Impact of DNS fixing on traffic

July 26th, 2008

by Supranamaya Ranjan

In my last blog post, I provided a preliminary analysis showing how DNS resolvers had caused an uptick in the amount of DNS traffic they were sending towards a set of DNS servers that the NarusInsight Secure Suite (NSS) monitors. Since then, a working exploit for the DNS vulnerability has been released in the wild, so I got curious to see how fast organizations are patching their systems.

Figure 1: Aggregate volume of anomalous traffic patterns seen on DNS traffic

The figure above shows the aggregate volume of anomalous traffic patterns that NSS saw on DNS traffic. We define an anomalous activity as one where either the volume of traffic going towards an IP address increases suddenly, or the behavior of that traffic (e.g., the number of distinct sources contacting a destination IP address) changes suddenly. Applying the patch means restarting the resolver, which empties its cache, so a freshly patched resolver has to re-query the authoritative DNS servers for every name it had been serving from cache. Since most resolvers were patched in a co-ordinated manner, they all sent that burst of query traffic towards the same destination DNS servers at the same time, and NSS classifies those bursts as anomalous because both the traffic volume and the traffic behavior towards these servers had changed relative to the historical baselines.

From the figure above, the largest batch of patches appears to have been applied in the July 9-10 timeframe, i.e., immediately after the co-ordinated vendor release of July 8, with smaller batches on July 18, 21, 23 and 26. The largest number of cache resets therefore occurred right at the beginning, and from our view via NSS we believe the vast majority of patches were applied at the earliest announcement.

Interestingly, the total amount of DNS traffic per day passing the NSS probes didn't exhibit any significant change (see the figure below). The surges only show up at minute-level granularity, which is what the first figure measures; aggregated per day they are lost in the normal volume. In other words, the patched resolvers that had sent a co-ordinated burst of queries towards certain DNS servers did not need to send more traffic afterwards, because the responses were cached again, so each day's total stayed roughly the same.
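To make the two observations concrete (a burst that is anomalous at minute granularity but invisible in the per-day total), here is a small added example written for this edit; it is not code from the original post and has nothing to do with how NSS actually implements its baselines. It builds a constructed record set of 20 resolvers querying one authoritative server, models a co-ordinated restart (cache flush) on day 2 as every resolver re-fetching 30 cached names in the same minute, and applies an assumed detection rule: a bucket is flagged when its query count or its distinct-source count exceeds three times the mean of all earlier buckets for that destination. The names, the 3x factor, and the traffic shape are all assumptions.

```python
"""Minute-level vs day-level DNS anomaly detection on constructed records.

Added example, not code from the original post or from NSS. The 3x rule,
the resolver names and the traffic shape are assumptions chosen so that
the co-ordinated cache flush is obvious per minute and invisible per day.
"""
from collections import defaultdict
from statistics import mean

FACTOR = 3.0           # assumed: flag when count > FACTOR * historical mean
MINUTES_PER_DAY = 1440


def build_records(days=3, resolvers=20, surge_day=2, surge_minute=600,
                  cached_names=30):
    """Constructed sample traffic, as (minute_ts, src, dst, n_queries).

    Baseline: each resolver refreshes one record every 4 minutes, staggered,
    so exactly 5 resolvers send 1 query each in every minute. On surge_day at
    surge_minute every resolver restarts with an empty cache and re-fetches
    all cached_names names at once.
    """
    recs = []
    for day in range(days):
        for minute in range(MINUTES_PER_DAY):
            ts = day * MINUTES_PER_DAY + minute
            for r in range(resolvers):
                if (minute + r) % 4 == 0:
                    recs.append((ts, f"resolver-{r}", "ns1.example", 1))
            if day == surge_day and minute == surge_minute:
                for r in range(resolvers):
                    recs.append((ts, f"resolver-{r}", "ns1.example", cached_names))
    return recs


def bucketize(records, bucket_minutes):
    """Aggregate per destination into buckets of bucket_minutes.

    Returns {dst: [(bucket_index, query_count, distinct_sources), ...]}
    sorted by bucket index.
    """
    per_dst = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for ts, src, dst, n in records:
        cell = per_dst[dst][ts // bucket_minutes]
        cell[0] += n
        cell[1].add(src)
    return {dst: [(b, cnt, len(srcs)) for b, (cnt, srcs) in sorted(cells.items())]
            for dst, cells in per_dst.items()}


def detect(series, factor=FACTOR):
    """Flag a bucket when its query count OR its distinct-source count
    exceeds factor times the mean of all earlier buckets for that dst.

    Returns a list of (dst, bucket, count, sources, base_count, base_sources).
    """
    alerts = []
    for dst, buckets in series.items():
        hist_cnt, hist_src = [], []
        for b, cnt, nsrc in buckets:
            if hist_cnt:   # need at least one earlier bucket as baseline
                base_cnt, base_src = mean(hist_cnt), mean(hist_src)
                if cnt > factor * base_cnt or nsrc > factor * base_src:
                    alerts.append((dst, b, cnt, nsrc, base_cnt, base_src))
            hist_cnt.append(cnt)
            hist_src.append(nsrc)
    return alerts


def compare_granularities(records):
    """Run the same rule at 1-minute and 1-day granularity."""
    minute_alerts = detect(bucketize(records, 1))
    day_alerts = detect(bucketize(records, MINUTES_PER_DAY))
    return minute_alerts, day_alerts


if __name__ == "__main__":
    recs = build_records()
    minute_alerts, day_alerts = compare_granularities(recs)
    print("minute-level alerts:", minute_alerts)   # one alert at the surge
    print("day-level alerts:   ", day_alerts)      # none: +600 on ~7200/day
    print("daily totals:", bucketize(recs, MINUTES_PER_DAY)["ns1.example"])
```

The surge minute carries 605 queries from 20 sources against a baseline of 5 and 5, so both halves of the rule fire; the same day's total is 7800 against a 7200 baseline, well under the 3x factor, which is the effect described above: the restart moves queries that would have been spread across the day into one minute rather than adding a meaningful amount of new traffic.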
