DNS Forensics & Protection


1 DNS Forensics & Protection
Paul V. Mockapetris UPMC / Nominum

2 Why DNS Forensics?
The Domain Name System (DNS) has long been used to estimate the population of the Internet and is used heavily by almost all network applications, whether normal or malicious. DNS traffic can be thought of as the "pulse, blood pressure and temperature" of the net. The opportunity is to use DNS traffic to analyze network health and activity, recognize anomalous behavior, and then detect and defeat malicious activity.

3 Cui Bono?
End user can understand activity and vulnerabilities and take countermeasures:
- Rogue hot spots / Kaminsky
- Virus infections (botnet C&C)
Network provider can:
- Prevent and inhibit malware activity
- Understand and optimize traffic
- Warn re undesired content
Obvious privacy concerns

4 DNS activity on my XP system after power switched on
wpad IN A (WPAD to discover web proxies)
cr-tools.clients.google.com. IN A
bw-printer-4.nominum.com. IN A
in-addr.arpa. IN PTR
download632.avast.com. IN A
in-addr.arpa. IN PTR
color-printer-1.nominum.com. IN A
download894.avast.com. IN A
color-printer-2.nominum.com. IN A
color-printer-3.nominum.com. IN A
in-addr.arpa. IN PTR

5 After login
cr-tools.clients.google.com. IN A
armmf.adobe.com. IN A
armdl.adobe.com. IN A

6 Start Firefox
desktop4.google.com. IN A
finance.yahoo.com. IN A
l.yimg.com. IN A
ads.yldmgrimg.net. IN A
ads.bluelithium.com. IN A
query.yahooapis.com. IN A
ad.doubleclick.net. IN A
ad.wsod.com. IN A
ad.yieldmanager.com. IN A
s0.2mdn.net. IN A
yui.yahooapis.com. IN A
e.yimg.com. IN A
us.bc.yahoo.com. IN A
admedia.wsod.com. IN A
streamerapi.finance.yahoo.com. IN A
a.l.yimg.com. IN A

7 The Lifecycle of a Bot Network
(Diagram: Innocent User, Bot Master, C&C)
1. Spam entices user to badsite.com
2. User visits site and is infected via "drive by download" malware and becomes part of botnet
3. Bot gets instructions from Command and Control (C&C) server
4. Steal confidential data and upload to a "drop site"
Where to address the issue?

8 Layering the Defense
Use DNS to distribute real time threat information. Using that:
- Block or warn the user about spam or web pages that seek to lure the user to infection sites.
- Block or warn the user about downloads from malware sites.
- Block command and control server activities.
- Block exfiltration of data to known bad sites.
- Learn about the sites that infections access.
- Use that information to update the reputation feed.
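As an added example (not from the slides), here is a small Python filter that applies a reputation feed of the kind slide 8 describes to a resolver query log, maps each category to a block or warn action, and collects the unknown names a host looks up after it has contacted a C&C entry, as candidates for updating the feed; the feed domains, client addresses and log format are constructed.

```python
# Constructed reputation feed (hypothetical names, not real indicators):
# domain -> threat category, following slide 8's layers of defense.
REPUTATION_FEED = {
    "badsite.example": "lure",        # pages luring users to infection sites
    "dl.malware.example": "malware",  # downloads from malware sites
    "c2.botnet.example": "c2",        # command and control servers
    "drop.exfil.example": "drop",     # exfiltration drop sites
}
# Policy per category: lure pages only warn, everything else is blocked.
POLICY = {"lure": "warn", "malware": "block", "c2": "block", "drop": "block"}

# Constructed resolver log, one query per line: "<client-ip> <qname> <qtype>".
SAMPLE_LOG = """\
10.0.0.5 www.badsite.example. A
10.0.0.5 finance.yahoo.com. A
10.0.0.7 cdn.dl.malware.example. A
10.0.0.7 c2.botnet.example. A
10.0.0.7 updates.unknown-host.example. A
"""

def lookup(qname, feed):
    """Suffix-match qname against the feed so a listed domain also covers
    its subdomains. Returns (matched_domain, category) or (None, None)."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate, feed[candidate]
    return None, None

def filter_queries(log_text, feed=REPUTATION_FEED, policy=POLICY):
    """Return (decisions, learned): one (client, qname, action, category) per
    query, plus the unknown names each client looked up after it had queried
    a C&C entry, as candidates for updating the feed."""
    decisions, infected, learned = [], set(), {}
    for line in log_text.splitlines():
        client, qname, _qtype = line.split()
        matched, category = lookup(qname, feed)
        if matched:
            action = policy[category]
            if category == "c2":
                infected.add(client)
        else:
            action = "allow"
            if client in infected:
                learned.setdefault(client, set()).add(qname.rstrip("."))
        decisions.append((client, qname, action, category))
    return decisions, learned
```

Suffix matching is what makes a single feed entry cover hosts such as cdn.dl.malware.example; without it, every subdomain would need its own entry.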

9 DNS and the Future of Cyber Defense
(Diagram: Innocent User, Bot Master, Botnet C&C)
1. Spam entices user to badsite.com
2. User visits site and is infected via "drive by download" malware and becomes part of botnet
3. Bot gets instructions from Command and Control (C&C) server
4. Steal confidential data and upload to a "drop site"

10 Network Protection Center
Ideal Case (diagram components):
- Network Protection Center: Outside Threat Source Data, Data Processing System, Data Import System, Data Collection, Data Publishing
- ISP Vantio DNS Servers: server log, reputation data
- External DNS lookups
- DNS queries

11 Sizing
Typical case: 2 redundant DNS servers
- Assume 50,000 users
- Server peak query rate 50, ,300,000 Q/S
- 80% handled from cache
- 1 query = 1 response
- 20% involve traffic to other servers
- Botnets that don't want to be found

12 Network Protection Center
Real Case (diagram components):
- Network Protection Center: Outside Threat Source Data, Data Processing System, Data Import System, Data Collection, Data Publishing
- ISP Vantio DNS Servers: server log, reputation data
- External DNS lookups
- DNS queries
- DNS queries to GoogleDNS, OpenDNS, AkamaiDNS, hotspot tunnels...

13 Real Sizing
Sensors:
- Generate peak of Mbyte/sec?
- Mbytes/sec from port 53 taps?
- Anonymous that wants to DDOS
Data Evaluation:
- Inline that taxes server?
- Network center taxes backhaul (Hadoop anyone?)

14 Last problem(s)
- We can't disrupt DNS service while we experiment with data filters
- We may want to run multiple filters & algorithms in parallel
- Some reputation data is hashed; most ISPs won't let us look at the data; everyone wants attribution for blocking rules

15 PVM Theory 1: Privacy
- Bring DNSSEC protection to the user's machine.
- Let & encourage the user to use reputation data to edit DNS content.
- Let & encourage the user to outsource the operation to an ISP or other, provided that user privacy is protected.

16 PVM Theory 2: Mechanism
- Think of the DNS server & port 53 tap logic as data flow problems, or perhaps pipes
- Two primary types: rapid filters inline in DNS server; export to Hadoop via big buffer
- Provide trusted and debug environments
