passive dns replication
play

Passive DNS Replication Florian Weimer 17 th Annual FIRST - PDF document

Jan 08, 2023 •36 likes •166 views

Passive DNS Replication Florian Weimer 17 th Annual FIRST Conference, Singapore, 2005 Florian Weimer Passive DNS Replication FIRST 2005 1 / 25 Outline A very brief introduction to DNS Case Study: Botnet mitigation Architecture and

  1. Passive DNS Replication Florian Weimer 17 th Annual FIRST Conference, Singapore, 2005 Florian Weimer Passive DNS Replication FIRST 2005 1 / 25 Outline A very brief introduction to DNS Case Study: Botnet mitigation Architecture and implementation Results Florian Weimer Passive DNS Replication FIRST 2005 2 / 25

  2. A very brief introduction to DNS Outline A very brief introduction to DNS Case Study: Botnet mitigation Architecture and implementation Results Florian Weimer Passive DNS Replication FIRST 2005 3 / 25 A very brief introduction to DNS DNS as a huge table www.enyo.de IN A 212.9.189.164 static.enyo.de IN A 212.9.189.164 mail.enyo.de IN A 212.9.189.167 enyo.de IN MX 10 mail.enyo.de . . . www.first.org IN A 163.1.2.77 www.first.org IN A 192.25.206.20 www.first.org IN A 210.148.223.8 . . . 164.189.9.212.in-addr.arpa IN PTR www.enyo.de Florian Weimer Passive DNS Replication FIRST 2005 4 / 25

  3. A very brief introduction to DNS DNS summary ◮ You can query only by the primary key, the domain/class/type triple. ◮ Queries on secondary keys can be emulated if the key is encoded in a domain name (as in 164.189.9.212.in-addr.arpa ). ◮ There are no consistency guarantees. ◮ Reverse lookups (based on PTR records) are optional and not reliable: Both www and static point to 212.9.189.164 , but there is only one PTR record. Florian Weimer Passive DNS Replication FIRST 2005 5 / 25 Case Study: Botnet mitigation Outline A very brief introduction to DNS Case Study: Botnet mitigation Architecture and implementation Results Florian Weimer Passive DNS Replication FIRST 2005 6 / 25

  4. Case Study: Botnet mitigation An IDS alert ◮ The intrusion detection system detects a botnet command: T 2005/04/21 18:06:33.188392 192.0.2.166:6667 -> 212.9.189.171:1037 :abc!DeFgH@SOME.TLA.GOV TOPIC #l33t :.advscan dcom135 100 5 0 -r.. ◮ 212.9.189.171 is a compromised host on our network. ◮ 192.0.2.166 is the botnet controller. ◮ The captured command instructs 212.9.189.171 to scan for further victims. Florian Weimer Passive DNS Replication FIRST 2005 7 / 25 Case Study: Botnet mitigation Response to the report ◮ Filter 212.9.189.171 , the victim host. ◮ Filter 192.0.2.166 , the botnet controller. ◮ Contact the owner of the 212.9.189.171 machine and force him to clean it. ◮ . . . and hope for the best. ◮ The victims continue to scan the internal network, discovering new victims. ◮ Filtering the botnet controller prevents them from joining the botnet. (???) Florian Weimer Passive DNS Replication FIRST 2005 8 / 25

  5. Case Study: Botnet mitigation Contacting the botnet controller ◮ The bot may contain one or more domain names instead of hard-coded IP addresses. ◮ Each domain can resolve to multiple IP addresses. ◮ Blocking a single IP address often does not prevent hosts from joining the botnet. ◮ If you know the domain name, better filters are possible. ◮ You can adjust the filters when the domain name changes. ◮ You can filter the domain name on your resolvers (in theory). Florian Weimer Passive DNS Replication FIRST 2005 9 / 25 Case Study: Botnet mitigation How to recover domain names from IP addresses ◮ Reverse engineer the bot. ◮ Disassembling needs time and expertise. ◮ And a copy of the malware. ◮ The security team often cannot access the caching resolvers which store a copy of the DNS record. ◮ Zone file transfers do not work, the traditional DNS replication mechanism, do not work. Florian Weimer Passive DNS Replication FIRST 2005 10 / 25

