Internet Measurement and Anti-Abuse Laboratory

Anomalous Internet Traffic

If you've observed anomalous Internet traffic associated with our address space, we list below more information on research we're conducting, what you might expect to see, and how to opt out.

• About 30 TCP SYN packets in short succession, several times per day, per IP address

  We are conducting a measurement study that uses SYN packets (and their corresponding SYNACKs) to 1) identify OS and 2) determine whether or not SYN cookies are in use. We believe that our findings, in aggregate, will help us get a picture of security and stability of the Internet, as indicated by servers experiencing high volume or SYN floods over time.

• DNS queries for dns-lab.org either a) destined for your resolver, appearing to come from IP address space within your resolver's autonomous system (AS) and/or b) leaving your resolver

  We are conducting an experiment to learn whether networks are susceptible to reverse spoofing, the idea that internal address space is reachable through by spoofing that IP address as the source in packets. We are using DNS queries to known resolvers as a means to test this.

• SMTP connections attempting to deliver mail to postmaster@<your_domain> with an envelope sender having a suffix in the spf-test.dns-lab.org zone

  We are conducting experiments related to validation of SPF and DMARC, as part of our research on SMTP anti-abuse. The suffix for any sender email corresponds to a domain with a specific configuration testing a given characteristic of SPF and/or DMARC. We observe the traffic at our authoritative DNS servers to learn more about the state of SPF and DMARC deployment.

  We know that people hate spam, so we have tried several ways to reduce, if not eliminate, the amount of unsolicited email reaching someone's inbox as part of our experiment. First, with one methodology we employ, we simply disconnect from the SMTP server after DATA is issued (but before any content is sent). We have and are using that methodology. However, we have learned that many servers begin SPF validation by the point at which we disconnect, but some servers (e.g., gmail) won't validate unless they get some content. Of those, many (e.g., gmail) would immediately dismiss a blank email message, even though they still validate. So we additionally using this methodology. We recognize that there are some servers that don't error out, but we make note of those to not hit them twice---to minimize annoyance and perceived abuse. We also use an invalid SPF and strict DMARC reject policy, so servers adhering to SPF and DMARC should reject our message, but we understand that not all are validating.

• DNS queries to DNS servers for DNS records within the resolver-measurement.dns-lab.org zone

  We are conducting experiments to characterize DNS server behavior, particularly with respect to open resolver behavior. The custom queries we issue to a resolver supporting recursive DNS queries from our address space force it to in turn issue queries to the servers authoritative for dns-lab.org, which are under our control.

  We are also conducting experiments related to DNS-over-TLS, so you might see connection attempts to port 853, which is associated with DNS-over-TLS.

• DNS queries to authoritative servers for DNS records that don't exist

  We are conducting experiments to understand the handling of negative DNS responses by DNS authoritative servers, which requires us to issue queries to servers for names or types that don't exist within the DNS zone for which the servers are authoritative.

• DNS queries to resolvers for DNS records within the resolver-select.dns-lab.org zone

  We are conducting experiments to characterize resolver behavior with respect to DNS authoritative server selection. The custom queries we issue to the resolver force it to in turn issue queries to the servers authoritative for resolver-select.dns-lab.org, which are specially configured and under our control.

• DNS queries to resolvers for DNS records for non-existent domain names within select domains

  We are conducting experiments to characterize resolver behavior with respect to DNS authoritative server selection and proximity to resolvers. Issuing queries for DNS records that don't exist help us to better understand that behavior.

Contact

For questions, comments, and additional information, please send email to imaal@byu.edu.

To opt out of any or all of the listed above, please send email to imaal-abuse@byu.edu, and include the IP address space that you would like to be exempted.