Host profiling based on remote measurements
Robert Kulzer
Advisor: Ralph Holz
Master Thesis, Chair for Network Architectures and Services, Technische Universität München
January 9, 2013
Robert Kulzer (TU München) Host profiling based on remote measurements 1
Motivation
- Flaws in the modern-day Web security environment
- Gutmann's example: the browser PKI, where a dubious domain holds a valid SSL certificate
Motivation
- Diversification of defense mechanisms
- Use a set of characteristics to classify a host
- Can a "risk-assessment" based approach help to deduce a domain's trustworthiness?
Motivation
[Figure: risk-assessment scale from Safe to Unsafe, built from the characteristics domain name system, network configuration, domain registration information, geographic location and AS information]
Goals
- Scanner framework
- Data collection
- Unveil distinctive characteristics for known sets of domains: temporal and as a current snapshot
Scanners
- Autonomous Systems
- Geographic location
- Whois registration information
- Network configuration
- Domain name system
Approach
Use distinctive sets of domains. Example domains from the lists include idealo.de, crape.fi, utp7.com, urinoor.com, tumblr.com, dhl.de, scentsy.com, 96897.com, wenmo.in, mail.ru, zeit.de, critictoo.com, finitysoft.com, allspade.ru, apple.com, kicker.de, firepits.com, isellcc.net, asfirey.net, pinterest.com, wetteronline.de, vbulletin-tr.com, m77s.cn, directsupershop.com, craigslist.org, transfermarkt.de, pigeon.cn, bjahqeb.info, drugfreecard.info, bbc.co.uk, n-tv.de, detikmaya.com, t5track.com, esntionlatino.com and ask.com.

Name      Origin                 Description    Amount of domains
AlDL      Alexa Top sites        Worldwide      1,000
DeAlDL    Alexa Top sites        German         1,000
RandAlDL  Alexa Top sites        Random pick    1,000
RandMDL   DNS blackhole project  Random pick    1,000
RecMDL    DNS blackhole project  Current month  9,000
Approach
Define time intervals for scan runs:
- Time between scans does not exceed 10 days
- Use all scanners in each scan run
- Two scan series
[Figure: timeline of Scan 1 to Scan 5 forming the evaluation series]
Approach
[Figure: scanner framework architecture. A scanner handler reads the global configuration, the domain configuration and the individual domain parameters, creates the database schema (tables and functions), and launches the scan process. Each scanner writes its own log: ASN scanner (ASN log), GeoIP scanner (GeoIP log), Nmap scanner (Nmap log and IP address feed), Whois scanner (WHOIS log), DNS scanner (DNS log).]
Evaluation - Autonomous Systems
Which set of domains shows frequent alterations in the ASN configuration?
[Figure: bar chart of the percentage of domains where an ASN change occurred (0-12%) per domain list (AlDL, DeAlDL, RandAlDL, RandMDL, RecMDL), one bar each for scan 1->2, 2->3, 3->4 and 4->5; lists ordered from Safe to Unsafe]
Evaluation - Geographic location
Which domain lists can be affiliated with a set of countries?
[Figure: per-list country distribution, lists ordered from Safe to Unsafe]
Evaluation - Geographic location
In which domain lists do relocations occur more often?
[Figure: bar chart of the percentage of hosts where a country change occurred (0-9%) per domain list (AlDL, DeAlDL, RandAlDL, RandMDL, RecMDL), one bar each for scan 1->2, 2->3, 3->4 and 4->5; lists ordered from Safe to Unsafe]
Evaluation - Whois registration information
Which set of domains is registered for a shorter time?

Domain list  Average  Q0.5   (registration time in months)
AlDL         181.75   182.63
RandAlDL      84.50    73.03
RandMDL       41.25    24.37
RecMDL        44.00    24.37

Lists ordered from Safe (top) to Unsafe (bottom).
Evaluation - Network configuration
Which set of domains has on average more open ports?
[Figure: bar chart of open ports per domain (0-3) per domain list (AlDL, DeAlDL, RandAlDL, RandMDL, RecMDL), showing the quantiles Q-0.3 and Q-0.5; lists ordered from Safe to Unsafe]
Evaluation - Domain name system
Which group of domains changes its TTL configuration frequently?
[Figure: ratio of TTL changes per domain (1.0-2.0) for the resource records A, CNAME, MX, NS, SOA and TXT, one series per domain list (AlDL, DeAlDL, RandAlDL, RandMDL, RecMDL); lists ordered from Safe to Unsafe]
Evaluation - Domain name system
Is the use of Google's SPF an indication for a group of domains?
- Spam prevention with SPF (Sender Policy Framework): an anti-spoofing entry is appended to the TXT resource records
- Example records: v=spf1 +all and v=spf1 mx ip4:77.232.64.0/19 +all
- Google Apps used to create SPF entries, e.g. google-site-verification=mWlqvcJ4Jx0oKel6...
Evaluation - Domain name system
Is the use of Google's SPF an indication for a group of domains?
[Figure: percentage of domains using Google for SPF (4-18%) over scan1 to scan5, one series per domain list (AlDL, DeAlDL, RandAlDL, RandMDL, RecMDL); lists ordered from Safe to Unsafe]
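As an added example (not code from the thesis or its scanner framework), the following Python computes the indicators evaluated on the ASN, TTL and SPF slides over a constructed scan series: the percentage of domains whose ASN changed between consecutive scans, the TTL-change ratio per resource record type, and the share of domains whose SPF record delegates to Google. The domains, ASNs and TTLs are made up, and recognising Google-managed SPF via the `include:_spf.google.com` term is an assumption, since the slides do not say how it was detected.

```python
# Constructed snapshots, one dict per scan run: domain -> observed ASN,
# TTL per resource record type, and TXT records. All values are made up.
SCANS = [
    {"a.example": {"asn": 3320,  "ttl": {"A": 300, "MX": 3600}, "txt": ["v=spf1 mx ip4:77.232.64.0/19 +all"]},
     "b.example": {"asn": 16509, "ttl": {"A": 60},              "txt": ["v=spf1 include:_spf.google.com ~all"]},
     "c.example": {"asn": 24940, "ttl": {"A": 60},              "txt": []}},
    {"a.example": {"asn": 3320,  "ttl": {"A": 300, "MX": 3600}, "txt": ["v=spf1 mx ip4:77.232.64.0/19 +all"]},
     "b.example": {"asn": 16509, "ttl": {"A": 120},             "txt": ["v=spf1 include:_spf.google.com ~all"]},
     "c.example": {"asn": 13335, "ttl": {"A": 30},              "txt": ["v=spf1 +all"]}},
    {"a.example": {"asn": 3320,  "ttl": {"A": 300, "MX": 3600}, "txt": ["v=spf1 mx ip4:77.232.64.0/19 +all"]},
     "c.example": {"asn": 13335, "ttl": {"A": 60},              "txt": ["v=spf1 +all"]}},  # b.example unresolved
]

def change_percentage(scans, attr):
    """ASN-change metric: per consecutive scan pair, the percentage of domains whose
    `attr` differs. A domain missing from either run is excluded, not counted as changed."""
    result = []
    for prev, cur in zip(scans, scans[1:]):
        common = [d for d in cur if d in prev]
        changed = sum(1 for d in common if prev[d][attr] != cur[d][attr])
        result.append(round(100.0 * changed / len(common), 1) if common else 0.0)
    return result

def ttl_change_ratio(scans, rrtype):
    """TTL-change metric: changes of one RR type summed over the series, divided by the
    number of domains that ever carried that record (this normalisation is an assumption)."""
    seen = {d for s in scans for d in s if rrtype in s[d]["ttl"]}
    changes = sum(1 for prev, cur in zip(scans, scans[1:]) for d in cur
                  if d in prev and rrtype in prev[d]["ttl"] and rrtype in cur[d]["ttl"]
                  and prev[d]["ttl"][rrtype] != cur[d]["ttl"][rrtype])
    return changes / len(seen) if seen else 0.0

def classify_spf(txt_records):
    """Return (has_spf, permissive, uses_google). A `+all` (or bare `all`) mechanism
    accepts any sender, so the record gives no spoofing protection. The Google check
    on `include:_spf.google.com` is an assumption, not the thesis' criterion."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return (False, False, False)
    terms = spf[0].split()[1:]
    permissive = any(t.lower() in ("+all", "all") for t in terms)
    uses_google = any(t.lower() == "include:_spf.google.com" for t in terms)
    return (True, permissive, uses_google)

def google_spf_percentage(scan):
    """Google-SPF metric: share of domains in one scan run whose SPF delegates to Google."""
    hits = sum(classify_spf(v["txt"])[2] for v in scan.values())
    return round(100.0 * hits / len(scan), 1) if scan else 0.0
```

Note that a domain that stops resolving between runs (b.example in the last snapshot) drops out of the change counts instead of inflating them, which is the caveat such a series needs.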
Dead ends (?)

Scanner  Characteristic            Verdict
ASN      Multiple AS               Not distinctive
ASN      Popular AS                Not distinctive
GeoIP    Undetermined locations    Insignificant
Whois    Changes to update field   Not distinctive
Whois    Changes to name servers   Fluctuating behaviour
Nmap     OS similarities           Imprecise data
Nmap     Frequent state changes    Insignificant
DNS      Low TTLs                  Not distinctive
DNS      Subset of RRs             Not distinctive
Results from related work
- ASN: very few clusters of ASes for malicious domains exist (Kalafut et al.); the majority of ASes are each linked to less than one percent of the domains
- DNS: passive DNS analysis reveals low TTL values for malicious domains (Bilge et al.)
- Other characteristics are consistent with this work
Conclusion
Results
- ASN alterations
- Domain registration time
- DNS record configuration
Summary
- Good indicators are few
- No single characteristic is sufficient
Future work
- Evaluation over a longer period of time
- Correlate the characteristics
Thank you for your attention. Are there any questions?