multivariate solutions to emerging passive dns challenges
play

Multivariate Solutions to Emerging Passive DNS Challenges Dr. Paul - PowerPoint PPT Presentation

Jan 21, 2024 •477 likes •962 views

Multivariate Solutions to Emerging Passive DNS Challenges Dr. Paul Vixie, CEO and Dr. Joe St Sauver, Scientist 1 Agenda Introduction Passive DNS, Including Times When Passive DNS May Not Work Well Overcoming Obfuscation Pillz

  1. Multivariate Solutions to Emerging Passive DNS Challenges Dr. Paul Vixie, CEO and Dr. Joe St Sauver, Scientist 1

  2. Agenda • Introduction • Passive DNS, Including Times When Passive DNS May Not Work Well • Overcoming Obfuscation • Pillz Spam Example • Brand Protection/Knock Off Jerseys Example Scheduled Controlled Substances • Working A Kelihos Botnet-Related Spam Example • Multivariate Solutions • Conclusion 2

  3. I. Introduction: Passive DNS, Including Times When Passive DNS May Not Work Well 3

  4. How Passive DNS Normally Works... [From the POV of a security analyst] • Start with a known/observed "bad data point"  Domain name  Nameserver  IP address/CIDR  ASN (  CIDRs) • Use Passive DNS to find other IPs or domain names that share the same resources as our evil clue • Leverage reputation locality ("guilt by association"), but carefully review what you've found 4

  5. UNIvariate Approaches • Use a single point of commonality as a way to identify related domains... • Same exact IP? • Same exact nameserver? • Same exact domain name used over time (if you're interested in the set of IPs that a name's been using) • Each relies on a single attribute, exactly matched . 5

  6. Simple pDNS Works GREAT When... • Lots of related domains coexist on a single IP (or small CIDR block), with no innocent 3 rd party domains • Many related domains use the same set of dedicated name servers , with no innocent 3 rd party domains • The bad guy is apparently stubbornly fond of a favorite domain, despite being kicked off provider after provider after provider 6

  7. Times When Simple pDNS Doesn't Work • ZERO interrelated data points – e.g., "lone wolf" domain names, IP addresses, name servers, etc. • TOO many related resources • Related bad guy resources are comingled inextricably with innocent 3 rd party resources. • Bad Guy “Hit and run" scenarios 7

  8. Lone Wolf Scenario The cybercriminal reuses NOTHING across sites • Every IP address used to send spam or host content is totally unrelated to any other IPs the criminal uses • Every domain name is registered using: • A diverse assortment of registrars, one or two at a time • Using unique name servers (installed and operating on unique IPs) • Unique/fictitious (or concealed) POC details • Unique (or anonymous) payment details • Each site uses: • different brand names • different images • different written text • different payment processors, etc. 8

  9. Poorly Documented Resource Assignments • Example #1: Provider fails to document IP reassignments/reallocations in IP Whois or rWhois, and an abuser repeatedly moves (or is moved) around a single large network block, or among multiple smaller blocks. • Example #2: Whois POC details are concealed by a Whois proxy/privacy service 9

  10. II. Overcoming Obfuscation 10

  11. Work Around It, Or Strip It Entirely • Look for other characteristics that may not be obfuscated, or seek to strip away anonymity. • For example: • If nameservers service a large number of domains, and thus are not a useful attribute to try to follow, look at the IP address(es) the bad domain is hosted on, instead. • If a domain is demonstrably engaged in phishing or other clearly illegal behavior, some privacy/proxy protection services have terms of service which allow the provider to unilaterally strip privacy protections. 11

  12. Strategies For Overcoming Reverse Proxies • With Reverse Proxies, everything seems to "live on the reverse proxy's IP addresses” • Carefully scrutinize non-A/non-AAAA DNS records that may be present (e.g., MX, TXT, etc.) • Reverse proxy operators are also potentially a terrific target by law enforcement 12

