Anomalous Internet Traffic

If you've observed anomalous Internet traffic associated with our address space, we list below more information on research we're conducting, what you might expect to see, and how to opt out.

High rates of DNS queries to authoritative servers

We are currently conducting some experiments to survey the deployment of DNS response rate limiting at authoritative servers. If you see abnormally high rates of DNS requests coming from our address space, that is likely associated with this experiment. We understand that this activity appears anomalous and perhaps even malicious. We enumerate below the characteristics of the DNS queries associated with our experiments, including measures that we have taken to mitigate any unintended negative impact on those on the receiving end of our measurements.

  • For every authoritative server associated with a domain (e.g., example.com), we issue a burst of 500 queries in a single second for any A records associated with that domain (e.g., example.com/A).
  • Queries deliberately use type A (IPv4 address) and do not use EDNS0. Both choices are intended to keep the responses relatively small (e.g., compare to type ANY with EDNS0, a combination typically used for reflection-based DDoS attacks).
  • These queries should not persist beyond the burst of 500 (but see next bullet point).
  • If an authoritative server hosts more than one domain in our data set, it might see multiple bursts of queries, one for each domain, but we have made efforts to keep them from being made concurrently.
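
For operators who want to check their own query logs against the characteristics listed above, the following is an added example (not code from the researchers) that flags a source sending 500 or more type A, non-EDNS0 queries for one name within any one-second sliding window, so a burst that straddles a clock-second boundary is still counted whole. The log line format, the function names, and the documentation-range addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

def parse_line(line):
    """Parse a constructed log format: '<epoch> <src> <qname> <qtype> <edns|noedns>'."""
    ts, src, qname, qtype, edns = line.split()
    return float(ts), src, qname.lower().rstrip("."), qtype.upper(), edns == "edns"

def find_bursts(lines, threshold=500, window=1.0):
    """Return {(src, qname): (start_ts, count)} for the densest window of
    type-A, non-EDNS0 queries that reaches `threshold` within `window` seconds."""
    by_key = defaultdict(list)
    for line in lines:
        ts, src, qname, qtype, edns = parse_line(line)
        if qtype == "A" and not edns:          # the signature described above
            by_key[(src, qname)].append(ts)
    hits = {}
    for key, stamps in by_key.items():
        stamps.sort()
        lo, best = 0, (0.0, 0)
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] >= window:   # slide the window start forward
                lo += 1
            if hi - lo + 1 > best[1]:
                best = (stamps[lo], hi - lo + 1)
        if best[1] >= threshold:
            hits[key] = best
    return hits

def sample_log():
    """Constructed sample: one 500-query burst spanning two clock seconds,
    plus traffic that must not match (ANY with EDNS0, and a slow A-query trickle)."""
    base = 1700000000.6
    lines = [f"{base + i * 0.0019:.4f} 192.0.2.10 example.com A noedns" for i in range(500)]
    lines += [f"{base + i * 0.002:.4f} 198.51.100.7 example.com ANY edns" for i in range(600)]
    lines += [f"{base + i * 0.5:.4f} 203.0.113.5 example.com A noedns" for i in range(40)]
    return lines

if __name__ == "__main__":
    for (src, qname), (start, count) in find_bursts(sample_log()).items():
        print(f"{src} sent {count} A/no-EDNS0 queries for {qname} within 1s of {start:.3f}")
```

Counting per clock second instead would split the sample burst across two buckets and miss the threshold in both.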

DNS queries to authoritative servers for DNS records that don't exist

We are conducting experiments to understand the handling of negative DNS responses by DNS authoritative servers, which requires us to issue queries to servers for names or types that don't exist within the DNS zone for which the servers are authoritative.

DNS queries to resolvers for DNS records within the resolver-select.internet-measurement.cs.byu.edu zone

We are conducting experiments to characterize resolver behavior with respect to DNS authoritative server selection. The custom queries we issue to the resolver force it to in turn issue queries to the servers authoritative for resolver-select.internet-measurement.cs.byu.edu, which are specially configured and under our control.

DNS queries to resolvers for DNS records for non-existent domain names within select domains

We are conducting experiments to characterize resolver behavior with respect to DNS authoritative server selection and proximity to resolvers. Issuing queries for DNS records that don't exist helps us to better understand that behavior.

DNS queries to DNS servers for DNS records within the resolver-test.internet-measurement.cs.byu.edu zone

We are conducting experiments to characterize DNS server behavior, particularly with respect to open resolver behavior. The custom queries we issue to a resolver supporting recursive DNS queries from our address space force it to in turn issue queries to the servers authoritative for resolver-test.internet-measurement.cs.byu.edu, which are under our control.

Questions

For questions, comments, and additional information, please send email to imaal@byu.edu.

Opting Out

To opt out of any or all of the experiments listed above, please send email to imaal-abuse@byu.edu, and include the IP address space that you would like to be exempted.