Next-Generation DNS Monitoring Tools

Similar documents
DNS Noise: Measuring the Pervasiveness of Disposable Domains in Modern DNS Traffic

Internet Monitoring via DNS Traffic Analysis. Wenke Lee Georgia Institute of Technology

CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION

Preetham Mohan Pawar ( )

WE KNOW IT BEFORE YOU DO: PREDICTING MALICIOUS DOMAINS Wei Xu, Kyle Sanders & Yanxin Zhang Palo Alto Networks, Inc., USA

EE 7376: Introduction to Computer Networks. Homework #3: Network Security, , Web, DNS, and Network Management. Maximum Points: 60

We Know It Before You Do: Predicting Malicious Domains

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

DNS amplification attacks

BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation

dnsperf DNS Performance Tool Manual

Comprehensive Understanding of Malicious Overlay Networks

Presented by Greg Lindsay Technical Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group April 7, 2010

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Botnet Detection by Abnormal IRC Traffic Analysis

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

Computer Networks: Domain Name System

The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0)

The Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends

DNS Noise: Measuring the Pervasiveness of Disposable Domains in Modern DNS Traffic

1 DNS Packet Structure

Denial of Service. Tom Chen SMU

Use Domain Name System and IP Version 6

LASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains

Defend Your Network with DNS Defeat Malware and Botnet Infections with a DNS Firewall

Large-Scale IP Traceback in High-Speed Internet

Chapter 25 Domain Name System Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

INFORMATION SECURITY REVIEW

CS 356 Lecture 16 Denial of Service. Spring 2013

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

Implementing, Managing and Maintaining a Microsoft Windows Server 2003 Network Infrastructure: Network Services Course No.

Firewalls and Intrusion Detection

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

DNS and issues in connecting UNINET-ZA to the Internet

Protecting DNS Query Communication against DDoS Attacks

Internetworking with TCP/IP Unit 10. Domain Name System

Project 4: IP over DNS Due: 11:59 PM, Dec 14, 2015

DNS Firewalls with BIND: ISC RPZ and the IID Approach. Tuesday, 26 June 2012

DNS Architecture Case Study: Resiliency and Disaster Recovery

Inside the Storm: Protocols and Encryption of the Storm Botnet

The Coremelt Attack. Ahren Studer and Adrian Perrig. We ve Come to Rely on the Internet

Data Exfiltration and DNS

Ranch Networks for Hosted Data Centers

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks

Detecting rogue systems

The Domain Name System

CDN SERVICE ICSS ROUTE MANAGED DNS DEUTSCHE TELEKOM AG INTERNATIONAL CARRIER SALES AND SOLUTIONS (ICSS)

Coordinación. The background image of the cover is desgned by GUIDE TO DNS SECURITY 2

Distributed Denial of Service Attack Tools

Multifaceted Approach to Understanding the Botnet Phenomenon

EKT 332/4 COMPUTER NETWORK

How To Classify A Dnet Attack

From traditional to alternative approach to storage and analysis of flow data. Petr Velan, Martin Zadnik

Malicious Payload Distribution Channels in Domain Name System

Detecting Hidden Anomalies in DNS Communication

Detection of NS Resource Record DNS Resolution Traffic, Host Search, and SSH Dictionary Attack Activities

An Anomaly-based Botnet Detection Approach for Identifying Stealthy Botnets

Shell over what?! Naughty CDN manipulations. Roee Cnaan, Information Security Consultant

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

Application-layer protocols

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Introduction to the DANE Protocol

Using Foundstone CookieDigger to Analyze Web Session Management

The Impact of DNSSEC. Matthäus Wander. on the Internet Landscape. Duisburg, June 19, 2015

Firewalls, IDS and IPS

5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)

How To Understand A Network Attack

Conclusions and Future Directions

How to set up the Integrated DNS Server for Inbound Load Balancing

From Georgia, with Love Win32/Georbot. Is someone trying to spy on Georgians?

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

The Hillstone and Trend Micro Joint Solution

DNS. Some advanced topics. Karst Koymans. (with Niels Sijm) Informatics Institute University of Amsterdam. (version 2.6, 2013/09/19 10:55:30)

Proxies. Chapter 4. Network & Security Gildas Avoine

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

The Domain Name System from a security point of view

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

Defend Your Network with DNS Defeat Malware and Botnet Infections with a DNS Firewall

Network Security Monitoring

Lightweight DNS for Multipurpose and Multifunctional Devices

GregSowell.com. Mikrotik Security

Chapter 11 Phase 5: Covering Tracks and Hiding

Threat Events: Software Attacks (cont.)

WHITEPAPER. How a DNS Firewall Helps in the Battle against Advanced Persistent Threat and Similar Malware

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs

Transcription:

Next-Generation DNS Monitoring Tools Cyber Security Division 2012 Principal Investigators Meeting October 9, 2012 Wenke Lee and David Dagon Georgia Institute of Technology wenke@cc.gatech.edu 404-808-5172

Outline DNS and Covert Channels Storage-type DNS Covert Channel Detector Real World DNS Covert Channel Detection Morto DNS Trojan DNS-Based Traceback

Detection of DNS Covert Channels

DNS Resolution Process

DNS Covert Channel Components The Infected host will try to issue DNS requests to the DNS Covert Channel C&C

DNS Covert Channel Components The recursive DNS will facilitate all RFC compliant DNS resolution requests from the stub. This is the monitoring and defense point.

