UK domain registry Nominet has shown off a striking new visualisation tool called ‘turing’ that large organisations can use to peer into their DNS traffic to trace latency issues and spot previously invisible botnets and malware.
In development for four years, and used internally by Nominet for the last two, at core turing is about representing DNS traffic in visual form, allowing administrators to ‘see’ patterns in real time that would normally be impossible to detect let alone understand.
The company believes there is no other tool on the market that does what turing does, a reflection of the fact that most organisations don’t think about the protocol in much detail. If it works then DNS will probably be ignored. The security issues it could give insight into are detected by other and probably less effective technologies.
The system – the term ‘platform’ is probably more appropriate – has three elements. A collection application ‘sniffs’ an organisation’s DNS data (including advanced metadata) as it traverses the network at up to 250,000 queries per second, sending this to a server that processes the possibly terabytes of data it receives for viewing through a touchscreen, HTML5 browser-based web application.
The top-level visualisation shows a DNS traffic overview of all DNS queries, representing day by dots or varying sizes and colours. Admins can drill down into a day or sequence of days to graph deeper trends that might be cause for concern.
And in most DNS data sets there will always be issues worth looking at in closer detail, if necessary right down to specific IP addresses.
A demo given to Techworld showed how one such issue, Mail Exchange (MX) queries, could be used to spot botnet operators attempting to cleanse their email lists of non-working email addresses by querying email addresses. A negative from the server tells them that the address should be deleted, a process turing notices.
Machines that have been enrolled in botnets can also be detected because of the traffic emanating from them.
“We can start to understand the patterns of botnets and help to clean up people’s computers,” said Nominet’s CTO, Simon McCalla. “We pass this info to Spamhaus and ISPs to do forensics.”
“Any enterprise with a large DNS infrastructure will know how difficult it is to understand what is happening with real-time and historic traffic. To build it we had to stop thinking like engineers and start thinking like detectives.
“Up until now, the available network management tools have simply not had the capability to rapidly store and analyse DNS query data in depth. turing changes the game completely,” said McCalla.
In addition to botnets, source port analysis can be used to man-in-the-middle attacks; a similar principle could be used, McCalla said, to tease out latency issues from DNS re-query traffic or find machines spewing Domain Generation Algorithm requests.
A large ISP was already using turing, he said.
“What this does is provide another tool to keep the Internet safe. It is an increasingly challenging thing to do. We need cutting edge tools to combat threats.”
Pricing depends in the design of s customer’s network, the volume of DNS traffic they handle and the terms of the license agreement, possibly a coded way of saying that large organisations will end up paying more than smaller ones. More information can be obtained by emailing [email protected]