论文信息 - Inferring Popularity of Domain Names with DNS Traffic: Exploiting Cache Timeout Heuristics

Inferring Popularity of Domain Names with DNS Traffic: Exploiting Cache Timeout Heuristics

Popularity ranking of Internet services is an important metric for network operators, because it enables mid- to-long term planning of their network facilities and root cause analysis for unexpected traffic. The service-oriented traffic monitoring is much helpful to infer the popularity, hence it has been gathering much attention from both researchers and practitioners. Lately, service identification of a given flow has become very difficult due to the rapid growth of CDNs and/or encrypted traffic, while some research works employed preceding DNS traffic as a hint. However, because of its cache mechanism, the DNS message count deviates from the actual number of flows, which can greatly degrade the ranking reliability. We propose a theoretical model for inferring the user's number of accesses per domain name by exploiting the characteristics of the DNS message count. To the best of our knowledge, this paper is the first attempt to formulate the effect of user's stub resolvers; previous studies were focused on analyzing the effect of cache servers. We evaluated the precision of our model with a real dataset of traffic of thousands of users. By analyzing the top-50 domain names by the number of users, we can infer the number of flows within a 24% error rate on average in 42 out of 50 FQDNs.

[1] Masayuki Murata,et al. Detecting distributed denial-of-service attacks by analyzing TCP SYN packets statistically , 2004, IEEE Global Telecommunications Conference, 2004. GLOBECOM '04..

[2] Shigeki Goto,et al. SFMap: Inferring Services over Encrypted Web Flows Using Dynamical Domain Name Graphs , 2015, TMA.

[3] Paul V. Mockapetris,et al. Domain names - implementation and specification , 1987, RFC.

[4] Jin Cao,et al. Internet Traffic Tends Toward Poisson and Independent as the Load Increases , 2003 .

[5] Sally Floyd,et al. Wide area traffic: the failure of Poisson modeling , 1995, TNET.

[6] Craig E. Wills,et al. Inferring relative popularity of internet applications by actively querying DNS caches , 2003, IMC '03.

[7] Christian Callegari,et al. DNS-Class: immediate classification of IP flows using DNS , 2014, Int. J. Netw. Manag..

[8] Niels Provos,et al. Peeking Through the Cloud: Client Density Estimation via DNS Cache Probing , 2010, TOIT.

[9] Shoichiro Asano,et al. Detection Accuracy of Network Anomalies Using Sampled Flow Statistics , 2007, IEEE GLOBECOM 2007 - IEEE Global Telecommunications Conference.

[10] Robert Tappan Morris,et al. DNS performance and the effectiveness of caching , 2001, IMW '01.

[11] Marco Mellia,et al. DNS to the rescue: discerning content and services in a tangled web , 2012, IMC '12.