Passive DNS Michael Mitterer October 13, 2017 Chair of Network - - PowerPoint PPT Presentation



SLIDE 1

Chair of Network Architectures and Services Department of Informatics Technical University of Munich

Passive DNS

Michael Mitterer

October 13, 2017 Chair of Network Architectures and Services Department of Informatics Technical University of Munich

SLIDE 2

Background

DNS

The DNS query process

  • M. Mitterer — pDNS


SLIDE 3

Background

DNS Resource Record

DNS answer when querying microsoft.com.


SLIDE 4

Background

Passive DNS

The Passive DNS attempts


SLIDE 5

Outline

Usage of Passive DNS

  • Finding Malicious Domains
  • Enhance Functionality and Availability
  • Monitoring DNS
  • Spying Users


SLIDE 6

Finding Malicious Domains

Fast-Flux Domains

  • Domains of Fast-Flux networks
  • Provide malicious services/phishing networks
  • Set of IP addresses changes

The structure of a Fast-Flux network


SLIDE 7

Finding Malicious Domains

Detection via Passive DNS

Use of Passive DNS to detect Fast-Flux domains

⇒ Large amount of DNS traffic needed


SLIDE 8

Finding Malicious Domains

Basic tool structure using the example of FluxBuster

Structure of FluxBuster

Basic structure:

  • Capture DNS traffic passively
  • Filter traffic
  • Cluster domains
  • Classify clusters

Advantages [3]:
→ 64.5% of malicious domains were detected earlier than with other methods
→ 62% of flux agent IPs were previously unknown
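The four-step pipeline above (capture, filter, cluster, classify), as an added Python illustration that is neither FluxBuster's code nor the author's: it runs over a constructed batch of passive DNS observations, keeps short-TTL A answers, groups domains that share resolved IPs, and flags groups whose pooled IPs span several /24 networks. The thresholds and the /24 heuristic (a stand-in for the ASN/BGP data a real system would use) are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

OBSERVATIONS = [  # constructed sample, not real traffic: (timestamp, qname, rtype, rdata, ttl)
    (1000, "shop.example.", "A", "203.0.113.10", 86400),   # stable host, long TTL
    (1000, "cdn.example.", "A", "203.0.113.50", 60),       # short TTL but a single IP
    (1000, "mail.example.", "MX", "mx.example.", 3600),    # not an A record
    (1000, "flux1.example.", "A", "198.51.100.5", 60),
    (1100, "flux1.example.", "A", "192.0.2.77", 60),
    (1200, "flux1.example.", "A", "203.0.113.200", 60),
    (1300, "flux1.example.", "A", "198.51.100.99", 60),
    (1000, "flux2.example.", "A", "192.0.2.77", 60),       # shares agents with flux1
    (1100, "flux2.example.", "A", "203.0.113.200", 60),
]

def filter_records(obs, max_ttl=300):
    """Step 2: keep only A answers with short TTLs (assumed threshold); the rest is noise here."""
    return [o for o in obs if o[2] == "A" and o[4] <= max_ttl]

def aggregate(records):
    """Per-domain features: distinct IPs and distinct /24 networks (assumed stand-in for ASN data)."""
    feats = defaultdict(lambda: {"ips": set(), "nets": set()})
    for _, name, _, ip, _ in records:
        feats[name]["ips"].add(ip)
        feats[name]["nets"].add(str(ip_network(f"{ip}/24", strict=False)))
    return feats

def cluster(feats):
    """Step 3: merge domains into one cluster whenever they share a resolved IP."""
    clusters = []
    for name, f in feats.items():
        hit = [c for c in clusters if any(feats[d]["ips"] & f["ips"] for d in c)]
        clusters = [c for c in clusters if c not in hit] + [set().union({name}, *hit)]
    return clusters

def classify(feats, clusters, min_ips=3, min_nets=2):
    """Step 4: flag a cluster whose pooled IPs are many and spread across networks."""
    flagged = set()
    for comp in clusters:
        ips = set().union(*(feats[d]["ips"] for d in comp))
        nets = set().union(*(feats[d]["nets"] for d in comp))
        if len(ips) >= min_ips and len(nets) >= min_nets:
            flagged |= comp
    return sorted(flagged)

def triage(obs):
    feats = aggregate(filter_records(obs))
    return classify(feats, cluster(feats))
```

With the sample data, `triage(OBSERVATIONS)` flags only `flux1.example.` and `flux2.example.`; the short-TTL CDN-style name survives filtering but is not flagged because it resolves to a single IP.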


SLIDE 9

Finding Malicious Domains

Fast Flux Monitor

Architecture of Fast Flux Monitor

Aim:
→ Decide whether a given domain is a Fast-Flux domain

Advantages:
→ Detection rate of 96.6% [2]


SLIDE 10

Finding Malicious Domains

EXPOSURE

Aim:
→ Finding different kinds of malicious domains “in the wild”

Scientific contribution [1]:
→ Experiment run from December 28, 2010 over 17 months
→ Early detection of malicious domains (>50% only detected by EXPOSURE)
→ Identified 200 new malicious domains per day
→ Most malicious domains belonged to .info, .org, or .biz TLDs
→ Most malicious domains were hosted in US, Germany, or South Korea


SLIDE 11

Enhance Functionality and Availability

Improving DNS

  • Enhance Availability
  • Monitoring DNS

SLIDE 12

Enhance Functionality and Availability

Enhance Availability

Passive DNS Replication

Disadvantages:
→ Long time until all records are replicated
→ Inconsistency


SLIDE 13

Enhance Functionality and Availability

Monitoring DNS

Monitor DNS usage


SLIDE 14

Spying Users

Privacy Problems - EDNS

Transmitted information with EDNS


SLIDE 15

Spying Users

Privacy Problems - QNAME minimization

Transmitted information using QNAME minimization


SLIDE 16

Spying Users

Solutions

DNSSEC: Not encrypted ⇒ Traffic readable
⇒ Traffic has to be encrypted:

  • DNSCrypt
  • DNS Privacy Project
  • DNS over TLS

SLIDE 17

Conclusion

Passive DNS...

  • ... can make the Internet more secure
  • ... improves DNS
  • ... leads to huge privacy issues

SLIDE 18

Questions?


SLIDE 19

Backup

Privacy Problems

Extract of a DNS query requesting in.tum.de


SLIDE 20

Bibliography

[1] L. Bilge, S. Sen, D. Balzarotti, E. Kirda, and C. Kruegel. Exposure: a Passive DNS Analysis Service to Detect and Report Malicious Domains. ACM Transactions on Information and System Security, 16(4):14:1–14:28, Apr. 2014.

[2] A. Caglayan, M. Toothaker, D. Drapeau, D. Burke, and G. Eaton. Real-Time Detection of Fast Flux Service Networks. In Conference for Homeland Security, 2009. CATCH’09. Cybersecurity Applications & Technology, pages 285–292. IEEE, 2009.

[3] R. Perdisci, I. Corona, and G. Giacinto. Early Detection of Malicious Flux Networks via Large-Scale Passive DNS Traffic Analysis. IEEE Transactions on Dependable and Secure Computing, 9(5):714–726, 2012.