  6. Case Study: Botnet mitigation From domain names to IP addresses ◮ Capture DNS packets and look for the IP address you are interested in. ◮ DNS caches may delay the reappearance of resource records for hours. ◮ Idea: Capture DNS records in advance and store them in a database for later reference. ◮ This leads to “passive DNS replication”. Florian Weimer Passive DNS Replication FIRST 2005 11 / 25 Architecture and implementation Outline A very brief introduction to DNS Case Study: Botnet mitigation Architecture and implementation Results Florian Weimer Passive DNS Replication FIRST 2005 12 / 25

  7. Architecture and implementation dnslogger architecture Sensor Sensor dnslogger host Analyzer Collector WHOIS client Database WHOIS server WHOIS client Florian Weimer Passive DNS Replication FIRST 2005 13 / 25 Architecture and implementation Sensor placement www.enyo.de Client DNS Resolver Name Server Sensor ISP 1 ISP 2 Florian Weimer Passive DNS Replication FIRST 2005 14 / 25

  8. Architecture and implementation Challenges ◮ Privacy concerns ◮ Security concerns ◮ Truncated and EDNS0 responses ◮ What about bogus DNS data captured by the sensors? ◮ The data rate itself is fairly low on medium-sized campus networks. ◮ But keeping lots of historic data is problematic. Florian Weimer Passive DNS Replication FIRST 2005 15 / 25 Architecture and implementation dnslogger implementation ◮ Two sensor implementations: ◮ Perl: simple and obviously correct ◮ C: higher performance, fewer dependencies ◮ The remaining parts of the dnslogger software are written in Ada. ◮ Berkeley DB from Sleepycat is used as the underlying database technology. ◮ The schema design is highly denormalized and clustered on reversed domain names. ◮ All database updates are idempotent and commute, which makes replication particularly easy. Florian Weimer Passive DNS Replication FIRST 2005 16 / 25

  9. Results Outline A very brief introduction to DNS Case Study: Botnet mitigation Architecture and implementation Results Florian Weimer Passive DNS Replication FIRST 2005 17 / 25 Results Examples ◮ Identify botnet controllers ◮ Track DNS-driven botnets (Blaster) ◮ Correlate domains ◮ Dating DNS anomalies (new or just newly discovered?) Florian Weimer Passive DNS Replication FIRST 2005 18 / 25

  10. Results Example: The kimble.org fiasco First seen Domain Type Data 2004-06-23 13:58:51 kimble.org A 127.0.0.1 2004-08-07 16:14:00 kimble.org A 207.234.155.17 2004-10-20 07:15:58 kimble.org A 212.100.234.54 2004-10-20 16:12:56 kimble.org A 64.203.97.121 2004-10-21 17:15:01 kimble.org A 212.113.74.58 2004-10-21 17:45:01 kimble.org A 195.130.152.100 2004-10-31 14:45:01 kimble.org A 195.225.218.59 2004-11-02 23:15:01 kimble.org A 206.132.83.2 2004-11-04 18:15:01 kimble.org A 213.139.139.206 2004-11-21 03:15:02 kimble.org A 216.7.173.212 2004-11-25 22:45:02 kimble.org A 38.112.165.60 Florian Weimer Passive DNS Replication FIRST 2005 19 / 25 Results Example: Hijacking of ebay.de First seen Domain Type Data 2004-06-23 08:21:57 ebay.de NS crocodile.ebay.com 2004-06-23 08:21:57 ebay.de NS sjc-dns1.ebaydns.com 2004-06-23 08:21:57 ebay.de NS sjc-dns2.ebaydns.com 2004-08-28 05:34:01 ebay.de NS ns1.goracer.de 2004-08-28 05:34:01 ebay.de NS ns2.goracer.de Florian Weimer Passive DNS Replication FIRST 2005 20 / 25

