further aspects of passive dns
play

Further Aspects of Passive DNS Datamining, visualization and - PowerPoint PPT Presentation

Jan 26, 2024 •169 likes •435 views

Further Aspects of Passive DNS Datamining, visualization and alternative implementations Sebastien Tricaud (PicViz), Alexandre Dulaunoy (CIRCL.lu), L. Aaron Kaplan (CERT.at), David Durvaux (CERT.be), John Kristoff (Team Cymru) June 19, 2012

  1. Further Aspects of Passive DNS Datamining, visualization and alternative implementations Sebastien Tricaud (PicViz), Alexandre Dulaunoy (CIRCL.lu), L. Aaron Kaplan (CERT.at), David Durvaux (CERT.be), John Kristoff (Team Cymru) June 19, 2012

  2. Disclaimer • Passive DNS is a technique to collect only valid answers from authoritative or caching nameservers • By its design, privacy is preserved (e.g. no source IP addresses from resolvers are captured 1 ) • DNS data collected is only publicly known DNS data • The research is done in the sole purpose to detect malicious IP/domains or content to better protect users • Passive DNS implementations are subject to local rules 1 Except if an application abuses DNS answers to track back their users. 2 of 26

  3. “Passive DNS is to DNS ops as NetFlow is to net ops.” John Kristoff 3 of 26

  4. Passive DNS - how it works 4 of 26

  5. What’s the purpose? Some examples... 5 of 26

  6. Detection of shared compromised web hosting - the enisa.eu case • Regularly malicious links are posted on compromised systems • What are the other services or domains hosted on the same A/AAAA record? • What happens to ”infected” redirect (because the web hosting server is infected)? • How Passive DNS can help? 6 of 26

  7. EG (Egypt being offline) • Discover non resolvable domains using nameserver in Egypt • Interesting discovery randomstring .medicpills.ru ( → less spam?) • BIT.LY case is similar (when Libya was offline) • Passive DNS helps to find interdependecies among services 7 of 26

  8. Malware infection • History of a domain name in conjunction with Netflow records • Find shorted lived domain names • Get back the A/AAAA records • and find infected PCs in your Netflow. • Quick win! 8 of 26

  9. Passive DNS implementations • CERT.lv passive dns • BFK (F. Weimer a ) passive dns • ISC DNSDB a • CIRCL pdns-toolkit b • The University of • CERT.at passive dns c Auckland DNS History • CERT.ee passive dns Database Project (DHDB) a Presented at FIRST 2005 • Team Cymru passive dns b github.com/adulau/pdns-toolkit/ c access upon request a https://dnsdb.isc.org/ 9 of 26

  10. Passive DNS design comparison - an ecosystem CIRCL pdns-toolkit CERT.at passive dns datastore Redis PostgreSQL + memcached storage memory hybrid exhaustive - + space efficient ++ + input pcap, dnscap output nmsg open source yes ask 10 of 26

  11. Some statistics from the CERT.at Passive DNS. . . 11 of 26

  12. Storing Passive DNS - CIRCL.lu perspective • Implementing the storage of a Passive DNS can be challenging • Starting from standard RDBMS and then moved to a key-value store • We learned to hate 2 hard disk drive and to love random access memory • Loving memory is great especially when it’s now cheap and addressable in 64bits 2 exception → only used for data store snapshot 12 of 26

  13. Passive DNS + Ranked domains - Where visualization can help • Now, we have 50 millions lines of ranked hostname... ... www.stopacta.info. www.vista-care.com. breadworld.com. o-o.resolver.A.B.C.D.5xevqnwsds5zdq34.metricz.\ l.google.com. www.thechinagarden.com. smtp10.dti.ne.jp. ... 13 of 26

  14. Why visualization? • Understand big data • Find stuff we cannot guess 14 of 26

  15. Choosing Parallel Coordinates • Display as much dimensions wanted (yes, as many ) • Display as much data wanted (I mean it!) 15 of 26

