Mar 1, 2021 - Trends

Trends and Analytics

Following the recommendations of our article entitled Detecting Anomalies at a TLD Name Server Based on DNS Traffic Predictions (IEEE Transactions on Network and Service Management) we modeled DNS queries as time series, storing them on a Influx Database. Using Grafana it is easy to see the trend, anyway, in adition we implemented an Exponential Moving Average (EMA) filter to graphically see such trends:

RaTADNS-Grafana

Oct 15, 2020 - Dnszeppelin

Moving to DNSZeppelin

In order to improve on performance and stats, we will be moving to a new implementation based on DNS Zeppelin and InfluxDB.

Apr 4, 2016 - Brand new replay mode

Replay Mode

Case of use

Most of the attacks or interesting events happening in a DNS server are impossible to anticipate. So, sooner than later you will miss an interesting event in your servers.

Solution

Usually to solve this type of problems you will use tcpreplay, but in this case as the module might be in the same network, using tcpreplay will impact the network if the packets are injected with the same addresses. Or, if the addresses are appropriately changed, it will cause a loss of information. That is why we just added to fievel the capability to retransmit an event stored in a pcap file.

How to use it.

We tried to keep the configuration file as simple as possible, there are three fields you have to modify in order to have this new feature working:

{
  ...
  "Capture" : {
    "InputMethod" : "capture_file",
    "InputSource" : "/path/to/the/pcap_file",
    "Speed" : n,
    ...
  },
  ...
}

Sample of a configuration file.

  • InputMethod: You tell the system you want to read the data from a capture file.
  • InputSource: The path to the pcap file you want to read from.
  • Speed: This option allows you to set the speed the system will read the input. There are three different behaviors for this value:
  • n = 0: The system will read the data as fast as possible, no delay.
  • n = 1: The system will read the data with the same delay specified by the timestamps in the capture file.
  • n > 0 && n != 1: The system will read the data n times faster that the time specified in the capture file. This will speed up the reading if n > 1 or speed it down if n < 1. For instance, if you set n = 2 the data will be read 2 times faster, but it you set n = 0.25 it will take 4 times the original time to retransmit the data.

Implementation details.

The delay was introduced by replacing the use of pcap_loop by our own loop. This loop includes calls to nanosleep in order to provide the pauses in the execution. As we are using nanosleep do not expect a better resolution than nanoseconds in the speed of the replay.