detection and mitigation of fast flux service networks
play

Detection and Mitigation of Fast-Flux Service Networks Thorsten - PowerPoint PPT Presentation

Dec 22, 2023 •198 likes •634 views

Detection and Mitigation of Fast-Flux Service Networks Thorsten Holz, Christian Gorecki, Felix Freiling, Konrad Rieck Pi1 - Laboratory for Dependable Distributed Systems Motivation Yesterday: presentation by Dagon Corrupt DNS

  1. Detection and Mitigation of Fast-Flux Service Networks Thorsten Holz, Christian Gorecki, Felix Freiling, Konrad Rieck Pi1 - Laboratory for Dependable Distributed Systems

  2. Motivation • Yesterday: presentation by Dagon • “Corrupt DNS Resolution Paths” • Today: How attackers use DNS for malicious purposes, e.g., scam hosting UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  3. Motivation • Yesterday: presentation by Dagon • “Corrupt DNS Resolution Paths” • Today: How attackers use DNS for malicious purposes, e.g., scam hosting $ dig isoc.org ;; ANSWER SECTION: isoc.org. 38679 IN A 206.131.241.137 UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  4. Motivation $ dig dadusual.com ;; ANSWER SECTION: dadusual.com. 300 IN A 125.59.103.156 dadusual.com. 300 IN A 218.254.9.205 dadusual.com. 300 IN A 62.65.233.109 dadusual.com. 300 IN A 76.181.194.207 dadusual.com. 300 IN A 77.41.18.139 dadusual.com. 300 IN A 78.84.69.132 dadusual.com. 300 IN A 78.106.115.147 dadusual.com. 300 IN A 78.106.180.151 dadusual.com. 300 IN A 78.106.200.47 dadusual.com. 300 IN A 78.106.224.174 dadusual.com. 300 IN A 79.120.43.191 dadusual.com. 300 IN A 80.222.32.58 dadusual.com. 300 IN A 84.62.186.63 dadusual.com. 300 IN A 85.177.42.179 dadusual.com. 300 IN A 85.181.225.55 dadusual.com. 300 IN A 89.112.4.172 UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  5. Motivation $ dig dadusual.com ;; ANSWER SECTION: dadusual.com. 300 IN A 125.59.103.156 cm125-59-103-156.hkcable.com.hk. dadusual.com. 300 IN A 218.254.9.205 cm218-254-9-205.hkcable.com.hk. dadusual.com. 300 IN A 62.65.233.109 pc109.host41.starman.ee. dadusual.com. 300 IN A 76.181.194.207 cpe-76-181-194-207.columbus.res.rr.com. dadusual.com. 300 IN A 77.41.18.139 host-77-41-18-139.qwerty.ru. dadusual.com. 300 IN A 78.84.69.132 dadusual.com. 300 IN A 78.106.115.147 dadusual.com. 300 IN A 78.106.180.151 dadusual.com. 300 IN A 78.106.200.47 dadusual.com. 300 IN A 78.106.224.174 dadusual.com. 300 IN A 79.120.43.191 dadusual.com. 300 IN A 80.222.32.58 dadusual.com. 300 IN A 84.62.186.63 dadusual.com. 300 IN A 85.177.42.179 dadusual.com. 300 IN A 85.181.225.55 dadusual.com. 300 IN A 89.112.4.172 UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  6. Motivation UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  7. Outline • Introduction • Automated identification fast-flux domains • Measurement results • Two month period in July / August 2007 • Mitigation (briefly) • Conclusion UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  8. Introduction • Availability is important for commercial services • Techniques from the area of reliability engineering help to achieve availability • RAID or failover systems • Methods using DNS • Round-robin DNS • Content distribution networks (CDNs) UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  9. Introduction • Availability is important for commercial services • Techniques from the area of reliability engineering help to achieve availability • RAID or failover systems $ dig myspace.com • Methods using DNS ;; ANSWER SECTION: • Round-robin DNS myspace.com. 3410 IN A 216.178.38.104 myspace.com. 3410 IN A 216.178.38.121 • Content distribution networks (CDNs) myspace.com. 3410 IN A 216.178.38.116 UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  10. Introduction • Availability is important