The Power of 100 Billion: What You Can Do with a Vast Global Network

Owen Lystrup
Published in Shifted
May 25, 2017

On April 20, the Cisco Umbrella global network quietly crossed a large milestone, serving more than 100 billion legitimate DNS requests in a single day. This is the system that takes domain name queries (like facebook[.]com) and finds the corresponding IP addresses (like 31.13.70.36). It does this for more than 85 million customers in more than 160 countries around the world.

Source: Gabriel Santiago (@gabrielssantiago), Unsplash

The 100 billion is a mix of recursive queries and cached responses, a Cisco Umbrella head engineer said. It’s also a combination of Cisco Umbrella enterprise customers and users of the home user OpenDNS service.

DNS is a fascinating system, one that operates a crucial function within the Internet’s infrastructure. It can also tell us a lot about the Internet’s growth as we forge our path into the second machine age.

The network that serves these DNS queries, which fluctuate between 80 and 100 billion requests every day, comprises 24 data centers worldwide. (It’s worth noting that the actual amount is much higher than 100 billion, but tens of billions of requests classified as DDoS or spam traffic are proactively dropped.) A data set of this scale provides a unique view of the Internet, one that Cisco Umbrella and its customers use to apply machine learning models and data training methods to create new ways of discovering malware, phishing and spam.

During an interview about the 100 billion milestone, Site Reliability Engineering Manager Brian Hartvigsen rummaged through a box in a closet, looking for a plaque. Hartvigsen has been with the company since its very early days, when it was known as just OpenDNS. The company was founded in 2006 and acquired by Cisco in 2015. The plaque was a commemorative piece another OpenDNS engineer made by hand to mark the achievement of reaching 20 billion requests served.

“I think that was only in…2009, 2010,” Hartvigsen said. “The amount of time it took us to go from zero DNS requests to probably 20 billion was about the same amount of time it took us to go from 20 billion to 100 billion.”

The massive upswing in requests is due to multiple factors, including changes in CDN configurations, customer growth in new markets, and additional data centers coming online.

“The growth has always been crazy. You don’t look at the graph for a day, and all the sudden [the number of requests] has jumped another 10 billion.”

One of the major factors behind the growth is the exponentially growing number of devices making calls to the Internet. In about three years, this number will be near the 50 billion mark, according to Cisco. That will include the typical devices we’re all accustomed to, like laptops and smart phones, but also huge numbers of newly connected IoT devices. Refrigerators and home thermostats, smart TVs and conferencing equipment, pipeline sensors and an increasing number of automobiles will all begin talking to a global network.

“Back when I started [at OpenDNS] in 2009, the figure that everyone was tossing around was one user would generate about a thousand requests per day,” Hartvigsen said. “Now, one user generates somewhere around 10,000 requests per day.”

Obviously this number fluctuates greatly depending on the person and the devices being used. But the exponential proliferation demonstrates the transformational impact of IoT on the Internet’s infrastructure, and with it, the service loads enterprises will have to sustain.

A global DNS system like Cisco Umbrella can also provide a lot of insight into active attack campaigns. In the last month, two large-scale attacks captured the attention of nearly every media publication in the world.

The first was a phishing attack that spread like a worm to more than a million Google users. Researchers at Cisco Umbrella documented how the Cisco Umbrella network was able to preemptively detect the attack using a statistical model known as Sender Rank. The model identifies malicious domains based on networking traffic patterns related to spam campaigns. The research team also got a comprehensive look into the DNA of the attack itself and the traffic patterns experienced by the various domains used in the attack.

The second attack was the now infamous WannaCry ransomware worm, also known as WCry, WannaDecrypt and about a half-dozen other names. This worm hit on a global scale very fast, with reports of somewhere around 250,000 victims. Cisco’s Talos research team and researchers at Cisco Umbrella pooled their analytical power and were able to track WannaCry as it moved around the globe.

In fact, the researcher responsible for temporarily halting its spread used Cisco Umbrella’s tool Investigate to research the domains the attacker or attackers were using. He found the malware was using an unregistered domain as a beacon. Once he registered it, the worm automatically stopped spreading to new victims.

“The more things connect, the more we can see,” Hartvigsen said. “The more we can see, the more visibility we have when we do our analysis of good and bad connections.”

For more information about the Cisco Umbrella Network and how it works, see the Cisco Umbrella resources site. For more information about WannaCry, see the analysis from Talos and consider attending the Anatomy of the Attack webinar with security researcher Brad Antoniewicz on May 31.

Owen Lystrup
Digital Content Director for Western Digital.