Host profiling based on remote measurements. Robert Kulzer, Advisor: Ralph Holz. PowerPoint PPT Presentation

SLIDE 1

Host profiling based on remote measurements

Robert Kulzer Advisor: Ralph Holz Master Thesis

Chair for Network Architectures and Services, Technische Universität München

January 9, 2013

Robert Kulzer (TU München) Host profiling based on remote measurements 1

slide-2
SLIDE 2

Motivation

- Flaws in the modern-day Web security environment
- Gutmann example: Browser PKI, a dubious domain holding a valid SSL certificate

SLIDE 3

Motivation

- Diversification of defense mechanisms
- Use a set of characteristics to classify a host
→ Can a "Risk-Assessment" based approach help to deduce a domain's trustworthiness?

SLIDE 4

Motivation

Figure (slide diagram): a scale from Safe to Unsafe. One pointer on it is labelled "Certificate is valid", the other "Risk Assessment", and the risk assessment draws on:

- AS information
- Geographic location
- Domain registration information
- Network configuration
- Domain name system

SLIDE 5

Goals

Goals
- Scanner framework
- Data collection: temporal (a series of scans) and current snapshot
- Unveil distinctive characteristics for known sets of domains

Scanners: Autonomous Systems, Geographic location, Whois registration information, Network configuration, Domain name system

SLIDE 6

Approach

Use distinctive sets of domains. Sample entries from the five lists as shown on the slide (the tumblr.com group is the Alexa worldwide list, the idealo.de group the German Alexa list):

utp7.com 96897.com finitysoft.com isellcc.net m77s.cn bjahqeb.info t5track.com ...
urinoor.com wenmo.in allspade.ru asfirey.net directsupershop.com drugfreecard.info esntionlatino.com ...
crape.fi scentsy.com critictoo.com firepits.com vbulletin-tr.com pigeon.cn detikmaya.com ...
tumblr.com mail.ru apple.com pinterest.com craigslist.org bbc.co.uk ask.com ...
idealo.de dhl.de zeit.de kicker.de wetteronline.de transfermarkt.de n-tv.de ...

Lists: AlDL, DeAlDL, RandAlDL, RecMDL, RandMDL

Name      Origin                 Description    Amount of domains
AlDL      Alexa Top sites        Worldwide      1,000
DeAlDL    Alexa Top sites        German         1,000
RandAlDL  Alexa Top sites        Random pick    1,000
RandMDL   DNS blackhole project  Random pick    1,000
RecMDL    DNS blackhole project  Current month  9,000

SLIDE 7

Approach

Define time intervals for scan runs
- Time between scans does not exceed 10 days
- Use all scanners in each scan run
- Two scan series; the evaluation series consists of Scan 1 to Scan 5 (figure: timeline of the five scans)

SLIDE 8

Approach

Architecture diagram (reconstructed from the slide). Launch process:

1. Read configuration: global configuration parameters for each scanner
2. Creating database schema: create tables and functions (per scan, tables such as Scan X with columns id, host_id, nserver and an address table with columns id, host_id, addr, ttl)
3. Start scanners: Domain handler, ASN scanner, GeoIP scanner, NMAP scanner, Whois scanner, DNS scanner
4. Individual domain and IP address feed to each scanner

Each scanner writes its own log (NMAP log, GeoIP log, ASN log, WHOIS log, DNS log) with one INFO line per processed domain, e.g. "INFO: 0007.ru".

SLIDE 9

Evaluation - Autonomous Systems

Which set of domains shows frequent alterations in the ASN configuration?

Plot: percentage of domains where an ASN change occurred (y-axis, 2 to 12) per domain list name (x-axis: AlDL, DeAlDL, RandAlDL, RandMDL, RecMDL, ordered from Safe to Unsafe), one bar per scan pair: scan 1->2, scan 2->3, scan 3->4, scan 4->5.

SLIDE 10

Evaluation - Geographic location

Which domain lists can be affiliated with a set of countries?

Figure: per-list country distribution, lists ordered from Safe to Unsafe.

SLIDE 11

Evaluation - Geographic location

In which domain lists do relocations occur more often?

Plot: percentage of hosts where country changes occurred (y-axis, 1 to 9) per domain list name (x-axis: AlDL, DeAlDL, RandAlDL, RandMDL, RecMDL, ordered from Safe to Unsafe), one bar per scan pair: scan 1->2, scan 2->3, scan 3->4, scan 4->5.
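The change-rate computation behind the two plots above (ASN changes on slide 9, country changes on slide 11), as an added example in Python that is not the thesis' scanner code; the domain lists, AS numbers and scan snapshots are constructed sample data.

```python
"""Change rate between consecutive scans (added example, not the thesis' scanner code).

Every scan is a snapshot mapping domain -> observed attribute (the ASN for slide 9, the
GeoIP country for slide 11; the logic is the same). For each consecutive scan pair the
percentage of domains per list whose attribute changed is reported ('scan 1->2' ...).
"""
from typing import Dict, Hashable, List, Sequence

# Constructed sample data: two domain lists and five ASN snapshots. AS64496-AS64511 is
# the documentation range, so none of these numbers refer to a real network.
LISTS: Dict[str, Sequence[str]] = {
    "AlDL": ["a.example", "b.example", "c.example", "d.example"],
    "RandMDL": ["m1.example", "m2.example", "m3.example", "m4.example"],
}
_BASE = {"a.example": "AS64496", "b.example": "AS64497", "c.example": "AS64498",
         "d.example": "AS64499", "m1.example": "AS64500", "m2.example": "AS64501",
         "m3.example": "AS64502", "m4.example": "AS64503"}
SCANS: List[Dict[str, Hashable]] = [
    dict(_BASE),
    {**_BASE, "m1.example": "AS64510", "m3.example": "AS64511"},  # two RandMDL hosts moved
    {**{k: v for k, v in _BASE.items() if k != "d.example"},       # d.example: no answer
     "m1.example": "AS64510"},                                     # m3 back on AS64502
    {**_BASE, "a.example": "AS64505", "m1.example": "AS64500"},    # a moved, m1 back
    {**_BASE, "a.example": "AS64505"},                             # stable
]

def change_rates(scans: Sequence[Dict[str, Hashable]],
                 lists: Dict[str, Sequence[str]]) -> Dict[str, List[float]]:
    """Per list, percentage of domains whose attribute differs between scan i and i+1.

    A domain missing from either snapshot (lookup failed, no answer) is left out of
    numerator and denominator for that pair: a gap in the data is not a change.
    """
    rates: Dict[str, List[float]] = {}
    for name, domains in lists.items():
        series = []
        for prev, cur in zip(scans, scans[1:]):
            seen = [d for d in domains if d in prev and d in cur]
            changed = sum(1 for d in seen if prev[d] != cur[d])
            series.append(round(100.0 * changed / len(seen), 2) if seen else 0.0)
        rates[name] = series
    return rates

def rank_by_volatility(rates: Dict[str, List[float]]) -> List[str]:
    """List names ordered from most to least volatile by mean change rate."""
    return sorted(rates, key=lambda n: -sum(rates[n]) / len(rates[n]))
```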

SLIDE 12

Evaluation - Whois registration information

Which set of domains is registered for a shorter time? (registration time in months; lists ordered from Safe to Unsafe)

Domain list  Average  Q0.5
AlDL         181.75   182.63
RandAlDL      84.50    73.03
RandMDL       41.25    24.37
RecMDL        44.00    24.37

SLIDE 13

Evaluation - Network configuration

Which set of domains has on average more open ports?

Plot: open ports on a domain (y-axis, 0.5 to 3) per domain list name (x-axis: AlDL, DeAlDL, RandAlDL, RandMDL, RecMDL, ordered from Safe to Unsafe), shown for the quantiles Q-0.3 and Q-0.5.

SLIDE 14

Evaluation - Domain name system

Which group of domains changes their TTL configuration frequently?

Plot: ratio (TTL changes / domain), y-axis 1 to 2, per resource record type (x-axis: A, CNAME, MX, NS, SOA, TXT), one series per domain list (AlDL, DeAlDL, RandAlDL, RandMDL, RecMDL, ordered from Safe to Unsafe).

SLIDE 15

Evaluation - Domain name system

Is the use of Google's SPF an indication for a group of domains?

Spam prevention with SPF (Sender Policy Framework): append an anti-spoofing entry to the TXT resource records, for example

v=spf1 +all
v=spf1 mx ip4:77.232.64.0/19 +all

Google Apps to create SPF entries; TXT entry as shown on the slide:

google-site-verification=mWlqvcJ4Jx0oKel6...

SLIDE 16

Evaluation - Domain name system

Is the use of Google's SPF an indication for a group of domains?

Plot: percentage of domains using Google for SPF (y-axis, 4 to 18) per scan (x-axis: scan1 to scan5), one series per domain list (AlDL, DeAlDL, RandAlDL, RandMDL, RecMDL, ordered from Safe to Unsafe).
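An added example (not the thesis' DNS scanner) of how one domain's TXT record set can be classified for the SPF question on slides 15 and 16. It assumes that "using Google for SPF" means a delegation to Google's published include target _spf.google.com, and the sample record set is constructed around the two records shown on slide 15.

```python
"""SPF TXT record classification (added example, not the thesis' DNS scanner code).

Pick the SPF record out of a domain's TXT records, split it into mechanisms, read the
qualifier on the final 'all' term and check for Google's include (assumed detection rule).
"""
import re
from typing import Dict, List, Optional, Tuple

GOOGLE_INCLUDE = "_spf.google.com"  # Google's documented SPF include target
_TERM = re.compile(r"^([+\-~?])?([a-z0-9]+)(?:[:=/](.*))?$", re.IGNORECASE)

def find_spf(txt_records: List[str]) -> Optional[str]:
    """The domain's SPF record, or None when there is none or more than one
    (RFC 7208 treats several v=spf1 records as a permanent error, so we do not guess)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None

def classify_spf(record: str) -> Dict[str, object]:
    mechanisms: List[Tuple[str, str, Optional[str]]] = []
    all_qualifier = None
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        m = _TERM.match(term)
        if not m:
            continue                         # unparsable term: skip it
        qual, name, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if name == "all":
            all_qualifier = qual
        else:
            mechanisms.append((qual, name, arg))
    uses_google = any(n == "include" and (a or "").lower() == GOOGLE_INCLUDE
                      for _, n, a in mechanisms)
    # Only '-all' (fail) or '~all' (softfail) reject unlisted senders; '+all', '?all' or
    # a missing 'all' term never reject anyone, so such a record stops no spoofing.
    return {"mechanisms": mechanisms, "all": all_qualifier,
            "uses_google": uses_google, "enforces": all_qualifier in ("-", "~")}

def google_spf_share(txt_by_domain: Dict[str, List[str]]) -> float:
    """Percentage of domains in a list whose SPF record delegates to Google."""
    hits = sum(1 for recs in txt_by_domain.values()
               if (spf := find_spf(recs)) and classify_spf(spf)["uses_google"])
    return round(100.0 * hits / len(txt_by_domain), 2) if txt_by_domain else 0.0

# Constructed sample: the two records from slide 15 plus two made-up domains.
SAMPLE: Dict[str, List[str]] = {
    "a.example": ["v=spf1 include:_spf.google.com ~all"],
    "b.example": ["v=spf1 +all"],
    "c.example": ["google-site-verification=EXAMPLE-TOKEN"],  # placeholder, no SPF
    "d.example": ["v=spf1 mx ip4:77.232.64.0/19 +all"],
}
```

Both records shown on slide 15 end in +all, which the classifier reports as enforces=False: such a record lists senders but rejects none.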

SLIDE 17

Dead ends (?)

Scanner  Characteristic           Verdict
ASN      Multiple AS              Not distinctive
ASN      Popular AS               Not distinctive
GeoIP    Undetermined locations   Insignificant
Whois    Changes to update field  Not distinctive
Whois    Changes to name servers  Fluctuating behaviour
Nmap     OS similarities          Imprecise data
Nmap     Frequent state changes   Insignificant
DNS      Low TTLs                 Not distinctive
DNS      Subset of RRs            Not distinctive

SLIDE 22

Results from related work

ASN
- Very few clusters of AS for malicious domains exist (Kalafut et al.)
- The majority of AS are each linked to less than one percent of the domains

DNS
- Passive DNS analysis reveals low TTL values for malicious domains (Bilge et al.)

Other characteristics are consistent with this work

SLIDE 23

Conclusion

Results
- ASN alterations
- Domain registration time
- DNS record configuration

Summary
- Good indicators are few
- No single characteristic is sufficient

Future work
- Evaluation over a longer period of time
- Correlate the characteristics

SLIDE 24

Thank you for your attention. Are there any questions?
