detection and mitigation of fast flux service networks
play

Detection and Mitigation of Fast-Flux Service Networks Thorsten - PowerPoint PPT Presentation

Dec 22, 2023 •198 likes •634 views

Detection and Mitigation of Fast-Flux Service Networks Thorsten Holz, Christian Gorecki, Felix Freiling, Konrad Rieck Pi1 - Laboratory for Dependable Distributed Systems Motivation Yesterday: presentation by Dagon Corrupt DNS

  1. Detection and Mitigation of Fast-Flux Service Networks Thorsten Holz, Christian Gorecki, Felix Freiling, Konrad Rieck Pi1 - Laboratory for Dependable Distributed Systems

  2. Motivation • Yesterday: presentation by Dagon • “Corrupt DNS Resolution Paths” • Today: How attackers use DNS for malicious purposes, e.g., scam hosting UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  3. Motivation • Yesterday: presentation by Dagon • “Corrupt DNS Resolution Paths” • Today: How attackers use DNS for malicious purposes, e.g., scam hosting $ dig isoc.org ;; ANSWER SECTION: isoc.org. 38679 IN A 206.131.241.137 UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  4. Motivation $ dig dadusual.com ;; ANSWER SECTION: dadusual.com. 300 IN A 125.59.103.156 dadusual.com. 300 IN A 218.254.9.205 dadusual.com. 300 IN A 62.65.233.109 dadusual.com. 300 IN A 76.181.194.207 dadusual.com. 300 IN A 77.41.18.139 dadusual.com. 300 IN A 78.84.69.132 dadusual.com. 300 IN A 78.106.115.147 dadusual.com. 300 IN A 78.106.180.151 dadusual.com. 300 IN A 78.106.200.47 dadusual.com. 300 IN A 78.106.224.174 dadusual.com. 300 IN A 79.120.43.191 dadusual.com. 300 IN A 80.222.32.58 dadusual.com. 300 IN A 84.62.186.63 dadusual.com. 300 IN A 85.177.42.179 dadusual.com. 300 IN A 85.181.225.55 dadusual.com. 300 IN A 89.112.4.172 UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  5. Motivation $ dig dadusual.com ;; ANSWER SECTION: dadusual.com. 300 IN A 125.59.103.156 cm125-59-103-156.hkcable.com.hk. dadusual.com. 300 IN A 218.254.9.205 cm218-254-9-205.hkcable.com.hk. dadusual.com. 300 IN A 62.65.233.109 pc109.host41.starman.ee. dadusual.com. 300 IN A 76.181.194.207 cpe-76-181-194-207.columbus.res.rr.com. dadusual.com. 300 IN A 77.41.18.139 host-77-41-18-139.qwerty.ru. dadusual.com. 300 IN A 78.84.69.132 dadusual.com. 300 IN A 78.106.115.147 dadusual.com. 300 IN A 78.106.180.151 dadusual.com. 300 IN A 78.106.200.47 dadusual.com. 300 IN A 78.106.224.174 dadusual.com. 300 IN A 79.120.43.191 dadusual.com. 300 IN A 80.222.32.58 dadusual.com. 300 IN A 84.62.186.63 dadusual.com. 300 IN A 85.177.42.179 dadusual.com. 300 IN A 85.181.225.55 dadusual.com. 300 IN A 89.112.4.172 UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  6. Motivation UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  7. Outline • Introduction • Automated identification fast-flux domains • Measurement results • Two month period in July / August 2007 • Mitigation (briefly) • Conclusion UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  8. Introduction • Availability is important for commercial services • Techniques from the area of reliability engineering help to achieve availability • RAID or failover systems • Methods using DNS • Round-robin DNS • Content distribution networks (CDNs) UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  9. Introduction • Availability is important for commercial services • Techniques from the area of reliability engineering help to achieve availability • RAID or failover systems $ dig myspace.com • Methods using DNS ;; ANSWER SECTION: • Round-robin DNS myspace.com. 3410 IN A 216.178.38.104 myspace.com. 3410 IN A 216.178.38.121 • Content distribution networks (CDNs) myspace.com. 3410 IN A 216.178.38.116 UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  10. Introduction • Availability is important for commercial services • Techniques from the area of reliability engineering help to achieve availability • RAID or failover systems $ dig myspace.com $ dig myspace.com • Methods using DNS ;; ANSWER SECTION: ;; ANSWER SECTION: • Round-robin DNS myspace.com. 3409 IN A 216.178.38.116 myspace.com. 3410 IN A 216.178.38.104 myspace.com. 3409 IN A 216.178.38.104 myspace.com. 3410 IN A 216.178.38.121 • Content distribution networks (CDNs) myspace.com. 3409 IN A 216.178.38.121 myspace.com. 3410 IN A 216.178.38.116 UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  11. Introduction • Availability is important for commercial services • Techniques from the area of reliability engineering help to achieve availability • RAID or failover systems $ dig myspace.com $ dig myspace.com $ dig myspace.com • Methods using DNS ;; ANSWER SECTION: ;; ANSWER SECTION: ;; ANSWER SECTION: • Round-robin DNS myspace.com. 3410 IN A 216.178.38.104 myspace.com. 3409 IN A 216.178.38.116 myspace.com. 3408 IN A 216.178.38.121 myspace.com. 3409 IN A 216.178.38.104 myspace.com. 3410 IN A 216.178.38.121 myspace.com. 3408 IN A 216.178.38.116 • Content distribution networks (CDNs) myspace.com. 3408 IN A 216.178.38.104 myspace.com. 3409 IN A 216.178.38.121 myspace.com. 3410 IN A 216.178.38.116 UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  12. Introduction • Availability is important for commercial services • Techniques from the area of reliability engineering help to achieve availability • RAID or failover systems • Methods using DNS • Round-robin DNS • Content distribution networks (CDNs) UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  13. Introduction • Note: illegal commercial organizations also need high availability • Scammer only earns money if pharmacy shop is online • Phisher needs to have phishing site online • Our starting point: • How do attackers achieve high availability? UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  14. FFSNs • If scammers could advertise multiple IP addresses for a given domain, shutdown would be harder • Botherder could use idea behind RRDNS to split botnet across multiple C&C server • Technique used: Fast-flux service networks • Fast change in DNS answers • Recent paper by Honeynet Project UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  15. FFSNs • Given fast-flux domain returns few IP addresses from large pool of compromised machines (“flux agents”) • After the (low) TTL expired, return different subset UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  16. FFSNs • Given fast-flux domain returns few IP addresses from large pool of compromised machines (“flux agents”) • After the (low) TTL expired, return different subset ;; ANSWER SECTION: thearmynext.info. 600 IN A 69.183.26.53 thearmynext.info. 600 IN A 76.205.234.131 thearmynext.info. 600 IN A 85.177.96.105 thearmynext.info. 600 IN A 217.129.178.138 thearmynext.info. 600 IN A 24.98.252.230 UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

