Peeking Through the Cloud: Client Density Estimation via DNS Cache Probing

Published: 01 October 2010

Abstract

Reliable network demographics are quickly becoming a much sought-after digital commodity. However, as the need for more refined Internet demographics has grown, so too has the tension between privacy and utility. Unfortunately, current techniques lean too much in favor of functional requirements over protecting the privacy of users. For example, the most prominent proposals for measuring the relative popularity of a Web site depend on the deployment of client-side measurement agents that are generally perceived as infringing on users’ privacy, thereby limiting their wide-scale adoption. Moreover, the client-side nature of these techniques also makes them susceptible to various manipulation tactics that undermine the integrity of their results. In this article, we propose a new estimation technique that uses DNS cache probing to infer the density of clients accessing a given service. Compared to earlier techniques, our scheme is less invasive as it does not reveal user-specific traits, and is more robust against manipulation. We demonstrate the flexibility of our approach through two important security applications. First, we illustrate how our scheme can be used as a lightweight technique for measuring and verifying the relative popularity rank of different Web sites. Second, using data from several hundred botnets, we apply our technique to indirectly measure the infected population of this increasing Internet phenomenon.

Published in

ACM Transactions on Internet Technology, Volume 10, Issue 3
October 2010
109 pages
ISSN: 1533-5399
EISSN: 1557-6051
DOI: 10.1145/1852096

Copyright © 2010 ACM

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

• Published: 1 October 2010
• Revised: 1 March 2010
• Accepted: 1 March 2010
• Received: 1 November 2008

Qualifiers

• research-article
• Research
• Refereed
