Passive DNS Replication. Florian Weimer, 17th Annual FIRST Conference, Singapore, 2005 (slide deck, 25 slides)



Slide 1: Passive DNS Replication
Florian Weimer, 17th Annual FIRST Conference, Singapore, 2005

Slide 2: Outline
◮ A very brief introduction to DNS
◮ Case Study: Botnet mitigation
◮ Architecture and implementation
◮ Results

Slide 3: Outline (A very brief introduction to DNS)

Slide 4 (A very brief introduction to DNS): DNS as a huge table
  www.enyo.de                  IN A    212.9.189.164
  static.enyo.de               IN A    212.9.189.164
  mail.enyo.de                 IN A    212.9.189.167
  enyo.de                      IN MX   10 mail.enyo.de
  ...
  www.first.org                IN A    163.1.2.77
  www.first.org                IN A    192.25.206.20
  www.first.org                IN A    210.148.223.8
  ...
  164.189.9.212.in-addr.arpa   IN PTR  www.enyo.de

Slide 5 (A very brief introduction to DNS): DNS summary
◮ You can query only by the primary key, the domain/class/type triple.
◮ Queries on secondary keys can be emulated if the key is encoded in a domain name (as in 164.189.9.212.in-addr.arpa).
◮ There are no consistency guarantees.
◮ Reverse lookups (based on PTR records) are optional and not reliable: both www and static point to 212.9.189.164, but there is only one PTR record.

Slide 6: Outline (Case Study: Botnet mitigation)

Slide 7 (Case Study: Botnet mitigation): An IDS alert
◮ The intrusion detection system detects a botnet command:
    T 2005/04/21 18:06:33.188392 192.0.2.166:6667 -> 212.9.189.171:1037
    :abc!DeFgH@SOME.TLA.GOV TOPIC #l33t :.advscan dcom135 100 5 0 -r..
◮ 212.9.189.171 is a compromised host on our network.
◮ 192.0.2.166 is the botnet controller.
◮ The captured command instructs 212.9.189.171 to scan for further victims.

Slide 8 (Case Study: Botnet mitigation): Response to the report
◮ Filter 212.9.189.171, the victim host.
◮ Filter 192.0.2.166, the botnet controller.
◮ Contact the owner of the 212.9.189.171 machine and force him to clean it.
◮ ... and hope for the best.
◮ The victims continue to scan the internal network, discovering new victims.
◮ Filtering the botnet controller prevents them from joining the botnet. (???)

Slide 9 (Case Study: Botnet mitigation): Contacting the botnet controller
◮ The bot may contain one or more domain names instead of hard-coded IP addresses.
◮ Each domain can resolve to multiple IP addresses.
◮ Blocking a single IP address often does not prevent hosts from joining the botnet.
◮ If you know the domain name, better filters are possible.
  ◮ You can adjust the filters when the domain name changes.
  ◮ You can filter the domain name on your resolvers (in theory).

Slide 10 (Case Study: Botnet mitigation): How to recover domain names from IP addresses
◮ Reverse engineer the bot.
  ◮ Disassembling needs time and expertise.
  ◮ And a copy of the malware.
◮ The security team often cannot access the caching resolvers which store a copy of the DNS record.
◮ Zone transfers, the traditional DNS replication mechanism, do not work.

Slide 11 (Case Study: Botnet mitigation): From domain names to IP addresses
◮ Capture DNS packets and look for the IP address you are interested in.
◮ DNS caches may delay the reappearance of resource records for hours.
◮ Idea: Capture DNS records in advance and store them in a database for later reference.
◮ This leads to “passive DNS replication”.

Slide 12: Outline (Architecture and implementation)

Slide 13 (Architecture and implementation): dnslogger architecture
  [Diagram; components: Sensor, Sensor, dnslogger host (Collector, Database, Analyzer), WHOIS client, WHOIS client, WHOIS server]

Slide 14 (Architecture and implementation): Sensor placement
  [Diagram; elements: Client, DNS Resolver, Sensor, Name Server (www.enyo.de), ISP 1, ISP 2]

Slide 15 (Architecture and implementation): Challenges
◮ Privacy concerns
◮ Security concerns
◮ Truncated and EDNS0 responses
◮ What about bogus DNS data captured by the sensors?
◮ The data rate itself is fairly low on medium-sized campus networks.
  ◮ But keeping lots of historic data is problematic.

Slide 16 (Architecture and implementation): dnslogger implementation
◮ Two sensor implementations:
  ◮ Perl: simple and obviously correct
  ◮ C: higher performance, fewer dependencies
◮ The remaining parts of the dnslogger software are written in Ada.
◮ Berkeley DB from Sleepycat is used as the underlying database technology.
◮ The schema design is highly denormalized and clustered on reversed domain names.
◮ All database updates are idempotent and commute, which makes replication particularly easy.
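Added example, not part of the slides or of dnslogger itself: a small Python store with the three properties slide 16 lists (keys clustered on reversed domain names, idempotent and commutative updates, and a secondary index that answers the "which domains pointed at this IP address or name server" question slide 11 motivates). The domains, addresses and timestamps in the feed are constructed sample data, not observations from a real sensor.

```python
# Added example, not dnslogger's own code: a toy passive DNS store with the
# properties the slides describe; all names/addresses/timestamps are constructed.

def cluster_key(domain):
    """Reverse the labels so all names under one zone sort together
    (www.enyo.de -> de.enyo.www), as the denormalized schema on slide 16 does."""
    return ".".join(reversed(domain.rstrip(".").lower().split(".")))

class PassiveDNS:
    def __init__(self):
        self.records = {}  # (cluster_key, type, data) -> [domain, first_seen, last_seen]
        self.by_data = {}  # secondary index: rdata (IP, name server, ...) -> primary keys

    def observe(self, ts, domain, rtype, data):
        """Record one answer a sensor saw. Updates are idempotent and commutative
        (only min/max move), so sensor feeds can be replayed or reordered freely."""
        key = (cluster_key(domain), rtype, data.lower())
        rec = self.records.setdefault(key, [domain.lower(), ts, ts])
        self.by_data.setdefault(key[2], set()).add(key)
        rec[1], rec[2] = min(rec[1], ts), max(rec[2], ts)

    def lookup_data(self, data):
        """Secondary-key query: which names have pointed at this IP or name server?
        Rows are (first_seen, domain, type, data), oldest first, like the result tables."""
        rows = [(self.records[k][1], self.records[k][0], k[1], k[2])
                for k in self.by_data.get(data.lower(), ())]
        return sorted(rows)

    def history(self, domain, rtype=None):
        """Everything one domain has resolved to over time (the kimble.org view)."""
        ck = cluster_key(domain)
        rows = ((first, d, t, v) for (c, t, v), (d, first, _) in self.records.items()
                if c == ck and rtype in (None, t))
        return sorted(rows)

# Constructed observations ("YYYY-MM-DD HH:MM:SS" strings sort chronologically), out of order.
SAMPLE_FEED = [
    ("2005-04-21 18:06:33", "cc.example.net", "A", "192.0.2.166"),
    ("2005-04-20 09:00:00", "cc.example.net", "A", "192.0.2.166"),   # earlier sighting
    ("2005-04-22 01:00:00", "cc.example.net", "A", "198.51.100.7"),  # controller moved
    ("2005-04-19 12:00:00", "shop-a.example.com", "NS", "ns1.example.org"),
    ("2005-04-20 12:00:00", "shop-b.example.com", "NS", "ns1.example.org"),
]

def build_sample_store(feed=SAMPLE_FEED):
    store = PassiveDNS()
    for obs in feed:
        store.observe(*obs)
    return store
```

Because every update only lowers first_seen or raises last_seen, two collectors fed the same observations in any order converge on identical stores, which is why replication is cheap.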

Slide 17: Outline (Results)

Slide 18 (Results): Examples
◮ Identify botnet controllers
◮ Track DNS-driven botnets (Blaster)
◮ Correlate domains
◮ Dating DNS anomalies (new or just newly discovered?)

Slide 19 (Results): Example: The kimble.org fiasco
  First seen           Domain      Type  Data
  2004-06-23 13:58:51  kimble.org  A     127.0.0.1
  2004-08-07 16:14:00  kimble.org  A     207.234.155.17
  2004-10-20 07:15:58  kimble.org  A     212.100.234.54
  2004-10-20 16:12:56  kimble.org  A     64.203.97.121
  2004-10-21 17:15:01  kimble.org  A     212.113.74.58
  2004-10-21 17:45:01  kimble.org  A     195.130.152.100
  2004-10-31 14:45:01  kimble.org  A     195.225.218.59
  2004-11-02 23:15:01  kimble.org  A     206.132.83.2
  2004-11-04 18:15:01  kimble.org  A     213.139.139.206
  2004-11-21 03:15:02  kimble.org  A     216.7.173.212
  2004-11-25 22:45:02  kimble.org  A     38.112.165.60

Slide 20 (Results): Example: Hijacking of ebay.de
  First seen           Domain   Type  Data
  2004-06-23 08:21:57  ebay.de  NS    crocodile.ebay.com
  2004-06-23 08:21:57  ebay.de  NS    sjc-dns1.ebaydns.com
  2004-06-23 08:21:57  ebay.de  NS    sjc-dns2.ebaydns.com
  2004-08-28 05:34:01  ebay.de  NS    ns1.goracer.de
  2004-08-28 05:34:01  ebay.de  NS    ns2.goracer.de

Slide 21 (Results): Example: Network Solutions' “Site Finder Light”
  First seen           Domain                     Type   Data
  2004-09-19 05:01:53  misslink.net               CNAME  †
  2004-09-19 05:57:49  ns.bighornent.com          CNAME  †
  2004-09-19 06:13:44  ns13.magnum-inap4.net      CNAME  †
  2004-09-19 06:24:28  host2.7thgate.com          CNAME  †
  2004-09-19 07:25:26  www.zydigo.com             CNAME  †
  2004-09-19 08:08:33  muslimsonline.com          CNAME  †
  2004-09-19 08:28:26  www.animatiehuis.com       CNAME  †
  2004-09-19 08:57:19  www.urbanvoicesonline.com  CNAME  †
  ...
  † = resalehost.networksolutions.com

Slide 22 (Results): Example: Correlating domains
◮ An email message references dkchaotichigh.com (“MegaPowerPills.com”).
◮ An ordinary DNS lookup reveals that ns1.m-dns.us is used as a name server.
◮ Additional domains are hosted on this name server:
    Domain                Type  Data
    outfacegood.com       NS    ns1.m-dns.us
    outregood.com         NS    ns1.m-dns.us
    megalithgood.com      NS    ns1.m-dns.us
    medverdigrisgood.com  NS    ns1.m-dns.us
    ...

Slide 23 (Results): Example: Unauthorized name servers for .com
  First seen           Domain  Type  Data
  2004-06-24 00:52:37  com     NS    ns1.hi2000.net
  2004-06-24 23:04:11  com     NS    ns1.vertical-inc.net
  2004-06-30 23:26:21  com     NS    tempsvr.wam.wamusa.com
  2004-07-01 04:32:18  com     NS    ns7.domainredirect.com
  2004-07-05 04:18:36  com     NS    ns1.infoglobe.net
  2004-07-05 07:35:14  com     NS    ns1.cntrading.com
  2004-07-05 16:40:27  com     NS    ns1.spacesurfer.com
  2004-07-08 00:34:29  com     NS    ns.tradenames.com
  ...

Slide 24 (Results): Observations
◮ DNS usage is very localized and specific to the network in which the sensor is placed.
◮ For many applications, you have to run your own sensor instead of using data collected on other networks.
◮ But sharing the data with others does not hurt.

Slide 25: Summary
◮ Passive DNS replication provides new ways to access and process DNS data.
◮ This data can support various security-related processes.
◮ It also provides new insights into the operation of the domain name system.
◮ Questions?
