A Centralized Monitoring Infrastructure For Improving DNS Security - - PowerPoint PPT Presentation

SLIDE 1

Challenges in DNS poisoning detection The attack vector Methodology Poisoning Detection Conclusions

A Centralized Monitoring Infrastructure For Improving DNS Security

Manos Antonakakis David Dagon Luo “Daniel” Xiapu Roberto Perdisci Wenke Lee Justin Bellmor

Georgia Institute of Technology Information Security Center Atlanta, Georgia

RAID, Ottawa, 2010

1 / 41

SLIDE 2

Outline and Credits

Outline:
• Challenges in DNS poisoning detection
• Previous work
• Describing the attack vector
• Methodology
• DNS poisoning detection
• Summary

Credits:
• Robert Edmonds and Paul Royal for their useful comments
• Chris Lee and the GT-OIT staff for the abuse handling
• SIE@ISC: Paul and Eric, scan point (SJ) and pDNS
• CIRA: Norm and Matthew, scan point in Canada


SLIDE 3

Challenges in DNS poisoning detection

• DNS poisoning is a successful attack vector (thanks Dan!)
• Detection requires being “on path” with the recursive resolver and/or observing the DNS cache
• DNS poisoning is hard to observe (sporadic and short) ... or you can observe it at the authority:
  • Count patterns of ICMP(3,3) (port unreachable) and qr/rd ratios

So, what do we need?

• Technology that creates its own path to the RDNS
• Sophisticated DNS cache inspection techniques


SLIDE 11

A Monitoring Infrastructure For DNS Security

What “Anax” does:
• Requests, records and analyzes DNS records from a large set of open RDNSs (ORDNSs) around the globe, looking for DNS cache abnormalities
• Since Anax can detect poisonous RRs in Internet-scale measurements, the system can do the same in a less diverse set of RDNSs, e.g., those in a single organization


SLIDE 13

Some of the previous work ...

• DNS recursive resolution plane: Dagon et al., “Corrupted DNS Resolution Paths”, NDSS 2007
• DNS entropy: Dagon et al., “Increased DNS Forgery Resistance Through 0x20-Bit Encoding”, CCS 2008
• DNS software vulnerabilities: Dagon et al., “Recursive DNS Architectures and Vulnerability Implications”, NDSS 2009
• Poisoning prevention:
  • DNSSEC (RFC 4033 and 4034), DNSCurve
  • Perdisci et al., “WSEC DNS: Protecting Recursive DNS Resolvers from Poisoning Attacks”, DSN-DCCS 2009


SLIDE 19

Challenges in DNS poisoning detection The attack vector Methodology Poisoning Detection Conclusions DNS Poisoning

Understanding the attack vector


SLIDE 20

How does DNS work?


SLIDE 21

Basic DNS Poisoning

• The recursive resolver requests qname and must wait one RTT for the answer
• Before the answer returns from the authority (SOA), the attacker can flood poisonous answers
  • Each spoofed answer attempts another ID field guess
  • With a 200 ms RTT, ≈ 13,000 spoofed packets can be sent
  • The ID field is 16 bits, or 65K values
• Besides the ID field, other entropy should be used (source port randomization, SPR, and 0x20 encoding)


SLIDE 22

Kaminsky Class of DNS Poisoning


SLIDE 23

Challenges in DNS poisoning detection The attack vector Methodology Poisoning Detection Conclusions ORDNS Network and Geographic Location RR Discovery Trends

Methodology


SLIDE 24

The Big Picture

[Figure: “The Big Picture” architecture diagram. Labels recovered from the garbled diagram text: DNS Scanning Points (1) to (3), Raw Data Collector, Anax Poisoning Detection System (4), DNS Scanning Engine, Anax Data Preparation Engine (OFF-LINE Mode, Training), Anax Poisoning Detection Engine (ON-LINE Mode), Anax DB, Poisoning Alert.]


SLIDE 25

Scanning Protocol

[Figure: scanning protocol diagram; only the label “DNS Scanning Point” is recoverable from the garbled text.]

Probing Protocol

Queries sent to each ORDNS:
• 1x A ? control_case.com
• 1x A ? <rand>.control_case.com
• 2x A ? example.com
• 1x A ? <rand>.example.com
• 3x {NS, MX, 4A (AAAA)} ? example.com

The answer IPs are used by the Anax detection system; the remaining RDATA is kept for manual labeling and temporal measurements.


SLIDE 26

Scanning Engine and Data Collection

Scan Engine

• Open-recursive DNS server selection (300,000)
• Domain name lists (131 unique 2LDs based on top Alexa zones)
• Constant eight-month (rotating) ORDNS probing from two scanning points
• 2+6 total queries per ORDNS

What we collect in the “Raw Data Collector”:
• RDNS-DATE-DN | DN-IP mappings from all recorded RRs
• RDNS-DATE-DN | DN-RDATA mappings from all recorded RRs


SLIDE 28

ORDNS Selection

CC   #ORDNS   #ASs   #CIDRs
US   116213   3785    14340
CN    34778     90     2574
JP    20147    329     1760
NL    17651    172      483
FR    16261    164      482
KR    14822    326     1316
IT    12824    204      569
GB     9587    414      952
DE     9441    408      818
SE     9119    113      355

A summary of the diverse scanning targets. The table shows the top 10 countries in ORDNS participation through our scanning list, as well as the network diversity of the ORDNSs per country code, down to AS and CIDR granularity.


SLIDE 29

New RRs During Scanning (agile/CDN enabled zones)

[Figure: two plots. Left: CDF (0.8 to 1.0) of new RR discovery against Days (10 to 100) for bestbuy.com, amazon.com, blogger.com and ebay.com. Right: Volume of new RRs (50 to 250) against Days (10 to 100).]

SLIDE 30

New RRs During Scanning (less diverse zones)

[Figure: two plots. Left: CDF (0.8 to 1.0) of new RR discovery against Days (10 to 80) for capitalone.com, chase.com, citibank.com and fedex.com. Right: Volume of new RRs (50 to 250) against Days (10 to 80).]

SLIDE 31

Challenges in DNS poisoning detection The attack vector Methodology Poisoning Detection Conclusions DNS Poison Detection Modules Detection Results Poisoning Anecdotes?

DNS Poisoning Detection


SLIDE 32

Detection Flow in Anax - CIDR Analysis Module

[Figure: Anax detection flow. Labels recovered from the garbled diagram text: Anax DB, “Not in Anax DB”, CIDR Analysis Module, Yes/No branches carrying the labels L0 to L3, Anax 2-Class Classifier, Unknown.]


SLIDE 33

CIDR Analysis Module

CIDR white list (L0)
• Probe ORDNSs from major ISPs in the US
• Hand-verify the RRsets and IPs from the answers
• White-list the minimum CIDR per legitimate IP

Mis-configurations (L1), NX-RW (L2), DNS-proxy (L2)
• Probe from a domain name we control
• Any ORDNS giving back wrong answers is marked as:
  • Mis-configuration iff the IP is in RFC 1918 or RFC 3330 space
  • DNS-proxy iff fpdns denotes it (i.e., Vermicelli totd, TinyDNS, etc.)
  • NX-domain RW iff it provides answers for non-existent domains

Poisoning: IP in BLs or manual verification (L3)
• The Team Cymru bogon (do-not-route) list
• Spamhaus DROP (drop.lasso) or PBL list
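The labelling rule of the CIDR Analysis Module written out as an added example (our code, not the talk's or Anax's): each answer IP an ORDNS returned is mapped to L0, L1, L2, L3 or Unknown. The white list, black list, ORDNS names and field names are constructed stand-ins, and the order of the checks is our assumption.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins (not the talk's data). Anax builds its white list by probing
# major US ISP resolvers and hand-verifying the answers; its black lists are the Team
# Cymru bogon list and Spamhaus DROP/PBL. Documentation ranges are used here.
WHITE_LIST = [ipaddress.ip_network(c) for c in ("93.184.216.0/24", "192.0.78.0/24")]
BLACK_LIST = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

# RFC 1918 private space plus RFC 3330 special-use blocks: a resolver handing these
# out for a public zone is mis-configured (L1), not poisoned.
SPECIAL_USE = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

@dataclass
class Probe:
    """What one ORDNS answered for one probed zone (field names are ours)."""
    ordns: str
    qname: str
    answer_ip: str
    rand_probe_answered: bool = False  # <rand>.zone got an answer: NX-domain rewriting
    fpdns_proxy: bool = False          # fpdns fingerprinted a DNS proxy (totd, TinyDNS ...)

def in_any(ip, nets) -> bool:
    return any(ip in net for net in nets)

def label(probe: Probe) -> str:
    """Assign the talk's label L0..L3, or Unknown for the 2-class classifier.

    Check order is our assumption: known-good space first, then the benign
    explanations (mis-configuration, proxy, NX rewriting), then known-bad space.
    """
    ip = ipaddress.ip_address(probe.answer_ip)
    if in_any(ip, WHITE_LIST):
        return "L0"  # CIDR white list
    if in_any(ip, SPECIAL_USE):
        return "L1"  # mis-configuration
    if probe.fpdns_proxy or probe.rand_probe_answered:
        return "L2"  # DNS proxy or NX-domain rewriting
    if in_any(ip, BLACK_LIST):
        return "L3"  # poisoning candidate, still hand-verified in the talk
    return "Unknown"  # explained by no list: handed to the classifier

def triage(probes) -> dict:
    """Group answer IPs by label so the analyst sees what still lacks a verdict."""
    out: dict = {}
    for p in probes:
        out.setdefault(label(p), []).append(p.answer_ip)
    return out

# Constructed probe results, one per branch (ORDNS names are placeholders).
SAMPLE = [
    Probe("ordns-1", "example.com", "93.184.216.34"),
    Probe("ordns-2", "example.com", "192.168.1.1"),
    Probe("ordns-3", "example.com", "100.64.0.9", rand_probe_answered=True),
    Probe("ordns-4", "example.com", "203.0.113.7"),
    Probe("ordns-5", "example.com", "100.64.0.5"),
]
```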


SLIDE 34

Detection flow in Anax - The 2-Class Classifier

[Figure: the same Anax detection flow diagram as SLIDE 32.]


SLIDE 35

2-Class Classifier

Key goal: try to model known benign vectors.
Access the SIE passive DNS feed so we can compute the following statistical feature vector (6 dimensions):
• Domain name diversity
• {2,3}LD diversity
• CDN occurrence
• Domain of interest participation (i.e., google.com)
• Special domain of interest participation (i.e., google)
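The six-dimensional feature vector from the slide, computed for one answer IP from a constructed passive-DNS sample, as an added example (our code, not Anax's). What each feature measures, the CDN zone list, the probed-2LD sample and the special token “example” are our assumptions.

```python
from typing import List, Tuple

# Constructed passive-DNS observations (not the SIE feed): (rrname, A rdata) pairs as
# a pDNS sensor would have recorded them over the training window.
PDNS: List[Tuple[str, str]] = [
    ("www.example.com", "93.184.216.34"),
    ("example.com", "93.184.216.34"),
    ("mail.example.org", "93.184.216.34"),
    ("shop.example.org", "93.184.216.34"),
    ("a1.cdn-sample.net", "93.184.216.34"),
    ("example-login.test", "93.184.216.34"),
    ("example-login.test", "100.64.0.5"),
]
# Our assumptions: a sample of the probed 2LDs (the talk uses 131 Alexa-based zones),
# the bare label used for the "special" form (so a look-alike such as
# example-login.test counts), and a stand-in list of CDN zones.
DOMAINS_OF_INTEREST = {"example.com", "example.org"}
SPECIAL_TOKENS = {"example"}
CDN_ZONES = ("cdn-sample.net",)

def nld(name: str, n: int) -> str:
    """Last n labels of a name: nld("www.example.com", 2) == "example.com"."""
    return ".".join(name.lower().rstrip(".").split(".")[-n:])

def under(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)

def features(ip: str, pdns=PDNS) -> Tuple[int, int, int, float, float, float]:
    """Six-dimensional vector for one answer IP, in the order the slide lists.

    Our reading of the features: distinct names, 2LDs and 3LDs resolving to the IP;
    fraction of names under CDN zones; fraction whose 2LD is a probed zone; fraction
    with any label containing a special token.
    """
    names = sorted({n.lower() for n, a in pdns if a == ip})
    if not names:
        return (0, 0, 0, 0.0, 0.0, 0.0)
    total = len(names)
    cdn = sum(any(under(n, z) for z in CDN_ZONES) for n in names)
    doi = sum(nld(n, 2) in DOMAINS_OF_INTEREST for n in names)
    special = sum(any(t in lbl for lbl in n.split(".") for t in SPECIAL_TOKENS)
                  for n in names)
    return (total, len({nld(n, 2) for n in names}), len({nld(n, 3) for n in names}),
            cdn / total, doi / total, special / total)
```

An IP answering many names across several probed 2LDs yields a CDN-like vector, while one answering only a single look-alike name yields the opposite; that contrast is what modelling known benign vectors relies on.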


SLIDE 36

Experimental Setup

• Data collection for 8 months based on the scanning protocol
• First two months (01/2009 and 02/2009): training dataset
• Six months (03/2009 - 08/2009): testing dataset
• Hand verification of 1264 RRs (319 poisonous)
• Evaluation of the Anax classifier in two modes: standalone and in-line with the CIDR module
• After model selection we used IBk (Weka's k-nearest-neighbour learner) as the 2-class Anax classifier


SLIDE 37

ROC for Poisoning Detection in Anax

FP% = 0.6% and TP% = 91.9%

[Figure: ROC curves, True Positive Rate (0.8 to 1.0) against False Positive Rate (0 to 0.2), for Poison [with CIDR Module] and Poison [without CIDR Module]; inset: Precision (0.4 to 1.0) against Threshold (0.1 to 0.6).]

The FP rate and TP rate are not packet rates but RR rates. eBay had 137 unique RRs in 8 months. During that period less than one RR would be misclassified by Anax.


SLIDE 38

Domain Name          NS                               Date
amazon.com           hu-bud02a-dhcp09-main.chello.hu  2009-07-26 07:39:05
amazon.com           ns1.m1be.com                     2009-03-19 10:36:58
americanexpress.com  c.exam-ple.com                   2009-03-20 14:15:44
americanexpress.com  d.exam-ple.com                   2009-05-05 20:30:47
bankofamerica.com    209.59.194.246                   2009-06-18 00:44:10
bankofamerica.com    209.59.195.246                   2009-06-18 00:44:10
capitalone.com       ns2.ram-host.com                 2009-08-06 14:08:51
att.com              ns.kins.co.kr                    2009-02-21 17:02:03

SLIDE 39

Domain Name          IPs              Owner
yahoo.com            209.130.36.159   NTT-COMMUNICATIONS
amazon.com           216.52.102.86    INTERNAP-2BLK
ebay.com             65.254.254.51    BIZLAND-SD
americanexpress.com  189.38.88.129    CYBERWEB NETWORKS
google.com           85.10.198.253    HETZNER-AS
visa.com             61.207.9.4       OCN NTT
microsoft.com        205.178.145.65   Network Solutions
google.com           65.98.8.192      FORTRESSITX

SLIDE 40

Conclusions

• DNS poisoning is a successful attack vector. Ignoring it will not make it go away.
• Poisoning cases “in the wild” call for faster deployment of DNSSEC.
• Anax provides “poison ex machina” using probes of ORDNS caches, placing you “on path” with the ORDNS.
• IP/DNS RRset reputation holds a stronger signal than RTTs. RTT might be more useful in “cloud-based poisoning” detection.
• Alternative uses of Anax: mass scanning (Conficker, Win-SPR patch deployment, “Internet/DNS CDC”).


SLIDE 41

Thank you for your time!