  16. Interesting patterns 16 of 26

  17. Picvizing a CIRCL passive DNS dataset 17 of 26

  18. Picviz with subdomains split 18 of 26

  19. Reward: highest is youtube 19 of 26

  20. Subdomain entropy Only one sub-domain has an entropy 3 > 4.8 3 Shannon entropy 20 of 26

  21. Subdomain entropy Only one sub-domain has an entropy 4 > 4.8 4 Shannon entropy 21 of 26

  22. Scatter plot - finding outliers 22 of 26

  23. Scatter plot - finding outliers - covert channel? 030066363663643937306531[..].36393764313333653763.lbl8.mailshell.net t10000.u1318235395163.s203679668[..]-1329.zv6lit-null.zrdtd-1311.zr6td- null.results.potaroo.net 03003064303831663965386[..].64306561343837346533.lbl8.mailshell.net 23 of 26

  24. Searching for Zeus Using the broad Polish CERT regex [a-z0-9]{32,48}\.(ru|com|biz|info|org|net) • We get some cool domains: ◦ cg79wo20kl92doowfn01oqpo9mdieowv5tyj.com ◦ eef795a4eddaf1e7bd79212acc9dde16.net • but more important we got a visualization profile to find outliers not matching the regexp 24 of 26

  25. Conclusion • Passive DNS is an infinite source of security data mining • A team of passive DNS is at your services, contact us! • (adequate) Visualization is an appropriate way to discover unknown malicious or suspicious services • This finally helps CSIRTs to act earlier on the incidents • Common output format for different implementations (work in progress) 25 of 26

  26. Q&A • alexandre.dulaunoy@circl.lu • sebastien@honeynet.org • kaplan@cert.at • david.durvaux@cert.be • jtk@cymru.com 26 of 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it

Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it

Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it matter? Federal government changed rules, effective for tax years that begin after 2018. Canadian controlled private corporations (CPCC) Passive

193 views • 8 slides
Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive

Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive

Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive Components 02 Integrating and Upgrading 03 Questions 04 2 Passive System Overview ___ 3 Passive Gas System ___ 4 Passive Gas System Usually

332 views • 12 slides
Passive Fire Protection For the Oil & Gas Industry Passive Fire Protection What is purpose

Passive Fire Protection For the Oil & Gas Industry Passive Fire Protection What is purpose

Passive Fire Protection For the Oil & Gas Industry Passive Fire Protection What is purpose of fireproofing? To Save Lives To Preserve Assets To Prevent Escalation Passive Fire Protection Passive Fire Protection Passive Fire

311 views • 29 slides
A Novel Passive Adhesion Principle and Application for an Inspired Climbing Caterpillar Robot H.

A Novel Passive Adhesion Principle and Application for an Inspired Climbing Caterpillar Robot H.

Technical Aspects of Multimodal System Dept. Informatics, Faculty of Mathematics, Informatics and Natural Sciences University of Hamburg A Novel Passive Adhesion Principle and Application for an Inspired Climbing Caterpillar Robot H. Zhang,

408 views • 16 slides
What Are Active and Passive Voice? Can you write definitions for active and passive

What Are Active and Passive Voice? Can you write definitions for active and passive

What Are Active and Passive Voice? Can you write definitions for active and passive voice? Active Voice In an active sentence, the subject performs the action (the verb) to the object . Passive Voice In a passive sentence, the thing

610 views • 14 slides
Passive Transport (no energy input required) Passive Transport Passive transport is the

Passive Transport (no energy input required) Passive Transport Passive transport is the

Passive Transport (no energy input required) Passive Transport Passive transport is the movement of ions and other molecules across cell membranes without the need of energy input (ATP) Ions or molecules move from an area of higher

650 views • 33 slides
Multivariate Solutions to Emerging Passive DNS Challenges Dr. Paul Vixie, CEO and Dr. Joe St

Multivariate Solutions to Emerging Passive DNS Challenges Dr. Paul Vixie, CEO and Dr. Joe St

