A DNS Anomaly Detection and Analysis System



Similar documents
Introduction to Network Operating Systems

Computer Networks - CS132/EECS148 - Spring

Motivation. Domain Name System (DNS) Flat Namespace. Hierarchical Namespace

Lecture 2 CS An example of a middleware service: DNS Domain Name System

DNS traffic analysis -- Issues of IPv6 and CDN --

Table of Contents DNS. How to package DNS messages. Wire? DNS on the wire. Some advanced topics. Encoding of domain names.

Domain Name System (DNS) RFC 1034 RFC

DNS. Some advanced topics. Karst Koymans. (with Niels Sijm) Informatics Institute University of Amsterdam. (version 2.6, 2013/09/19 10:55:30)

Network Fundamentals Carnegie Mellon University

Domain Name System (DNS) Fundamentals

DNS Domain Name System

Applications & Application-Layer Protocols: The Domain Name System and Peerto-Peer

Forouzan: Chapter 17. Domain Name System (DNS)

DNS Basics. DNS Basics

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

DNS Resolving using nslookup

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl 28 Feb 2013 Stichting NLnet Labs

HW2 Grade. CS585: Applications. Traditional Applications SMTP SMTP HTTP 11/10/2009

The Domain Name System (DNS)

Some advanced topics. Karst Koymans. Friday, September 11, 2015

DNS: How it works. DNS: How it works (more or less ) DNS: How it Works. Technical Seminars Spring Paul Semple psemple@rm.

Use Domain Name System and IP Version 6

HTG XROADS NETWORKS. Network Appliance How To Guide: EdgeDNS. How To Guide

F5 Intelligent DNS Scale. Philippe Bogaerts Senior Field Systems Engineer mailto: Mob.:

DNS : Domain Name System

1 DNS Packet Structure

Domain Name System (DNS) Session-1: Fundamentals. Ayitey Bulley

How-to: DNS Enumeration

Chapter 25 Domain Name System Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .

DNS & IPv6. Agenda 4/14/2009. MENOG4, 8-9 April Raed Al-Fayez SaudiNIC CITC rfayez@citc.gov.sa, DNS & IPv6.

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs

How To Guide Edge Network Appliance How To Guide:

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

Copyright

NET0183 Networks and Communications

The Domain Name System (DNS)

How to Configure the Windows DNS Server

1 Introduction: Network Applications

loss-tolerant and time sensitive loss-intolerant and time sensitive loss-intolerant and time insensitive

Global Server Load Balancing (GSLB) Concepts

Monitoring the DNS. Gustavo Lozano Event Name XX XXXX 2015

DNS Best Practices. Mike Jager Network Startup Resource Center

Applications and Services. DNS (Domain Name System)

- Domain Name System -

Domain Name System (DNS)

Internet-Praktikum I Lab 3: DNS

CDN SERVICE ICSS ROUTE MANAGED DNS DEUTSCHE TELEKOM AG INTERNATIONAL CARRIER SALES AND SOLUTIONS (ICSS)

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

How do I get to

DNS Conformance Test Specification For Client

Domain Name System (DNS)

CS 355. Computer Networking. Wei Lu, Ph.D., P.Eng.

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The Impact of DNSSEC. Matthäus Wander. on the Internet Landscape. Duisburg, June 19, 2015

DATA COMMUNICATOIN NETWORKING

Understand Names Resolution

DNS: Domain Name System

The Domain Name System

Application Layer -1- Network Tools

Operational Problems in IPv6: Fallback and DNS issues

SME- Mail to SMS & MMS Gateway with NowSMS Quick Start Guide

CS3250 Distributed Systems

Application Protocols in the TCP/IP Reference Model

Distributed Systems. 09. Naming. Paul Krzyzanowski. Rutgers University. Fall 2015

Homework 2 assignment for ECE374 Posted: 02/20/15 Due: 02/27/15

Detecting Search Lists in Authoritative DNS

Names vs. Addresses. Flat vs. Hierarchical Space. Domain Name System (DNS) Computer Networks. Lecture 5: Domain Name System

Copyright International Business Machines Corporation All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure

The Application Layer. CS158a Chris Pollett May 9, 2007.

