26 February 2016

DNS Visualisations

Datascape2_20160226_115525.png

In putting together some demos for Datascape2XL we've been diving back into our archives to revisit some of our favourite datasets and give them the "XL" treatment. This dataset shows DNS activity on a computer network, with time wrapped around a cylinder (left to right), and the DNS addresses being plotted "up" the screen, the data being sourced courtesy of our friends at Assuria.

The image below shows the original plot. This had about 20k data points covering about a week. The vertical "stacks" or "bands" correspond to heightened activity during days of the week, not quite sure why there's such a big gap, probably the PCs we selected (to keep the data volume down) were off those days.

dnsoverview2.png

Even with this few points there were a lot of features of interest, such as the obvious "beaconing" going on against some DNS addresses pretty much 24/7.

The image below and at the top of the article show the result with Datascape2XL and all 848,000 data points being plotted, covering 100+ PCs over about 8 weeks (you can see the 8 blocks of 5 days of weekday activity).

Datascape2_20160226_115557.png

We set the radius to about 180 degrees, but could easily have opened it out to the full 360 degrees. The black background works great on a big monitor, possibly less so on this web page, but is (like everything else in the visualisation) user selectable. We also did a version where we plotted all the data against a single 24 clock so you could see if things happen at the same time every day.

The image below shows a couple of days in detail.

Datascape2_20160226_115442.png

So every point is a DNS request being made. The colour is assigned to the DNS request type. Red is normal "A" IP4 requests, Cyan in "PTR" requests, Orange is SOA, Yellow is SRV etc.

Beaconing on both A and PTR requests clearly stands out, as to some of the vertical "DNS cascades" caused by web pages which pull in resources (aka "ads") from lots of servers. Interesting that of the 3 days in the plot in the lower image only the first day shows SOA/SRV activity. It also looks like there was a bit of activity late on Sunday night!

The final image shows a close up zoom of the individual requests, with hover text on a particular record.

Datascape2_zoomed.png

We'll post a video up in the next few weeks so as to give you a real sense of what it is like to fly though this visualisation. The video will also show what the "visualisation" is like with audio added, a "sonification", where with the new version of Datascape we can map data fields to sounds as well! And leverage the fact that the brain actually parses audio information quicker than visual information (especially text).

No comments:

Post a Comment