  13. Bad Guys Deobfuscate Good Guys, Too • " Performance Marketing" URLs are encoded URLs, unique to each specific recipient • Because each URL is unique to each recipient, visiting the URL (typically to investigate the site being spamvertised) means: • Confirming you've opened the message and clicked through (establishing a potential argument that you've "opted-in") • May result in you "using-up" a URL coded for one-time-use (try the same URL a 2nd or 3 rd time? It may go nowhere) • Forwarding "sanitized" spamples in complaints may yield URLs that simply don't work, or which work "misleadingly." • Forwarding "raw spamples in complaints "outs" your spam collection infrastructure and may result in "list washing." 13

  14. II-a. Overcoming Obfuscation: Pillz Spam Example Demonstrates Use of Historical Passive DNS Data to Overcome Reverse Proxy Usage 14

  15. An Anti-Spam Example: Pillz 15

  16. Using Pre-"Reverse-Proxy-fication" Data $ dnsdb_query.py -r pillstoronto.net/a ;; bailiwick: pillstoronto.net. ;; count: 548 ;; first seen: 2015-06-07 12:57:11 -0000 ;; last seen: 2016-01-19 00:46:36 -0000  Cloudflare now pillstoronto.net. IN A 104.24.126.91  Cloudflare now pillstoronto.net. IN A 104.24.127.91 [BUT, EARLIER, WE'D SEEN...] ;; bailiwick: pillstoronto.net. ;; count: 5,568 ;; first seen: 2012-09-03 19:53:45 -0000 ;; last seen: 2013-09-11 19:41:57 -0000  NOT Cloudflare pillstoronto.net. IN A 188.72.228.107 ;; bailiwick: pillstoronto.net. ;; count: 4,965 ;; first seen: 2013-09-11 21:22:24 -0000 ;; last seen: 2015-06-07 09:08:03 -0000  NOT Cloudflare pillstoronto.net. IN A 80.67.3.104 16

  17. The Guys Behind These Guys Go Way Back " EvaPharmacy (previously known as Bulker.biz ) is the organization which sponsors spammers to promote sites within what has previously been referred to as the Yambo Financials group of web properties. These include My Canadian Pharmacy, International Legal RX, Canadian Health&Care Mall, US Drugs, Canadian Family Pharmacy, Canadian Family Pharmacy, Toronto_Drug_Store, RxExpressOnline, RxMedications and others. This was learned from postings on bulkerforum.biz by username "ebulker", who would invite users to promote for their properties. [...] Eva Pharmacy brand websites were first discovered in 2007 loading content from Bulker.biz sites." http://fraud-reports.wikia.com/wiki/EvaPharmacy [emphasis added] 17

  18. II-b. Overcoming Obfuscation: Brand Protection/Knock Off Jerseys Example Illustrate Use of MX Record Info To Overcome Reverse Proxy Usage 18

  19. Context for This Example 19

  20. Is This Really The "Official Store?" 20

  21. Compare Two Domain Whois Entries Domain Name: official49ersjerseys.com Domain Name: nflshop.com [...] [...] Create Date: 2015-09 -03 14:24:36 Updated Date: 2015-07-14T04:00:24-0700 [...] Creation Date: 1999 -02-01T00:00:00-0800 Registrar: SHANGHAI MEICHENG Registrar: MarkMonitor, Inc. TECHNOLOGY INFORMATION [...] DEVELOPMENT CO., LTD. Registrant Name: NFL Enterprises LLC [...] Registrant Organization: NFL Enterprises LLC Registrant Name: shao nian Registrant Street: 345 Park Ave., Registrant Organization: shao nian Registrant City: new york Registrant Street: Shang Hai Shi Qu Registrant State/Province: ny Registrant City: shanghaishi Registrant Postal Code: 10017 Registrant State/Province: shanghai Registrant Country: US Registrant Postal Code: 123123 Registrant Phone: +1.2124502000 Registrant Country: CN [...] Registrant Phone : +86.021 1231231 Registrant Email: dns_admin@nfl.com Registrant Fax: +86.0211231231 [etc] Registrant Email: cj2015tit@126.com [etc] Which of these two domains do YOU think is the real official NFL jersey shop? 21

