«FAST-FLUX problem & domains registrars» Pavel Khramtsov Slovenia-2009 The centre of registration of domains.

Slides:



Advertisements
Similar presentations
Dynamics of Online Scam Hosting Infrastructure
Advertisements

1 Dynamics of Online Scam Hosting Infrastructure Maria Konte, Nick Feamster Georgia Tech Jaeyeon Jung Intel Research.
ICANN SSAC, Cairo Nov 2008 Page 1 Summary of Fast Flux Dave Piscitello ICANN SSAC.
Flux in Fraud Infrastructures Minaxi Gupta Computer Science Dept. Indiana University, Bloomington.
Internet Applications INTERNET APPLICATIONS. Internet Applications Domain Name Service Proxy Service Mail Service Web Service.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
Describe four (4) services that are part of the TCP/IP protocol suite that would probably be implemented within a network centre to manage: naming within.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
DNS. DNS is a network service that enables clients to resolve names to IP address and vice-versa. Allows machines to be logically grouped by domain names.
The Domain Name System Overview Introduction DNS overview How DNS helps us? Summary.
Hitesh Ballani, Paul Francis(Cornell University) Presenter: Zhenhua Liu Date: Mar. 16 th, 2009.
20101 The Application Layer Domain Name System Chapter 7.
Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.
Application Layer At long last we can ask the question - how does the user interface with the network?
IMC 2004Jeff Pang 1 Availability, Usage, and Deployment Characteristics of the Domain Name System Jeffrey Pang *, James Hendricks *, Aditya Akella *, Roberto.
CSC586 Network Forensics IP Tracing/Domain Name Tracing.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.
Threat infrastructure: proxies, botnets, fast-flux
1 Web Content Delivery Reading: Section and COS 461: Computer Networks Spring 2007 (MW 1:30-2:50 in Friend 004) Ioannis Avramopoulos Instructor:
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
«ccTLD.RU: regulation» Pavel Khramtsov Moscow-2008.
DOMAIN NAME SYSTEM. Domain Name System Hostname Resolution DNS Name Lookup with DNS Domain Name Servers DNS Database Reverse Lookups.
Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.
DNS: Domain Name System Mark Ciocco Chris Janik Networks Class Presentation Tuesday April 18, 2000 To insert your company logo on this slide From the Insert.
11.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
CSUF Chapter 6 1. Computer Networks: Domain Name System 2.
 Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of.
IIT Indore © Neminath Hubballi
Arthur Harris Gennadiy Kofman James Mendoza Domain Name System.
Computer Networks. IP Addresses Before we communicate with a computer on the network we have to be able to identify it. Every computer on a network must.
Paper Presentation – CAP Page 2 Outline Review - DNS Proposed Solution Simulation Results / Evaluation Discussion.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 6: Name Resolution.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network, Enhanced Chapter 6: Name Resolution.
Chapter 29 Domain Name System (DNS) Allows users to reference computer names via symbolic names translates symbolic host names into associated IP addresses.
FluXOR: Detecting and Monitoring Fast-Flux Service Networks Emanuele Passerini, Roberto Paleari, Lorenzo Martignoni, and Danilo Bruschi 5th international.
Domain Name System. CONTENTS Definitions. DNS Naming Structure. DNS Components. How DNS Servers work. DNS Organizations. Summary.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
DNS as a Gatekeeper: Creating Lightweight Capabilities for Server Defense Curtis Taylor Craig Shue
Naming March 8, Networks What is naming?  Associations between some elements in a set of names and some elements in a set of values  Binding.
Not So Fast Flux Networks for Concealing Scam Servers Theodore O. Cochran; James Cannady, Ph.D. Risks and Security of Internet and Systems (CRiSIS), 2010.
1 Kyung Hee University Chapter 18 Domain Name System.
Fast-Flux Service Networks. Speaker Founder of the Honeynet Project. Information security eleven years, four as senior security architect for Sun Microsystems.
.LV today and tomorrow Katrīna Sataki, NIC.LV Riga, 19 April 2013.
The Domain Name System and DNS Blocking Malcolm Hutty Head of Public Affairs, LINX February 2011.
1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.
Japan Registry Service Copyright © 2002 Japan Registry Service Co., Ltd. Consideration on DNS Service Level Shinta Sato Japan Registry.
Understanding the Network-Level Behavior of Spammers Author: Anirudh Ramachandran, Nick Feamster SIGCOMM ’ 06, September 11-16, 2006, Pisa, Italy Presenter:
BZUPAGES.COM. Presented to: Sir. Muizuddin sb Presented by: M.Sheraz Anjum Roll NO Atif Aneaq Roll NO Khurram Shehzad Roll NO Wasif.
Domain Name System INTRODUCTION to Eng. Yasser Al-eimad
So DNS is A client-server application that maps domain names into their corresponding IP addresses with the help of name servers. Mapping domain names.
4343 X2 – The Application Layer Tanenbaum Chapter 7.
Basics of the Domain Name System (DNS) By : AMMY- DRISS Mohamed Amine KADDARI Zakaria MAHMOUDI Soufiane Oujda Med I University National College of Applied.
John S. Otto Mario A. Sánchez John P. Rula Fabián E. Bustamante Northwestern, EECS.
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Proceedings.
Domain Name System (DNS) The Technology Context – B101 Coursework 2 The Technology Context – B101.
Fast Flux Hosting and DNS ICANN SSAC What is Fast Flux Hosting? An evasion technique Goal of all fast flux variants –Avoid detection and take down of.
Internet Vulnerabilities & Criminal Activity Internet Forensics 12.1 April 26, 2010 Internet Forensics 12.1 April 26, 2010.
DNS Security Advanced Network Security Peter Reiher August, 2014
Domain Name Registration, ICANN, Registrars & Hosting Options
Principles of Computer Security
The Internet.
Lecture Computer Networks DNS (Domain Name System)
INTERNET APPLICATIONS
Computer Networks Primary, Secondary and Root Servers
Windows Name Resolution
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
Presentation transcript:

«FAST-FLUX problem & domains registrars» Pavel Khramtsov Slovenia-2009 The centre of registration of domains

RU-CENTER -  Spoofing – DNS server`s answer substitution (solution – DNSSEC).  Confiker – botnet creator (solution – preventive bulk registration)  Fast-flux – dynamic change of the address resource record – name/address link(solution – UNKNOUN!!!). DNS – the most popular themes (threads)

RU-CENTER - Fast-Flux: term definition  “Fast flux” refers to rapid and repeated changes to an Internet host (A) and/or name server (NS) resource record in a DNS zone, which have the effect of rapidly changing the location (IP address) to which the domain name of an A or NS resolves.  Fast flux attack networks are robust, resource obfuscating service delivery infrastructures. Such infrastructures make it difficult for system administrators and law enforcement agents to shut down active scams and identify the criminals operating them.

RU-CENTER - DNS - server 1. Site.ru A ? 2. Site.ru A HTTP – server ( ) User 3. GET HTTP/1.1http://site.ru Host: site.ru Ok… DNS & Web

RU-CENTER - Cache DNS - server 1. Site.ru A ? 8. Site.ru A HTTP – server ( ) User 9. GET HTTP/1.1 Host: site.ru Ok… DNS & Web in detail 2. Site.ru A ? 3..ru NS ns2.ripn.net ROOT 4. Site.ru A ? 5..site.ru NS n1.site.ru Ns2.ripn.net 6. Site.ru A ? 7. Site.ru TTL A Ns1.site.ru

RU-CENTER - центр регистрации доменов 6 DNS - server 1. Site.ru A ? 2. Site.ru A x User 3. GET HTTP/1.1 Host: site.ru Ok… HTTP – reverse - proxy - сервер … Reverse proxy using Source server

RU-CENTER - центр регистрации доменов 7 Cache DNS -server 2. Site.ru A x y z … Users 3. GET HTTP/1.1 Host: site.ru Ok… HTTP – reverse - proxy - сервер x y z … 1. Site.ru A ? Reverse proxy using & botnets Hidden content server Botnet It is a small TTL that permits fast A records changing A set of the hosts routed throw varied AS

