Clients of DNS Root Servers during a DoS Attack
Data were collected starting Wednesday 2002-10-21 22:10 UTC for over 3 days in 10-minute intervals from {e,i,k,m}-root servers using dnsstat, which counts DNS messages and requests on UDP port 53 by src/dst address, opcode, qtype, and qclass. Each collector at {e,i,k,m}-root ran on a host connected to a link that carried the root server traffic (either directly or mirrored).
Packets lost by monitors
Accumulation of unique clients
These graphs show the number of unique clients seen by each individual server and by all servers combined, accumulated over the course of the 7-day collection period.
Unique clients per interval
These graphs show the number of unique clients seen in each 10-minute interval by each server and by all servers combined.
New clients per interval
These graphs show the number of new unique clients seen in each 10-minute interval by each server and by all servers combined; that is, clients that had not been seen in any previous interval.
Requests per interval
These graphs show the number of queries seen by individual servers. Note that some clients byte-swap the 16-bit QDCOUNT field, so the value 1 is incorrectly written as 256. Queries in such messages are counted here even though they should probably be ignored, since the DNS server rejects these messages.
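An added example (not dnsstat's code and not part of the original page) showing how the byte-swapped QDCOUNT described above can be recognized on the wire: the header claims 256 questions, but exactly one fits in the message. The names build_query, count_questions, classify and tally are hypothetical, and the sample messages are constructed.

```python
import struct
from collections import Counter

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}

def build_query(qname, qtype=1, qclass=1, swap_qdcount=False, msg_id=0x1234):
    """Construct a one-question DNS request (helper for sample data only)."""
    qd = struct.pack("<H" if swap_qdcount else ">H", 1)  # "<H" reproduces the client bug
    header = struct.pack(">HH", msg_id, 0x0100) + qd + b"\x00" * 6
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".") if l)
    return header + labels + b"\x00" + struct.pack(">HH", qtype, qclass)

def count_questions(msg):
    """Walk the question section; return how many complete questions fit."""
    pos, n = 12, 0
    while pos < len(msg):
        while pos < len(msg) and msg[pos] != 0:
            if msg[pos] & 0xC0:        # pointer/reserved label type: stop counting
                return n
            pos += 1 + msg[pos]        # skip length byte plus label
        if pos + 5 > len(msg):         # need root label + qtype + qclass
            return n
        pos += 5
        n += 1
    return n

def classify(msg):
    """Return (opcode, qdcount_as_sent, label) for one UDP/53 payload."""
    if len(msg) < 12:
        return ("?", 0, "truncated")
    _id, flags, qdcount = struct.unpack(">HHH", msg[:6])
    opcode = OPCODES.get((flags >> 11) & 0xF, "unknown")
    present = count_questions(msg)
    swapped = ((qdcount & 0xFF) << 8) | (qdcount >> 8)
    if present == qdcount:
        label = "ok"
    elif present == swapped:
        label = "byte-swapped"         # e.g. header says 256, one question present
    else:
        label = "malformed"
    return (opcode, qdcount, label)

def tally(msgs):
    """Count messages per label, as a per-interval counter would."""
    return Counter(classify(m)[2] for m in msgs)

# Constructed sample payloads, not captured traffic.
SAMPLE = [build_query("example.com"), build_query("."),
          build_query("example.net", swap_qdcount=True), b"\x00" * 5]
```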
Number of requests sent by clients
These graphs show the CDF or CCDF of the number of request messages sent by clients to each server. With a logarithmic x-axis, we can see that over half the clients sent 8 or fewer messages.
Overlap of client sets
Intersections and unions of client sets of pairs of root servers, with union of all servers for comparison.
Request Opcodes, Types, and Classes
Request opcodes, types, and classes seen at all monitored servers, in full view and zoomed in. "Unknown" includes all requests with a non-standard opcode, type, or class; "other" includes all sets that had counts lower than the count of the lowest explicitly named sets. Opcodes QUERY, IQUERY, STATUS, NOTIFY, UPDATE are abbreviated to their first letter in the legends.
Number of servers queried by clients
Here is the number of clients that sent messages to a given number of servers.
-- Ken Keys