further aspects of passive dns
play

Further Aspects of Passive DNS Datamining, visualization and - PowerPoint PPT Presentation

Jan 26, 2024 •169 likes •435 views

Further Aspects of Passive DNS Datamining, visualization and alternative implementations Sebastien Tricaud (PicViz), Alexandre Dulaunoy (CIRCL.lu), L. Aaron Kaplan (CERT.at), David Durvaux (CERT.be), John Kristoff (Team Cymru) June 19, 2012

  1. Further Aspects of Passive DNS Datamining, visualization and alternative implementations Sebastien Tricaud (PicViz), Alexandre Dulaunoy (CIRCL.lu), L. Aaron Kaplan (CERT.at), David Durvaux (CERT.be), John Kristoff (Team Cymru) June 19, 2012

  2. Disclaimer • Passive DNS is a technique to collect only valid answers from authoritative or caching nameservers • By its design, privacy is preserved (e.g. no source IP addresses from resolvers are captured 1 ) • DNS data collected is only publicly known DNS data • The research is done in the sole purpose to detect malicious IP/domains or content to better protect users • Passive DNS implementations are subject to local rules 1 Except if an application abuses DNS answers to track back their users. 2 of 26

  3. “Passive DNS is to DNS ops as NetFlow is to net ops.” John Kristoff 3 of 26

  4. Passive DNS - how it works 4 of 26

  5. What’s the purpose? Some examples... 5 of 26

  6. Detection of shared compromised web hosting - the enisa.eu case • Regularly malicious links are posted on compromised systems • What are the other services or domains hosted on the same A/AAAA record? • What happens to ”infected” redirect (because the web hosting server is infected)? • How Passive DNS can help? 6 of 26

  7. EG (Egypt being offline) • Discover non resolvable domains using nameserver in Egypt • Interesting discovery randomstring .medicpills.ru ( → less spam?) • BIT.LY case is similar (when Libya was offline) • Passive DNS helps to find interdependecies among services 7 of 26

  8. Malware infection • History of a domain name in conjunction with Netflow records • Find shorted lived domain names • Get back the A/AAAA records • and find infected PCs in your Netflow. • Quick win! 8 of 26

  9. Passive DNS implementations • CERT.lv passive dns • BFK (F. Weimer a ) passive dns • ISC DNSDB a • CIRCL pdns-toolkit b • The University of • CERT.at passive dns c Auckland DNS History • CERT.ee passive dns Database Project (DHDB) a Presented at FIRST 2005 • Team Cymru passive dns b github.com/adulau/pdns-toolkit/ c access upon request a https://dnsdb.isc.org/ 9 of 26

  10. Passive DNS design comparison - an ecosystem CIRCL pdns-toolkit CERT.at passive dns datastore Redis PostgreSQL + memcached storage memory hybrid exhaustive - + space efficient ++ + input pcap, dnscap output nmsg open source yes ask 10 of 26

  11. Some statistics from the CERT.at Passive DNS. . . 11 of 26

  12. Storing Passive DNS - CIRCL.lu perspective • Implementing the storage of a Passive DNS can be challenging • Starting from standard RDBMS and then moved to a key-value store • We learned to hate 2 hard disk drive and to love random access memory • Loving memory is great especially when it’s now cheap and addressable in 64bits 2 exception → only used for data store snapshot 12 of 26

  13. Passive DNS + Ranked domains - Where visualization can help • Now, we have 50 millions lines of ranked hostname... ... www.stopacta.info. www.vista-care.com. breadworld.com. o-o.resolver.A.B.C.D.5xevqnwsds5zdq34.metricz.\ l.google.com. www.thechinagarden.com. smtp10.dti.ne.jp. ... 13 of 26

  14. Why visualization? • Understand big data • Find stuff we cannot guess 14 of 26

  15. Choosing Parallel Coordinates • Display as much dimensions wanted (yes, as many ) • Display as much data wanted (I mean it!) 15 of 26

