Detection of DNS Traffic Anomalies in Large Networks

Milan Čermák, Pavel Čeleda, Jan Vykopal
{cermak|celeda|vykopal}@ics.muni.cz

20th Eunice Open European Summer School and Conference 2014
1-5 September 2014, Rennes, France
Part I Introduction Milan Čermák et al. Detection of DNS Traffic Anomalies in Large Networks 2 / 21
Motivation

Almost every Internet communication is preceded by a translation of a domain name to an IP address.

[Figure: DNS resolution path - Computer, DNS Resolver, Root DNS, TLD DNS, Authoritative DNS for a domain, Web Server]

DNS Traffic Monitoring Benefits
- DNS packets are not encrypted.
- Knowledge of the queried domain can extend the capabilities of current anomaly detection methods.
- Possibility to detect anomalies in DNS traffic itself.
DNS Traffic Attacks and Anomalies

- Malicious domain queries: Botnet C&C (domain-flux and fast-flux domains), malware spread, ...
- Amplification DDoS attacks
- And many others ...

[Figure: amplification attack example - Attacker sends DNS Query: fkfkfkfa.com ANY, Source IP: 192.168.254.6, Size: 72 B to a DNS server; the server sends Answer: 204.46.43.28 ..., Dst IP: 192.168.254.6, Size: 4015 B to the Victim 192.168.254.6]
Research Questions

1. How can DNS traffic be effectively analysed in large networks?
2. What are the differences in the analysis of DNS traffic using standard and extended flow records?
3. What are the advantages of combining DNS traffic information with flow records for network anomaly detection?
Part II DNS Traffic Monitoring
Flow Based DNS Traffic Monitoring

[Figure: DNS Server and Internet observed through a TAP by a Flow Probe, which exports flow data to a Flow Collector. Standard flow record fields: Src & Dst IP address, Src & Dst port, Protocol number, Duration, Number of packets, Sum of bytes. Extended flow record adds: Qname & Qtype, Rcode, Rdata]

Standard Flow Record
$F = (IP_{src}, IP_{dst}, P_{src}, P_{dst}, Prot, T_{start}, T_{dur}, Pckts, Octs, Flags)$

DNS Flow Record
$F_{DNS} = (Qname, Qtype, Rcode, Rdata)$

Extended Flow Record
$F_{ext} = F \cdot F_{DNS} = (IP_{src}, IP_{dst}, P_{src}, P_{dst}, Prot, T_{start}, T_{dur}, Pckts, Octs, Flags, Qname, Qtype, Rcode, Rdata)$
Flow Based DNS Traffic Monitoring

[Figure: Cumulative Distribution Function of DNS Packets per Flow - P[X<=x] from 0.98 to 1.00 against 1 to 100 packets; series: DNS Queries (UDP dst port 53), DNS Answers (UDP src port 53)]

Up to 99 % of flows with port 53 contain only one packet.
⇒ Flow aggregation is not used.
Extended Flow Expiration

Algorithm GenerateExtendedFlow (incoming packet)
1. Parse flow information $F$ from the incoming packet header.
2. Check if the incoming packet contains a valid DNS header.
3. Parse the DNS packet and create a flow record $F_{ext} = F \cdot F_{DNS}$.
4. Export the flow record $F_{ext}$ without storing it in a flow cache.
5. Otherwise update flow record $F$ in a flow cache.

Main Contribution
! Significant reduction of flow cache memory occupation due to the immediate export of a flow record.
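As an added example (not the authors' probe implementation), the following Python sketch models GenerateExtendedFlow on a stream of packets: a DNS message found in a UDP port 53 payload is parsed into the DNS part of the record and the extended record is exported at once, while every other packet is aggregated in a flow cache keyed by the standard five-tuple. The packet dictionary layout, the restriction to UDP port 53, the A-record-only Rdata, the compression-pointer handling, and the constructed sample packets with 192.0.2.x addresses are assumptions of this example.

```python
import struct
from dataclasses import dataclass, field

UDP = 17

@dataclass
class StandardFlow:
    """Standard flow record F (Flags stays 0: no TCP flags for UDP)."""
    ip_src: str
    ip_dst: str
    p_src: int
    p_dst: int
    prot: int
    t_start: float
    t_dur: float = 0.0
    pckts: int = 1
    octs: int = 0
    flags: int = 0

@dataclass
class DnsFields:
    """DNS part F_DNS = (Qname, Qtype, Rcode, Rdata)."""
    qname: str
    qtype: int
    rcode: int
    rdata: list = field(default_factory=list)

def parse_dns(payload):
    """Parse the header, the single question and A-record answers; None if not valid DNS."""
    if len(payload) < 12:
        return None
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if (flags >> 11) & 0xF != 0 or qdcount != 1:  # opcode QUERY, exactly one question
        return None

    def read_name(off, hops=0):
        labels = []
        while True:
            if off >= len(payload) or hops > 16:
                raise ValueError("malformed name")
            length = payload[off]
            if length == 0:
                return ".".join(labels), off + 1
            if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
                ptr = struct.unpack("!H", payload[off:off + 2])[0] & 0x3FFF
                labels.append(read_name(ptr, hops + 1)[0])
                return ".".join(labels), off + 2
            labels.append(payload[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length

    try:
        qname, off = read_name(12)
        qtype = struct.unpack("!HH", payload[off:off + 4])[0]
        off += 4
        rdata = []
        for _ in range(ancount):
            off = read_name(off)[1]
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
            off += 10
            if off + rdlen > len(payload):
                raise ValueError("truncated rdata")
            if rtype == 1 and rdlen == 4:  # A record -> dotted quad
                rdata.append(".".join(str(b) for b in payload[off:off + 4]))
            off += rdlen
    except (ValueError, struct.error, UnicodeDecodeError):
        return None
    return DnsFields(qname, qtype, flags & 0xF, rdata)

class FlowProbe:
    """Flow cache of a probe running GenerateExtendedFlow."""
    def __init__(self):
        self.cache = {}     # (IP_src, IP_dst, P_src, P_dst, Prot) -> StandardFlow
        self.exported = []  # F_ext records exported immediately

    def generate_extended_flow(self, pkt):
        # 1. flow information F from the packet header
        f = StandardFlow(pkt["ip_src"], pkt["ip_dst"], pkt["p_src"], pkt["p_dst"],
                         pkt["prot"], pkt["ts"], octs=pkt["length"])
        # 2. DNS header check (assumption: only UDP port 53 payloads are inspected)
        dns = parse_dns(pkt["payload"]) if f.prot == UDP and 53 in (f.p_src, f.p_dst) else None
        if dns is not None:
            # 3.-4. F_ext = F . F_DNS, exported without entering the cache
            self.exported.append({**vars(f), **vars(dns)})
            return "exported"
        # 5. any other packet is aggregated in the flow cache
        key = (f.ip_src, f.ip_dst, f.p_src, f.p_dst, f.prot)
        cached = self.cache.setdefault(key, f)
        if cached is not f:
            cached.pckts += 1
            cached.octs += pkt["length"]
            cached.t_dur = pkt["ts"] - cached.t_start
        return "cached"

def build_dns_response(qname, a_records, qtype=1):
    """Constructed DNS response: one question, A answers via pointer 0xC00C to the question name."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(a_records), 0, 0)  # QR RD RA, rcode 0
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + bytes(int(o) for o in ip.split(".")) for ip in a_records)
    return header + name + struct.pack("!HH", qtype, 1) + answers

def demo():
    """One DNS answer plus two packets of an HTTP flow (constructed); returns (exported, cache)."""
    probe = FlowProbe()
    dns_pkt = {"ip_src": "192.0.2.53", "ip_dst": "192.0.2.7", "p_src": 53, "p_dst": 40001,
               "prot": UDP, "ts": 1.0, "length": 77,
               "payload": build_dns_response("www.example.com", ["192.0.2.10"])}
    http_pkt = {"ip_src": "192.0.2.7", "ip_dst": "192.0.2.80", "p_src": 40002, "p_dst": 80,
                "prot": 6, "ts": 1.5, "length": 60, "payload": b""}
    probe.generate_extended_flow(dns_pkt)
    probe.generate_extended_flow(http_pkt)
    probe.generate_extended_flow({**http_pkt, "ts": 2.5, "length": 1400})
    return probe.exported, probe.cache
```

Running demo() leaves the DNS answer in the exported list with its Qname, Qtype, Rcode and Rdata filled in, while the cache holds a single HTTP flow aggregated over two packets; this is the memory saving the slide refers to, since the single-packet DNS flows never occupy a cache entry waiting for a timeout.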
Part III DNS Traffic Anomaly Detection Using Standard Flows
Amplification DDoS Attack

[Figure: Internet, LAN with Web Server and Rogue DNS Resolver, Attacker, TAP, Flow Probe]

The attack is characterised by a large number of identical queries with a spoofed IP address.

Detection Method
- Increasing count of flows with a high bytes-per-packet ratio and source port 53.
- Access control lists reflecting the network security policy.
- Usually threshold adjustment is required.
Part IV DNS Traffic Anomaly Detection Using Extended Flows
Amplification DDoS Attack

[Figure: Internet, LAN with Web Server and Rogue DNS Resolver, Attacker, TAP, Flow Probe]

Detection Method
- Recognition of a malware-infected device or a misconfigured DNS resolver instead of using basic flow statistics.
⇒ The problem is to distinguish a regular DNS server responding to a query containing a local domain.
Amplification DDoS Attack

Algorithm DetectOpenDNSResolver (DNS response)
1. Request all information about the domain $F_{ext}.Qname$ in the response by the ANY query type.
2. Check if the result contains at least one IP address from a local network.
3. If yes, then add the domain to a whitelist of local domains.
4. Otherwise report $F_{ext}.IP_{src}$ as an open DNS resolver.

Detection Results
[Figure: bar chart of Detections (0 to 220) for Matching results, Open Resolver Scanning Project, and Proposed algorithm]
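As an added example (not the authors' code) contrasting the standard-flow method of Part III with the DetectOpenDNSResolver algorithm above, the Python below runs both detectors over one constructed set of flow records. The standard-flow detector only sees the five-tuple and byte/packet counters, so it flags every source that sends many large answers from port 53; the extended-flow detector reads Qname, resolves it through an ANY lookup and whitelists domains that point into the local network, so an authoritative server answering for its own domain is not reported. The local prefix 192.168.254.0/24, the victim address 203.0.113.9, the domain intranet.example, the thresholds, and the offline stand-in for the ANY lookup are assumptions of this example; fkfkfkfa.com and 204.46.43.28 are the values from the slides' attack figure.

```python
import ipaddress
from collections import defaultdict

# Assumed local prefix (the slides' LAN uses 192.168.254.x addresses).
LOCAL_NETS = [ipaddress.ip_network("192.168.254.0/24")]
VICTIM = "203.0.113.9"  # constructed spoofed source / victim address
ANY = 255               # QTYPE value of an ANY query

def detect_by_flow_stats(flows, min_bytes_per_packet=400, min_flows=3):
    """Standard-flow method: count flows per source with source port 53 and a high
    bytes-per-packet ratio. Thresholds are constructed and, as the slide notes,
    usually need adjustment for a given network."""
    counts = defaultdict(int)
    for f in flows:
        if f["p_src"] == 53 and f["pckts"] > 0 and f["octs"] / f["pckts"] >= min_bytes_per_packet:
            counts[f["ip_src"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_flows}

def detect_open_resolvers(ext_flows, resolve_any, local_nets=LOCAL_NETS, whitelist=None):
    """Extended-flow method: DetectOpenDNSResolver applied to every DNS response record.
    resolve_any(domain) stands in for the ANY query of step 1 and returns IP strings."""
    whitelist = set() if whitelist is None else whitelist
    reported = set()
    for f in ext_flows:
        if f["p_src"] != 53:
            continue                       # only responses are examined
        domain = f["qname"]
        if domain in whitelist:
            continue                       # known local domain, regular server
        answers = [ipaddress.ip_address(a) for a in resolve_any(domain)]   # step 1
        if any(a in net for a in answers for net in local_nets):          # step 2
            whitelist.add(domain)                                        # step 3
        else:
            reported.add(f["ip_src"])                                    # step 4
    return reported, whitelist

def constructed_resolve_any(domain):
    """Offline stand-in for the ANY lookup (constructed answers, no network access)."""
    table = {"fkfkfkfa.com": ["204.46.43.28"],
             "intranet.example": ["192.168.254.10", "192.168.254.11"]}
    return table.get(domain, [])

def ext_flow(ip_src, ip_dst, p_src, p_dst, octs, qname, qtype, rdata):
    """One extended flow record F_ext as a dict (single UDP packet, rcode 0)."""
    return {"ip_src": ip_src, "ip_dst": ip_dst, "p_src": p_src, "p_dst": p_dst, "prot": 17,
            "pckts": 1, "octs": octs, "qname": qname, "qtype": qtype, "rcode": 0, "rdata": rdata}

SAMPLE_FLOWS = (
    # open resolver 192.168.254.20 answering spoofed ANY queries for an external domain
    [ext_flow("192.168.254.20", VICTIM, 53, 4000 + i, 4015, "fkfkfkfa.com", ANY, ["204.46.43.28"])
     for i in range(3)]
    # authoritative server 192.168.254.10 answering ANY queries for its own local domain
    + [ext_flow("192.168.254.10", VICTIM, 53, 5000 + i, 3900, "intranet.example", ANY, ["192.168.254.10"])
       for i in range(3)]
    # an ordinary client query (destination port 53) and its small answer
    + [ext_flow("192.168.254.30", "192.168.254.10", 50000, 53, 72, "intranet.example", 1, []),
       ext_flow("192.168.254.10", "192.168.254.30", 53, 50000, 88, "intranet.example", 1, ["192.168.254.11"])]
)

def demo():
    """Returns (sources flagged by flow statistics, reported open resolvers, local domain whitelist)."""
    stats = detect_by_flow_stats(SAMPLE_FLOWS)
    reported, whitelist = detect_open_resolvers(SAMPLE_FLOWS, constructed_resolve_any)
    return stats, reported, whitelist

if __name__ == "__main__":
    stats, reported, whitelist = demo()
    print("flow statistics flag:", sorted(stats))
    print("open resolvers:", sorted(reported), "local domains:", sorted(whitelist))
```

With these records the flow-statistics detector flags both 192.168.254.20 and 192.168.254.10, because both emit three large port 53 answers, whereas the extended-flow detector reports only 192.168.254.20 and places intranet.example on the whitelist after the first answer from the authoritative server.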
External DNS Resolver Usage Detection

[Figure: Internet, LAN with Client and local DNS Resolver, external DNS Resolver, TAP, Flow Probe]

Usage of an external DNS resolver may cause delay and also presents a security risk if the external DNS resolver responds with fraudulent IP addresses.

Detection Method
- In well-maintained networks, detection is based on access control lists.
- In poorly maintained networks, the problem is to distinguish between a client device and a local DNS resolver.