Further Aspects of Passive DNS: Datamining, visualization and alternative implementations

SLIDE 1

Further Aspects of Passive DNS
Datamining, visualization and alternative implementations

Sebastien Tricaud (PicViz), Alexandre Dulaunoy (CIRCL.lu), L. Aaron Kaplan (CERT.at), David Durvaux (CERT.be), John Kristoff (Team Cymru)

June 19, 2012

SLIDE 2

Disclaimer

  • Passive DNS is a technique to collect only valid answers from authoritative or caching nameservers
  • By its design, privacy is preserved (e.g. no source IP addresses from resolvers are captured¹)
  • The DNS data collected is only publicly known DNS data
  • The research is done for the sole purpose of detecting malicious IP addresses, domains or content, to better protect users
  • Passive DNS implementations are subject to local rules

¹ Except if an application abuses DNS answers to track back its users.

SLIDE 3

“Passive DNS is to DNS ops as NetFlow is to net ops.” John Kristoff

SLIDE 4

Passive DNS - how it works

SLIDE 5

What’s the purpose? Some examples...

SLIDE 6

Detection of shared compromised web hosting - the enisa.eu case

  • Malicious links are regularly posted on compromised systems
  • What other services or domains are hosted on the same A/AAAA record?
  • What happens to the "infected" redirect (because the web hosting server is infected)?
  • How can Passive DNS help?

SLIDE 7

EG (Egypt being offline)

  • Discover non-resolvable domains using nameservers in Egypt
  • Interesting discovery: randomstring.medicpills.ru (→ less spam?)
  • The BIT.LY case is similar (when Libya was offline)
  • Passive DNS helps to find interdependencies among services

SLIDE 8

Malware infection

  • History of a domain name in conjunction with NetFlow records
  • Find short-lived domain names
  • Get back their A/AAAA records
  • and find infected PCs in your NetFlow
  • Quick win!
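The two use cases above, slide 6 (which other names share a compromised host's A record) and slide 8 (short-lived names joined against NetFlow), as an added worked example in Python. This is not code from pdns-toolkit or from any of the implementations listed in this deck; the record layout, the two in-memory indexes, the sample DNS observations and the NetFlow tuples are all constructed here for illustration.

```python
"""Toy passive DNS store with the two queries from slides 6 and 8.

Added example, not code from pdns-toolkit or the CERT.at/CERT.be/Team Cymru
implementations. Record layout, indexes and all sample data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Record:
    rrname: str          # owner name, normalised to lowercase and fully qualified
    rrtype: str          # "A", "AAAA", "NS", ...
    rdata: str           # the answer, e.g. "198.51.100.7"
    first_seen: datetime
    last_seen: datetime
    count: int = 1       # number of times this (rrname, rrtype, rdata) tuple was observed


def _fqdn(name):
    return name.lower().rstrip(".") + "."


class PassiveDNS:
    """Two indexes, the way a key-value store would keep them: by name and by rdata."""

    def __init__(self):
        self._records = {}                 # (rrname, rrtype, rdata) -> Record
        self._by_rdata = defaultdict(set)  # rdata -> set of keys into _records

    def add(self, rrname, rrtype, rdata, seen):
        """Merge one observed answer tuple into the store (no client IP is kept)."""
        key = (_fqdn(rrname), rrtype.upper(), rdata)
        rec = self._records.get(key)
        if rec is None:
            self._records[key] = Record(*key, first_seen=seen, last_seen=seen)
            self._by_rdata[rdata].add(key)
        else:
            rec.first_seen = min(rec.first_seen, seen)
            rec.last_seen = max(rec.last_seen, seen)
            rec.count += 1

    def forward(self, rrname):
        """History of a name: every answer ever observed for it."""
        name = _fqdn(rrname)
        return [r for (n, _, _), r in self._records.items() if n == name]

    def reverse(self, rdata):
        """Slide 6: which other names resolved to this address (shared hosting)?"""
        return [self._records[k] for k in sorted(self._by_rdata.get(rdata, ()))]

    def short_lived(self, max_age_days):
        """Slide 8: A/AAAA names whose whole observed lifetime is under max_age_days."""
        limit = timedelta(days=max_age_days)
        return [r for r in self._records.values()
                if r.rrtype in ("A", "AAAA") and r.last_seen - r.first_seen < limit]


def infected_hosts(pdns, flows, max_age_days=3, grace_days=1):
    """Slide 8: join the A/AAAA rdata of short-lived names against NetFlow.

    flows: iterable of (timestamp, src_ip, dst_ip, dst_port). A flow only counts
    if it falls inside the name's observation window (plus grace_days on each
    side), so an address reused later by someone else does not flag the client.
    Returns {src_ip: {dst_ip, ...}}.
    """
    grace = timedelta(days=grace_days)
    windows = defaultdict(list)  # dst_ip -> [(first_seen - grace, last_seen + grace)]
    for r in pdns.short_lived(max_age_days):
        windows[r.rdata].append((r.first_seen - grace, r.last_seen + grace))
    hits = defaultdict(set)
    for ts, src, dst, _port in flows:
        if any(lo <= ts <= hi for lo, hi in windows.get(dst, ())):
            hits[src].add(dst)
    return dict(hits)


def build_sample():
    """Constructed sample: two customers on one shared host, one throw-away C2 name."""
    t0 = datetime(2012, 6, 1)
    pdns = PassiveDNS()
    for day in range(30):   # long-lived legitimate site on a shared host
        pdns.add("www.example-hosting.net", "A", "198.51.100.7", t0 + timedelta(days=day))
    pdns.add("shop.example-two.org", "A", "198.51.100.7", t0 + timedelta(days=5))
    pdns.add("shop.example-two.org", "A", "198.51.100.7", t0 + timedelta(days=20))
    # throw-away name, seen on two consecutive days only
    pdns.add("k3j9x.example-c2.biz", "A", "203.0.113.45", t0 + timedelta(days=10))
    pdns.add("k3j9x.example-c2.biz", "A", "203.0.113.45", t0 + timedelta(days=11))
    flows = [  # constructed NetFlow tuples: (timestamp, src, dst, dst_port)
        (t0 + timedelta(days=10, hours=3), "10.0.0.21", "198.51.100.7", 80),
        (t0 + timedelta(days=10, hours=12), "10.0.0.37", "203.0.113.45", 443),
        (t0 + timedelta(days=10, hours=13), "10.0.0.37", "192.0.2.9", 53),
        (t0 + timedelta(days=25), "10.0.0.42", "203.0.113.45", 8080),  # IP reused later
    ]
    return pdns, flows


if __name__ == "__main__":
    pdns, flows = build_sample()
    print("same host as www.example-hosting.net:",
          [r.rrname for r in pdns.reverse("198.51.100.7")])
    print("short-lived:", [r.rrname for r in pdns.short_lived(3)])
    print("infected:", infected_hosts(pdns, flows))
```

The time window in infected_hosts is the check a practitioner wants on the "quick win": a C2 address that is later reassigned to a legitimate service would otherwise flag every client that talks to it for as long as the short-lived record stays in the store.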

SLIDE 9

Passive DNS implementations

  • BFK (F. Weimer) passive dns (presented at FIRST 2005)
  • CIRCL pdns-toolkit (github.com/adulau/pdns-toolkit/)
  • CERT.at passive dns (access upon request)
  • CERT.ee passive dns
  • CERT.lv passive dns
  • ISC DNSDB (https://dnsdb.isc.org/)
  • The University of Auckland DNS History Database Project (DHDB)
  • Team Cymru passive dns

SLIDE 10

Passive DNS design comparison - an ecosystem

                     CIRCL pdns-toolkit     CERT.at passive dns
  datastore          Redis                  PostgreSQL + memcached
  storage            memory                 hybrid
  exhaustive         -                      +
  space efficient    ++                     +
  input              pcap                   dnscap
  output             nmsg
  open source        yes                    ask

SLIDE 11

Some statistics from the CERT.at Passive DNS...

SLIDE 12

Storing Passive DNS - CIRCL.lu perspective

  • Implementing the storage of a Passive DNS can be challenging
  • Started from a standard RDBMS and then moved to a key-value store
  • We learned to hate² hard disk drives and to love random access memory
  • Loving memory is great, especially now that it is cheap and addressable in 64 bits

² Exception → only used for data store snapshots

SLIDE 13

Passive DNS + Ranked domains - Where visualization can help

  • Now, we have 50 million lines of ranked hostnames...

    ...
    www.stopacta.info.
    www.vista-care.com.
    breadworld.com.
    o-o.resolver.A.B.C.D.5xevqnwsds5zdq34.metricz.l.google.com.
    www.thechinagarden.com.
    smtp10.dti.ne.jp.
    ...

SLIDE 14

Why visualization?

  • Understand big data
  • Find stuff we cannot guess

SLIDE 15

Choosing Parallel Coordinates

  • Display as many dimensions as wanted (yes, as many)
  • Display as much data as wanted (I mean it!)

SLIDE 16

Interesting patterns

SLIDE 17

Picvizing a CIRCL passive DNS dataset

SLIDE 18

Picviz with subdomains split

SLIDE 19

Reward: highest is youtube

SLIDE 20

Subdomain entropy

Only one sub-domain has an entropy³ > 4.8

³ Shannon entropy

SLIDE 21

Subdomain entropy

Only one sub-domain has an entropy⁴ > 4.8

⁴ Shannon entropy

SLIDE 22

Scatter plot - finding outliers

SLIDE 23

Scatter plot - finding outliers - covert channel?

  030066363663643937306531[..].36393764313333653763.lbl8.mailshell.net
  t10000.u1318235395163.s203679668[..]-1329.zv6lit-null.zrdtd-1311.zr6td-null.results.potaroo.net
  03003064303831663965386[..].64306561343837346533.lbl8.mailshell.net

SLIDE 24

Searching for Zeus

Using the broad Polish CERT regex [a-z0-9]{32,48}\.(ru|com|biz|info|org|net)

  • We get some cool domains:
  • cg79wo20kl92doowfn01oqpo9mdieowv5tyj.com
  • eef795a4eddaf1e7bd79212acc9dde16.net
  • but more important, we got a visualization profile to find outliers not matching the regexp

SLIDE 25

Conclusion

  • Passive DNS is an infinite source of security data for mining
  • A team of passive DNS people is at your service, contact us!
  • (Adequate) visualization is an appropriate way to discover unknown malicious or suspicious services
  • This finally helps CSIRTs to act earlier on incidents
  • Common output format for different implementations (work in progress)

SLIDE 26

Q&A

  • alexandre.dulaunoy@circl.lu
  • sebastien@honeynet.org
  • kaplan@cert.at
  • david.durvaux@cert.be
  • jtk@cymru.com
