Trump Tower Server — Take 3

David Schiminovich
5 min read · Nov 4, 2016


I am a Professor of Astronomy at Columbia University, but I took a brief interest in understanding how one might try to analyze the “Trump Server” DNS resolver data set. Information about the original data set can be found on this wordpress site and also has been gathered at this site.

I do not know how these data were collected or whether they have been altered. They seem sufficiently ‘realistic’ to warrant going through this exercise, but I’ll let others decide what conclusions to draw from them.

Input Data

I concatenated and time sorted the three files ###_cdcservices_com.log, where ###=(ns1, ns2, ns3). I converted UTC time to Julian time and then day of year. Duplicate DNS entries — at identical times and for identical addresses—were reduced to a single entry, though I kept a count of duplicate number.

I analyzed data for the four IP addresses in the table: 217.12.96.15 (ALFA A), 217.12.97.137 (ignored), 217.12.97.15 (ALFA B), 167.73.110.8 (Spectrum Health).

Only ALFA A, ALFA B and Spectrum Health data are shown below.

Initial Plots (Fig 1a and 1b)

The top plot (Fig 1a) reproduces the figure in the Slate article, generated by Tea Leaves or a collaborator. It shows the occurrence rate of DNS entries in the log table for all three addresses combined (black solid) and for each address individually. ALFA A and B have nearly the same rate per day. Spectrum Health occurs at roughly half the rate of the other two.

Two features worth noting in the top plot (1a):

  • Variations in the rates of ALFA and Spectrum seem to track each other (both start very sporadic, increase to a low level, then to a moderate level)
  • There is a gap in the entries around day 206 (weekend of July 23–24)

The bottom plot (Fig 1b) shows the hour of day of each entry vs. day of year. The ALFA A&B data are combined as black squares. The Spectrum Health data are green triangles.

Features worth noting in the bottom plot 1b are:

  • Events begin sporadically.
  • At around day 175 (~June 23) the rate of events increases as in the histogram, although there is still no obvious pattern
  • The gap near day 206 (~July 24) is visible again and is notable because after this gap the data become much more patterned and/or periodic. The time intervals are not completely regular, but nearly so. And there are occasional larger gaps.
  • You may have difficulty separating data for ALFA vs. Spectrum Health in this plot… that is done below.
  • As a final observation, there’s no obvious correlation with time of day (e.g. a specified range of hours) over most of the period. It is possible that early on events are more likely to occur at specific times of day. But there isn’t strong evidence for this.

Time Interval Figures 2 and 3

In order to try to understand the patterned nature of the data in 1b, I plotted the time interval between successive DNS entries for a given location, as shown in figures 2a and 3a. ALFA A & B address data were combined. The bottom plot in each of these figures (2b and 3b) is identical to 1b, showing only the addresses indicated (these won’t be discussed further).

Periodically generated DNS log entries should show nearly constant time intervals between successive records. Aperiodic entries will show a range or ‘continuum’ of time intervals.

Some time intervals are larger than 10 hours (or very small, less than a few minutes) and are either cut off or not visible in these plots.
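As an added example (not the author's code or data), here is the pipeline the Input Data, Initial Plots and Time Interval sections describe, in Python: concatenate the per-nameserver logs, time-sort them, collapse duplicate (time, address) entries while keeping a count, convert UTC timestamps to Julian date and day of year, tally entries per day (the Fig 1a histogram), and compute the interval between successive entries for a set of querying addresses (Figs 2a/3a). The log line layout, the sample lines, and the median-based split into "periodic" and "aperiodic" intervals are assumptions constructed for this example; the post does not state its log format or its criterion.

```python
"""DNS resolver log analysis in the style of the post.  Written for this page
as an illustration (not the author's code); the log layout and sample lines
are constructed assumptions."""
from collections import Counter
from datetime import datetime, timezone
from statistics import median

# Querying addresses named in the post (ALFA A and B are combined, as in the post).
ALFA = {"217.12.96.15", "217.12.97.15"}
SPECTRUM = {"167.73.110.8"}

# Constructed sample lines in an ASSUMED "YYYY-MM-DD HH:MM:SS <client IP> <query>"
# layout, one list per nameserver log (ns1/ns2/ns3).  Not real log content.
SAMPLE_LOGS = {
    "ns1": [
        "2016-07-25 00:00:00 217.12.96.15 host.example",
        "2016-07-25 02:00:00 217.12.97.15 host.example",
        "2016-07-25 04:00:00 217.12.96.15 host.example",
        "2016-07-25 04:30:00 217.12.96.15 host.example",  # an "aperiodic" extra lookup
        "2016-07-25 06:30:00 217.12.97.15 host.example",  # periodic cadence restarts from it
        "2016-07-25 08:30:00 217.12.96.15 host.example",
    ],
    "ns2": [
        "2016-07-25 02:00:00 217.12.97.15 host.example",  # duplicate of an ns1 entry
        "2016-07-25 01:00:00 167.73.110.8 host.example",
    ],
    "ns3": [
        "2016-07-25 05:00:00 167.73.110.8 host.example",
        "2016-07-25 09:00:00 167.73.110.8 host.example",
    ],
}


def parse_line(line):
    """Return (UTC datetime, querying IP, query name) for one assumed-format line."""
    date, clock, ip, qname = line.split()[:4]
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return ts.replace(tzinfo=timezone.utc), ip, qname


def load_and_dedupe(logs_by_server):
    """Concatenate all servers' lines, collapse entries with identical time and
    address into one record carrying a duplicate count, and sort by time."""
    counts = Counter()
    for lines in logs_by_server.values():
        for line in lines:
            ts, ip, _ = parse_line(line)
            counts[(ts, ip)] += 1
    return sorted((ts, ip, n) for (ts, ip), n in counts.items())


def julian_day(ts):
    """UTC datetime -> Julian Date (JD 2451545.0 is 2000-01-01 12:00 UTC)."""
    j2000 = datetime(2000, 1, 1, 12, tzinfo=timezone.utc)
    return 2451545.0 + (ts - j2000).total_seconds() / 86400.0


def day_of_year(ts):
    """Fractional day of year as used on the post's axes (Jan 1 00:00 UTC -> 1.0)."""
    start = datetime(ts.year, 1, 1, tzinfo=timezone.utc)
    return 1.0 + (ts - start).total_seconds() / 86400.0


def daily_rate(entries, ips):
    """Entries per integer day of year for the given addresses (the Fig 1a histogram)."""
    return Counter(int(day_of_year(ts)) for ts, ip, _ in entries if ip in ips)


def intervals_hours(entries, ips):
    """Hours between successive entries from the given addresses (Figs 2a/3a)."""
    times = [ts for ts, ip, _ in entries if ip in ips]
    return [(b - a).total_seconds() / 3600.0 for a, b in zip(times, times[1:])]


def classify_intervals(hours, tolerance=0.1):
    """Assumed heuristic: an interval within `tolerance` (fraction) of the median
    interval is 'periodic'; anything else is 'aperiodic'."""
    if not hours:
        return []
    m = median(hours)
    return ["periodic" if abs(h - m) <= tolerance * m else "aperiodic" for h in hours]


if __name__ == "__main__":
    entries = load_and_dedupe(SAMPLE_LOGS)
    for name, ips in (("ALFA A+B", ALFA), ("Spectrum Health", SPECTRUM)):
        hrs = intervals_hours(entries, ips)
        print(name, "per-day counts:", dict(daily_rate(entries, ips)))
        print(name, "intervals (h):", hrs, "->", classify_intervals(hrs))
```

In the constructed sample, the extra 04:30 lookup produces one short interval and then the 2-hour cadence continues from that lookup rather than from the original schedule, which is the "aperiodic events shift the following periodic events" drift the post describes for ALFA A & B; the Spectrum Health intervals stay constant.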

What we find in 2a, for ALFA A & B:

  • Initial sporadic data appear to be aperiodic
  • The increased (low) rate data starting in late June are mostly aperiodic
  • After the gap ~July 24 the data become much more periodic, although for much of the remaining period (Aug, Sep) there are also aperiodic log entries. The aperiodic events seem to shift the occurrence of the following periodic events, which causes the drifting pattern we see in 1b.
  • Notably, there are “quiet periods” in the aperiodic data, roughly Aug 9–16 and Sep 13–20. Interestingly, these quiet times correspond to an increased occurrence of periodic data, so the overall number of DNS entries shows a peak in activity, as seen in 1a (minimum in aperiodic = maximum in periodic).

What we find in 3a, for Spectrum Health:

  • Initial sporadic data appear to be aperiodic
  • Starting with the low-rate data in late June, the data remain periodic. There are long gaps in time, but none of these cause the periodic pattern to drift.
  • After the gap ~July 24 the overall rate picks up slightly (not as much as for ALFA A & B).
  • Because this pattern is not shifting, it does not move in time with the ALFA A & B entries. Other than the overall rates of occurrence of Spectrum Health vs. ALFA A & B, which seem to roughly track each other, there is no obvious correlation in the timing of their DNS log entries.

Final Remarks

For now, I’ll let others draw conclusions as to whether or how these observations correlate with specific events over the past 6 months, and also whether or not the figures above corroborate or disprove other inferences based on the same tables.

Final key points:

  • ALFA A & B and Spectrum Health entries seem to track each other but obey different behavior in detail
  • A key gap in entries occurred ~July 24, followed by an increase in the rate of entries and in particular periodic records for ALFA A & B, with aperiodic records also continuing.
  • A “quiet period” in aperiodic ALFA A & B records occurred around Aug 9–Aug 17 and Sep 13–20.