  16. Interesting patterns 16 of 26

  17. Picvizing a CIRCL passive DNS dataset 17 of 26

  18. Picviz with subdomains split 18 of 26

  19. Reward: highest is youtube 19 of 26

  20. Subdomain entropy Only one sub-domain has an entropy 3 > 4.8 3 Shannon entropy 20 of 26

  21. Subdomain entropy Only one sub-domain has an entropy 4 > 4.8 4 Shannon entropy 21 of 26

  22. Scatter plot - finding outliers 22 of 26

  23. Scatter plot - finding outliers - covert channel? 030066363663643937306531[..].36393764313333653763.lbl8.mailshell.net t10000.u1318235395163.s203679668[..]-1329.zv6lit-null.zrdtd-1311.zr6td- null.results.potaroo.net 03003064303831663965386[..].64306561343837346533.lbl8.mailshell.net 23 of 26

  24. Searching for Zeus Using the broad Polish CERT regex [a-z0-9]{32,48}\.(ru|com|biz|info|org|net) • We get some cool domains: ◦ cg79wo20kl92doowfn01oqpo9mdieowv5tyj.com ◦ eef795a4eddaf1e7bd79212acc9dde16.net • but more important we got a visualization profile to find outliers not matching the regexp 24 of 26

  25. Conclusion • Passive DNS is an infinite source of security data mining • A team of passive DNS is at your services, contact us! • (adequate) Visualization is an appropriate way to discover unknown malicious or suspicious services • This finally helps CSIRTs to act earlier on the incidents • Common output format for different implementations (work in progress) 25 of 26

  26. Q&A • alexandre.dulaunoy@circl.lu • sebastien@honeynet.org • kaplan@cert.at • david.durvaux@cert.be • jtk@cymru.com 26 of 26

Recommend

Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it

Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it

Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it matter? Federal government changed rules, effective for tax years that begin after 2018. Canadian controlled private corporations (CPCC) Passive

193 views • 8 slides
Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive

Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive

Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive Components 02 Integrating and Upgrading 03 Questions 04 2 Passive System Overview ___ 3 Passive Gas System ___ 4 Passive Gas System Usually

332 views • 12 slides
Passive Fire Protection For the Oil & Gas Industry Passive Fire Protection What is purpose

Passive Fire Protection For the Oil & Gas Industry Passive Fire Protection What is purpose

Passive Fire Protection For the Oil & Gas Industry Passive Fire Protection What is purpose of fireproofing? To Save Lives To Preserve Assets To Prevent Escalation Passive Fire Protection Passive Fire Protection Passive Fire

311 views • 29 slides
A Novel Passive Adhesion Principle and Application for an Inspired Climbing Caterpillar Robot H.

A Novel Passive Adhesion Principle and Application for an Inspired Climbing Caterpillar Robot H.

Technical Aspects of Multimodal System Dept. Informatics, Faculty of Mathematics, Informatics and Natural Sciences University of Hamburg A Novel Passive Adhesion Principle and Application for an Inspired Climbing Caterpillar Robot H. Zhang,

408 views • 16 slides
What Are Active and Passive Voice? Can you write definitions for active and passive

What Are Active and Passive Voice? Can you write definitions for active and passive

What Are Active and Passive Voice? Can you write definitions for active and passive voice? Active Voice In an active sentence, the subject performs the action (the verb) to the object . Passive Voice In a passive sentence, the thing

610 views • 14 slides
Passive Transport (no energy input required) Passive Transport Passive transport is the

Passive Transport (no energy input required) Passive Transport Passive transport is the

Passive Transport (no energy input required) Passive Transport Passive transport is the movement of ions and other molecules across cell membranes without the need of energy input (ATP) Ions or molecules move from an area of higher

651 views • 33 slides
Multivariate Solutions to Emerging Passive DNS Challenges Dr. Paul Vixie, CEO and Dr. Joe St

Multivariate Solutions to Emerging Passive DNS Challenges Dr. Paul Vixie, CEO and Dr. Joe St