The Domain Name System

Achieving Zero Downtime for Apps in SQL Environments

Chapter 23 The Domain Name System (DNS)

Domain Name System :49:44 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

How to Add Domains and DNS Records

Glossary of Technical Terms Related to IPv6

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Application Protocols in the TCP/IP Reference Model. Application Protocols in the TCP/IP Reference Model. DNS - Concept. DNS - Domain Name System

Akamai CDN, IPv6 and DNS security. Christian Kaufmann Akamai Technologies DENOG 5 14 th November 2013

DNS + DHCP. Michael Tsai 2015/04/27

DNS. Spring 2016 CS 438 Staff 1

Domain Name System (or Service) (DNS) Computer Networks Term B10

D. SamKnows Methodology 20 Each deployed Whitebox performs the following tests: Primary measure(s)

Building Nameserver Clusters with Free Software

DNS and Interface User Guide

Introduction to Web Design & Computer Principles CSCI-UA 4. Web Hosting and Domain Names

Transcription:

A DNS Anomaly Detection and Analysis System Hyo-Jeong Shin, KT NANOG 40 June 2007

KORNET DNS system More than 20 cache DNS server farms Each server farm advertises the same IP address using anycast routing Each DNS server farm serves its local POP A central server farm (one of DNS server farms) takes and serves queries for another server farm when the server farm fails

KORNET DNS system DNS server farms advertise two /32 addresses One is primary DNS IP address The other is secondary DNS IP address POP Router POP Router IPS Primary IP Secondary IP L4 DNS servers

Purpose of our systematic approach Ever-increasing number of server farms and servers Difficult to figure out what problems have happened on DNS Manual dump and analysis timeconsuming job Real-time systematic analysis would help Investigate which server farm has problem Investigate the problem instantly

Overall system: overview A central detection system and multiple local analysis systems Currently two local analysis systems have been deployed Central detection system POP router POP router IPS KT s KT s Internet Internet Local analysis system tap L4 DNS servers Local analysis systems

Overall system: functions Local analysis system Captures all packets to/from DNS server farms and inspects their contents with predefined rules Sends analytical results to the central detection system Central detection system Gathers the analytical results from all local analysis systems Detects DNS anomalies

User Interface Past analysis Realtime analysis Past analysis Off-line analysis Local system control Threshold for anomaly detection DNS traffic Captured packets Captured packets Queries/Answers Response ratio Primary/Secondary Response Ratio Cache hit ratio Concurrent users TCP sessions Query types Answer types Anomaly queries Sampling period 1min All local systems download Metric Period hr hr Top-N data Anomaly detection The above chart shows PPS of captured DNS packet.

DNS traffic: Queries/Answers Total DNS packets Number of clients queries/answers Number of recursive queries/answers PPS Total packets queries from clients answers for clients queries recursive queries recursive answers queries answers clients recursive

DNS traffic : Response ratio Ratio of resolved queries = number of answer packets number of query packets % recursive clients Response Ratio for local system 1 % recursive clients Response Ratio for local system 2

DNS traffic : Response ratio of primary/secondary DNS IP Calculate response ratio of primary/secondary DNS IP separately % primary IP secondary IP Response Ratio for local system 1 % primary IP secondary IP Response Ratio for local system 2

DNS traffic : Cache hit ratio % Cache Hit Ratio from local system 1 % Cache Hit Ratio from local system 2

DNS traffic : Concurrent users Count number of source IP s per minute Count number of queries per source IP number of source IP s per minute number of queries per source IP The above chart shows: num of source IP s and num of queries

DNS traffic : TCP sessions Number of TCP sessions per minute Only Query, Time Over, Empty, Normal Number of sessions per minute

DNS traffic: Query types Distribution of query types PPS PPS A, MX, PTR, CNAME, local system 1 PPS local system 2

DNS traffic: Answer types Distribution of answer types No Error, Serv Fail, Name Error, PPS local system 1 PPS local system 2

DNS traffic: Anomaly queries Number of packets which violate the format constraints of DNS header These packets have been generated by malicious users PPS

Top-N data: Source IP Category Source IP s Sampling period 5min Time hr min Row Retrieve accumulated for 5 minutes Rank aa.aa.aa.aa bb.bb.bb.bb cc.cc.cc.cc dd.dd.dd.dd ee.ee.ee.ee ff.ff.ff.ff Counts Ratio Ranking variation New Category Top-N source IP s Top-N source IP s with type A, MX, PTR Top-N source IP s generating anomaly queries

