Meta4: Analyzing Internet Traffic by Domain Name in the Data Plane

Abstract

Associating network traffic with human-readable domain names, instead of low-level identifiers like IP addresses, is helpful for network operators who might need to rate-limit traffic by domain, conduct web-fingerprinting, identify IoT devices, measure traffic volume by domain name, and more. The problem is that most current methods of network monitoring require collecting and examining large amounts of network traffic in a way that may compromise user privacy. The emergence of high-speed programmable switches makes it possible to implement monitoring programs that run in the data plane at line-rate without revealing user information to network operators. In this paper, we introduce Meta4, a framework for implementing network monitoring by domain name in the data plane by extracting the client IP, server IP, and domain name from DNS response packets and using this information to identify the domain name associated with packets from the subsequent client-server session. A data-plane implementation has the benefits of preserving the privacy of sensitive user information, running efficiently at line-rate, and allowing network operators to take action on network traffic to rate-limit, block, or mark packets based on their associated domain. We implemented Meta4 on a Barefoot Tofino P4-programmable switch and deployed and assessed our implementation on the Princeton University campus.