DITL 2009 took place from March 30 — April 1. We collected for 72 hours this year, whereas in previous years it has been for 48 hours.
Initially we planned to collect data only on March 31 and April 1. When we learned that the Conficker worm was scheduled to "wake up" on April 1, we decided to start the collection a day early to get a 24 hour period without Conficker activity.
The call for participants is here
|.SE, .ORG, .INFO, AS112
|.CH, .LI, .AR, .PY, .LU, .CAT, .AERO
Data Quality Problems
There is some lost data for A-root on March 30.
The ARIN data does not start until 12:00 Noon on April 1.
The C-root FRA1B node experienced an outage, but its load was automatically shifted over to the FRA1A node.
The F-root PAO1 node collected only DNS responses.
Afilias lost some data between 04:00 and 11:40 on March 31, which they replaced from another source. However, this led to the discovery that the data collected with dnscap
was at a lower than expected rate. After additional investigation, we concluded that when dnscap
was configured to collect from multiple network interfaces, it would sometimes lose packets.
Nethelp, SWITCH, and Gigafeed.net also noted that they configured dnscap
to collect from multiple interfaces and therefore may have lost some packets.
Access To Data
DNS-OARC members can acess DITL data on the OARC analysis server. Please contact the OARC Admin
for more information.