DNS Covert Channel Components The DNS authority will decode the DNS CC request and provide properly encoded C&C messages to the host.

Main Types of DNS Covert Channels Timing DNS Covert Channels Definition: Use timing properties of DNS requests to transmit messages to the C&C. Pros Very stealthy Cons Very low bandwidth DNS caching and C&C protocol problems Can be disturb easily by using pump-like network systems

Main Types of DNS Covert Channels Timing DNS Covert Channels Definition: Use timing properties of DNS requests to transmit messages to the C&C. Pros Very stealthy Cons Very low bandwidth DNS caching and C&C protocol problems Can be disturb easily by using pump-like network systems Storage DNS Covert Channels Definition: Overload the protocol to encapsulate encoded information (e.g., DNS-CC for C&C) Pros High bandwidth Easy to set up Reliable (as part of DNS) Hard to detect Cons Passive DNS traces

Storage DNS-CC: Some Details (Infected) host: Issues queries to domain names under the zone *.61020.pfwhereismyshoe.com DNS Covert Channel C&C (or external DNS authority): The DNS authority acting as DNS-CC C&C sends answers back with encoded (in this case encrypted as well) messages as part of the TXT DNS answer fields

Detection of DNS-CC Monitor DNS traces Measure statistical features according to the passive traces of each DNS zone observed Classify the zones as DNS covert channel candidates

The Statistical Features Given a group of strings s i (i = 1,,n), let the Shannon Entropy of characters in the string be H(s i ), and construct a set with all the H(s i ). Features: the cardinality of the set, the maximum, minimum, average, median, and variance of all H(s i ) values.

Cover-Channel Domain Classifier Classifier: Random Forest True positive rate: 96.52%, false positive rete: 0.57%, using six statistical features

Real-World Evaluation Data 6 days of Full Passive DNS data from the largest USbased ISP Data format: <timestamp, requester, qname, qtype, rdata, ttl> Days: 02/01 09/02 09/13 11/14 11/29 12/30 in 2011

Evaluation Case Study In the news, The Trojan is doing a DNS TXT query to httpdconfig.com every few minutes by using the current UNIX timestamp as subdomain(*unixtimestamp*.httpdsconfig.com). The C&C server replies with a encrypted string (seems to be always the same) http://www.abuse.ch/?p=2740

DNS Covert Channel Protocol If query for <timestamp>.httpxxx.xxx does not resolve, no command is replied. If it resolves, command is replied in the txt field of the DNS packet. 2LD is always changing We found a lot of DNS traffic of this C&C Covert Channel using our detection system. There is also another version of domains - <timestamp>.webxxx.xxx

C&C Covert Channel Zones Detected *.httpany.net *.httpbb.com *.httpbuyonline.net *.http-camerawebsoft.info *.httpcome.net *.httpdedicateserver.eu *.httpdigit.com *.httpdsconfig.com *.httpdump.net *.httpfastinternet.us *.httpfinalpack.us *.httpgo.net *.httphelp.us *.httplime.net *.httploading.com *.httplook.com *.httpmaindns.com *.httpmanagersuit.eu *.httpmyprogramming.net *.httponlinewebsoft.co m *.httppoint.net *.http-primetests.us *.httpput.net *.httpregion.net *.httprsrepoz.com *.httpsatellite.eu *.httpsdata.in *.httpsdsconf.com *.httpsea.com *.http-softlive.info *.httpsquer.com *.httptracking.net *.httpurl.net *.httpv1.com *.httpwebhistorysite.us *.httpwebhost.eu *.httpwebinterface.info *.httpwebmail.us *.http-websignorg.info *.httpwebtech.info *.http-webtesting.us *.httpwebx.info *.httpwebz.info *.httpx4.com *.httpz0.com *.nhttpunique.net

Latest active C&C covert channel *.web-alm.net *.web-antispampc.com *.web-designe.us *.web-flashinfo.com *.web-freesite.com *.web-gamesinfo.us *.web-games.us *.web-htmlinfo.us *.web-mex.com *.web-myprice.us *.web-testhard.us *.web-testkeyboard.eu *.web-testprocessors.us

Status By the end of October 2012, we will deliver A technical report describing the algorithm and features The software DNS-CC Sniffer

DNS-Based Traceback

DNS-Based Traceback Goal: Discover the origin of attacks Central insight: The first N hosts to resolve a domain may have some connection to the domain 21

Approach Outline Only a few tens of thousands of domains are added each day to gtlds like.com; fewer to others DNS monitoring tools can be extended to log IP/src of the first N-queries for a (new) qname Reducing false positives: Multiple domains are often used by a single botnet Higher confidence if first queries to several domains are from the same host/network Partial take-down can force attacker into action more monitoring/analysis opportunities 22

Status By the end of December 2012, we will deliver A technical report describing the algorithm The software prototype of the trace-back system

Credits Manos Antonakakis Yizhen Chen Jorge Villasmil

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information