
A Software-based Approach to Identify Heavy Hitters in DNS Traffic - fanf2
https://labs.ripe.net/Members/santiago_r_r_/a-software-based-approach-to-identify-heavy-hitters-in-dns-traffic
======
anonacct37
I find sticky sampling and lossy counting to be useful for this kind of thing.
In fact it's what I use to identify heavy hitters on my high-traffic DNS
servers.

[http://www.vldb.org/conf/2002/S10P03.pdf](http://www.vldb.org/conf/2002/S10P03.pdf)

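The lossy counting algorithm from the Manku and Motwani paper linked above, as an added, self-contained example (this is illustration code, not code from the linked article or from the commenter, and the query stream it consumes is constructed, not captured traffic). The stream is split into buckets of width w = ceil(1/epsilon); a name is tracked from the first time it is seen, with a delta recording how many earlier buckets it could have been missed in, and at each bucket boundary entries whose count plus delta no longer exceeds the bucket number are dropped. The demo uses a 200,000-query stream with a 5% name, a 1% name, two 0.05% names (one of which only appears in the last quarter of the stream) and a long tail of names that each occur once; with epsilon = 0.0001 and support 0.0004 all four are reported while the table never holds more than about 1/epsilon entries:

```python
"""Lossy counting (Manku & Motwani, VLDB 2002) over a constructed DNS query stream.

Added illustration; not code from the linked article or the commenter.
"""
import math
from collections import Counter


class LossyCounter:
    """Single-pass approximate frequency counter.

    For a stream of n items, support s and error epsilon the algorithm guarantees:
      * every item with true frequency >= s*n is reported (no false negatives);
      * nothing with true frequency < (s - epsilon)*n is reported;
      * each reported count undercounts the true frequency by at most epsilon*n;
      * the table holds at most (1/epsilon) * log(epsilon*n) entries.
    """

    def __init__(self, epsilon):
        self.epsilon = epsilon
        self.width = math.ceil(1.0 / epsilon)   # bucket width w
        self.n = 0                               # items seen so far
        self.table = {}                          # item -> [freq, delta]
        self.peak = 0                            # largest table size observed

    def add(self, item):
        self.n += 1
        bucket = (self.n + self.width - 1) // self.width   # current bucket id
        entry = self.table.get(item)
        if entry is None:
            # delta = bucket - 1: the most times this item could already have
            # occurred (and been pruned) before we started tracking it.
            self.table[item] = [1, bucket - 1]
        else:
            entry[0] += 1
        self.peak = max(self.peak, len(self.table))
        if self.n % self.width == 0:
            self._prune(bucket)

    def _prune(self, bucket):
        # Drop entries that could not reach the support threshold even with
        # their full error allowance added back.
        stale = [k for k, (f, d) in self.table.items() if f + d <= bucket]
        for k in stale:
            del self.table[k]

    def heavy_hitters(self, support):
        """Return (item, estimated_count, delta) for items with f >= (s - eps)*n."""
        threshold = (support - self.epsilon) * self.n
        hits = [(k, f, d) for k, (f, d) in self.table.items() if f >= threshold]
        return sorted(hits, key=lambda t: -t[1])


def synthetic_queries(n=200_000):
    """Constructed query-name stream (not real data): a few hot names plus a long tail."""
    for i in range(n):
        if i % 20 == 0:
            yield "cdn.example.com"          # 5% of traffic
        elif i % 100 == 1:
            yield "popular.example.org"      # 1%
        elif i % 2000 == 2:
            yield "spike.example.net"        # 0.05%: 100 queries in total
        elif i >= 150_000 and i % 500 == 3:
            yield "late.example.org"         # 0.05%, only in the last quarter
        else:
            yield f"host{i}.example.net"     # long tail: each name once


def run(n=200_000, epsilon=1e-4, support=4e-4):
    """Feed the constructed stream through lossy counting and an exact counter for comparison."""
    lc = LossyCounter(epsilon)
    exact = Counter()
    for name in synthetic_queries(n):
        lc.add(name)
        exact[name] += 1
    return lc, exact, lc.heavy_hitters(support)


if __name__ == "__main__":
    lc, exact, hits = run()
    print(f"seen={lc.n} distinct={len(exact)} table_peak={lc.peak} table_final={len(lc.table)}")
    for name, f, d in hits:
        print(f"{name:24s} est={f:6d} delta={d:3d} exact={exact[name]}")
```

The support and error values are the knobs: epsilon bounds both the memory (roughly 1/epsilon entries) and how far an estimate can lag the true count, and support minus epsilon is the lowest frequency that can ever be reported, so for the 0.01% signals discussed in this thread epsilon has to be set an order of magnitude below the frequency you care about.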
~~~
mwexler
This is a good choice, thanks for sharing.

------
zimbatm
If you haven't already, I recommend getting one of their probes from the Atlas
program: [https://atlas.ripe.net/landing/get-involved/](https://atlas.ripe.net/landing/get-involved/)

It's basically a legal botnet where you can participate by installing one of
their probes onto your network. The probe itself is free and you get credits
for running it, which you can use to do network measurements like pings to
various locations.

Did I mention that it's free and really cool?

------
lima
Why not take samples and process that instead? No need to look at all of it.

~~~
makmanalp
I think it depends on how big you think each thing you want to identify is. If
a heavy hitter contains 10% or 50% of traffic, then sampling is absolutely a
great approach. Since we're talking about DNS traffic here (very small
packets), a "significant" increase in queries for one domain could be e.g.
0.01% or less, which could be much easier to miss with sampling.