for commercial services • Techniques from the area of reliability engineering help to achieve availability • RAID or failover systems $ dig myspace.com $ dig myspace.com • Methods using DNS ;; ANSWER SECTION: ;; ANSWER SECTION: • Round-robin DNS myspace.com. 3409 IN A 216.178.38.116 myspace.com. 3410 IN A 216.178.38.104 myspace.com. 3409 IN A 216.178.38.104 myspace.com. 3410 IN A 216.178.38.121 • Content distribution networks (CDNs) myspace.com. 3409 IN A 216.178.38.121 myspace.com. 3410 IN A 216.178.38.116 UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  11. Introduction • Availability is important for commercial services • Techniques from the area of reliability engineering help to achieve availability • RAID or failover systems $ dig myspace.com $ dig myspace.com $ dig myspace.com • Methods using DNS ;; ANSWER SECTION: ;; ANSWER SECTION: ;; ANSWER SECTION: • Round-robin DNS myspace.com. 3410 IN A 216.178.38.104 myspace.com. 3409 IN A 216.178.38.116 myspace.com. 3408 IN A 216.178.38.121 myspace.com. 3409 IN A 216.178.38.104 myspace.com. 3410 IN A 216.178.38.121 myspace.com. 3408 IN A 216.178.38.116 • Content distribution networks (CDNs) myspace.com. 3408 IN A 216.178.38.104 myspace.com. 3409 IN A 216.178.38.121 myspace.com. 3410 IN A 216.178.38.116 UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  12. Introduction • Availability is important for commercial services • Techniques from the area of reliability engineering help to achieve availability • RAID or failover systems • Methods using DNS • Round-robin DNS • Content distribution networks (CDNs) UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  13. Introduction • Note: illegal commercial organizations also need high availability • Scammer only earns money if pharmacy shop is online • Phisher needs to have phishing site online • Our starting point: • How do attackers achieve high availability? UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  14. FFSNs • If scammers could advertise multiple IP addresses for a given domain, shutdown would be harder • Botherder could use idea behind RRDNS to split botnet across multiple C&C server • Technique used: Fast-flux service networks • Fast change in DNS answers • Recent paper by Honeynet Project UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  15. FFSNs • Given fast-flux domain returns few IP addresses from large pool of compromised machines (“flux agents”) • After the (low) TTL expired, return different subset UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  16. FFSNs • Given fast-flux domain returns few IP addresses from large pool of compromised machines (“flux agents”) • After the (low) TTL expired, return different subset ;; ANSWER SECTION: thearmynext.info. 600 IN A 69.183.26.53 thearmynext.info. 600 IN A 76.205.234.131 thearmynext.info. 600 IN A 85.177.96.105 thearmynext.info. 600 IN A 217.129.178.138 thearmynext.info. 600 IN A 24.98.252.230 UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  17. FFSNs • Given fast-flux domain returns few IP addresses from large pool of compromised machines (“flux agents”) • After the (low) TTL expired, return different subset ;; ANSWER SECTION: thearmynext.info. 600 IN A 69.183.26.53 thearmynext.info. 600 IN A 76.205.234.131 thearmynext.info. 600 IN A 85.177.96.105 thearmynext.info. 600 IN A 217.129.178.138 thearmynext.info. 600 IN A 24.98.252.230 ;; ANSWER SECTION: thearmynext.info. 600 IN A 213.47.148.82 thearmynext.info. 600 IN A 213.91.251.16 thearmynext.info. 600 IN A 69.183.207.99 thearmynext.info. 600 IN A 91.148.168.92 thearmynext.info. 600 IN A 195.38.60.79 UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FluXOR: Detecting and Monitoring Fast-flux Service Networks Emanuele Passerini , Roberto Paleari,

