DOI: 10.1145/3555050.3569135
Short paper, open access

FlowDNS: correlating netflow and DNS streams at scale

Published: 30 November 2022

Abstract

Knowing customers' interests, e.g. which Video-On-Demand (VoD) or Social Network services they are using, helps telecommunication companies with better network planning, so that they can enhance performance exactly where the customers' interests lie and also offer the customers relevant commercial packages. However, with the increasing deployment of CDNs by different services, identification and attribution of traffic based on network-layer information alone becomes a challenge: if multiple services use the same CDN provider, they cannot be easily distinguished by IP prefix alone. Therefore, it is crucial to go beyond pure network-layer information for traffic attribution.
In this work, we leverage real-time DNS responses gathered by the clients' default DNS resolvers. By correlating these DNS responses with network-layer headers, we are able to translate CDN-hosted domains to the actual services they belong to. We design a correlation system for this purpose and deploy it at a large European ISP. With our system, we can correlate an average of 81.7% of the traffic with the corresponding services, without any loss on our live data streams. Our correlation results also show that 0.5% of the daily traffic is associated with malformed, spamming, or phishing domain names. Moreover, ISPs can correlate the results with their BGP information to find more details about the origin and destination of the traffic. We plan to publish our correlation software for other researchers and network operators to use.
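A minimal replay of the correlation the abstract describes, written as an added example (it is not the paper's FlowDNS code): flow records are matched against the DNS answers the same client received earlier, keyed on (client IP, answer IP) and expired by TTL, so two services behind one CDN address are still told apart. All DNS responses, flow records and the hostname-to-service map are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inputs (not from the paper). DNS responses as seen by
# the ISP's resolver: (time, client_ip, queried_name, answer_ip, ttl_seconds).
DNS_RESPONSES = [
    (100, "10.0.0.1", "video.vod-a.example", "203.0.113.10", 60),
    (105, "10.0.0.2", "img.social-b.example", "203.0.113.10", 60),  # same CDN IP
    (110, "10.0.0.3", "video.vod-a.example", "203.0.113.11", 5),    # short TTL
]
# NetFlow records: (time, src_ip, dst_ip, bytes).
FLOWS = [
    (120, "10.0.0.1", "203.0.113.10", 5000),  # this client resolved vod-a to the IP
    (125, "10.0.0.2", "203.0.113.10", 3000),  # same dst IP, but social-b for this client
    (200, "10.0.0.3", "203.0.113.11", 1000),  # answer expired at t=115 -> unattributed
    (130, "10.0.0.4", "198.51.100.7", 2000),  # no DNS response seen -> unattributed
]
# Assumed hostname -> service mapping that an operator would maintain.
SERVICE_BY_NAME = {"video.vod-a.example": "VoD-A", "img.social-b.example": "Social-B"}

class DnsCache:
    """Maps (client_ip, answer_ip) to the latest name resolved to it, honoring TTL."""
    def __init__(self):
        self._table = {}
    def add(self, ts, client, name, ip, ttl):
        self._table[(client, ip)] = (ts + ttl, name)
    def lookup(self, ts, client, ip):
        entry = self._table.get((client, ip))
        if entry is None or ts > entry[0]:
            return None  # never resolved by this client, or answer no longer valid
        return entry[1]

def correlate(dns_responses, flows):
    """Replay both streams in time order and attribute each flow's bytes to a service."""
    cache, bytes_by_service = DnsCache(), defaultdict(int)
    events = [(r[0], 0, r) for r in dns_responses] + [(f[0], 1, f) for f in flows]
    for ts, kind, rec in sorted(events, key=lambda e: (e[0], e[1])):  # DNS before flows
        if kind == 0:
            cache.add(ts, *rec[1:])
        else:
            _, src, dst, nbytes = rec
            name = cache.lookup(ts, src, dst)
            bytes_by_service[SERVICE_BY_NAME.get(name, "unattributed")] += nbytes
    return dict(bytes_by_service)

def attributed_fraction(stats):
    """Share of bytes mapped to a known service (the paper reports 81.7% on live data)."""
    total = sum(stats.values())
    return (total - stats.get("unattributed", 0)) / total if total else 0.0
```

Running `correlate(DNS_RESPONSES, FLOWS)` attributes the two flows to the shared CDN address to different services, while the expired answer and the never-resolved destination stay unattributed.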


Cited By

  • (2024) DNSScope: Fine-Grained DNS Cache Probing for Remote Network Activity Characterization. IEEE INFOCOM 2024 - IEEE Conference on Computer Communications, pp. 1651-1660. doi:10.1109/INFOCOM52122.2024.10621277. Online publication date: 20 May 2024.
  • (2023) Characterizing the VPN Ecosystem in the Wild. Passive and Active Measurement, pp. 18-45. doi:10.1007/978-3-031-28486-1_2. Online publication date: 21 March 2023.


          Published In

          CoNEXT '22: Proceedings of the 18th International Conference on emerging Networking EXperiments and Technologies
          November 2022, 431 pages
          ISBN: 9781450395083
          DOI: 10.1145/3555050
          Publisher: Association for Computing Machinery, New York, NY, United States
          This work is licensed under a Creative Commons Attribution International 4.0 License.

          Acceptance Rates

          CoNEXT '22 paper acceptance rate: 28 of 151 submissions, 19%
          Overall acceptance rate: 198 of 789 submissions, 25%


          Article Metrics

          • Downloads (last 12 months): 215
          • Downloads (last 6 weeks): 23
          Reflects downloads up to 02 Oct 2024
