eyeDNS: Monitoring a University Campus Network

Chandan Chowdhury, Dalton A. Hahn, Matthew R. French, Eugene Y. Vassermann
Kansas State University

Pratyusa K. Manadhata
Micro Focus

Alexandru G. Bardas
University of Kansas

Domain Name System (DNS)

• DNS is responsible for mapping human readable domain names to internet protocol (IP) addresses (the internet's equivalent of a phone-book)


• DNS is vital to benign and malicious internet (and enterprise network) users
  • Benign actors: reaching the desired destinations
  • Malicious actors: reaching with C&C servers


• Monitoring and analyzing DNS traffic provides visibility into the communications of a network's internal parties

Image source: https://07avr.files.wordpress.com/2014/07/dns-is-the-phonebook.png

DNS Traffic on a University Network

• A research university campus network is very dynamic, open, and diverse:
  • Departamental networks, financial services, residence halls, etc.
  • Legacy software and hardware components


• Difficult to apply a single security policy to the entire university


• Monitoring DNS traffic: "Show me who your friends are and I’ll tell you who you are"

Campus Infrastructure

Monitored campus network:

• Approx. 24,000 enrolled students
• Over 218,000 registered users (students, faculty, administrative personnel, etc.)
• More than 42,000 connected hosts/devices per day
• Uses a publicly routable /16 block of IP addresses divided in various segments:
  Wireless segment, VPN clients, and the residence halls

Data Collection

• The on-campus DNS infrastructure is distributed
• Data gathered over 15 months (Jan. 2016 - Mar. 2017)
• Used 6 months of subsequent data to validate original findings (Apr. 2017 – Oct. 2017)

eyeDNS Dashboards

Significance of Collected Data - Coverage

• Dataset was assembled from processing 640,891,500 DNS query packets and 696,879,237 DNS response packets
• Significance does not lie in the overall quantity of observed DNS packets (April 2017: approx. 11.4%) but rather that the traffic originates from many diverse sources

Data Sources

Originating sources:

• 55 out of the 103 (53%) total buildings on campus, including student housing


• 54.28% of the VPN IP address block (from outside the university network)


• 48% of the blocks assigned to the wireless range
  (By analyzing the IP address assignment pattern for the wireless network, we conclude that they were assigned uniformly at random, and hence are not biased.)

Statistics of Collected Data

• Monthly average distribution of DNS response:
• Also noticed differences between business hours vs non-business hours, weekdays vs. weekends, or between academic semesters

Analysis and Findings

Algorithmically Generated Domains:

• Used as rendezvous points by C&C servers to remain in contact with infected machines (bots)
• Leveraged the DGArchive database

DGArchive^* maintains a database of algorithmically generated domains associated with various malware families (reverse-engineered malware)

^* D. Plohmann et. al, "A comprehensive measurement study of domain generating malware," in USENIX Security, 2016

eyeDNS with DGArchive

Suspicious and Anomalous Findings (1/3)

Web Proxy Auto Discovery (WPAD):

• 10M DNS queries for domain names that start with "wpad"


• Used by Windows hosts (enables quick and easy OS fingerprinting)


• Susceptible to Man-In-The-Middle (MITM) attacks by hosts serving malicious Proxy Auto-Configuration (PAC) JavaScript files

Suspicious and Anomalous Findings (2/3)

Signs of Scams:

• Uncovered scam websites, cheap domains, ad-based URL shortening services
• Typo-squatted domains list provided by Miramirkhani et al.^*
• Uncovered 880,497 DNS queries to typo-squatted domains:
  • 23,049 DNS queries to "buzzfed.com" and 14,151 to "umblr.com

^* N. Miramirkhani, O. Starov, and N. Nikiforakis, "Dial one for scam: A large-scale analysis of technical support scams," in NDSS, 2017.

Suspicious and Anomalous Findings (3/3)

Network Rerouting:

• Maintenance activities caused a significant spike on DNS traffic routed through the monitored DNS server

Limitations

• Deploying and maintaining a DNS traffic analysis pipeline on an operational network is challenging (especially in case of a distributed DNS infrastructure)


• Inconsistent blacklisting mechanism


• The capture box analyzes domain names only up to the second level domain

Conclusions

• We introduce a framework, called eyeDNS, to collect, store, analyze, and visualize DNS traffic in near real-time


• eyeDNS:
  • Deployed on a large US public university campus network
  • Used by the campus security team
  • Provides a unique perspective into the various network activities

Color Schemes

Presentation color schemes:

• effects overload
• black & white (default)
• devopsy