current issues of malicious domains blocking
play

CURRENT ISSUES OF MALICIOUS DOMAINS BLOCKING Tuesday 9 th April, - PowerPoint PPT Presentation

Nov 04, 2023 •229 likes •427 views

CURRENT ISSUES OF MALICIOUS DOMAINS BLOCKING Tuesday 9 th April, 2019 Stanislav paek Martin Latovika, Martin Hork and Tom Plesnk Introduction Malicious Domains Attackers may register their own domains May host phishing

  1. CURRENT ISSUES OF MALICIOUS DOMAINS BLOCKING Tuesday 9 th April, 2019 Stanislav Špaček Martin Laštovička, Martin Horák and Tomáš Plesník

  2. Introduction Malicious Domains Attackers may register their own domains May host phishing websites or distribute malware Using the DNS provides attackers with: Trustworthy links A way to avoid IP firewalls DNS Firewall A "clever" resolver Checks its domain blacklist before forwarding DNS query Current Issues of Malicious Domains Blocking Page 2 / 19

  3. Basic DNS FW Model Current Issues of Malicious Domains Blocking Page 3 / 19

  4. Technology DNS Response Policy Zones The only open standard for DNS Fireall up-to-date Integrated into BIND and Windows Server 2016 Provides only the resolver-side support Proprietary Technologies Commercial application of the DNS Firewall, often as a service A lot of providers – Infoblox, FarsightSecurity, SpamHaus Current Issues of Malicious Domains Blocking Page 4 / 19

  5. CSIRT Requirements 1. Functions Integration 2. Logging 3. Blacklist Sharing 4. User Education Current Issues of Malicious Domains Blocking Page 5 / 19

  6. CSIRT Requirements – Integration 1. Functions Integration Manage the DNS FW operation through a GUI Integrate the GUI along other cybersecurity tools Current Issues of Malicious Domains Blocking Page 6 / 19

  7. CSIRT Requirements – Logging 2. Logging User Data Generated as the DNS queries hit the DNS FW blacklist Analysis may point incident handlers to an infected device Management Data Generated as incident handlers manage the DNS FW Allows keeping track of blacklist history Current Issues of Malicious Domains Blocking Page 7 / 19

  8. CSIRT Requirements – Sharing 3. Blacklist Sharing Blocking a domain after or during an attack may be too late Sharing blacklists between CSIRTs and other institutions allows for proactive domain blocking Current Issues of Malicious Domains Blocking Page 8 / 19

  9. CSIRT Requirements – Education 4. User Education The DNS FW may redirect the connections instead of blocking them User is redirected on a safe landing page with the details about the incident It is a direct and immediate way to tell the user what just happened Current Issues of Malicious Domains Blocking Page 9 / 19

  10. Advanced DNS FW Model Current Issues of Malicious Domains Blocking Page 10 / 19

  11. Implementation Based on the DNS Response Policy Zones standard Contains other modules to meet the CSIRT requirements Integration - GUI in the currently used incident handling software Logging - database backend with a visualization plugin Sharing - supported by the DNS RPZ itself Education - landing page with a report form Several open issues prevent implementing the "ideal" model Current Issues of Malicious Domains Blocking Page 11 / 19

  12. Open Issues Transition to HTTPs Blacklist Sharing Few Open Implementations Easy to Bypass Current Issues of Malicious Domains Blocking Page 12 / 19

  13. Open Issues Transition to HTTPs Certificate check of the browser makes redirection impossible Breaks the direct way to inform the user about the incident Users can be contacted outside of the DNS Firewall Current Issues of Malicious Domains Blocking Page 13 / 19

  14. Open Issues Blacklist Sharing Issue with the blacklist trustworthiness Blacklisting a harmless domain may cause severe disruption of institution’s services A serious issue if the feedback from users is not possible Current Issues of Malicious Domains Blocking Page 14 / 19

  15. Open Issues Few Open Implementations The DNS Response Policy Zones is the only open standard Every institution has to develop its own service backend Current Issues of Malicious Domains Blocking Page 15 / 19

  16. Open Issues Easy to Bypass The DNS resolver is easy to change in open network More significant issue if the firewall is used to enforce a policy In some cases may be mitigated by exerting more control over the network Current Issues of Malicious Domains Blocking Page 16 / 19

  17. Current Results DNS Firewall is active on a campus network with around 43 000 devices The blacklist contains 135 domains manually added and known to be malicious Since November 2018, 10 230 incidents were detected, originating from 507 unique devices Current Issues of Malicious Domains Blocking Page 17 / 19

  18. Summary Our testing shows that DNS firewall is a concept that covers another possible hole in the security of a private network There exists at least one open source technology for DNS FW implementation - DNS RPZ The technology allows implementing the DNS FW itself, but cannot satisfy all the CSIRT requirements yet Integration Logging Sharing Education Current Issues of Malicious Domains Blocking Page 18 / 19

