Search results for: dns traffic analysis

Number of results: 2901162

2003
Kun-chan Lan Alefiya Hussain Debojyoti Dutta Marina Del Rey

The Internet has witnessed a steady rise in malicious traffic including DDoS and worm attacks. In this paper, we study the effect of malicious traffic on the background traffic by analyzing recent traces from two different locations. We show that malicious traffic causes an increase in the average DNS latency by 230% and an increase in the average web latency by 30% even on highly over-provisio...

2010

Review: Anycast-Aware Transport for Content Delivery Networks Published at the most recent WWW conference (WWW ’09), “Anycast-Aware Transport for Content Delivery Networks” attempts to address several challenges in utilizing IP anycast as a redirection mechanism for content delivery networks (CDNs). Typically, DNS is used by CDNs to automatically distribute load to the most appropriate edge-ser...

Journal: :Digital Investigation 2007
Bruce J. Nikkel

This practitioner paper provides an introduction to investigating IPv6 networks and systems. IPv6 addressing, packet structure, and supporting protocols are explained. Collecting information from IPv6 registries and databases such as Whois and DNS is demonstrated. Basic concepts and methods relevant for digital forensic investigators are highlighted, including the forensic analysis of IPv6 enab...

2011
Scott Campbell Steve Chan Jason Lee

Fast Flux Service Networks (FFSN) apply high availability server techniques to the business of malware distribution. FFSNs are similar to commercial content distribution networks (CDN), such as Akamai, in terms of size, scope, and business model, serving as an outsourced content delivery service for clients. Using an analysis of DNS traffic, we derive a sequential hypothesis-testing algorithm b...

2016
Matija Stevanovic Jens Myrup Pedersen

Botnets, as networks of compromised “zombie” computers, represent one of the most serious security threats on the Internet today. This paper explores how machines compromised with bot malware can be identified at local and enterprise networks in an accurate and time-efficient manner. The paper introduces a novel multi-level botnet detection approach that performs network traffic analysis of three ...

2013
Max Potasznik

On or about August 25 2013, the name servers supporting the country code Top Level Domain (ccTLD) “.cn” were attacked and brought offline[2, 6–8, 11]. As local DNS caches expired, this attack eventually affected the internet traffic of most users attempting to reach Chinese websites because the authoritative DNS servers for those sites ceased working. While the attack itself was widely reported...

2012
Daan Raman Bjorn De Sutter Bart Coppens Stijn Volckaert Koen De Bosschere Pieter Danhieux Erik Van Buggenhout

Most networks are connected to the Internet through firewalls to block attacks from the outside and to limit communication initiated from the inside. Because of the limited, supposedly safe functionality of the Domain Name System protocol, its traffic is by and large neglected by firewalls. The resulting possibility for setting up information channels through DNS tunnels is already known, but a...

Journal: :CoRR 2013
Stefano Schiavoni Federico Maggi Lorenzo Cavallaro Stefano Zanero

Modern botnets rely on domain-generation algorithms (DGAs) to build resilient command-and-control infrastructures. Recent works focus on recognizing automatically generated domains (AGDs) from DNS traffic, which potentially allows identifying previously unknown AGDs to hinder or disrupt botnets’ communication capabilities. The state-of-the-art approaches require deploying low-level DNS sensors ...

2010
Cheng Huang Nic Holt Angela Wang Albert G. Greenberg Jin Li Keith W. Ross

An edge network deployment consists of many (tens to a few hundred) satellite data centers. To optimize end-user perceived performance, a Global Traffic Management (GTM) solution needs to continuously monitor the performance between the users and the data centers, in order to dynamically select the “best” data center for each user. Though widely adopted in practice, GTM solutions based on active...

Journal: :Digital Investigation 2014
Elias Bou-Harb Nour-Eddine Lakhdari Hamad Binsalleeh Mourad Debbabi

During November 2013, the operational cyber/network security community reported an unprecedented increase of traffic originating from source port 0. This event was deemed as malicious although its core aim and mechanism were obscured. This paper investigates that event using a multifaceted approach that leverages three real network security feeds that we receive on a daily basis, namely, darkne...