  22. Following MX Records as DNS Clues $ dig official49ersjerseys.com +short  Hidden behind Cloudflare 104.27.143.198  Hidden behind Cloudflare 104.27.142.198 $ dig official49ersjerseys.com mx +short 0 dc-96d9f219.official49ersjerseys.com. $ dig dc-96d9f219.official49ersjerseys.com +short  NOT hidden behind Cloudflare (Sentris) 107.155.198.200 Do the "regular Passive DNS dance" from that point... $ dnsdb_query -i 107.155.198.200 -p json | jq -r .rrname | 2nd-level-dom | sort -u cheapcustomjerseysonline.com. dallascowboymall.com. dallascowboysmalls.com. [etc] dnsdb_query (c lang)? see https://github.com/dnsdb/dnsdb_c Get jq from https://stedolan.github.io/jq/ 22

  23. [Aside: "2nd-level-dom" is Just a Small Perl Script] #!/usr/bin/perl use strict; use warnings; use IO::Socket::SSL::PublicSuffix; my $pslfile = '/usr/local/etc/effective_tld_names.dat'; my $ps = IO::Socket::SSL::PublicSuffix->from_file($pslfile); my $line; foreach $line (<>) { chomp($line); my $root_domain = $ps->public_suffix($line,1); printf( "%s.\n", $root_domain ); } Get effective_tld_names.dat from https://publicsuffix.org/list/effective_tld_names.dat 23

  24. Got an Email? You Can Follow That, Too 24

  25. II-c. Overcoming Obfuscation: Scheduled Controlled Substances Illustrates Use of TXT Record Info To Overcome Reverse Proxy Usage 25

  26. Anabolic Steroids Are Schedule III http://www.deadiversion.usdoj.gov/schedules/orangebook/c_cs_alpha.pdf 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Four As Model Multivariate Solutions Multivariate Solutions June 2005 June 2005 Background

Four As Model Multivariate Solutions Multivariate Solutions June 2005 June 2005 Background

Four As Model Multivariate Solutions Multivariate Solutions June 2005 June 2005 Background and Objectives To examine four key measures in the study to determine key segments Satisfaction with The Company Would Recommend The

600 views • 11 slides
Malwares in Cyber Space Threat landscape, Emerging trends, Solutions and Challenges Atul

Malwares in Cyber Space Threat landscape, Emerging trends, Solutions and Challenges Atul

Malwares in Cyber Space Threat landscape, Emerging trends, Solutions and Challenges Atul Kabra, Solutions Architect CyberSpace The good, the bad and the ugly Internet is an unsafe neighborhood right in your office space

257 views • 12 slides
PRODUCT SOLUTIONS MARKET SOLUTIONS SERVICE SOLUTIONS Innovative and advanced

PRODUCT SOLUTIONS MARKET SOLUTIONS SERVICE SOLUTIONS Innovative and advanced

PRODUCT SOLUTIONS MARKET SOLUTIONS SERVICE SOLUTIONS Innovative and advanced Solutions for existing and Best in class service products to solve tomorrows emerging markets solutions from supply chain power challenges today to

575 views • 35 slides
SMARTERWORKPLACE SOLUTIONS SmarterWorkplace Solutions Challenges SMARTERWORKPLACE SOLUTIONS

SMARTERWORKPLACE SOLUTIONS SmarterWorkplace Solutions Challenges SMARTERWORKPLACE SOLUTIONS

SMARTERWORKPLACE SOLUTIONS SmarterWorkplace Solutions Challenges SMARTERWORKPLACE SOLUTIONS CHALLENGES As routine work continues to decrease, the way tasks are completed and goals are achieved at the workplace is changing. The digital

450 views • 18 slides
Resequencing Calculus: Rationale An Early Multivariate Approach Text Piloting Challenges

Resequencing Calculus: Rationale An Early Multivariate Approach Text Piloting Challenges

Resequencing Calculus: Dwyer and Gruenwald Definition Resequencing Calculus: Rationale An Early Multivariate Approach Text Piloting Challenges David Dwyer and Mark Gruenwald Solutions University of Evansville Further Information January