  19. THANK YOU FOR YOUR ATTENTION Stanislav Špaček csirt.muni.cz @csirtmu spaceks@ics.muni.cz

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Monitoring the Initial DNS Behavior of Malicious Domains Shuang Hao (Gatech) , Nick Feamster

Monitoring the Initial DNS Behavior of Malicious Domains Shuang Hao (Gatech) , Nick Feamster

Monitoring the Initial DNS Behavior of Malicious Domains Shuang Hao (Gatech) , Nick Feamster (Gatech) , Ramakant Pandrangi (Verisign, Inc.) Motivation DNS: A Critical Internet Service A distributed database mapping host names to IPs Most

377 views • 16 slides
Delay Aware Packet Scheduling (DAPS) and receivers buffer blocking in CMT-SCTP Nicolas KUHN 1 ,

Delay Aware Packet Scheduling (DAPS) and receivers buffer blocking in CMT-SCTP Nicolas KUHN 1 ,

Window blocking issues and maximum blocking time Delay Aware Packet Scheduling Conclusion Delay Aware Packet Scheduling (DAPS) and receivers buffer blocking in CMT-SCTP Nicolas KUHN 1 , 2 , Golam SARWAR 2 , Emmanuel LOCHIN 1 , Roksana BORELI

555 views • 13 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
Design of a blocking-resistant anonymity system Roger Dingledine, Nick Mathewson The Tor Project

Design of a blocking-resistant anonymity system Roger Dingledine, Nick Mathewson The Tor Project

Design of a blocking-resistant anonymity system Roger Dingledine, Nick Mathewson The Tor Project 1 Outline Crash course on Tor Goals for blocking resistance Assumptions (threat model) What Tor offers now Current proxy

1.07k views • 70 slides
Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of

Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of

Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of Oslo, N-0316 Oslo, Norway Spring 2008 Computational Physics II FYS4410 Outline Data Blocking Why blocking? What is blocking? Blocking in

626 views • 14 slides
Current Trends and Issues in Current Trends and Issues in Public Warning Public Warning

Current Trends and Issues in Current Trends and Issues in Public Warning Public Warning

I nternational Telecom m unication Union ITU-T Keynote Address Geneva, 19 Oct 2006 Current Trends and Issues in Current Trends and Issues in Public Warning Public Warning Activities in the Private S ector Tony Rutkowski, VeriS ign VP

579 views • 13 slides
Blocking in the 2 k Design Blocking may be required because: we cannot perform all required runs

Blocking in the 2 k Design Blocking may be required because: we cannot perform all required runs

ST 516 Experimental Statistics for Engineers II Blocking in the 2 k Design Blocking may be required because: we cannot perform all required runs under homogeneous conditions; e.g. raw material comes in limited batches; we want to carry out runs

487 views • 23 slides
Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of

Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of

Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of Oslo, N-0316 Oslo, Norway Spring 2008 Computational Physics II FYS4410 Outline Data Blocking Implementing blocking Using vmc blocking

210 views • 8 slides
New Top-Level-Domains Regulatory issues, dispute resolution and rights protection Dr. Tobias

New Top-Level-Domains Regulatory issues, dispute resolution and rights protection Dr. Tobias

New Top-Level-Domains Regulatory issues, dispute resolution and rights protection Dr. Tobias Mahler Norwegian Research Center for Computers and Law, University of Oslo 1 Agenda The new gTLD program Internet Governance & regulatory

696 views • 31 slides
Blocking and Non-blocking Checkpointing and Rollback Recovery for Networks-on-Chip Claudia Rusu 1

Blocking and Non-blocking Checkpointing and Rollback Recovery for Networks-on-Chip Claudia Rusu 1

Blocking and Non-blocking Checkpointing and Rollback Recovery for Networks-on-Chip Claudia Rusu 1 , Cristian Grecu 2 , Lorena Anghel 1 1 TIMA Laboratory, CNRS-UJF-INP, Grenoble, France 2 SoC Laboratory, University of British Columbia, Vancouver,

700 views • 23 slides
A Bestiary of Ugly Malware A non-scientific survey of current day malicious software, as seen in

A Bestiary of Ugly Malware A non-scientific survey of current day malicious software, as seen in

A Bestiary of Ugly Malware A non-scientific survey of current day malicious software, as seen in the wild Marion Marschalek | marion@0x1338.at | @pinkflawd Software that steals your data Software that destroys your data Software that abuses

472 views • 23 slides
plants. 1 Outline Current Issues Explanation of MMS and What it measures MMS

plants. 1 Outline Current Issues Explanation of MMS and What it measures MMS

plants. 1 Outline Current Issues Explanation of MMS and What it measures MMS locations Benefits Users experience and results 2 Current Issues Fluctuations in moisture unknown throughout the day QC tech does not

704 views • 9 slides
Special Educa,on 1 Agenda 1) Current Issues and Challenges about Special Educa,on 2) Current

Special Educa,on 1 Agenda 1) Current Issues and Challenges about Special Educa,on 2) Current

Special Educa,on 1 Agenda 1) Current Issues and Challenges about Special Educa,on 2) Current Strategies to Address Issues and Challenges 3) A Path Forward 2 Introduc,on LAUSD serves one of the largest popula,ons of students with