Multivariate Solutions to Emerging Passive DNS Challenges Dr. Paul Vixie, CEO and Dr. Joe St Sauver, Scientist 1 Agenda Introduction Passive DNS, Including Times When Passive DNS May Not Work Well Overcoming Obfuscation Pillz

962 views • 47 slides
Active / Passive Voice Acquistion THE PASSIVE VOICE IS EVIL. Two exceptions:

Active / Passive Voice Acquistion THE PASSIVE VOICE IS EVIL. Two exceptions:

Active / Passive Voice Acquistion THE PASSIVE VOICE IS EVIL. Two exceptions: blame-shifting scientific writing Acquisition Active Voice: the subject performs the action of the verb Example: The dog attacked my neighbor.

595 views • 21 slides
How Fast Does a Passive Scalar Decay? (Decay of Chaotically Advected Passive Scalars in the Zero

How Fast Does a Passive Scalar Decay? (Decay of Chaotically Advected Passive Scalars in the Zero

How Fast Does a Passive Scalar Decay? (Decay of Chaotically Advected Passive Scalars in the Zero Diffusivity Limit) Yue-Kin Tsang Courant Institute of Mathematical Sciences New York University Thomas M. Antonsen, Jr. and Edward Ott University

381 views • 24 slides
Background and involvement in passive seismic Passive Seismic in the Literature World Oil

Background and involvement in passive seismic Passive Seismic in the Literature World Oil

Background and involvement in passive seismic Passive Seismic in the Literature World Oil Article Geo Expo Article AAGP Explorer Article Basic Equipment Gear and ATV Seismometer Data Recorder Monitor Hookup Problems Problems Wind

733 views • 42 slides
1 Measurement Passive Measurements Sprint has a passive measurement architecture Passive

1 Measurement Passive Measurements Sprint has a passive measurement architecture Passive

Introduction Impact of Link Failures on VoIP Performance Tier-1 ISPs interested in providing Voice- Over-IP (VoIP) Need to provide quality International Workshop on Network and Operating Voice quality and availability System

394 views • 6 slides
Passive Voice vs. Active Voice 1 06.19.10 || English 1301: Composition I || D. Glen Smith,

Passive Voice vs. Active Voice 1 06.19.10 || English 1301: Composition I || D. Glen Smith,

Passive Voice vs. Active Voice 1 06.19.10 || English 1301: Composition I || D. Glen Smith, instructor Passive Verbs Avoid excessive use of passive verbs. They can bog down descriptive writing and create boring sentences. (See Bedford p 142.)

202 views • 5 slides
PASSIVE HOUSE: Building Inherent Value Owner/Developer: Homeowners Rehab FINCH CAMBRIDGE

PASSIVE HOUSE: Building Inherent Value Owner/Developer: Homeowners Rehab FINCH CAMBRIDGE

PASSIVE HOUSE: Building Inherent Value Owner/Developer: Homeowners Rehab FINCH CAMBRIDGE 98 affordable family units Opening April 1 2020 Surge in Interest in Passive House in MA Fall 2018: Mass CEC Passive House Design Incentives

626 views • 20 slides
Passive Sampling of Porewater Porewater for the for the Passive Sampling of In- -situ

Passive Sampling of Porewater Porewater for the for the Passive Sampling of In- -situ

Passive Sampling of Porewater Porewater for the for the Passive Sampling of In- -situ Assessment of Bioavailability situ Assessment of Bioavailability In Danny D. Reible, PhD, PE, DEE, NAE University of Texas Linking Sediment Exposure and

543 views • 23 slides
Safety (Electronics) is Still Beating Tom Borninski Autoliv Electronics America Passive Safety

Safety (Electronics) is Still Beating Tom Borninski Autoliv Electronics America Passive Safety

The Heart of Passive Safety (Electronics) is Still Beating Tom Borninski Autoliv Electronics America Passive Safety and Our Naming Problem With ~15 years and many millions of these hearts of passive safety in existence, we still

269 views • 11 slides
Scrutinizing a Country using Passive DNS and Picviz or how to analyze big dataset without loosing