300 views • 26 slides
Increasing Access and Building Capacity to Ensure Innovative Solutions to Emerging Animal

Increasing Access and Building Capacity to Ensure Innovative Solutions to Emerging Animal

Increasing Access and Building Capacity to Ensure Innovative Solutions to Emerging Animal Well-Being Challenges May 2019 TAKE HOME ME SSAGE S Animal w elfare is a critical component of safe, sustainable, high quality, affordable food

339 views • 11 slides
New Opportunities and Challenges for . www Emerging Fund Managers

New Opportunities and Challenges for . www Emerging Fund Managers

Emerging Asset Management Building Strong Foundations .bm eam New Opportunities and Challenges for . www Emerging Fund Managers 26th F ebruary 2013, New Y ork 1 Emerging Asset Management Building

112 views • 8 slides
Outline Multivariate Data 1 Multivariate Parametric Methods Multivariate Normal Distribution 2

Outline Multivariate Data 1 Multivariate Parametric Methods Multivariate Normal Distribution 2

Multivariate Data Multivariate Normal Distribution Multivariate Classification Multivariate Regression Multivariate Data Multivariate Normal Distribution Multivariate Classification Multivariate Regression Outline Multivariate Data 1

319 views • 7 slides
PM2.5 NAAQS Modeling PM2.5 NAAQS Modeling Challenges &amp; Possible Solutions

PM2.5 NAAQS Modeling PM2.5 NAAQS Modeling Challenges &amp; Possible Solutions

PM2.5 NAAQS Modeling PM2.5 NAAQS Modeling Challenges &amp; Possible Solutions Challenges &amp; Possible Solutions The 23 rd Annual Conference on the Environment Upper Midwest Section Air &amp; Waste Management Association Earl

799 views • 36 slides
Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it

Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it

Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it matter? Federal government changed rules, effective for tax years that begin after 2018. Canadian controlled private corporations (CPCC) Passive

193 views • 8 slides
Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive

Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive

Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive Components 02 Integrating and Upgrading 03 Questions 04 2 Passive System Overview ___ 3 Passive Gas System ___ 4 Passive Gas System Usually

332 views • 12 slides
Corporate Presentation RF, Microwave, and Millimeter Wave Passive Solutions 603-222-2256

Corporate Presentation RF, Microwave, and Millimeter Wave Passive Solutions 603-222-2256

Corporate Presentation RF, Microwave, and Millimeter Wave Passive Solutions 603-222-2256 sales@xmacorp.com www.xmacorp.com facility 2008 Moved into new 2016 AS9100 Certified 2014 MA/Com Acquired Omni Spectra Launched Omni Spectra

456 views • 9 slides
Passive Fire Protection For the Oil &amp; Gas Industry Passive Fire Protection What is purpose

Passive Fire Protection For the Oil &amp; Gas Industry Passive Fire Protection What is purpose

Passive Fire Protection For the Oil &amp; Gas Industry Passive Fire Protection What is purpose of fireproofing? To Save Lives To Preserve Assets To Prevent Escalation Passive Fire Protection Passive Fire Protection Passive Fire

311 views • 29 slides
Intelligent Solutions for your Intelligent Solutions for your Business Challenges Business

Intelligent Solutions for your Intelligent Solutions for your Business Challenges Business

Intelligent Solutions for your Intelligent Solutions for your Business Challenges Business Challenges www.silvertouch.com SAP Business One Agenda SAP Business One Features &amp; Success Story SAP Business One Basic Modules Do More

550 views • 33 slides
Due Diligence 101: Private Equity Investing in Emerging Markets The due diligence challenges

Due Diligence 101: Private Equity Investing in Emerging Markets The due diligence challenges

Due Diligence 101: Private Equity Investing in Emerging Markets The due diligence challenges Jonathon Bond, Managing Partner &amp; Adiba Ighodaro, Director Actis Executive Summary - Due Diligence in the Emerging Markets 1. Due diligence in

744 views • 39 slides
Document Management Solution Agenda 1. Introducing Acyutah 2. Existing Process 3. Challenges