  11. Results Example: Network Solution’s “Site Finder Light” First seen Domain Type Data 2004-09-19 05:01:53 misslink.net CNAME † 2004-09-19 05:57:49 ns.bighornent.com CNAME † 2004-09-19 06:13:44 ns13.magnum-inap4.net CNAME † 2004-09-19 06:24:28 host2.7thgate.com CNAME † 2004-09-19 07:25:26 † www.zydigo.com CNAME 2004-09-19 08:08:33 muslimsonline.com CNAME † 2004-09-19 08:28:26 † www.animatiehuis.com CNAME 2004-09-19 08:57:19 www.urbanvoicesonline.com CNAME † . . . † = resalehost.networksolutions.com Florian Weimer Passive DNS Replication FIRST 2005 21 / 25 Results Example: Correlating domains ◮ An email messages references dkchaotichigh.com (“MegaPowerPills.com”). ◮ An ordinary DNS lookup reveals that ns1.m-dns.us is used as a name server. ◮ Additional domains are hosted on this name server: Domain Type Data outfacegood.com NS ns1.m-dns.us outregood.com NS ns1.m-dns.us megalithgood.com NS ns1.m-dns.us medverdigrisgood.com NS ns1.m-dns.us . . . Florian Weimer Passive DNS Replication FIRST 2005 22 / 25

  12. Results Example: Unauthorized name servers for .com First seen Domain Type Data 2004-06-24 00:52:37 com NS ns1.hi2000.net 2004-06-24 23:04:11 com NS ns1.vertical-inc.net 2004-06-30 23:26:21 com NS tempsvr.wam.wamusa.com 2004-07-01 04:32:18 com NS ns7.domainredirect.com 2004-07-05 04:18:36 com NS ns1.infoglobe.net 2004-07-05 07:35:14 com NS ns1.cntrading.com 2004-07-05 16:40:27 com NS ns1.spacesurfer.com 2004-07-08 00:34:29 com NS ns.tradenames.com . . . Florian Weimer Passive DNS Replication FIRST 2005 23 / 25 Results Observations ◮ DNS usage is very localized and specific to the network in which the sensor is placed. ◮ For many applications, you have to run your own sensor, instead of using data collected on other networks. ◮ But sharing the data with others does not hurt. Florian Weimer Passive DNS Replication FIRST 2005 24 / 25

  13. Summary Summary ◮ Passive DNS replication provides new ways to access and process DNS data. ◮ This data can support various security-related processes. ◮ It also provides new insights into the operation of the domain name system. ◮ Questions? Florian Weimer Passive DNS Replication FIRST 2005 25 / 25

Recommend

Open Source Passive DNS Replication Robert Edmonds ( edmonds@isc.org ) October 14, 2012 ISC

Open Source Passive DNS Replication Robert Edmonds ( edmonds@isc.org ) October 14, 2012 ISC

Open Source Passive DNS Replication Robert Edmonds ( edmonds@isc.org ) October 14, 2012 ISC Passive DNS and ISC DNSDB Sensor collects DNS response packets Packets parsed into DNS records Verification De-duplication Filtering

161 views • 13 slides
Securing Passive Replication Through Verification Bruno Vavala 1,2 , Nuno Neves 1 , Peter

Securing Passive Replication Through Verification Bruno Vavala 1,2 , Nuno Neves 1 , Peter

Securing Passive Replication Through Verification Bruno Vavala 1,2 , Nuno Neves 1 , Peter Steenkiste 2 1 University of Lisbon (Portugal) 2 Carnegie Mellon University (U.S.) IEEE Symposium on Reliable and Distributed Systems, 2015 Outline

807 views • 42 slides
Passive DNS Replication Florian Weimer <fw@deneb.enyo.de> April 2005 Overview The domain

Passive DNS Replication Florian Weimer <fw@deneb.enyo.de> April 2005 Overview The domain

Passive DNS Replication Florian Weimer <fw@deneb.enyo.de> April 2005 Overview The domain name system (abbreviated DNS) provides a distributed database that maps do- main names to record sets (for example, IP addresses). DNS is one of