Scrutinizing a Country using Passive DNS and Picviz or how to analyze big dataset without loosing

Scrutinizing a Country using Passive DNS and Picviz or how to analyze big dataset without loosing your mind Sebastien Tricaud, Alexandre Dulaunoy March 10, 2012 Disclaimer Passive DNS is a technique to collect only valid answers from

772 views • 38 slides
Use-cases for Passive Measurement in Wireless Networks

Use-cases for Passive Measurement in Wireless Networks

Use-cases for Passive Measurement in Wireless Networks dra9-deng-ippm-passive-wireless-usecase-00 Lingli Deng, China Mobile Lianshu Zheng, Huawei

87 views • 8 slides
Chapter 9: Passive Constructions Syntactic Constructions in English Kim and Michaelis (2020)

Chapter 9: Passive Constructions Syntactic Constructions in English Kim and Michaelis (2020)

Chapter 9: Passive Constructions Syntactic Constructions in English Kim and Michaelis (2020) Syntactic Constructions Chapter 9 1 / 43 Introduction 1 2 The Relationship between Active and Passive Approaches to Passive 3 From Structural

597 views • 43 slides
Some aspects of physics Some aspects of physics beyond the SM at the LHC beyond the SM at the

Some aspects of physics Some aspects of physics beyond the SM at the LHC beyond the SM at the

Some aspects of physics Some aspects of physics beyond the SM at the LHC beyond the SM at the LHC PASCOS 2012 Merida, Mxico Alberto Casas (IFT-UAM/CSIC, Madrid) Main purposes of the LHC Main purposes of the LHC Great LHC performance

890 views • 54 slides
Pacific Passive House certifications How not to kill a Passive House project Clare Parry

Pacific Passive House certifications How not to kill a Passive House project Clare Parry

Slide 1 Lessons learned from South Pacific Passive House certifications How not to kill a Passive House project Clare Parry & Jason Quinn Slide 2 2 Hard-Fought Lessons Learned SIMPLE BUT NOT EASY clare.parry@grunconsulting.com

474 views • 14 slides
. . . . . . . . . . . . CERTIFIED PASSIVE HOUSE . . . MALLOW, CO. CORK North facing slope

. . . . . . . . . . . . CERTIFIED PASSIVE HOUSE . . . MALLOW, CO. CORK North facing slope

THE PATCHWORK QUILT PASSIVE HOUSE PASSIVE HOUSE . . . . . . . . . . . . CERTIFIED PASSIVE HOUSE . . . MALLOW, CO. CORK North facing slope Public road to north Public road to north Existing buildings to south . . . . . . . . . . . .

592 views • 20 slides
35b Integration Massage: Swedish and Passive Stretches 35b Integration Massage: Swedish and Passive

35b Integration Massage: Swedish and Passive Stretches 35b Integration Massage: Swedish and Passive

35b Integration Massage: Swedish and Passive Stretches 35b Integration Massage: Swedish and Passive Stretches Class Outline 5 minutes Attendance, Breath of Arrival, and Reminders 15 minutes Pep talk 70 minutes 1st massage 20 minutes

252 views • 9 slides
Access to Passive Infrastructure : Definitions and Process Mohamed El Bashir Technical Affairs

Access to Passive Infrastructure : Definitions and Process Mohamed El Bashir Technical Affairs

Access to Passive Infrastructure : Definitions and Process Mohamed El Bashir Technical Affairs Manager, Communications Regulatory Authority The State of Qatar Passive Infrastructure : Distribution Network Internet Users demand high

495 views • 11 slides
contaminated sediments: Results of an international passive sampling ring test Michiel T.O.

contaminated sediments: Results of an international passive sampling ring test Michiel T.O.

Advancing the use of passive sampling in risk assessment and management of contaminated sediments: Results of an international passive sampling ring test Michiel T.O. Jonker, Stephan van der Heijden, Yongju Choi, Yanwen Wu, Loretta Fernandez,

410 views • 20 slides

More recommend