Document Management Solution Agenda 1. Introducing Acyutah 2. Existing Process 3. Challenges

Impact of DMS Emerging Challenges &amp; way forward Document Management Solution Agenda 1. Introducing Acyutah 2. Existing Process 3. Challenges &amp; Objectives 4. Ways to Achieve (DMS) 5. Acyutahs Solutions 6. Benefits Acyutah

939 views • 56 slides
Automatic Configuration of Benchmark Sets for Classical Planning Alvaro Torralba, 1 Jendrik Seipp,

Automatic Configuration of Benchmark Sets for Classical Planning Alvaro Torralba, 1 Jendrik Seipp,

The ICAPS Way Benchmark Design Principles Benchmark Configuration Evaluation Conclusion Automatic Configuration of Benchmark Sets for Classical Planning Alvaro Torralba, 1 Jendrik Seipp, 2 Silvan Sievers 2 1 Aalborg University, Denmark 2

1.09k views • 50 slides
Smart Cities: myths and realities Elisabet Viladecans-Marsal

Smart Cities: myths and realities Elisabet Viladecans-Marsal

Smart Cities: myths and realities Elisabet Viladecans-Marsal UB Smart City Chair Barcelona Institute of Economics - Universitat de

561 views • 24 slides
Phone:480- 541-2515 Communication emails or newsletters from me Assignment Book/Planner

Phone:480- 541-2515 Communication emails or newsletters from me Assignment Book/Planner

Email: lgwilliam@kyrene.org Phone:480- 541-2515 Communication emails or newsletters from me Assignment Book/Planner Conferences: Usually end of October and beginning of March, or by appointment at other times Web Site:

786 views • 25 slides
CS 10: Problem solving via Object Oriented Programming Pattern Matching 2 Agenda 1. Pattern

CS 10: Problem solving via Object Oriented Programming Pattern Matching 2 Agenda 1. Pattern

CS 10: Problem solving via Object Oriented Programming Pattern Matching 2 Agenda 1. Pattern matching to validate input Regular expressions Deterministic/Non-Deterministic Finite Automata (DFA/NFA) 2. Finite State Machines (FSM)

927 views • 65 slides
The Evolution of Nuclear Security: From Sites to Summitry 23rd WiN Global Annual Conference:

The Evolution of Nuclear Security: From Sites to Summitry 23rd WiN Global Annual Conference:

The Evolution of Nuclear Security: From Sites to Summitry 23rd WiN Global Annual Conference: Women in Nuclear Meet Atoms for Peace Ms. Corey Hinderstein Senior Coordinator for the Nuclear Security Summit and Nonproliferation Policy Affairs

605 views • 12 slides
Summarization: Overview Ling573 Systems &amp; Applications April 2, 2015 Roadmap

Summarization: Overview Ling573 Systems &amp; Applications April 2, 2015 Roadmap

Summarization: Overview Ling573 Systems &amp; Applications April 2, 2015 Roadmap Deliverable #1 Dimensions of the problem A brief history: Shared tasks &amp; Summarization Architecture of a Summarization system

1.26k views • 91 slides
Project-team OPALE INRIA Sophia-Antipolis Mditerrane and Rhne-Alpes Scientific Themes

Project-team OPALE INRIA Sophia-Antipolis Mditerrane and Rhne-Alpes Scientific Themes

Project-team OPALE Optimization and control, numerical algorithms and integration of complex multidisciplinary systems governed by PDEs Jean-Antoine DESIDERI Project-team OPALE INRIA Sophia-Antipolis Mditerrane and Rhne-Alpes

996 views • 33 slides
Telecom Security - lessons learned (or not)? Personal review on the last 7 years Harald Welte

Telecom Security - lessons learned (or not)? Personal review on the last 7 years Harald Welte

Telecom Security - lessons learned (or not)? Personal review on the last 7 years Harald Welte hardwear.io 2015 Keynote Harald Welte (hardwear.io 2015 Keynote) Telecom Security - lessons learned (or not)? October 2015 1 / 37 About Linux

544 views • 37 slides

More recommend