Multivariate Solutions to Emerging Passive DNS Challenges Dr. Paul Vixie, CEO and Dr. Joe St Sauver, Scientist 1 Agenda Introduction Passive DNS, Including Times When Passive DNS May Not Work Well Overcoming Obfuscation Pillz

962 views • 47 slides
Active / Passive Voice Acquistion THE PASSIVE VOICE IS EVIL. Two exceptions:

Active / Passive Voice Acquistion THE PASSIVE VOICE IS EVIL. Two exceptions:

Active / Passive Voice Acquistion THE PASSIVE VOICE IS EVIL. Two exceptions: blame-shifting scientific writing Acquisition Active Voice: the subject performs the action of the verb Example: The dog attacked my neighbor.

595 views • 21 slides
How Fast Does a Passive Scalar Decay? (Decay of Chaotically Advected Passive Scalars in the Zero

How Fast Does a Passive Scalar Decay? (Decay of Chaotically Advected Passive Scalars in the Zero

How Fast Does a Passive Scalar Decay? (Decay of Chaotically Advected Passive Scalars in the Zero Diffusivity Limit) Yue-Kin Tsang Courant Institute of Mathematical Sciences New York University Thomas M. Antonsen, Jr. and Edward Ott University

381 views • 24 slides
Background and involvement in passive seismic Passive Seismic in the Literature World Oil

Background and involvement in passive seismic Passive Seismic in the Literature World Oil

Background and involvement in passive seismic Passive Seismic in the Literature World Oil Article Geo Expo Article AAGP Explorer Article Basic Equipment Gear and ATV Seismometer Data Recorder Monitor Hookup Problems Problems Wind

733 views • 42 slides
1 Measurement Passive Measurements Sprint has a passive measurement architecture Passive

1 Measurement Passive Measurements Sprint has a passive measurement architecture Passive

Introduction Impact of Link Failures on VoIP Performance Tier-1 ISPs interested in providing Voice- Over-IP (VoIP) Need to provide quality International Workshop on Network and Operating Voice quality and availability System

394 views • 6 slides
Passive Voice vs. Active Voice 1 06.19.10 || English 1301: Composition I || D. Glen Smith,

Passive Voice vs. Active Voice 1 06.19.10 || English 1301: Composition I || D. Glen Smith,

Passive Voice vs. Active Voice 1 06.19.10 || English 1301: Composition I || D. Glen Smith, instructor Passive Verbs Avoid excessive use of passive verbs. They can bog down descriptive writing and create boring sentences. (See Bedford p 142.)

202 views • 5 slides
PASSIVE HOUSE: Building Inherent Value Owner/Developer: Homeowners Rehab FINCH CAMBRIDGE

PASSIVE HOUSE: Building Inherent Value Owner/Developer: Homeowners Rehab FINCH CAMBRIDGE

PASSIVE HOUSE: Building Inherent Value Owner/Developer: Homeowners Rehab FINCH CAMBRIDGE 98 affordable family units Opening April 1 2020 Surge in Interest in Passive House in MA Fall 2018: Mass CEC Passive House Design Incentives

626 views • 20 slides
Passive Sampling of Porewater Porewater for the for the Passive Sampling of In- -situ

Passive Sampling of Porewater Porewater for the for the Passive Sampling of In- -situ

Passive Sampling of Porewater Porewater for the for the Passive Sampling of In- -situ Assessment of Bioavailability situ Assessment of Bioavailability In Danny D. Reible, PhD, PE, DEE, NAE University of Texas Linking Sediment Exposure and

543 views • 23 slides
Safety (Electronics) is Still Beating Tom Borninski Autoliv Electronics America Passive Safety

Safety (Electronics) is Still Beating Tom Borninski Autoliv Electronics America Passive Safety

The Heart of Passive Safety (Electronics) is Still Beating Tom Borninski Autoliv Electronics America Passive Safety and Our Naming Problem With ~15 years and many millions of these hearts of passive safety in existence, we still