FluXOR: Detecting and Monitoring Fast-flux Service Networks Emanuele Passerini , Roberto Paleari,

Universit` a degli Studi di Milano Facolt` a di Scienze Matematiche, Fisiche e Naturali Dipartimento di Informatica e Comunicazione FluXOR: Detecting and Monitoring Fast-flux Service Networks Emanuele Passerini , Roberto Paleari, Lorenzo

741 views • 35 slides
Think You Know Fast-Flux Domains? Think Again. New

Think You Know Fast-Flux Domains? Think Again. New

Think You Know Fast-Flux Domains? Think Again. New Trends in Fast-Flux Domains Wei Xu, Xinran Wang Palo Alto Networks What we used

453 views • 23 slides
Fast Flux Hosting and DNS ICANN SSAC What is Fast Flux Hosting? An evasion technique

Fast Flux Hosting and DNS ICANN SSAC What is Fast Flux Hosting? An evasion technique

Fast Flux Hosting and DNS ICANN SSAC What is Fast Flux Hosting? An evasion technique Goal Avoid detection and take down of web sites used for illegal purposes Technique Host illegal content at many sites Rapidly

617 views • 19 slides
Fast Flux Hosting Final Report GNSO Council Meeting 13 August 2009 1 January 2008: SAC 025

Fast Flux Hosting Final Report GNSO Council Meeting 13 August 2009 1 January 2008: SAC 025

Fast Flux Hosting Final Report GNSO Council Meeting 13 August 2009 1 January 2008: SAC 025 Fast Flux Hosting and DNS Characterizes Fast Flux (FF) as an evasion technique that enables cybercriminals to extend lifetime of compromised hosts

447 views • 19 slides
Flux Box Flux Box A concept by Flux Laboratory Flux box : concept Flux box : concept What is Flux

Flux Box Flux Box A concept by Flux Laboratory Flux box : concept Flux box : concept What is Flux

Flux Box Flux Box A concept by Flux Laboratory Flux box : concept Flux box : concept What is Flux Laboratory? ! ! The Flux Box holds the archives of many years of Flux creations and Flux Laboratory is a pluridisciplinary space, based in both

262 views • 11 slides
Mitigation of BGP Route Leaks ietf-idr-route-leak-detection-mitigation-06 (Route leak definition:

Mitigation of BGP Route Leaks ietf-idr-route-leak-detection-mitigation-06 (Route leak definition:

Methods for Prevention, Detection and Mitigation of BGP Route Leaks ietf-idr-route-leak-detection-mitigation-06 (Route leak definition: RFC 7908) K. Sriram, D. Montgomery, B. Dickson, K. Patel, and A. Robachevsky IDR Working Group Meeting,

244 views • 9 slides
Fast Reroute for Triple Play Networks Sachin Natu Product Management March 2006 IPTV Service

Fast Reroute for Triple Play Networks Sachin Natu Product Management March 2006 IPTV Service

Building Smart Broadband Networks TM Fast Reroute for Triple Play Networks Sachin Natu Product Management March 2006 IPTV Service Requirements IPTV Network Design Fast Reroute / Convergence Solutions - MPLS FRR - IGP Fast Convergence -

241 views • 21 slides
Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool

Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool

Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool Wayne Routly, Maurizio Molina - (DANTE) Ignasi Paredes-Oliva - Universitat Politcnica de Catalunya (UPC) Ashish Jain - (Guavus) TNC, Vilnius, 2 nd

378 views • 25 slides
FluxBuster Early Detec+on of Malicious Flux Networks via

FluxBuster Early Detec+on of Malicious Flux Networks via

FluxBuster Early Detec+on of Malicious Flux Networks via Large-Scale Passive DNS Traffic Analysis Roberto Perdisci S ecurity N etwork University of Georgia I ntelligence

530 views • 15 slides
Detection of a gamma-ray halo around Geminga and implications for the e+ flux Based on M. Di

Detection of a gamma-ray halo around Geminga and implications for the e+ flux Based on M. Di

Detection of a gamma-ray halo around Geminga and implications for the e+ flux Based on M. Di Mauro, S. Manconi, F . Donato arXiv:1903.05647, subm. PRD and arXiv:1908.03216 Fiorenza Donato Torino University and INFN TAUP 2019 - Toyama,

387 views • 15 slides
Flux Correction of the Land Surface Temperature in the UM Model Chen Li, Dietmar Dommenget What

Flux Correction of the Land Surface Temperature in the UM Model Chen Li, Dietmar Dommenget What

Flux Correction of the Land Surface Temperature in the UM Model Chen Li, Dietmar Dommenget What is Flux Correction? Coupled with Fully coupled Uncoupled flux correction Pros: Fast, cheap and easy to apply; Mean state bias can be significant

499 views • 19 slides
1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq

1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq

1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq Khan, Protick Bhowmick, Md. Shohrab Hossain, and Husnu S. Narman 2 Outlines Motivation Problem Contribution Results Conclusions 3

733 views • 34 slides
GPS INTEGRITY ASSESSMENT Interference for TIMING and NAVIGATION Detection & Mitigation

GPS INTEGRITY ASSESSMENT Interference for TIMING and NAVIGATION Detection & Mitigation

GAARDIAN GNSS AVAILABILITY ACCURACY RELIABILITY anD GPS INTEGRITY ASSESSMENT Interference for TIMING and NAVIGATION Detection & Mitigation A Technology Strategy Board funded collaboration Charles Curry, B.Eng, FIET MD

513 views • 25 slides
THE KM3NET/ARCA DETECTION CAPABILITY TO A DIFFUSE FLUX OF COSMIC NEUTRINOS R. Coniglione for the

