in it development of DNS backscatter, a new technique that can detect scanners and spammers in IPv4.  On this visit he worked with us to understand how to adapt DNS backscatter to IPv6.  A paper about this work appears at ACM IMC 2018.

We had a going away lunch with Kensuke, his family, and part of the ANT lab in February 2018.  Because it was during the regular week, several lab members were unable to attend.

The going-away lunch for Kensuke Fukuda (on the left), with members of the ANT lab, celebrating his time here as a visiting scholar.
The going-away lunch for Kensuke Fukuda (on the left), with members of the ANT lab, celebrating his time here as a visiting scholar.

Papers Publications

new conference paper “Who Knocks at the IPv6 Door? Detecting IPv6 Scanning” at ACM IMC 2018

We have published a new paper “Who Knocks at the IPv6 Door? Detecting IPv6 Scanning” by Kensuke Fukuda and John Heidemann, in the ACM Internet Measurements Conference (IMC 2018) in Boston, Mass., USA.

DNS backscatter from IPv4 and IPv6 ([Fukuda18a], figure 1).
From the abstract:

DNS backscatter detects internet-wide activity by looking for common reverse DNS lookups at authoritative DNS servers that are high in the DNS hierarchy. Both DNS backscatter and monitoring unused address space (darknets or network telescopes) can detect scanning in IPv4, but with IPv6’s vastly larger address space, darknets become much less effective. This paper shows how to adapt DNS backscatter to IPv6. IPv6 requires new classification rules, but these reveal large network services, from cloud providers and CDNs to specific services such as NTP and mail. DNS backscatter also identifies router interfaces suggesting traceroute-based topology studies. We identify 16 scanners per week from DNS backscatter using observations from the B-root DNS server, with confirmation from backbone traffic observations or blacklists. After eliminating benign services, we classify another 95 originators in DNS backscatter as potential abuse. Our work also confirms that IPv6 appears to be less carefully monitored than IPv4.