Traffic Analysis on a Domain Name System Server. SMTP Access Generates Many Name-Resolving Packets to a Greater Extent than Does POP3 Access

Transcription

1 Traffic Analysis on a Domain Name System Server. SMTP Access Generates Many Name-Resolving Packets to a Greater Extent than Does POP3 Access Yasuo Musashi, Ryuichi Matsuba, and Kenichi Sugitani Center for Multimedia and Information Technologies, Kumamoto University, Kumamoto Japan, musashi@cc.kumamoto-u.ac.jp

2 Table of Contents Domain Name System and Intrusion Detection System 4 This Work 5 Computations: Normal Equation 1 6 Computations: Normal Equation 2 7 Used Server Daemon Programs and Estimation of Traffic 8 Observed data of N SMTP, N POP3, and D q (day 1 ). 9 D q N POP3 versus N SMTP plot 10 Traffic of SMTP, POP3, and DNS query in 2002/02/13 11 Observed and calculated DNS traffic in 2002/02/13 12 Traffic of SMTP, POP3, and DNS query in 2002/02/16 13 Traffic of Weekday and Holiday 14

3 Why is m SMTP 8.6? 15 DNS query accesses by a SMTP access 16 Receiving SMTP access 16 Transmitting SMTP access 16 DNS vs SMTP/POP3 17 Cache Effects on DNS traffic from servers 18 Observed and calculated DNS traffics in Estimated Cache Efficiency of DNS traffic 20 Conclusions 21 Acknowledgement 22 Traffic of SMTP(from,to, and others) in 2002/02/16 23 Traffic of SMTP(from,to, user and others) in the peak 24

4 Traffic of DNS and SMTP at 2002/07/15 25 Traffic of DNS and SMTP at 2002/07/16 26 Traffic of DNS and SMTP at 2002/07/17 27

5 Domain Name System and Intrusion Detection System The most important network services on the Internet. SMTP/POP3(Mail),FTP,HTTP,... We need to protect the DNS server, firmly. (A) Network Based Intrusion Detection System DMZ Internet FireWall Local Area Network NIDS NIDS (B) Host Based Intrusion Detection System DMZ Internet FireWall HIDS DNS SMTP/POP3 HIDS

6 This Work DNS Log of DNS query SMTP POP3 Log of SMTP Log of POP3 disk disk 1DNS 1MX (1) Statistical investigation on traffic of the DNS query packets between the DNS server (1DNS) and the server (1MX). (2) How are the DNS query packets generated by the SMTP and POP3 accesses? (3) Cache effects of the DNS query.

7 Computations: Normal Equation 1 D q = R SMTP + R POP3 + R FTP + (1) R i = m i N i (2) D q = the DNS query access between the 1DNS and 1MX. R i = the access numbers from the DNS clients. i = a network protocol, such as SMTP, POP3, FTP,... N i = the access counts of a network application, m i = a linear coefficient. R SMTP + R POP3 R FTP + (1MX) D q = m SMTP N SMTP + m POP3 N POP3 (3)

8 Computations: Normal Equation 2 A SMTP,POP3 x SMTP,POP3 = d SMTP,POP3 (4) A SMTP,POP3 = n N 2 j=1 SMTP,j n N SMTP,jN POP3,j j=1 n N SMTP,jN POP3,j j=1 n N 2 j=1 POP3,j (j = 1, 2, 3,, n; days) x SMTP,POP3 = (m SMTP, m POP3 ) t d SMTP,POP3 = ( n j=1 N SMTP,jD q,j, n j=1 N POP3,jD q,j) t

9 Used Server Daemon Programs and Estimation of Traffic Used server daemon programs 1DNS: The DNS server and the DNS packet recorder. BIND and iplog-1.2 1MX:The SMTP and POP3 servers. ISC sendmail and Qualcomm qpopper-4.0 Estimation of Traffic (1) D q : % grep domain /var/log/messages.1 wc (2) N SMTP : % grep "sendmail" /var/log/syslog.0 wc (3) N POP3 : % grep "poppe\[" syslog.0 wc

10 Observed data of N SMTP, N POP3, and D q (day 1 ). A SMTP,POP3 = j N SMTP N POP3 D q 2002/02/ / / / / / / / / / / / / , d SMTP,POP3 = ( , ) t, x SMTP,POP3 = (8.6, 1.0) t D q = 8.6N SMTP + N POP3

11 D q N POP3 versus N SMTP plot Dq NPOP3/day y =8.0 x R = NSMTP/day m SMTP = 8 9 and m POP3 = 1 The SMTP access generates the DNS query, rather than that of the POP3 access.

12 Traffic of SMTP, POP3, and DNS query in 2002/02/13-1 Traffic of SMTP, POP3, and DNS query accesses/s DNS query POP SMTP Time/h (1) There are three peaks. (2) The DNS traffic resembles well the SMTP one.

13 Observed and calculated DNS traffic in 2002/02/13-1 Traffic of observed and calculated DNS query accesses/s Observed Calculated Time/h The calculated curve resembles well the observed one.