THE KM3NET/ARCA DETECTION CAPABILITY TO A DIFFUSE FLUX OF COSMIC NEUTRINOS R. Coniglione for the

1 THE KM3NET/ARCA DETECTION CAPABILITY TO A DIFFUSE FLUX OF COSMIC NEUTRINOS R. Coniglione for the KM3NeT collaboration INFN - LNS Catania (Italy) KM3NeT 2 KM3NeT is a distributed research infrastructure in the Mediterranean Sea hosting

257 views • 13 slides
Recap from Monday Visualizing Networks Caffe overview Slides are now online Today

Recap from Monday Visualizing Networks Caffe overview Slides are now online Today

Recap from Monday Visualizing Networks Caffe overview Slides are now online Today Edges and Regions, GPB Fast Edge Detection Using Structured Forests Zhihao Li Holistically-Nested Edge Detection Yuxin Wu

1k views • 44 slides
Test of thin Ultra-Fast Silicon Detectors (UFSD) for monitoring of high flux charged particle

Test of thin Ultra-Fast Silicon Detectors (UFSD) for monitoring of high flux charged particle

Test of thin Ultra-Fast Silicon Detectors (UFSD) for monitoring of high flux charged particle beams V.Monaco (Universit di Torino and INFN, Italy) Z.Amadi, R.Arcidiacono, A.Attili, N.Cartiglia, M.Donetti, F.Fausti, M.Ferrero, S.Giordanengo, O.

559 views • 25 slides
Financial Results Presentation Q3 FY14: Quarter ended 31 December 2013 13 February 2014 Chua

Financial Results Presentation Q3 FY14: Quarter ended 31 December 2013 13 February 2014 Chua

Financial Results Presentation Q3 FY14: Quarter ended 31 December 2013 13 February 2014 Chua Sock Koong Group CEO 1 Forward looking statement important note The following presentation contains forward looking statements by the management

484 views • 29 slides
Link properties advertisement from modem to router

Link properties advertisement from modem to router

Link properties advertisement from modem to router draft-wood-dna-link-properties-advertisement-01 Lloyd Wood, Rajiv Asati and Daniel Floreani Cisco Systems Detecting Network Attachments session IETF 72, Dublin, July 2008. Contents Contents

500 views • 11 slides
Legal Issues about Metadata: Data Privacy vs Information Security Manuel Munier 1 V. Lalanne 1

Legal Issues about Metadata: Data Privacy vs Information Security Manuel Munier 1 V. Lalanne 1

Legal Issues about Metadata: Data Privacy vs Information Security Manuel Munier 1 V. Lalanne 1 P.Y. Ardoy 2 M. Ricarde 3 1 LIUPPA Universit e de Pau et des Pays de lAdour Mont de Marsan, France (IT security) 2 CRAJ Universit e de Pau

521 views • 34 slides
Talks outline iptables versus ipchains The goal (or: my goal) The packets way through

Talks outline iptables versus ipchains The goal (or: my goal) The packets way through

IP Masquerading using iptables Eli Billauer eli billauer@yahoo.com IP Masquerading using iptables p.1 Talks outline iptables versus ipchains The goal (or: my goal) The packets way through iptables Classic masquerading (SNAT)

785 views • 31 slides
Product update Broadband Products 1. ACN ADSL Need to know 2. ACN Naked DSL 3. ACN ADSL

Product update Broadband Products 1. ACN ADSL Need to know 2. ACN Naked DSL 3. ACN ADSL

Product update Broadband Products 1. ACN ADSL Need to know 2. ACN Naked DSL 3. ACN ADSL Bundle (with traditional Regional and metro areas phone line) ACN Naked DSL Bundle Envision 4. Set expectations around the end-to-

702 views • 34 slides
From a Client-Server based e-health Platform to a Pervasive Solution TELEFNICA I+D Date: 4 th

From a Client-Server based e-health Platform to a Pervasive Solution TELEFNICA I+D Date: 4 th

From a Client-Server based e-health Platform to a Pervasive Solution TELEFNICA I+D Date: 4 th of September 2007 Index 01 Seguitel: an eHealth Platform 02 Transformation to a Pervasive Service provisioning platform 03 Use of the Plastic

417 views • 15 slides
CPS 214: Computer Networks CPS 214: Computer Networks Slides by Adolfo Rodriguez Paper

CPS 214: Computer Networks CPS 214: Computer Networks Slides by Adolfo Rodriguez Paper

CPS 214: Computer Networks CPS 214: Computer Networks Slides by Adolfo Rodriguez Paper Evaluations Paper Evaluations 1 page maximum evaluation of reading for each class Evaluations submitted in advance of class from course Web page

582 views • 23 slides
P rt t

P rt t

P rt t t t s rs rs

970 views • 52 slides

More recommend