Submitted by admin on

Collection Period

DITL 2009 took place from March 30 — April 1. We collected for 72 hours this year, whereas in previous years it has been for 48 hours. Initially we planned to collect data only on March 31 and April 1. When we learned that the Conficker worm was scheduled to "wake up" on April 1, we decided to start the collection a day early to get a 24 hour period without Conficker activity. The call for participants is here.

Data Contributors

Contributor Data
Afilias .SE, .ORG, .INFO, AS112
APNIC in-addr.arpa
ARIN in-addr.arpa
ARL H-root
Gigafeed.net AS112
Cogent C-root
CZ.NIC .CZ
ICANN L-root
IIS .SE
ISC F-root, ns-ext.isc.org
LACNIC in-addr.arpa
NaMeX AS112
NASA E-root
Nethelp.no .NO, recursive
NIC Chile .CL
nix.cz AS112
Nominet .UK
Packet Pushers recursive
Registro.BR .BR
RIPE K-root
Switch .CH, .LI, .AR, .PY, .LU, .CAT, .AERO
tix.or.tz AS112
UNINETT .NO
VeriSign A-root
WIDE M-root, AS112

Coverage Maps

Raw Data

Cleaned Data

Data Quality Problems

There is some lost data for A-root on March 30. The ARIN data does not start until 12:00 Noon on April 1. The C-root FRA1B node experienced an outage, but its load was automatically shifted over to the FRA1A node. The F-root PAO1 node collected only DNS responses. Afilias lost some data between 04:00 and 11:40 on March 31, which they replaced from another source. However, this led to the discovery that the data collected with dnscap was at a lower than expected rate. After additional investigation, we concluded that when dnscap was configured to collect from multiple network interfaces, it would sometimes lose packets. Nethelp, SWITCH, and Gigafeed.net also noted that they configured dnscap to collect from multiple interfaces and therefore may have lost some packets.

Access To Data

DNS-OARC members can acess DITL data on the OARC analysis server. Please contact the OARC Admin for more information.