269 views • 11 slides
Scrutinizing a Country using Passive DNS and Picviz or how to analyze big dataset without loosing

Scrutinizing a Country using Passive DNS and Picviz or how to analyze big dataset without loosing

Scrutinizing a Country using Passive DNS and Picviz or how to analyze big dataset without loosing your mind Sebastien Tricaud, Alexandre Dulaunoy March 10, 2012 Disclaimer Passive DNS is a technique to collect only valid answers from

772 views • 38 slides
Two Character Country Codes at the Second Level in New gTLDs Laurent Ferrali June 2019 | 1

Two Character Country Codes at the Second Level in New gTLDs Laurent Ferrali June 2019 | 1

Two Character Country Codes at the Second Level in New gTLDs Laurent Ferrali June 2019 | 1 Setting the Scene | 2 | 2 Framework of the GAC Discussion 1 Specification 5, Section 2 of the Draft new gTLD Registry Agreement (part of the New

675 views • 16 slides
Soft local times Serguei Popov, Augusto Teixeira Serguei Popov, Augusto Teixeira Soft local

Soft local times Serguei Popov, Augusto Teixeira Serguei Popov, Augusto Teixeira Soft local

Soft local times Serguei Popov, Augusto Teixeira Serguei Popov, Augusto Teixeira Soft local times we describe a method for simulating an adapted stochastic process on a general space by means of a Poisson point process on R + ;

325 views • 8 slides
Lifestyle risks and harmonisa2on of na2onal laws Frederic

Lifestyle risks and harmonisa2on of na2onal laws Frederic

Lifestyle risks and harmonisa2on of na2onal laws Frederic Geber, LL.M. Saarland University, Saarbrcken Agenda 1. Harmonisa2on What is it? 2. Competences

291 views • 8 slides
Sc Scru rumMaster mMaster ro role le So much more than you think it is! Gathering Activity

Sc Scru rumMaster mMaster ro role le So much more than you think it is! Gathering Activity

Sc Scru rumMaster mMaster ro role le So much more than you think it is! Gathering Activity : Please grab a sharpie and Post-It pad and contribute to the charts on the left wall 2018, Agile for All Steve Spearman Certified Scrum

327 views • 30 slides
rohc Robust Header Compression 50th IETF March 2001 Minneapolis Chairs: Carsten Bormann

rohc Robust Header Compression 50th IETF March 2001 Minneapolis Chairs: Carsten Bormann

rohc Robust Header Compression 50th IETF March 2001 Minneapolis Chairs: Carsten Bormann <cabo@tzi.org> Mikael Degermark <micke@cs.arizona.edu> Mailing List: rohc@cdt.luth.se Digitale Medien und Netze 1 50 th IETF: Agenda (from

552 views • 30 slides
Socially optimal allocation of ATM resources via truthful market-based mechanisms Tobias

Socially optimal allocation of ATM resources via truthful market-based mechanisms Tobias

Socially optimal allocation of ATM resources via truthful market-based mechanisms Tobias Andersson Granberg Valentin Polishchuk Market mechanism Resource 1 User 1 Resource 2 Payment 1 Bid 1 O w n e r Resource 2 Resource n User

940 views • 31 slides
Jeffrey D. Ullman Stanford University The entity-resolution problem is to examine a

Jeffrey D. Ullman Stanford University The entity-resolution problem is to examine a

Jeffrey D. Ullman Stanford University The entity-resolution problem is to examine a collection of records and determine which refer to the same entity. Entities could be people, events, etc. Typically, we want to merge records if

821 views • 56 slides
Building Web Applications with Protg Csongor Nyulas, Tania Tudorache Stanford University 11

Building Web Applications with Protg Csongor Nyulas, Tania Tudorache Stanford University 11

Building Web Applications with Protg Csongor Nyulas, Tania Tudorache Stanford University 11 th Protg Conference, Amsterdam, The Netherlands July 23-27, 2009 Web Applications Are Flourishing Everything is going web! Software

610 views • 16 slides

More recommend