14 Traffic of SMTP, POP3, and DNS query in 2002/02/ Traffic of SMTP, POP3, and DNS query accesses/s DNS query POP3 SMTP Time/h (1) The DNS traffic resembles well the SMTP one. (2) The peak of the early morning maybe network trouble?

15 Traffic of Weekday and Holiday -1 Traffic of SMTP, POP3, and DNS query accesses /s DNS query POP3 SMTP 2/17(Sun) 2/18(Mon) 2/19(Tue) 2/20(Wed) 2/21(Thu) 2/22(Fri) 2/23(Sat) Time/day All traffic in weekday is larger than that in holiday.

16 Why is m SMTP 8.6? (A) POP3 access and Receiving SMTP access 2 rq 1MX 1 MX POP3 Client 1 rq 1DNS POP3: 1 rq Receiving SMTP: 2 rq (B) Transmission SMTP access 1MX 4 rq 1 MX 2 rq 1DNS 4 rq 2 MX SMTP Client 4 rq n MX Transmission SMTP : 2 + 4n rq 1 rq = 1 request of DNS query packet

17 DNS query accesses by a SMTP access R POP3 = N POP3 (5) Receiving SMTP access R rec SMTP = 2N rec SMTP (6) Transmitting SMTP access R tr SMTP = (2 + 4n)N tr SMTP (7)

18 DNS vs SMTP/POP3 R SMTP = R rec SMTP + Rtr SMTP (8) q = N rec SMTP N rec SMTP +N tr SMTP (9) m SMTP N SMTP = 2qN SMTP + (1 q)(2 + 4n)N SMTP (N SMTP > 0) m SMTP = 2q + (1 q)(2 + 4n) = 2 + 4n(1 q) (10) D q = (2 + 4n(1 q))n SMTP + N POP3 (11) If q = and m SMTP = 8.6; n = The user of 1MX sends to at least 3 7 persons by one ing.

19 Cache Effects on DNS traffic from servers We present the DNS cache effects of the DNS query access between 1DNS and 1MX with the equation ( D q = 8.6N SMTP + N POP3 ). DNS Log of DNS query disk DNS disk SMTP POP3 Log of POP3 Log of SMTP 1DNS Used server daemon programs 1MX 1DNS: The DNS server and the DNS packet recorder. BIND and iplog-1.2 1MX:The SMTP and POP3 servers. ISC sendmail and Qualcomm qpopper-4.0

20 Observed and calculated DNS traffics in Traffic of the observed and calculated DNS query accesses/s Observed Calculated 3/11(Mon) 3/12(Tue) 3/13(Wed) 3/14(Thu) 3/15(Fri) 3/16(Sat) Time/h The observed traffic is considerably much smaller than the calculated one.

21 Estimated Cache Efficiency of DNS traffic DCE = 1 Dobs q D q calc (12) DNS cache efficiency /11(Mon) 3/12(Tue) 3/13(Wed) 3/14(Thu) 3/15(Fri) 3/16(Sat) Time/h The DNS cache for SMTP/POP3 services is considerably effective.

22 Conclusions (1) The total number of DNS packets, D q, are represented as D q = m SMTP N SMTP + m POP3 N POP3 where N SMTP and N POP3 represent the number of the SMTP access and that of the POP3 access, respectively. The linear coefficients m SMTP and m POP3 are calculated to be and 1.0. (2) m SMTP = 2 + 4n(1 q) where q is a mail-receiving rate and n is a number of different domain hosts. (3) The DNS cache sufficiently affects on the traffic between the DNS server and the server, and the cache efficiency is about The DNS cache on the server reduces the traffic between the DNS server and the server, drastically. The DNS cache should be applied to the server.

23 Acknowledgement All the calculations were carried out with AMD Athlon, Intel Pentium III, and Sun Microsystems Ultra-Sparc machines in our center.

24 Traffic of SMTP(from,to, and others) in 2002/02/ Traffic of SMTP and DNS query accesses/s DNS query from to other Time/h (1) N from > N to > N others. (2) Many SMTP sessions and several nslook-up failures.

25 Traffic of SMTP(from,to, user and others) in the peak 0.3 from user Traffic of SMTP/s to 0.0 other Time/10min (1) N user N from (2) Is the user cracked?

26 Traffic of DNS and SMTP at 2002/07/ Traffic of SMTP, POP3, and DNS query accesses/s DNS query from to Time/h (1) The curve of N to is rippled in the midnight hours. (2) In the morning, the MMI-worm, Frethem.K, was detected.

27 Traffic of DNS and SMTP at 2002/07/ Traffic of SMTP, POP3, and DNS query accesses/s DNS query from to Time/h (1) The curve of N to is rippled in the early morning. (2) Frethem.K was spread by the internet.

28 Traffic of DNS and SMTP at 2002/07/ Traffic of SMTP, POP3, and DNS query accesses/s DNS query from to Time/h (1) The curve of N to is normal in the early morning. (2) Frethem.K was disappeared from 1MX.