Chair of Network Architectures and Services, Department of Informatics, Technical University of Munich
Passive DNS
Michael Mitterer
October 13, 2017
Background: DNS
(Figure: The DNS query process)
M. Mitterer — pDNS
Background: DNS Resource Record
(Figure: DNS answer when querying microsoft.com.)
Background: Passive DNS
(Figure: The Passive DNS attempts)
Outline: Usage of Passive DNS
• Finding Malicious Domains
• Enhance Functionality and Availability
• Monitoring DNS
• Spying Users
Finding Malicious Domains: Fast-Flux Domains
• Domains of Fast-Flux networks
• Provide malicious services / phishing networks
• The set of IP addresses changes
(Figure: The structure of a Fast-Flux network)
Finding Malicious Domains: Detection via Passive DNS
Using Passive DNS to detect Fast-Flux domains ⇒ requires a large volume of DNS traffic
Finding Malicious Domains: Basic tool structure, using the example of FluxBuster
(Figure: Structure of FluxBuster)
Basic structure:
• Capture DNS traffic passively
• Filter traffic
• Cluster domains
• Classify clusters
Advantages [3]:
→ 64.5% of malicious domains were detected earlier than with other methods
→ 62% of flux agent IPs were previously unknown
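A small worked example of the "capture, filter, cluster, classify" idea on passive DNS data. It is added here for illustration and is not code from the slides or from FluxBuster; the observations, the /16 network proxy and the thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed passive-DNS observations, not data from the slides: (qname, A rdata, ttl)
OBSERVATIONS = [
    ("static-cdn.example", "198.51.100.10", 3600),
    ("static-cdn.example", "198.51.100.11", 3600),
    ("static-cdn.example", "198.51.100.10", 3600),
    ("flux-candidate.example", "203.0.113.5", 180),
    ("flux-candidate.example", "192.0.2.77", 120),
    ("flux-candidate.example", "198.51.100.200", 150),
    ("flux-candidate.example", "203.0.113.99", 200),
    ("flux-candidate.example", "192.0.2.8", 60),
    ("flux-candidate.example", "100.64.3.14", 90),
]

def prefix16(addr):
    """Coarse network locality: the /16 an IPv4 address belongs to (assumed proxy)."""
    return int(ip_address(addr)) >> 16

def extract_features(observations):
    """Aggregate per-domain features from passively collected A records."""
    ips, nets, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for qname, rdata, ttl in observations:
        ips[qname].add(rdata)
        nets[qname].add(prefix16(rdata))
        ttls[qname].append(ttl)
    return {
        q: {
            "distinct_ips": len(ips[q]),          # how many addresses the name resolved to
            "distinct_nets": len(nets[q]),        # how scattered those addresses are
            "avg_ttl": sum(ttls[q]) / len(ttls[q]),  # short TTLs allow rapid rotation
        }
        for q in ips
    }

def flux_candidates(features, min_ips=5, min_nets=3, max_ttl=300):
    """Flag domains whose resolution footprint resembles a fast-flux network.
    Thresholds are assumptions for this example, not values from the slides."""
    return {
        q for q, f in features.items()
        if f["distinct_ips"] >= min_ips
        and f["distinct_nets"] >= min_nets
        and f["avg_ttl"] <= max_ttl
    }

if __name__ == "__main__":
    feats = extract_features(OBSERVATIONS)
    for q, f in feats.items():
        print(q, f)
    print("fast-flux candidates:", flux_candidates(feats))
```

A legitimate CDN can also show many addresses and short TTLs, which is why the clustering and classification steps on the slide exist; treat the flagged names as candidates for review rather than verdicts.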
Finding Malicious Domains: Fast Flux Monitor
(Figure: Architecture of Fast Flux Monitor)
Aim:
→ Decide whether a given domain is a Fast-Flux domain
Advantages:
→ Detection rate of 96.6% [2]
Finding Malicious Domains: EXPOSURE
Aim:
→ Finding different kinds of malicious domains "in the wild"
Scientific contribution [1]:
→ Experiment run from December 28, 2010 over 17 months
→ Early detection of malicious domains (>50% only detected by EXPOSURE)
→ Identified 200 new malicious domains per day
→ Most malicious domains belonged to the .info, .org, or .biz TLDs
→ Most malicious domains were hosted in the US, Germany, or South Korea
Enhance Functionality and Availability: Improving DNS
• Enhance Availability
• Monitoring DNS
Enhance Functionality and Availability: Enhance Availability
(Figure: Passive DNS Replication)
Disadvantages:
→ Long time until all records are replicated
→ Inconsistency
Enhance Functionality and Availability: Monitoring DNS
(Figure: Monitor DNS usage)
Spying Users: Privacy Problems - EDNS
(Figure: Transmitted information with EDNS)
Spying Users: Privacy Problems - QNAME minimization
(Figure: Transmitted information using QNAME minimization)
Spying Users: Solutions
DNSSEC: Not encrypted ⇒ Traffic readable
⇒ Traffic has to be encrypted:
• DNSCrypt
• DNS Privacy Project
• DNS over TLS
Conclusion
Passive DNS...
• ... can make the Internet more secure
• ... improves DNS
• ... leads to huge privacy issues
Questions?
Backup: Privacy Problems
(Figure: Extract of a DNS query requesting in.tum.de)
Bibliography
[1] L. Bilge, S. Sen, D. Balzarotti, E. Kirda, and C. Kruegel. Exposure: a Passive DNS Analysis Service to Detect and Report Malicious Domains. ACM Transactions on Information and System Security, 16(4):14:1–14:28, Apr. 2014.
[2] A. Caglayan, M. Toothaker, D. Drapeau, D. Burke, and G. Eaton. Real-Time Detection of Fast Flux Service Networks. In Conference for Homeland Security, 2009. CATCH'09. Cybersecurity Applications & Technology, pages 285–292. IEEE, 2009.
[3] R. Perdisci, I. Corona, and G. Giacinto. Early Detection of Malicious Flux Networks via Large-Scale Passive DNS Traffic Analysis. IEEE Transactions on Dependable and Secure Computing, 9(5):714–726, 2012.