Abstract
Reliable network demographics are quickly becoming a much sought-after digital commodity. However, as the need for more refined Internet demographics has grown, so too has the tension between privacy and utility. Unfortunately, current techniques lean too much in favor of functional requirements over protecting the privacy of users. For example, the most prominent proposals for measuring the relative popularity of a website depend on the deployment of client-side measurement agents that are generally perceived as infringing on users’ privacy, thereby limiting their wide scale adoption. Moreover, the client-side nature of these techniques also makes them susceptible to various manipulation tactics that undermine the integrity of their results. In this paper, we propose a new estimation technique that uses DNS cache probing to infer the density of clients accessing a given service. Compared to earlier techniques, our scheme is less invasive as it does not reveal user-specific traits, and is more robust against manipulation. We demonstrate the flexibility of our approach through two important security applications. First, we illustrate how our scheme can be used as a lightweight technique for measuring and verifying the relative popularity rank of different websites. Second, using data from several hundred botnets, we apply our technique to indirectly measure the infected population of this increasing Internet phenomenon.
Chapter PDF
Similar content being viewed by others
References
20 Quick Ways to Increase Your Alexa Rank (2007), http://www.doshdosh.com/20-quick-ways-to-increase-your-alexa-rank
Anupam, V., Mayer, A., Nissim, K., Pinkas, B., Reiter, M.K.: On the security of pay-per-click and other web advertising schemes. In: WWW 1999: Proceeding of the eighth international conference on World Wide Web, pp. 1091–1100. Elsevier North-Holland, Inc., Amsterdam (1999)
Bailey, M., Cooke, E., Jahanian, F., Nazario, J., Watson, D.: Internet motion sensor: A distributed blackhole monitoring system. In: Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS) (2005)
Bellovin, S.M.: A Technique for Counting NATted Hosts. In: Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment (IMW), pp. 267–272 (2002)
Bethencourt, J., Franklin, J., Vernon, M.: Mapping Internet Sensors with Probe Response Attacks. In: Proceedings of the 14th USENIX Security Symposium, August 2005, pp. 193–212 (2005)
Blundo, C., Cimato, S.: Sawm: a tool for secure and authenticated web metering. In: SEKE 2002: Proceedings of the 14th international conference on Software engineering and knowledge engineering, pp. 641–648. ACM Press, New York (2002)
Casado, M., Freedman, M.: Peering through the shroud: The effect of edge opacity on IP-based client authentication. In: Proceedings of 4th USENIX Symposium on Networked Systems Design and Implementation (NDSI) (April 2007)
Casado, M., Garfinkel, T., Cui, W., Paxson, V., Savage, S.: Opportunistic Measurement: Extracting Insight from Spurious Traffic. In: Proceedings of the 4th ACM Workshop on Hot Topics in Networks (HotNets-IV), College Park, MD (November 2005)
Chen, Z., Ji, C.: A Self-Learning Worm Using Importance Scanning. In: Proceedings of ACM Workshop On Rapid Malcode (WORM) (November 2005)
Cooke, E., Jahanian, F., McPherson, D.: The Zombie Roundup: Understanding, Detecting, and Disturbing Botnets. In: Proceedings of the first Workshop on Steps to Reducing Unwanted Traffic on the Internet (July 2005)
Dagon, D., Zou, C., Lee, W.: Modeling Botnet Propagation Using Time Zones. In: Proceedings of the 13th Network and Distributed System Security Symposium NDSS (February 2006)
Daswani, N., Stoppelman, M.: The Google Click Quality, and Security Teams. The Anatomy of Clickbot.A. In: Proceedings of the first USENIX workshop on hot topics in Botnets (HotBots 2007) (April 2007)
IP2Location Database, http://www.ip2location.com/
DNS Cache Snooping or Snooping the Cache for Fun and Profit, http://www.sysvalue.com/papers/DNS-Cache-Snooping/files/DNS_Cache_Snooping_1.1.pdf
Franklin, J., Paxson, V., Perrig, A., Savage, S.: An inquiry into the nature and causes of the wealth of internet miscreants. In: CCS 2007: Proceedings of the 14th ACM conference on Computer and communications security, pp. 375–388. ACM Press, New York (2007)
