Abstract: Concepts and technologies for detecting and blocking Domain Name System (“DNS”) cache poisoning attacks are provided. An inline detector and blocker apparatus implements a detection algorithm to monitor DNS response packets and detects a DNS cache poisoning attack utilizing the detection algorithm. The inline detector and blocker apparatus detects the DNS cache poisoning attack by receiving a DNS response packet and determining that the response packet includes poison data. The poison data may be included within an additional section of the response packet and/or an answer section of the response packet. As appropriate, the inline detector and blocker apparatus removes the additional section and/or the answer section of the response packet to effectively block the poison data from being cached by a DNS caching resolver.

Abstract: A system for detecting a remotely controlled e-mail spam host. The system includes an E-mail spammer detection unit and a host traffic profiling unit. The E-mail spammer detection unit identifies E-mail Spammers based on SMTP traffic characteristics. The host profiling unit extracts traffic components from the plurality of Internet traffic associated with an E-mail Spammer; interprets the extracted traffic components and determines whether the E-mail Spammer is a compromised host. The system may also include a botnet controller detection unit that analyzes traffic associated with compromised E-mail Spammers and identifies the botnet Controller remotely controlling the compromised E-mail Spammer.

Abstract: An authoritative domain name system server includes a memory configured to store a set of instructions, and a processor configured to execute the set of instructions. The processor obtains a first Internet Protocol address of a client system associated with a request for a domain name, and assigns a location of the authoritative domain name system server as an ingress region. The processor assigns the egress override as an egress region when the first Internet Protocol address matches the prefix of the egress override, otherwise obtains an egress table, determines a longest prefix match of the first Internet Protocol address, obtains a distance matrix for distances from the ingress location to a plurality of egress regions, and selects the egress region based on the distance matrix and the longest prefix match in the egress table.

Abstract: A system includes an analyzer module, a content request data collection module, and a domain name server. The content request data collection module is configured to receive a content request sent to a tracking address, collect content request information about the content request, and provide the content request information to the analyzer module. The domain name server is configured to receive an address request from a local domain name server for a cache server address, provide a tracking address to the local domain name server, collect address request information about the address request, and provide the address request information to the analyzer module. The analyzer module is configured to receive the address request information and the content request information, and determine properties of clients served by the local domain name server based on the address request information and the content request information.

Abstract: A system includes an analyzer module, a content request data collection module, and a domain name server. The content request data collection module is configured to receive a content request sent to a tracking address, collect content request information about the content request, and provide the content request information to the analyzer module. The domain name server is configured to receive an address request from a local domain name server for a cache server address, provide a tracking address to the local domain name server, collect address request information about the address request, and provide the address request information to the analyzer module. The analyzer module is configured to receive the address request information and the content request information, and determine properties of clients served by the local domain name server based on the address request information and the content request information.

Abstract: Concepts and technologies for detecting and blocking Domain Name System (“DNS”) cache poisoning attacks are provided. An inline detector and blocker apparatus implements a detection algorithm to monitor DNS response packets and detects a DNS cache poisoning attack utilizing the detection algorithm. The inline detector and blocker apparatus detects the DNS cache poisoning attack by receiving a DNS response packet and determining that the response packet includes poison data. The poison data may be included within an additional section of the response packet and/or an answer section of the response packet. As appropriate, the inline detector and blocker apparatus removes the additional section and/or the answer section of the response packet to effectively block the poison data from being cached by a DNS caching resolver.

Abstract: A method includes receiving at a cache server a content request from a client system, determining that the cache server is overloaded in response to receiving the content request, and in response to determining that the cache server is overloaded, returning to the client system a domain redirection response including a load status of the cache server.

Abstract: A method and apparatus for detecting compromised host computers (e.g., Bots) are disclosed. For example, the method identifies a plurality of suspicious hosts. Once identified, the method analyzes network traffic of the plurality suspicious hosts to identify a plurality suspicious hub-servers. The method then classifies the plurality of candidate Bots into at least one group. The method then identifies members of each of the at least one group that are connected to a same controller from the plurality suspicious controllers, where the members are identified to be part of a Botnet.

Abstract: Disclosed example methods include receiving in a gateway a request to connect to a domain name from a client coupled to the gateway, selecting a first domain name system server corresponding to the domain name based on a rule linking the first domain name system server to the domain name, adding location information to the request in the gateway, the location information to be used by the first domain name system server to select a second domain name system server associated with the domain name, and transmitting the request including the location information to the selected first domain name system server.

Abstract: A content delivery system includes an analyzer module, a content request data collection module, and a domain name server. The collection module receives request sent to a tracking address, collects information about the request, and provides the information to the analyzer. The server receives an address request from a local domain name server associated with an autonomous system for the cache server address, provides the tracking address to the local server because the local server is associated with the second autonomous system, collects address request information about the address, and provides the address request information to the analyzer module. The analyzer module receives the address request and content request information, and determines information about clients served by the autonomous system based on the address request and content request information.