  17. FFSNs • Given fast-flux domain returns few IP addresses from large pool of compromised machines (“flux agents”) • After the (low) TTL expired, return different subset ;; ANSWER SECTION: thearmynext.info. 600 IN A 69.183.26.53 thearmynext.info. 600 IN A 76.205.234.131 thearmynext.info. 600 IN A 85.177.96.105 thearmynext.info. 600 IN A 217.129.178.138 thearmynext.info. 600 IN A 24.98.252.230 ;; ANSWER SECTION: thearmynext.info. 600 IN A 213.47.148.82 thearmynext.info. 600 IN A 213.91.251.16 thearmynext.info. 600 IN A 69.183.207.99 thearmynext.info. 600 IN A 91.148.168.92 thearmynext.info. 600 IN A 195.38.60.79 UNIVERSITÄT Thorsten Holz • NDSS’08 - “Detection and Mitigation of Fast-Flux Service Networks” MANNHEIM

Recommend

FluXOR: Detecting and Monitoring Fast-flux Service Networks Emanuele Passerini , Roberto Paleari,

FluXOR: Detecting and Monitoring Fast-flux Service Networks Emanuele Passerini , Roberto Paleari,

Universit` a degli Studi di Milano Facolt` a di Scienze Matematiche, Fisiche e Naturali Dipartimento di Informatica e Comunicazione FluXOR: Detecting and Monitoring Fast-flux Service Networks Emanuele Passerini , Roberto Paleari, Lorenzo

741 views • 35 slides
Think You Know Fast-Flux Domains? Think Again. New

Think You Know Fast-Flux Domains? Think Again. New

Think You Know Fast-Flux Domains? Think Again. New Trends in Fast-Flux Domains Wei Xu, Xinran Wang Palo Alto Networks What we used

453 views • 23 slides
Fast Flux Hosting and DNS ICANN SSAC What is Fast Flux Hosting? An evasion technique

Fast Flux Hosting and DNS ICANN SSAC What is Fast Flux Hosting? An evasion technique

Fast Flux Hosting and DNS ICANN SSAC What is Fast Flux Hosting? An evasion technique Goal Avoid detection and take down of web sites used for illegal purposes Technique Host illegal content at many sites Rapidly

617 views • 19 slides
Fast Flux Hosting Final Report GNSO Council Meeting 13 August 2009 1 January 2008: SAC 025

Fast Flux Hosting Final Report GNSO Council Meeting 13 August 2009 1 January 2008: SAC 025