Franklin, M.K., Malkhi, D.: Auditable metering with lightweight security. In: Financial Cryptography, pp. 151–160 (1997)
Freiling, F., Holz, T., Wicherski, G.: Botnet Tracking: Exploring a root-cause methodology to prevent denial-of-service attaks. In: de Capitani di Vimercati, S., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 319–335. Springer, Heidelberg (2005)
Exploiting the Google toolbar. GreyMagic Security Advisory, http://www.greymagic.com/security/advisories/gm001-mc/
Gu, G., Porras, P., Yegneswaran, V., Fong, M., Lee, W.: BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation. In: Proceedings of the 16th USENIX Security Symposium, pp. 167–182 (August 2007)
ComScore Inc., http://www.comscore.com
Jung, J., Burger, A., Balakrishnan, H.: Modeling TTL-based Internet Caches. In: Proceedings of IEEE INFOCOMM (2003)
How Many Site Hits? Depends on Who’s Counting. New York Times article. Louis Story (2007), http://www.nytimes.com/2007/10/22/technology/22click.html?_r=3&pagewanted=1&ref=technology&oref=slogin
Metwally, A., Agrawal, D., Abbad, A.E., Zheng, Q.: On hit inflation techniques and detection in streams of web advertising networks. In: ICDCS 2007: Proceedings of the 27th International Conference on Distributed Computing Systems, Washington, DC, USA, p. 52. IEEE Computer Society, Los Alamitos (2007)
Moore, D.: Network Telescopes: Observing Small or Distant Security Events. In: 11th USENIX Security Symposium, Invited Talk (August 2002)
Naor, M., Pinkas, B.: Secure and efficient metering. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 576–591. Springer, Heidelberg (1998)
Nielsen/NetRatings, http://www.nielsen-netrating.com
Ntoulas, A., Cho, J., Olston, C.: What’s New on the Web? The Evolution of the Web from a Search Engine Perspective. In: Proceedings of the 13th International World Wide Web (WWW) Conference, pp. 1–12 (2004)
Honeynet Project and Research Alliance. Know your enemy: Tracking Botnets (March 2005), http://www.honeynet.org/papers/bots/
Rajab, M.A., Monrose, F., Terzis, A.: Fast and Evasive Attacks: Highlighting the challenges ahead. In: Zamboni, D., Krügel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 206–225. Springer, Heidelberg (2006)
Rajab, M.A., Zarfoss, J., Monrose, F., Terzis, A.: My Botnet is Bigger than Yours (Maybe, better than yours): Why Size estimates remain challenging. In: Proceedings of the first USENIX workshop on hot topics in Botnets (HotBots 2007) (April 2007)
Rajab, M.A., Zarfoss, J., Monrose, F., Terzis, A.: A Multifaceted Approach to Understanding the Botnet Phenomenon. In: Proceedings of ACM SIGCOMM/USENIX Internet Measurement Conference (IMC), pp. 41–52 (October 2006)
FBI Botnet Cyber Crime Report (June 2007), http://www.fbi.gov/pressrel/pressrel07/botnet061307.htm
Ross, S.M.: Introduction to Probability Models. Academic Press, London (1993)
Naraine, R.: Unpatched Google Toolbar Flaw Presents ID Theft Risk, http://www.eweek.com/c/a/Security/Unpatched-Google-Toolbar-Flaw-Presents-ID-Theft-Risk/
Shaikh, A., Tewari, R., Agrawal, M.: On the Effectiveness of DNS-based Server Selection. In: Proceedings of IEEE INFOCOM 2001, vol. 3, pp. 1801–1810 (2001)
Shinoda, Y., Ikai, K., Itoh, M.: Vulnerabilities of Passive Internet Threat Monitors. In: Proceedings of the 14th USENIX Security Symposium, August 2005, pp. 209–224 (2005)
FBI Computer Crime Survey (2006), http://www.fbi.gov/page2/jan06/computer_crime_survey011806.htm
Alexa: the web information company, http://www.alexa.com
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Rajab, M.A., Monrose, F., Terzis, A., Provos, N. (2008). Peeking Through the Cloud: DNS-Based Estimation and Its Applications. In: Bellovin, S.M., Gennaro, R., Keromytis, A., Yung, M. (eds) Applied Cryptography and Network Security. ACNS 2008. Lecture Notes in Computer Science, vol 5037. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-68914-0_2
Download citation
DOI: https://doi.org/10.1007/978-3-540-68914-0_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-68913-3
Online ISBN: 978-3-540-68914-0
eBook Packages: Computer ScienceComputer Science (R0)