494 views • 13 slides
Asynchronous Replication and Bayou Asynchronous Replication and Bayou Asynchronous Replication

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Asynchronous Replication

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Asynchronous Replication Asynchronous Replication Idea: build available/scalable information services with read-any-write-any replication and a weak consistency model. - no

738 views • 48 slides
Todays Topics - Chapter 15 Slide 1 performance enhancement Replication Replication of

Todays Topics - Chapter 15 Slide 1 performance enhancement Replication Replication of

Distributed Systems Lecture 5 1 Replication 15.1 Group Communications 15.2 Fault Services 15.3 Todays Topics - Chapter 15 Slide 1 performance enhancement Replication Replication of read-only data is simple, but replication

726 views • 14 slides
Asynchronous Replication and Bayou Asynchronous Replication and Bayou Jeff Chase CPS 212, Fall

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Jeff Chase CPS 212, Fall

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Jeff Chase CPS 212, Fall 2000 Asynchronous Replication Asynchronous Replication Idea: build available/scalable information services with read-any-write-any replication and a

247 views • 24 slides
Asynchronous Replication and Bayou Asynchronous Replication and Bayou Jeff Chase CPS 212, Fall

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Jeff Chase CPS 212, Fall

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Jeff Chase CPS 212, Fall 2000 Asynchronous Replication Asynchronous Replication Idea: build available/scalable information services with read-any-write-any replication and a

688 views • 48 slides
Bio Interlude DNA Replication DNA Replication: Basics G T T A A G T T T C 5

Bio Interlude DNA Replication DNA Replication: Basics G T T A A G T T T C 5

Bio Interlude DNA Replication DNA Replication: Basics G T T A A G T T T C 5 3 G ACGAT 3 5 3 5 C A A G G T C A C A Issues & Complications, I 1st ~10 nts added are called the primer

420 views • 11 slides
New features in MySQL Replication Lars Thalmann, Development Manager, Replication & Backup

New features in MySQL Replication Lars Thalmann, Development Manager, Replication & Backup

<Insert Picture Here> New features in MySQL Replication Lars Thalmann, Development Manager, Replication & Backup Mats Kindahl, Lead Developer, Replication & Plugins MySQL User Conference 2010 Topics Replication features in

461 views • 34 slides
Galera Replication Synchronous Multi-Master Replication for InnoDB ...well, why not for any other

Galera Replication Synchronous Multi-Master Replication for InnoDB ...well, why not for any other

Galera Replication Synchronous Multi-Master Replication for InnoDB ...well, why not for any other DBMS as well Seppo Jaakola Alexey Yurchenko Contents 1.Galera Cluster 2.Replication API 3.Benchmarking 4.Installation & Management

1.04k views • 59 slides
MySQL Replication Tutorial Mats Kindahl Senior Software Engineer Replication Technology Lars

MySQL Replication Tutorial Mats Kindahl Senior Software Engineer Replication Technology Lars

MySQL Replication Tutorial Mats Kindahl Senior Software Engineer Replication Technology Lars Thalmann Development Manager Replication/Backup Tutorial Outline Terminology and Basic Concepts Basic Replication Replication for

1.46k views • 125 slides
August 23, 2012 Data Replication/ETL: Terms Data Replication : Data Replication is the process of

August 23, 2012 Data Replication/ETL: Terms Data Replication : Data Replication is the process of

State of Connecticut Criminal Justice Information System Connecticut Information Sharing System (CISS) Technology Workshop 1: Data Replication/ETL August 23, 2012 Data Replication/ETL: Terms Data Replication : Data Replication is the process of

535 views • 24 slides
Reasons for Replication Two primary reasons for replication: reliability and performance .

Reasons for Replication Two primary reasons for replication: reliability and performance .

