Computer Science Department
School of Computer Science, Carnegie Mellon University


A Security Study of the Internet:
An Analysis of Firewall Behavior and Anonymous DNS

Hal Burch, Dawn Song

July 2004

Keywords: Network measurement, security, census, firewall, firewall behavior, server correlation, split DNS, anonymous DNS

Hosts connected to the Internet are exposed to a wide array of attacks, and multiple methods are used to limit and impede them. This paper examines whether and how some of these methods are deployed on the Internet. The most common method is to restrict network access to hosts using firewalls. What percentage of IP addresses are behind firewalls? What do these firewalls block and allow? What policies are commonly installed in firewalls? These questions are essential to understanding how firewalls are used as a security defense mechanism on the Internet, and they were previously unaddressed. In this paper, we first set out to answer them by performing a systematic study of firewall behavior on the Internet. Another widely adopted method of limiting the information exposed about hosts is to give IP addresses anonymous hostnames derived from the addresses themselves, a practice called anonymous DNS. This makes the function, and even the existence, of such machines difficult to determine. We then analyze the behavior of anonymous DNS on the Internet, e.g., what fraction of hosts have anonymous names and how much information Internet hostnames contain. To the best of our knowledge, we are the first to systematically study the behavior of firewalls and anonymous DNS on the Internet. We propose a methodology for such a study and describe our measurement results.
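The abstract's notion of an "anonymous" hostname is one that is generated from the host's own IP address rather than describing the host. The following Python is an added illustration, not code from the paper or its authors: it decides whether a reverse-DNS name embeds the address under a handful of common encodings (dashed or dotted octets, reversed octets, zero-padded octets, 8-digit hex) and tallies the fraction of a sample that is anonymous. The set of encodings and the digit-boundary rule are assumptions chosen for this example, and the PTR records are constructed, not measured.

```python
import ipaddress
import re

# Constructed sample PTR records (IP address, reverse-DNS hostname).
# Illustrative only; these are not measurements from the paper.
SAMPLE_PTRS = [
    ("24.4.67.89",   "c-24-4-67-89.hsd1.ca.comcast.net"),   # dashed octets
    ("10.0.3.7",     "ip-10-0-3-7.ec2.internal"),           # dashed octets
    ("203.0.113.45", "45.113.0.203.dynamic.example.net"),   # reversed octets
    ("198.51.100.9", "c6336409.example.org"),               # 8-digit hex of the address
    ("192.0.2.77",   "host-192-000-002-077.example.net"),   # zero-padded octets
    ("192.0.2.10",   "mail.example.com"),                   # descriptive name
    ("192.0.2.11",   "www-a1.example.com"),                 # descriptive name
]

# Character class that must NOT appear immediately before or after a token,
# so that 10-0-3-7 is not accepted inside 110-0-3-70 (heuristic, assumption).
_BOUNDARY = {"dec": "0-9", "hex": "0-9a-f"}


def address_encodings(ip):
    """Textual forms in which an IPv4 address is commonly embedded in a
    generated hostname, keyed by encoding name. The list is a heuristic
    chosen for this example, not a definition taken from the paper."""
    addr = ipaddress.IPv4Address(ip)
    octets = str(addr).split(".")
    padded = ["%03d" % int(o) for o in octets]
    return {
        "dotted":             (".".join(octets), "dec"),
        "dashed":             ("-".join(octets), "dec"),
        "reversed_dotted":    (".".join(reversed(octets)), "dec"),
        "reversed_dashed":    ("-".join(reversed(octets)), "dec"),
        "zero_padded_dotted": (".".join(padded), "dec"),
        "zero_padded_dashed": ("-".join(padded), "dec"),
        "hex":                ("%08x" % int(addr), "hex"),
    }


def _embedded(hostname, token, kind):
    """True if token occurs in hostname without being extended by further
    (hex) digits on either side."""
    cls = _BOUNDARY[kind]
    pattern = r"(?<![%s])%s(?![%s])" % (cls, re.escape(token), cls)
    return re.search(pattern, hostname) is not None


def anonymous_encoding(ip, hostname):
    """Name of the encoding under which hostname embeds ip, or None when the
    hostname does not appear to be derived from the address."""
    h = hostname.lower().rstrip(".")
    for name, (token, kind) in address_encodings(ip).items():
        if _embedded(h, token, kind):
            return name
    return None


def summarize(ptrs):
    """Count address-derived (anonymous) hostnames and the encodings used,
    the kind of fraction the study reports for the Internet as a whole."""
    by_encoding = {}
    for ip, hostname in ptrs:
        enc = anonymous_encoding(ip, hostname)
        if enc is not None:
            by_encoding[enc] = by_encoding.get(enc, 0) + 1
    anonymous = sum(by_encoding.values())
    return {
        "total": len(ptrs),
        "anonymous": anonymous,
        "fraction_anonymous": anonymous / len(ptrs) if ptrs else 0.0,
        "by_encoding": by_encoding,
    }


if __name__ == "__main__":
    for ip, hostname in SAMPLE_PTRS:
        label = anonymous_encoding(ip, hostname) or "descriptive"
        print("%-15s %-40s %s" % (ip, hostname, label))
    print(summarize(SAMPLE_PTRS))
```

The digit-boundary lookarounds are what keep the check from counting a coincidental substring as an encoding; a real census would also have to handle IPv6 PTR names and provider-specific encodings beyond the handful listed here.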

28 pages
