Roy Arends (Nominet)
This demonstration-based talk will cover various results of Nominet's analytics efforts over the last four years. The talk will discuss various incidents, misconfigurations, bugs, attacks and malware behaviour we have uncovered by visualizing and interacting with DNS data. I’ll go through a few stories:
1) The limitations we had using existing tools, and the requirements we had when building our analytics tool.
2) How we found CVE-2011-2464 (BIND bug) by understanding how a secondary nameserver should behave, and subsequently looking for abnormalities.
3) How we spot suspicious behaviour and subsequently track a botnet.
4) How we spot abnormal behaviour and subsequently track crypto locker.
5) How two bugs in different implementations amplify each other: a story about Google and BIND.
6) The effect of RRL during an attack.
7) How OpenDNS improved on their shutter time.
8) The importance of interaction _and_ visualisation (and as a natural consequence, timeliness).