Domain Name System monitoring, resilience and security: state of the art
Stéphane Bortzmeyer, AFNIC
The DNS (Domain Name System) is a critical infrastructure of the Internet. If it is down, almost nothing works, as if the Internet itself is down. If it slows down, almost every Internet activity is affected. But the DNS faces many challenges: increased use, buggy software and of course denial of service attacks. Sometimes, the DNS is even used to make these attacks.
The actors of the DNS measure the DNS, test it, monitor it and deploy counter-measures against attacks. What do they do exactly? What is the state of the art regarding DNS monitoring, resilience and security?
We will cover the following points:
- state of the art of attacks against the DNS
- assessing the resilience of the DNS: automatic tests and surveys
- counter-measures against attacks: rate-limiting, filtering and risks of the counter-measures
About the Speaker:
Stéphane Bortzmeyer works at AFNIC Labs, the research and development arm of AFNIC (the .fr registry). He is involved in security, statistics and monitoring. He wrote several articles on DNS measurements such as DNS censorship lies seen by Atlas probes, Persée et la Gorgone : attaques par déni de service utilisant le DNS, et les contre-mesures, or Using RIPE Atlas User Defined Measurements to Find the Most Popular Instances of a DNS Anycast Name Server. He is an active IETF participant, author of RFC 7626 "DNS Privacy Considerations" and one of the persons working on the DNS privacy project.
Towards 100 Gbit Flow-Based Network Monitoring
Luca Deri, NTOP and Registro.it
Monitoring a 100-Gbit network is a challenging activity, both in terms of packets per second and number of concurrent flows. Although computing performance has greatly increased over the past few years, it is not easy to adapt the design of existing 10-Gbit probes to 100 Gbit. The demand for DPI-based traffic classification, as well as the ability to combine on the same physical box both a flow-based probe and additional applications (e.g., an IDS), makes this task even more challenging. It is challenging because network administrators often combine network visibility with in-depth analysis of selected traffic flows (e.g., produced by compromised hosts or critical network resources).
This presentation covers the design and implementation of a new generation of network sensors able to cope with the monitoring challenges that arose with the advent of 100-Gbit networks. The need to combine traffic visibility with selected packet introspection changed the concept of what a traditional network probe does. The need to produce flow records for all traffic while selectively analysing a portion of it, flow/application-based packet shunting, line-rate selective packet introspection via micro-DPI, and the exploitation of modern FPGA-based NICs are just a few of the challenges that this new generation of sensors has to address.
The result is the ability to combine onto a single box functionalities that are often implemented with multiple servers, thus saving money on costly high-speed network adapters and reducing the number of monitoring components.
About the Speaker:
Luca Deri is the leader of the ntop project, which is aimed at developing an open-source monitoring platform for high-speed traffic analysis. He shares his time between the ntop project, the Italian DNS Registry (Registro.it), and the University of Pisa where he has been appointed as a lecturer at the Computer Science Department. He worked for the University College of London and IBM Research prior to his PhD. He is well known in the open-source and Linux community as well as in industry. He serves as a member of the technical advisory board of several leading companies. He received his PhD at the University of Berne with a thesis about software components for traffic monitoring applications.