10th International Conference on

Autonomous Infrastructure, Management and Security

(AIMS 2016)

June 20-23, 2016, Universität der Bundeswehr München, Germany

Lab sessions

Lab Session 1: The Internet of Names: Big data analysis for DNS

Anna Sperotto, University of Twente, The Netherlands
Mattijs Jonker, University of Twente, The Netherlands
Christian Dietz, Universität der Bundeswehr München, Germany

Date: Tuesday 21 June 2016, 14:00 - 17:00
Room: tbd.

Abstract: The Domain Name System (DNS) is part of the core infrastructure of the Internet. Tracking changes in the DNS therefore provides valuable information about the evolution of the Internet. Think about adoption of protocols (e.g. IPv6 and DNSSEC) and applications (e.g., cloud e-mail providers), distribution of content (web domains), and network security (e.g, botnets). Since February 2015, the University of Twente, SURFnet and SIDN run a large-scale active measurement of the DNS, which cover the domain names in the .com, .net and .org zones. Since February 2016, the .nl zone has also been added. In total, our measurement currently queries over 50% of the DNS name space on a daily basis. The measurement results are stored in an Hadoop cluster for later analysis (1).

The goal of this hands-on tutorial is to familiarise the participants with DNS, DNS measurements and possible research application. The session will start with a general introduction to the measurement including a few example use cases. Then, we will briefly introduce the participants to a virtualized lab environment in which they can experiment with the data themselves. The remainder of the session is then spent "hackathon"-style, in groups, each of which will present their experiences and possible findings from the data at the end of the session in a short presentation. The lab environment will contain real data for the Alexa Top 1 Million domains.

(1) R. van Rijswijk-Deij, M. Jonker, A. Sperotto and A. Pras "The Internet of Names: A DNS Big Dataset", In Proceedings of ACM SIGCOMM 2015.

Lab Session 2 and 3: Fun with the beast: Traffic Mining (TM) using Brain and Tranalyzer

Stefan Burschka, RUAG, Switzerland
Benoit Dupasquier, RUAG, Switzerland

Date: Wednesday 22 June 2016, 13:30 - 16:30 and Thursday 23 June 2016, 09:30 - 12:30
Room: tbd.

Abstract: The workshop is literally defined by the title, using your brain and Tranalyzer you will do a hands on job of an analyst trying to find anomalies in real IP traffic. You might get stuck in a foxhole and have to learn how to dig yourself out. Nothing is like it initially seems, or maybe it is.

It is adressed to everybody who is willing to learn a bit more detail about IP traffic and the way of flow based TM. A linux laptop and working knowledge of command line bash is required, rudimentary knowledge of AWK and gnuplot is nice to have. The Tutorial is only the beginning of a bootcamp, which every attendee is welcome to continue with me via email or telephone or by visiting us.

For the fellows who like to play with the beast before the workshop:
Download the opensource version Tranalyzer2-0.5.8 from http://sourceforge.net/projects/tranalyzer/ and extract it. The doc is under ~/tranalyzer2/trunk/doc.
Have tcpdump or wireshark, less, GAWK and gnuplot installed. graphviz might be useful too: http://www.graphviz.org/.


  • Short introduction to the most important IP protocols and header features
  • Exercise: Tell me everything about THIS packet
  • Introduction to Tranalyzer
    • Philosophy, configuration and compilation ops
    • Most important plugins including config constants
    • Flows and global reports
    • How to write your own plugin in C
  • Hands-on exercises in groups or alone on several PCAPS