New Farsight Security Research: DNS Network Traffic Volumes During the 2020 Pandemic
By Joe St Sauver
Farsight hopes that everyone is staying safe out there – we hope you're taking care of yourself, your family, your friends, and your neighbors during these uncertain times.
As the 2020 coronavirus pandemic continues to roll on, we became curious: has there been any discernible change in volume in the DNS cache miss traffic that underlies DNSDB, Farsight's passive DNS system?
We'd seen reporting in the New York Times that indicated at least some sites and applications had seen an uptick in sessions during the coronavirus, but passive DNS provides a potentially broader (and more subtle) measure of activity due to things like DNS caching.
For this report, DNS Network Traffic Volumes During the 2020 Pandemic, we looked at five main categories of sites: news and partisan opinion, travel and transportation, retail, streaming video, and higher education.
In all, we looked at daily MTBL data for over 300 sites, and produced graphs (using volume over time code we've previously shared) showing the volume for each day during March/April 2020. Unlike some studies, we looked at all hostnames under a target domain of interest, not just changes in traffic to a domain's main website or some other narrow measure of busyness.
Many of the sites we looked at did show an increase in cache miss traffic counts. Yet our report does not try to "attribute" or "apportion" the change in traffic levels. We can't claim that the coronavirus "caused" these changes since:
- There are many possible confounding factors that may be simultaneously changing during these uncertain days
- Real-world virus-related changes (such as shutdown orders, school closures, etc.) were distributed, varying in timing by location, and impacting a range of different business sectors and population sectors (so there was no single hard bright line we could point to when a "switch was flipped" and the world instantly changed), and finally
- Correlation does not equal causation.
Instead, we simply report what Farsight sees as a macroscopic phenomenon. The report shares the raw data (and an overlaid simple seven day moving average) for the DNS cache miss traffic volume for each of the 316 sites. Many of the sites we looked at exhibited a consistent pattern, abruptly going from a lower plateau to an higher plateau, but some were atypical. In the report, we endeavored to flag those, and to explain why we thought that some graphs could be distinguished from others.
Even if you're not interested in that data, you may be interested in some anomalous ("spiking") traffic we also uncovered while looking at the data for those 300+ sites. In a nutshell, it looks to us as if some sites are getting hit with millions of requests over the course of a day for Start of Authority (SOA) records (this would be consistent with someone conducting a reflexive denial of service attack). If you operate an authoritative name server, you really want to be sure that you've enabled Response Rate Limiting to protect your own site and the Internet at large. For information on Response Rate Limiting, I recommend visiting A Quick Introduction to Response Rate Limiting.
We encourage you to check out our full report. It's available for download here.
Joe St Sauver Ph.D. is a Distinguished Scientist with Farsight Security®, Inc.