RU-CENTER - центр регистрации доменов 8  multiple IPs per NS spanning multiple ASNs,  frequent NS changes,  in-addrs.arpa or IPs lying within consumer broadband allocation blocks,  domain name age,  poor quality WHOIS,  determination that the nginx proxy is running on the addressed machine: nginx is commonly used to hide/proxy illegal web servers,  the domain name is one of possibly many domain names under the name of a registrant whose domain administration account has been compromised, and the attacker has altered domain name information without authorization. Fast-flux “fingerprints”

RU-CENTER - центр регистрации доменов 9 Top-10 Botnet countries ( - 19/04/2009) RankCountry# of botsin % 1 Russian Federation % 2United States % 3Germany % 4Israel7608 5% 5Korea4665 3% 6Spain4330 3% 7United Kingdom3689 3% 8Italy3396 2% 9France3122 2% 10Romania2830 2% -other %

RU-CENTER - центр регистрации доменов 10 Russian AS & bots ( - 19/04/2009) RankAS numberAS name# of bots CORBINA-AS Corbina Telecom 10' ASN-SPBNIT OJSC North-West Telecom Autonomous System 3' CNT-AS CNT Autonomous System 3' DINET-AS Digital Network JSC TRCODINTSOVO-AS TRC Odintsovo TI-AS NetByNet Holding ISKRATELECOM-AS Iskratelecom Autonomous System NMTS-AS OJSC VolgaTelecom, Nizhny Novgorod USI Uralsviazinform AROMA-LESK-AS Aroma Lesk Ltd. 352

RU-CENTER - центр регистрации доменов 11 ccTLD & Bots RankZoneFast-fluxDomainsFast-flux domains per SU ,55 2.CN ,17 3.BZ ,22 4.COM ,15 5.RU ,01 ( ICANN WG report , Source: Arbor, 2008)

RU-CENTER - центр регистрации доменов 12  Select all distinct domain names from the log of the DNS-server. It`d be better to take log of an authoritative server of the zone.  Test this list against DNS to obtain TTL & IP- address for each domain name few times (100 times for example).  Focus on the names with TTL < 1000 & multiple Ips  Take away from the list Google, Yandex, … Our research: method Then…

RU-CENTER - центр регистрации доменов 13  We received Geography and AS distribution for each domain from the list.  We received intersection with the providers access pools for each Domain. Our research: method It is high probability that “fast-flux” domain has Geographic distribution & AS distribution of its IPs set and belongs to the provider`s access pool.

RU-CENTER - Our research: results Summary results: DescriptionValue Number of the domains with TTL < 1000 & multiple IPs1633 Number of the second level domains with TTL < 1000 & multiple IPs522 Number of the nnn.ru domains with TTL < 1000 & multiple IPs312 Number of the domain names pointing to the end user access pools including: - Geographic Distribution - AS Distribution

RU-CENTER - Our research: results Top-5 domains: DomainQueries ns6.b6f.ru Ns1.ut9.ru (Zimbra server) ns2.Ew0.ru (Zimbra server) NS3.wAntdrOOl.ru Ns1.wEbshopmAG.ru96833 Another tipical name: wnacsspa1j4i.odnoklassniki.x8m.ru.

RU-CENTER - Our research: results Top-5 Countries: CountryDomains Germany350 France349 Poland40 Netherland34 Taiwan32

RU-CENTER - Our research: results Russian AS names & end user access pools: AS nameDomains AGAVA 347 Unknown 1 INAR-VOLOGDA-AS 1 RINET-AS 1

RU-CENTER - Our research: results Registrars & end user access pools: Russian registrar (dif.Regions)Domains NAUNET-REG-RIPN 98 REGRU-REG-RIPN 102 REGTIME-REG-RIPN 183 RIPN-REG-RIPN 1

RU-CENTER - Conclusions 1.TTL & multiple IPs are enough for crude estimation 2.Domain names IPs & und user access pool intersection gives us more precious detection 3.Geographic & AS improve detection

RU-CENTER - Вопросы?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.