Fast Flux Hosting Final Report GNSO Council Meeting 13 August 2009 1 January 2008: SAC 025 Fast Flux Hosting and DNS Characterizes Fast Flux (FF) as an evasion technique that enables cybercriminals to extend lifetime of compromised hosts

447 views • 19 slides
Flux Box Flux Box A concept by Flux Laboratory Flux box : concept Flux box : concept What is Flux

Flux Box Flux Box A concept by Flux Laboratory Flux box : concept Flux box : concept What is Flux

Flux Box Flux Box A concept by Flux Laboratory Flux box : concept Flux box : concept What is Flux Laboratory? ! ! The Flux Box holds the archives of many years of Flux creations and Flux Laboratory is a pluridisciplinary space, based in both

262 views • 11 slides
Mitigation of BGP Route Leaks ietf-idr-route-leak-detection-mitigation-06 (Route leak definition:

Mitigation of BGP Route Leaks ietf-idr-route-leak-detection-mitigation-06 (Route leak definition:

Methods for Prevention, Detection and Mitigation of BGP Route Leaks ietf-idr-route-leak-detection-mitigation-06 (Route leak definition: RFC 7908) K. Sriram, D. Montgomery, B. Dickson, K. Patel, and A. Robachevsky IDR Working Group Meeting,

244 views • 9 slides
Fast Reroute for Triple Play Networks Sachin Natu Product Management March 2006 IPTV Service

Fast Reroute for Triple Play Networks Sachin Natu Product Management March 2006 IPTV Service

Building Smart Broadband Networks TM Fast Reroute for Triple Play Networks Sachin Natu Product Management March 2006 IPTV Service Requirements IPTV Network Design Fast Reroute / Convergence Solutions - MPLS FRR - IGP Fast Convergence -

241 views • 21 slides
Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool

Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool

Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool Wayne Routly, Maurizio Molina - (DANTE) Ignasi Paredes-Oliva - Universitat Politcnica de Catalunya (UPC) Ashish Jain - (Guavus) TNC, Vilnius, 2 nd

378 views • 25 slides
FluxBuster Early Detec+on of Malicious Flux Networks via

FluxBuster Early Detec+on of Malicious Flux Networks via

FluxBuster Early Detec+on of Malicious Flux Networks via Large-Scale Passive DNS Traffic Analysis Roberto Perdisci S ecurity N etwork University of Georgia I ntelligence

530 views • 15 slides
Detection of a gamma-ray halo around Geminga and implications for the e+ flux Based on M. Di

Detection of a gamma-ray halo around Geminga and implications for the e+ flux Based on M. Di

Detection of a gamma-ray halo around Geminga and implications for the e+ flux Based on M. Di Mauro, S. Manconi, F . Donato arXiv:1903.05647, subm. PRD and arXiv:1908.03216 Fiorenza Donato Torino University and INFN TAUP 2019 - Toyama,

387 views • 15 slides
Flux Correction of the Land Surface Temperature in the UM Model Chen Li, Dietmar Dommenget What

Flux Correction of the Land Surface Temperature in the UM Model Chen Li, Dietmar Dommenget What

Flux Correction of the Land Surface Temperature in the UM Model Chen Li, Dietmar Dommenget What is Flux Correction? Coupled with Fully coupled Uncoupled flux correction Pros: Fast, cheap and easy to apply; Mean state bias can be significant

499 views • 19 slides
1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq

1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq

1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq Khan, Protick Bhowmick, Md. Shohrab Hossain, and Husnu S. Narman 2 Outlines Motivation Problem Contribution Results Conclusions 3

733 views • 34 slides
GPS INTEGRITY ASSESSMENT Interference for TIMING and NAVIGATION Detection & Mitigation

GPS INTEGRITY ASSESSMENT Interference for TIMING and NAVIGATION Detection & Mitigation

GAARDIAN GNSS AVAILABILITY ACCURACY RELIABILITY anD GPS INTEGRITY ASSESSMENT Interference for TIMING and NAVIGATION Detection & Mitigation A Technology Strategy Board funded collaboration Charles Curry, B.Eng, FIET MD

514 views • 25 slides
THE KM3NET/ARCA DETECTION CAPABILITY TO A DIFFUSE FLUX OF COSMIC NEUTRINOS R. Coniglione for the

THE KM3NET/ARCA DETECTION CAPABILITY TO A DIFFUSE FLUX OF COSMIC NEUTRINOS R. Coniglione for the

1 THE KM3NET/ARCA DETECTION CAPABILITY TO A DIFFUSE FLUX OF COSMIC NEUTRINOS R. Coniglione for the KM3NeT collaboration INFN - LNS Catania (Italy) KM3NeT 2 KM3NeT is a distributed research infrastructure in the Mediterranean Sea hosting

