Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNS Forensics & Protection

Published byAbraham McKenzie Modified over 7 years ago

Similar presentations

Presentation on theme: "DNS Forensics & Protection"— Presentation transcript:

1 DNS Forensics & Protection
Paul V. Mockapetris UPMC / Nominum

2 Why DNS Forensics? The Domain Name System (DNS) has long been used to estimate the population of the Internet and is used heavily by almost all network applications, whether normal or malicious. DNS traffic can be thought of as the "pulse, blood pressure and temperature" of the net. The opportunity is to use DNS traffic to analyze network health and activity, recognize anomalous behavior, and then detect and defeat malicious activity

3 Qui Bono? End user can understand activity, vulnerabilities and take countermeasures. Rogue Hot spots / Kaminsky Virus infections (botnet C & C) Network provider can Prevent and inhibit malware activity Understand and optimize traffic Warn re undesired content Obvious privacy concerns

4 DNS activity on my XP system after power switched on
wpad IN A cr-tools.clients.google.com. IN A bw-printer-4.nominum.com. IN A in-addr.arpa. IN PTR download632.avast.com. IN A in-addr.arpa. IN PTR color-printer-1.nominum.com. IN A download894.avast.com. IN A color-printer-2.nominum.com. IN A color-printer-3.nominum.com. IN A in-addr.arpa. IN PTR WPAD to discover web proxies

5 After login cr-tools.clients.google.com. IN A armmf.adobe.com. IN A
armdl.adobe.com. IN A

6 Start Firefox desktop4.google.com. IN A finance.yahoo.com. IN A l.yimg.com. IN A ads.yldmgrimg.net. IN A ads.bluelithium.com. IN A query.yahooapis.com. IN A ad.doubleclick.net. IN A ad.wsod.com. IN A ad.yieldmanager.com. IN A s0.2mdn.net. IN A yui.yahooapis.com. IN A e.yimg.com. IN A us.bc.yahoo.com. IN A admedia.wsod.com. IN A streamerapi.finance.yahoo.com. IN A a.l.yimg.com. IN A

7 The Lifecycle of a Bot Network
C&C Bot Master 3. Bot gets instructions from Command and Control (C&C) server Where to address the issue? 2. User visits site and is infected via “drive by download” Malware and becomes part of Botnet 1. Spam entices user to badsite.com 4. Steal confidential data and upload to a “drop site” Innocent User

8 Layering the Defense Use DNS to distribute real time threat information Using that: Block or warn the user about spam or web pages that seek to lure the user to infection sites. Block or warn the user about downloads from malware sites. Block command and control server activities. Block exfiltration of data to known bad sites. Learn about the sites that infections access. Use that information to update the reputation feed.

9 DNS and the Future of Cyber Defense
Botnet C&C Bot Master 3 – Bot gets instructions from Command and Control (C&C) server 2 – User visits site and is infected via “drive by download” Malware and becomes part of Botnet 1 – Spam entices user to badsite.com 4 – Steal confidential data and upload to a “drop site” Innocent User

10 Network Protection Center
Ideal Case Network Protection Center Outside Threat Source Data Data Processing System Data Import System Data Collection Data Publishing ISP Vantio DNS Servers Server log reputation data External DNS lookups DNS queries

11 Sizing Typical Case: 2 redundant DS servers
Assume 50,000 users Server peak query rate 50, ,300,000 Q/S 80% handled from cache 1 query = 1 response 20% involve traffic to other servers Botnets that don’t want to be found

12 Network Protection Center
Real Case Network Protection Center Outside Threat Source Data Data Processing System Data Import System Data Collection Data Publishing ISP Vantio DNS Servers Server log reputation data External DNS lookups DNS queries DNS queries to GoogleDNS, OpenDNS, AkamiDNS, Hotspot tunnels…

13 Real Sizing Sensors: Data Evaluation
Generate peak of Mbyte/sec ? Mbytes/sec from port 53 taps? Anonymous that wants to DDOS Data Evaluation Inline that taxes server? Network center taxes backhaul (Hadoop anyone?)

14 Last problem(s) We can’t disrupt DNS service while we experiment with data filters We may want to run multiple filters & algorithms in parallel Some reputation data is hashed; most ISPs won’t let us look at the data; everyone wants attribution for blocking rules

15 PVM Theory 1: Privacy Bring DNSSEC protection to the user’s machine.
Let & encourage the user to use reputation data to edit DNS content. Let & encourage the user to outsource the operation to an ISP or other provided that user privacy is protected.

16 PVM Theory 2: Mechanism Think of the DNS server & Port 53 tap logic as data flow problems, or perhaps pipes Two primary types Rapid filters inline in DNS server Export to Hadoop via big buffer Provide trusted and debug environments

Download ppt "DNS Forensics & Protection"

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
A look into Bullet Proof Hosting November 2014 - DefCamp 5 Silviu Sofronie – Head of Forensics

A look into Bullet Proof Hosting November DefCamp 5 Silviu Sofronie – Head of Forensics
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Cyber Threats: Industry Trends and Actionable Advice Presented by: Elton Fontaine.

Cyber Threats: Industry Trends and Actionable Advice Presented by: Elton Fontaine.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Threat infrastructure: proxies, botnets, fast-flux

Threat infrastructure: proxies, botnets, fast-flux
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.

© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Internet Safety Basics Being responsible -- and safer -- online Visit age-appropriate sites Minimize chatting with strangers. Think critically about.

Internet Safety Basics Being responsible -- and safer -- online Visit age-appropriate sites Minimize chatting with strangers. Think critically about.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
Outline  Infections  1) r57 shell  2) rogue software  What Can We Do?  1) Seccheck  2) Virus total  3) Sandbox  Prevention  1) Personal Software.

Outline  Infections  1) r57 shell  2) rogue software  What Can We Do?  1) Seccheck  2) Virus total  3) Sandbox  Prevention  1) Personal Software.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel 434920317 1.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
Palo Alto Networks Modern Malware Cory Grant Regional Sales Manager Palo Alto Networks.

Palo Alto Networks Modern Malware Cory Grant Regional Sales Manager Palo Alto Networks.
Threat Management Gateway 2010 Questo sconosciuto? …ancora per poco! Manuela Polcaro Security Advisor.

Threat Management Gateway 2010 Questo sconosciuto? …ancora per poco! Manuela Polcaro Security Advisor.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 45 How Hackers can Cripple the Internet and Attack Your PC How Hackers can Cripple the.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 45 How Hackers can Cripple the Internet and Attack Your PC How Hackers can Cripple the.
2010. 5. Jeong, Hyun-Cheol. 2 Contents DDoS Attacks in Korea 1 1 Countermeasures against DDoS Attacks in Korea Countermeasures against DDoS Attacks in.

Jeong, Hyun-Cheol. 2 Contents DDoS Attacks in Korea 1 1 Countermeasures against DDoS Attacks in Korea Countermeasures against DDoS Attacks in.
Evolving Threats Paul A. Henry MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE Florida PI License C2800597 Forensics & Recovery LLC Florida.

Evolving Threats Paul A. Henry MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE Florida PI License C Forensics & Recovery LLC Florida.
CSC8320. Outline Content from the book Recent Work Future Work.

CSC8320. Outline Content from the book Recent Work Future Work.

Similar presentations

Ads by Google