Abstract: An authoritative domain name system server includes a memory configured to store a set of instructions, and a processor configured to execute the set of instructions. The processor obtains a first Internet Protocol address of a client system associated with a request for a domain name, and assigns a location of the authoritative domain name system server as an ingress region. The processor assigns the egress override as an egress region when the first Internet Protocol address matches the prefix of the egress override, otherwise obtains an egress table, determines a longest prefix match of the first Internet Protocol address, obtains a distance matrix for distances from the ingress location to a plurality of egress regions, and selects the egress region based on the distance matrix and the longest prefix match in the egress table.

Abstract: A content delivery system includes an analyzer module, a content request data collection module, and a domain name server. The collection module receives request sent to a tracking address, collects information about the request, and provides the information to the analyzer. The server receives an address request from a local domain name server associated with an autonomous system for the cache server address, provides the tracking address to the local server because the local server is associated with the second autonomous system, collects address request information about the address, and provides the address request information to the analyzer module. The analyzer module receives the address request and content request information, and determines information about clients served by the autonomous system based on the address request and content request information.

Abstract: A system includes an analyzer module, a content request data collection module, and a domain name server. The content request data collection module is configured to receive a content request sent to a tracking address, collect content request information about the content request, and provide the content request information to the analyzer module. The domain name server is configured to receive an address request from a local domain name server for a cache server address, provide a tracking address to the local domain name server, collect address request information about the address request, and provide the address request information to the analyzer module. The analyzer module is configured to receive the address request information and the content request information, and determine properties of clients served by the local domain name server based on the address request information and the content request information.

Abstract: Methods and apparatus to transmit a request to a server via domain name system forwarding are disclosed. A disclosed example method includes receiving in a gateway a request to connect to a domain name from a client coupled to the gateway, selecting a first domain name system server corresponding to the domain name based on a rule linking the first domain name system server to the domain name, adding location information to the request in the gateway, the location information to be used by the first domain name system server to select a second domain name system server associated with the domain name, and transmitting the request including the location information to the selected first domain name system server.

Abstract: A system includes an analyzer module, a content request data collection module, and a domain name server. The content request data collection module is configured to receive a content request sent to a tracking address, collect content request information about the content request, and provide the content request information to the analyzer module. The domain name server is configured to receive an address request from a local domain name server for a cache server address, provide a tracking address to the local domain name server, collect address request information about the address request, and provide the address request information to the analyzer module. The analyzer module is configured to receive the address request information and the content request information, and determine properties of clients served by the local domain name server based on the address request information and the content request information.

Abstract: A system includes a monitoring module, a request allocation module, and a request distribution module. The monitoring module is configured to determine a resource utilization of a preferred server and a non-preferred server. The request allocation module is configured to modify an allocation scheme in response to the resource utilization of the preferred server and the non-preferred server. The request distribution module is configured to distribute a plurality of requests from a plurality of users according to the allocation scheme.

Abstract: A system for detecting a remotely controlled e-mail spam host. The system includes an E-mail spammer detection unit and a host traffic profiling unit. The E-mail spammer detection unit identifies E-mail Spammers based on SMTP traffic characteristics. The host profiling unit extracts traffic components from the plurality of Internet traffic associated with an E-mail Spammer; interprets the extracted traffic components and determines whether the E-mail Spammer is a compromised host. The system may also include a botnet controller detection unit that analyzes traffic associated with compromised E-mail Spammers and identifies the botnet Controller remotely controlling the compromised E-mail Spammer.

Abstract: A system and method for detecting Email spammers from unknown SMTP Clients using the unknown SMTP Client's SMTP traffic information e.g. byte size and variability data. The system and method includes a byte size and variability traffic flow model and a classification system. The traffic flow model may be based upon a standard deviation of byte size and variability of traffic flows for a plurality of legitimate SMTP Clients and for a plurality of Spammer SMTP Clients. The classification system then classifies an Unknown SMTP Client as an Email Spammer based on a comparison between the byte size and the variability of the Unknown SMTP Client's traffic flows with the byte size and variability traffic flow model.

Abstract: A system includes a monitoring module, a request allocation module, and a request distribution module. The monitoring module is configured to determine a resource utilization of a preferred server and a non-preferred server. The request allocation module is configured to modify an allocation scheme in response to the resource utilization of the preferred server and the non-preferred server. The request distribution module is configured to distribute a plurality of requests from a plurality of users according to the allocation scheme.

Abstract: A method and apparatus for detecting compromised host computers (e.g., Bots) are disclosed. For example, the method identifies a plurality of suspicious hosts. Once identified, the method analyzes network traffic of the plurality suspicious hosts to identify a plurality suspicious hub-servers. The method then classifies the plurality of candidate Bots into at least one group. The method then identifies members of each of the at least one group that are connected to a same controller from the plurality suspicious controllers, where the members are identified to be part of a Botnet.