Top-N data: Qname + Source IP Category Loca system 2 Rank Row aaa.aaa.aaa.aaa bbb.bbb.bbb.bbb bbb.bbb.bbb.bbb ccc.ccc.ccc.ccc ccc.ccc.ccc.ccc ddd.ddd.ddd.ddd Retrieve Accumulated for 5 minutes Counts Ratio Ranking variation New New New Category Top-N Qname + source IP's Top-N Qname + source IP s with type A, NS, PTR, ServFail Top-N Black domain + source IP's Top-N Qname + source IP's who generate queries to secondary DNS IP

Top-N data: Qname Category Row Retrieve Loca system 1 Rank Accumulated for 5 minutes Counts Ratio Ranking variation Category Top-N Qname Top-N Qname with type A, MX, PTR, ServFail, NamErr Top-N Recursive Qname

Top-N DNS server Top-N DNS server Count queries to authoritative DNS servers which serve recursive queries Accumulated for 5 minutes Category Counts PPS % root only J-root 19,304 64.3 1.71% 50% Root F-root 8,014 26.7 0.71% 21% server M-root 2,799 9.3 0.25% 7% Other root 8,650 28.8 0.77% 22% gtld server 116,425 388.1 10.32% kr server 13,237 44.1 1.17% others 959,586 3,198.60 85.07% Total 1,128,015 3,760.10 100%

Top-N TLD, SLD/3LD Top-N TLD Top-N SLD/3LD Accumulated for 5 minutes rank DOMAIN counts PPS ratio ranking variation 1 com 2,732,130 9,107.10 44.3 0 2 kr 1,330,693 4,435.60 21.58 0 3 net 900,962 3,003.20 14.61 0 4 gov 335,277 1,117.60 5.44 0 5 org 178,693 595.6 2.9 0 Accumulated for 5 minutes rank DOMAIN counts PPS ratio ranking variation 1 naver.com 459,799 1,532.70 7.48 0 2 nate.com 351,624 1,172.10 5.72 0 3 nist.gov 333,805 1,112.70 5.43 0 4 kornet.net 179,113 597 2.92 0 5 daum.net 150,804 502.7 2.45 0 6 mk.co.kr 125,271 417.6 2.04 0 7 nasads.com 82,771 275.9 1.35 1 8 hanmail.net 76,573 255.2 1.25-1 9 iveconmiga.info 65,856 219.5 1.07 0 10 msnplus.co.kr 65,174 217.2 1.06 0

Anomaly detection logic Based upon the variation ratio of DNS traffic Basic ideas on detection formula Use the collected parameters of DNS traffic Keep the limited history of values on each parameter Put more weights on recent data Rely on the threshold value to make decision When anomaly detected Check the details on who or what incurred problems with Top-N data page

Indicators of anomaly Increase in number of DNS packets Increase in number of queries to DNS server farm s secondary IP address Decrease in cache hit ratio Increase in average DNS queries of individual source IP addresses Increase in number of recursive queries Increase in number of TCP sessions Increase in number of source IP addresses within a limited time slot Decrease in ratio of resolved queries Variation of query types cf. decrease in ratio of type A Variation of answer types cf. decrease in type No Error

An example of Anomaly detection Local system 2 Time packet counts secondary/primary cache hit ratio clients queries recursive queries TCP sessions concurrent users Qtype A Rcode Noerror Threshold (%) Warning level: green-yellow-orange-red Red means the situation is critical Second row shows threshold values between warning levels

Case of utilizing the system(1) Detected unexpected increase on MX queries In Feb, 2007 Response ratio was just 10% or higher Most of clients queries are dropped Then we need to know what queries they are who generates what query types Multiple source IP addresses kept generating MX queries Blocked the traffic from the KORNET to the infecting system

Case of utilizing the system(2) Detected tons of queries on time.nist.gov In March, 2007 The amount of DNS queries had been doubled or tripled at all DNS server farms Then we need to know What queries they are More than 60% of queries were on nist.time.gov Who generates They were generated from some home gateways Investigated why the home gateways had generated the queries and advised the company to patch their firmware

On-going plan of this year Install another local analysis systems to cover all DNS server farms of KORNET Improve the anomaly detection logic