Anomalous Internet Traffic

If you've observed anomalous Internet traffic associated with our address space, we list below more information on research we're conducting, what you might expect to see, and how to opt out.

High rates of DNS queries

We are currently conducting some experiments to survey the deployment of DNS response rate limiting. If you see abnormally high rates of DNS requests coming from our address space, that is likely associated with this experiment. We understand that this activity appears anomalous and perhaps even malicious. We enumerate below the characteristics of the DNS queries associated with our experiments, including measures that we have taken to mitigate any unintended negative impact on those on the receiving end of our measurements.

  • For every authoritative server associated with a domain (e.g., example.com), we issue a burst of 500 queries in a single second for any A records associated with that domain (e.g., example.com/A).
  • Queries deliberately use type A (IPv4 address) and do not use EDNS0. Both choices are intended to keep the responses relatively small (compare type ANY with EDNS0, a combination typically used for reflection-based DDoS attacks).
  • These queries should not persist beyond the burst of 500 (but see next bullet point).
  • If an authoritative server hosts more than one domain in our data set, it might see multiple bursts of queries, one for each domain, but we have made efforts to keep them from being made concurrently.
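
For operators who want to check their own query logs against the characteristics listed above, the following is an added example (not code from our experiments): it groups logged queries into bursts per source and domain and reports whether each burst fits the profile of at most 500 type A queries without EDNS0 inside about one second. The record layout, the `MIN_SEEN` and `SLACK` tolerances, and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict

BURST_SIZE = 500     # from the page: one burst is 500 queries
BURST_SECONDS = 1.0  # from the page: sent within a single second
MIN_SEEN = 400       # assumption: tolerate some loss before the server logs
SLACK = 0.5          # assumption: seconds of allowance for network jitter

def split_runs(rows, idle_gap=1.0):
    """Group time-sorted rows into runs with no pause longer than idle_gap."""
    runs = []
    for row in rows:
        if runs and row[0] - runs[-1][-1][0] <= idle_gap:
            runs[-1].append(row)
        else:
            runs.append([row])
    return runs

def classify_bursts(records):
    """records: (ts, src, qname, qtype, has_edns0) tuples from a query log.
    Returns one (src, qname, count, matches_profile) per high-rate run."""
    by_key = defaultdict(list)
    for ts, src, qname, qtype, edns in records:
        by_key[(src, qname.lower().rstrip("."))].append((ts, qtype.upper(), edns))
    out = []
    for (src, qname), rows in sorted(by_key.items()):
        for run in split_runs(sorted(rows)):
            if len(run) < MIN_SEEN:
                continue  # ordinary query rate, not a burst
            matches = (len(run) <= BURST_SIZE
                       and run[-1][0] - run[0][0] <= BURST_SECONDS + SLACK
                       and all(q == "A" and not e for _, q, e in run))
            out.append((src, qname, len(run), matches))
    return out

def sample_log():
    """Constructed records; addresses are documentation ranges (RFC 5737)."""
    log = [(1000 + i * 0.002, "192.0.2.10", "example.com.", "A", False) for i in range(500)]
    log += [(1010 + i * 0.002, "192.0.2.10", "example.net.", "A", False) for i in range(500)]
    log += [(2000 + i * 0.005, "198.51.100.7", "example.com.", "ANY", True) for i in range(600)]
    log += [(3000 + i * 30.0, "203.0.113.5", "example.com.", "A", True) for i in range(5)]
    return log

if __name__ == "__main__":
    for src, qname, count, ok in classify_bursts(sample_log()):
        print(src, qname, count, "matches survey profile" if ok else "does not match")
```

A match means only that the traffic shape is consistent with the description above; it does not establish where the queries came from, so the source addresses still need to be checked separately.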

DNS queries for names that don't exist (i.e., resulting in NXDOMAIN responses)

We are conducting experiments to understand the handling of negative DNS responses by DNS authoritative servers, which requires us to issue queries for names that don't exist.

DNS queries for types that don't exist (i.e., resulting in NODATA responses)

We are conducting experiments on DNS recursive resolvers which require us to issue queries for records that don't exist in the resolver's cache. The easiest way to do this is to query for types that don't exist.

Questions

For questions, comments, and additional information, please send email to imaal@byu.edu.

Opting Out

To opt out of any or all of the experiments listed above, please send email to imaal-abuse@byu.edu, and include the IP address space that you would like to be exempted.