An Introduction to the high- availability and high-consistency problem Ignacio Laguna, Fahad Arshad Dependable Computing Systems Laboratory Purdue University Aug 29, 2007 Reasons for Replication Two primary reasons for replication:

257 views • 8 slides
Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it

Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it

Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it matter? Federal government changed rules, effective for tax years that begin after 2018. Canadian controlled private corporations (CPCC) Passive

193 views • 8 slides
Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive

Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive

Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive Components 02 Integrating and Upgrading 03 Questions 04 2 Passive System Overview ___ 3 Passive Gas System ___ 4 Passive Gas System Usually

332 views • 12 slides
Passive Fire Protection For the Oil & Gas Industry Passive Fire Protection What is purpose

Passive Fire Protection For the Oil & Gas Industry Passive Fire Protection What is purpose

Passive Fire Protection For the Oil & Gas Industry Passive Fire Protection What is purpose of fireproofing? To Save Lives To Preserve Assets To Prevent Escalation Passive Fire Protection Passive Fire Protection Passive Fire

311 views • 29 slides
1 Issues and Techniques for Weak Replication Bayou Basics Issues and Techniques for Weak

1 Issues and Techniques for Weak Replication Bayou Basics Issues and Techniques for Weak

Asynchronous Replication Asynchronous Replication Idea: build available/scalable information services with read-any-write-any replication and a weak consistency model. - no denial of service during transient network partitions - supports massive

319 views • 8 slides
Replication and Migration Background, Requirements and Strawman Migration and Replication

Replication and Migration Background, Requirements and Strawman Migration and Replication

Replication and Migration Background, Requirements and Strawman Migration and Replication The point is: Increased availability Through replication of shared read-only data Less NFS Server not responding The point is:

265 views • 25 slides
Consistency and Replication Chi Zhang czhang@cs.fiu.edu Object Replication (1) Organization of

Consistency and Replication Chi Zhang czhang@cs.fiu.edu Object Replication (1) Organization of

COP 6611 Advanced Operating System Consistency and Replication Chi Zhang czhang@cs.fiu.edu Object Replication (1) Organization of a distributed remote object shared by two different clients. 2 1 Object Replication (2) a) A remote object

456 views • 21 slides
Practical Replication The Dangers of Replication and a Solution (SIGMOD96) The Costs and

Practical Replication The Dangers of Replication and a Solution (SIGMOD96) The Costs and

Practical Replication The Dangers of Replication and a Solution (SIGMOD96) The Costs and Limits of Availability for Replicated Services (SOSP01) Presented by: K. Vikram, Cornell University Why Replicate? Availability Can access

718 views • 43 slides
DISTRIBUTED SYSTEMS II REPLICATION CNT. II The Quorum consensus method for Replication To

DISTRIBUTED SYSTEMS II REPLICATION CNT. II The Quorum consensus method for Replication To

Prof Philippas Tsigas Distributed Computing and Systems Research Group DISTRIBUTED SYSTEMS II REPLICATION CNT. II The Quorum consensus method for Replication To prevent transactions in different partitions from producing inconsistent

354 views • 23 slides
What Are Active and Passive Voice? Can you write definitions for active and passive

What Are Active and Passive Voice? Can you write definitions for active and passive

What Are Active and Passive Voice? Can you write definitions for active and passive voice? Active Voice In an active sentence, the subject performs the action (the verb) to the object . Passive Voice In a passive sentence, the thing

610 views • 14 slides
Reasoning About Replication: State Machine Approach & Chain Replication Partial slides

Reasoning About Replication: State Machine Approach & Chain Replication Partial slides

Reasoning About Replication: State Machine Approach & Chain Replication Partial slides borrowed from Drew Zagieboylo and Chinasa T. Okolo Presented by Yunhe Liu @ CS6410 10/24 Failure case: Service Unavailable Picture source:

807 views • 56 slides
GDR ADN, 2-4 mai 2012 Replication in eukaryotic genomes Specific features of eukaryotic

GDR ADN, 2-4 mai 2012 Replication in eukaryotic genomes Specific features of eukaryotic

GDR ADN, 2-4 mai 2012 Replication in eukaryotic genomes Specific features of eukaryotic replication: - multiple replication origins - large variability in the timing of activation and in the efficiency of a given origin O1 O2 3 5 3

130 views • 11 slides

More recommend