243 views • 20 slides
R. Machleidt University of Idaho Current status & current issues How to address the open

R. Machleidt University of Idaho Current status & current issues How to address the open

2017 ICNT Program at FRIB, FRIB-MSU, East Lansing, Michigan, March 22 April 12, 2017 R. Machleidt University of Idaho Current status & current issues How to address the open issues? Consistent interactions up to N4LO Keeping

746 views • 55 slides
Domains of Warfare Space Sp ace Cybe Cy ber- Air ir Sp Space ace Five Fi Domains of

Domains of Warfare Space Sp ace Cybe Cy ber- Air ir Sp Space ace Five Fi Domains of

Domains of Warfare Space Sp ace Cybe Cy ber- Air ir Sp Space ace Five Fi Domains of Doma of Warfar are Lan and Se Sea Joint M ultinational Combined Arms Live-Fire Exercise Camp Grayling-Alpena CRTC 2010-2018 NORTHERN

310 views • 4 slides
Facial Recognition Soren Frederiksen VP of Innovation Lab 2019 Ensuring safer tomorrows 1

Facial Recognition Soren Frederiksen VP of Innovation Lab 2019 Ensuring safer tomorrows 1

Facial Recognition Soren Frederiksen VP of Innovation Lab 2019 Ensuring safer tomorrows 1 Who am I Soren Frederiksen VP of Innovation Lab Electrical Engineer from Denmark 30 year developing software Neural Networks

316 views • 21 slides
Manipulation of Stable Matchings the Depths Summary using Minimal Blacklists Yannai A.

Manipulation of Stable Matchings the Depths Summary using Minimal Blacklists Yannai A.

Background A Poll Results Overview A Peek Into Manipulation of Stable Matchings the Depths Summary using Minimal Blacklists Yannai A. Gonczarowski The Hebrew University of Jerusalem Microsoft Research July 29, 2014 Proc. of the 15 th ACM

1.42k views • 129 slides
Name Detection System By Auke Zwaan DNS DNS DNS Give me google. gle.nl nl DNS Give me

Name Detection System By Auke Zwaan DNS DNS DNS Give me google. gle.nl nl DNS Give me

Malicious Domain Name Detection System By Auke Zwaan DNS DNS DNS Give me google. gle.nl nl DNS Give me google. gle.nl nl Okay. 64.233. 4.233.166.9 66.94 Research Question Is it possible to detect ma malic iciou ious do domain

455 views • 45 slides
Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler

Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler

Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler phessler@openbsd.org OpenBSD 17 March, 2013 1 / 27 what is this spamd uses IP host entries, to whitelist, blacklist or greylist hosts spamd can import and

412 views • 27 slides
Smart Vis isitor Tracking System VISITOR Visitor Tracking Features: Quick and seamless visitor

Smart Vis isitor Tracking System VISITOR Visitor Tracking Features: Quick and seamless visitor

Smart Vis isitor Tracking System VISITOR Visitor Tracking Features: Quick and seamless visitor entrance & exit. Real-time indoor & outdoor tracking of visitors. SMS, screen pop up & email alerts. Alerts if a visitor strays from

382 views • 12 slides
Tax Havens ns Blacklists klists and similar lar regimes es in Iberoameric oamerica Chairman:

Tax Havens ns Blacklists klists and similar lar regimes es in Iberoameric oamerica Chairman:

Tax Havens ns Blacklists klists and similar lar regimes es in Iberoameric oamerica Chairman: Prof. Dr. Martin Wenz General Reporter: Andrs Bez Blacklisting Aim Protection of national tax base and tax revenue against Distortions

439 views • 14 slides
Cairo, Egypt on 5-6 April 2017. THE WEST AFRICA REGIONAL SYSTEM TO COMBAT WEST AFRICA REGIONAL

Cairo, Egypt on 5-6 April 2017. THE WEST AFRICA REGIONAL SYSTEM TO COMBAT WEST AFRICA REGIONAL

Counterfeit ICT Devices, Conformance and Interoperability Testing Challenges in Africa Cairo, Egypt on 5-6 April 2017. THE WEST AFRICA REGIONAL SYSTEM TO COMBAT WEST AFRICA REGIONAL SYSTEM TO COMBAT COUNTERFEIT DEVICES WEST AFRICA REGIOTO

474 views • 26 slides
FIGHT AGAINST CORRUPTION IN TURKISH PUBLIC PROCUREMENT SYSTEM Mustafa aatay Tayrek Head

FIGHT AGAINST CORRUPTION IN TURKISH PUBLIC PROCUREMENT SYSTEM Mustafa aatay Tayrek Head

FIGHT AGAINST CORRUPTION IN TURKISH PUBLIC PROCUREMENT SYSTEM Mustafa aatay Tayrek Head of International Relations Department Public Procurement Authority Content Introduction Turkish Public Procurement System Legislative

1.18k views • 22 slides

More recommend