257 views • 13 slides
Recap from Monday Visualizing Networks Caffe overview Slides are now online Today

Recap from Monday Visualizing Networks Caffe overview Slides are now online Today

Recap from Monday Visualizing Networks Caffe overview Slides are now online Today Edges and Regions, GPB Fast Edge Detection Using Structured Forests Zhihao Li Holistically-Nested Edge Detection Yuxin Wu

1k views • 44 slides
Test of thin Ultra-Fast Silicon Detectors (UFSD) for monitoring of high flux charged particle

Test of thin Ultra-Fast Silicon Detectors (UFSD) for monitoring of high flux charged particle

Test of thin Ultra-Fast Silicon Detectors (UFSD) for monitoring of high flux charged particle beams V.Monaco (Universit di Torino and INFN, Italy) Z.Amadi, R.Arcidiacono, A.Attili, N.Cartiglia, M.Donetti, F.Fausti, M.Ferrero, S.Giordanengo, O.

559 views • 25 slides
Asok Asok Ray Ray The Pennsylvania State University University Park, PA 16802 Email:

Asok Asok Ray Ray The Pennsylvania State University University Park, PA 16802 Email:

1 8 5 5 Seminar at Seminar at Nat National Inst onal Institut itute of S e of Standar andards and Technology ds and Technology ANOMALY DETECTION ANOMALY DETECTION AND FAILURE MITIGATION ND FAILURE MITIGATION IN COMPLEX DYNAMICAL SYSTEMS

444 views • 33 slides
HighSpeed TCP and Quick-Start for Fast Long-Distance Networks: * Workshop on Protocols for Fast

HighSpeed TCP and Quick-Start for Fast Long-Distance Networks: * Workshop on Protocols for Fast

HighSpeed TCP and Quick-Start for Fast Long-Distance Networks: * Workshop on Protocols for Fast Long-Distance Networks CERN, Geneva, Switzerland February 3-4, 2003 1 Topics: * HighSpeed TCP . URL: http://www.icir.org/floyd/hstcp.html

953 views • 29 slides
Edge Detection State of The Art P. Dollar and C. Zitnick Structured Forests for Fast Edge

Edge Detection State of The Art P. Dollar and C. Zitnick Structured Forests for Fast Edge

Edge Detection State of The Art P. Dollar and C. Zitnick Structured Forests for Fast Edge Detection ICCV 2013 Code: http://research.microsoft.com/en-us/downloads/ 389109f6-b4e8-404c-84bf-239f7cbf4e3d/default.aspx (Time stamp: Sept 15, 2014)

744 views • 35 slides
Cities networks metaphor Navigating culture as flux, the idea of culture as flow and that

Cities networks metaphor Navigating culture as flux, the idea of culture as flow and that

Cities networks metaphor Navigating culture as flux, the idea of culture as flow and that cultures are open, dynamic and constantly changing entities or practices Intercultural Competence Council of Europe, Directorate of

295 views • 12 slides
Koopman Operator Approach for Instability Detection and Mitigation IEEE International Conference

Koopman Operator Approach for Instability Detection and Mitigation IEEE International Conference

Koopman Operator Approach for Instability Detection and Mitigation IEEE International Conference on Intelligent Transportation Systems Esther Ling*, Lillian Ratliff**, Samuel Coogan* * Georgia Institute of Technology ** University of

220 views • 19 slides
Fault Detection and Mitigation in WLAN RSS Nearest Neighbor Fingerprint-based Positioning

Fault Detection and Mitigation in WLAN RSS Nearest Neighbor Fingerprint-based Positioning

Introduction - Motivation - Fault Model - Measurement Setup Fault Detection and Mitigation in WLAN RSS Nearest Neighbor Fingerprint-based Positioning Algorithm - Fault Detection - Fault Tolerance Hybrid Positioning Algorithm Christos

708 views • 41 slides
Current Trends in Cyber Security Course on Cyber Attack Detection & Mitigation Techniques

Current Trends in Cyber Security Course on Cyber Attack Detection & Mitigation Techniques

Current Trends in Cyber Security Course on Cyber Attack Detection & Mitigation Techniques (NIT-K) S. K. Pal Defence Research & Development Organization (DRDO) SAG, Metcalfe House, Delhi 27-Jul-2020 1 What is Cyberspace? Refers to

766 views • 17 slides
Recognition Topics that we will try to cover: Indexing for fast retrieval (we still owe this one)

Recognition Topics that we will try to cover: Indexing for fast retrieval (we still owe this one)

Recognition Topics that we will try to cover: Indexing for fast retrieval (we still owe this one) Object classification (we did this one already) Neural Networks Object class detection Hough-voting techniques Support Vector Machines (SVM)

931 views • 66 slides

More recommend