Abstract Almost every activity on the Internet starts with a DNS query, sometimes even multiple. Those queries reveal a lot of information about user activity. An entire working group in the IETF, called dprive, is dedicated to improving privacy in DNS. However, DNS is also a very useful tool in security monitoring. Like many network operators, it is increasingly important for SURFnet to gain insight into the threats its users are facing. However, security and privacy are often considered to be mutually exclusive. Previous work introduced a novel, privacy-friendly solution of detecting threats using DNS, based on Bloom filters. Bloom filters are sets with a statistical nature. They are non-enumerable, and it is only possible to ask whether an exact DNS query was performed. While this previous work showed that applying Bloom filters for threat detection is theoretically possible, practical aspects were not covered. In contrast, in this work we focus on the practical aspects of applying Bloom filters. Because of their statistical nature, Bloom filters introduce constraints in threat detection. How should the threat detection system be designed to work within these constraints? The poster will show how we apply Bloom filters in practice. This includes, for example, how to size Bloom filters, what the impact of false positives can be and what information to store in them. Furthermore, we validate the applied threat detection solution against three real-world scenarios. This work aims to be a starting point for other organizations to start using Bloom filters in similar scenarios.
Networks · Services · People | Code of Conduct | Privacy Policy
