7th International Workshop on
TRaffic Analysis and Characterization

September 5-9, 2016
Paphos, Cyprus

Domain Name System monitoring, resilience and security: state of the DNS
Stéphane Bortzmeyer, AFNIC Labs, France.


The DNS (Domain Name System) is a critical infrastructure of the Internet. If it is down, almost nothing works, as if the Internet itself were down. If it slows down, almost every Internet activity is affected. But the DNS faces many challenges: increased use, buggy software and, of course, denial-of-service attacks. Sometimes, the DNS is even used to carry out these attacks.

The actors of the DNS measure it, test it, monitor it and deploy countermeasures against attacks. What do they do exactly? What is the state of the art regarding DNS monitoring, resilience and security?

We will cover the following points:

About the Speaker:

Stéphane Bortzmeyer works at AFNIC Labs, the research and development arm of AFNIC (the .fr registry). He is involved in security, statistics and monitoring. He wrote several articles on DNS measurements, such as "DNS censorship lies seen by Atlas probes", "Persée et la Gorgone : attaques par déni de service utilisant le DNS, et les contre-mesures", and "Using RIPE Atlas User Defined Measurements to Find the Most Popular Instances of a DNS Anycast Name Server". He is an active IETF participant, author of RFC 7626 "DNS Privacy Considerations" and one of the people working on the DNS privacy project.

Towards 100 Gbit Flow-Based Network Monitoring
Luca Deri, NTOP and Registro.it, Italy.


Monitoring a 100-Gbit network is a challenging activity, both in terms of packets per second and number of concurrent flows. Although computing performance has greatly increased over the past few years, it is not easy to adapt the design of existing 10-Gbit probes to 100 Gbit.

The demand for DPI-based traffic classification, as well as the need to combine on the same physical box both a flow-based probe and additional applications (e.g., an IDS), makes this task even more challenging. It is challenging because network administrators often combine network visibility with in-depth analysis of selected traffic flows (e.g., those produced by compromised hosts or critical network resources).

This presentation covers the design and implementation of a new generation of network sensors able to cope with the monitoring challenges that arose with the advent of 100-Gbit networks. The need to combine traffic visibility with selected packet introspection has changed the concept of what a traditional network probe does. Producing flow records for all traffic while selectively analysing a portion of it, flow/application-based packet shunting, line-rate selective packet introspection via micro-DPI, and exploiting modern FPGA-based NICs are just a few of the challenges that this new generation of sensors has to address.

The result is the ability to combine on a single box functions that are often implemented with multiple servers, thus saving money on costly high-speed network adapters and reducing the number of monitoring components.

About the Speaker:

Luca Deri is the leader of the ntop project, which is aimed at developing an open-source monitoring platform for high-speed traffic analysis. He shares his time between the ntop project, the Italian DNS Registry (Registro.it), and the University of Pisa, where he has been appointed as a lecturer at the Computer Science Department. He worked for the University College of London and IBM Research prior to his PhD. He is well known in the open-source and Linux community as well as in industry. He serves as a member of the technical advisory board of several leading companies. He received his PhD at the University of Berne with a thesis about software components for traffic monitoring applications.