A SUBSYSTEM FOR FAST (IP) FLUX BOTNET DETECTION

Size: px
Start display at page:

Download "A SUBSYSTEM FOR FAST (IP) FLUX BOTNET DETECTION"

Transcription

1 Chapter 6 A SUBSYSTEM FOR FAST (IP) FLUX BOTNET DETECTION 6.1 Introduction Motivation Content Distribution Networks (CDNs) and Round-Robin DNS (RRDNS) are the two standard methods used for resource sharing [68]. RRDNS is a technique for load balancing, where IP changes happen in a round robin fashion. Content Delivery Networks (CDNs) are collections of servers that are located in dierent data centers around the world, in order to decrease the resource access time for users. These techniques are employed by legal commercial organizations for the benet of end users. Unfortunately, Fast Flux networks are developed using the same techniques as CDN`s and RRDNS. Fast uxing takes the advantage of DNS based load balancing by masking its own activities as if it is a CDN. Fast uxing uses many IP addresses that are hidden behind a single domain name just as large CDNs and Antivirus providers do. The IP addresses of domains involved in Fast Fluxing changes with extreme frequency in round-robin 85

2 Figure 6.1: Work ow of a fast-ux service fashion with very short Time-To-Live (TTL) for each DNS Resource Record (RR). Figure 6.1 shows the pictorial representation of a fast-ux service network. Fast ux domain names map to a new set of IP addresses, which are assigned to infected machines (botnet). While trying to access the domain name, the botnet automatically connects to any one of the infected computers within a short interval of time. Botnets use the fast uxing mechanism in order to conceal their Command and Control (C&C) servers. This technique prevents the identication of C&C servers by changing IP addresses frequently, so that it cannot be detected. Single uxing is a process when the IP addresses of malicious domains are altered within a short period of time. Double uxing is a process when the name servers (NS) of the domains are uxed along with the IPs. Fast ux botnets have been and are responsible for a plethora of activities like: money mule recruitment sites, phishing sites, illegal online pharmacies, illegal adult content sites, malicious browser exploit 86

3 Domain name getghosted.com welish.com Table 6.1: Fast-ux domains and their associated IP address IP List First set of IPs Second set IPs Third set of IPs sites and web trap (distributing malware) [69]. To classify domains containing fast uxing properties, supervised machine learning classiers are used. Table 6.1 shows some of the fast ux domains and their associated IP addresses in a particular interval of time. These active domain names have been selected from ATLAS [70] global fast ux database Contributions In this research, the following conributions are made: Developed a system, capable of detecting single and double ux with high accuracy 98.2% and very low fasle positive in real-time. Provided two services; one for detection and the other for monitoring the detected FFSNs and employed One-Class SVM (OCSVM) with linear programming approach to classify the data after training the system with eight relevant features of fast ux domains. The framework was deployed at an Internet service provider location for more 87

4 than a year. The framework was able to identify several Fast Flux IPs which neither blacklisted nor had any history. 6.2 System Developed The system was developed and deployed with an aim to detect fast-ux domains automatically in real-time. After detecting the fast-ux domain, the system monitors its activities in an interval of ve seconds on a regular basis. Figure 6.2 presents the architectural diagram of the implemented system which consists of three modules 1) Data Collection 2) Feature selection 3) Classication 4) Continuous monitoring Data Collection Passive Sensor collects DNS Query/Response from the DNS Servers. It captures network trac from DNS Servers and passes it to an application. One Sensor can handle data from multiple DNS Servers. It collects data passively from DNS Servers. Collected DNS logs contain the details of user queries. Parsing unit parses the logs and extract domain names exclusively which have more than one IP addresses. The domain names and IP addresses are then fed into the feature selection module to extract relevant features Feature Selection Features play the most important role in classication. Quality of features determines the accuracy of classication. At most care must be given to feature extraction. Eight features such as Domain age, TTL, Number of IP addresses of a distinct DNS A record, 88

5 Figure 6.2: Architecture Diagram Autonomous System Distribution, National Distribution, and Organizational distribution were extracted for modelling. TTL: TTL (Time-To-Live) determines the life span of a record in a network. A record will be deleted from DNS Server Cache when the specied TTL expires [71] so that new IP address will be given to the bots. Fast ux domains maintain 89

6 shorter TTL for each record. Number of IP addresses of a distinct DNS Query: A record stands for Address record and an A record lookup resolves a hostname to an IP address [72]. In fast ux the TTL for each record is very less and hence each time TTL expires, a new set of IP addresses will be resolved. Thus the total number of accumulated IP address will be very large. Network Diversity: Diversity of network is another characteristic of fast ux. IPs of fast ux domains will be in located in dierent networks. Autonomous System Distribution: In order to reduce the chance of detection, fast uxing will have IP addresses from dierent Autonomous Systems [15]. Hence distinct Autonomous Systems will be high for a single domain. Geographical Distribution: A considerable amount of fast ux domains have IP's distributed among multiple countries. Double Fluxing Characterization: Second layer of complexity comes when a domain name shows the frequent changes in its Name Server. Organization: The IP addresses of a domain are owned by multiple organizations, this is a dening characteristic of fast ux domains. 90

7 6.3 Continous Monitoring The detected domain names are then fed into the continuous monitoring system. Here, the system continuously monitors the targeted domains with time duration of ve seconds. This system will actively query to check for any change in IP of the detected fast ux domain. The Fast ux domains having some DGA textual properties will also be checked. One of the salient textual features is having more randomness than a legitimate domain name. Randomness can be the inclusion of digits, absence of dictionary word, unusual word length etc. This checking is nontrivial because, sometime the suspected domain may be a good domain name with more fast-ux characteristics. So to remove these kinds of false positive results, the system will again give these domain names back to feature collection module with the newly available IPs for further classication. So this part of the system does an important role to remove literally the whole false positive and false negatives. The use of powerful Machine Learning algorithm as well as the Reputation checker system gives better prediction accuracy for every domain. From the analysis, a new category of fastux domains was observed; these domains will have only one IP address, which will be uxing continuously. These kinds of domains will be discarded from the rst analysis, so all suspected domains will be monitored separately to detect the uxy characteristics. Also these domains will be having high TTL value. Based on these characteristics, the suspected domains are observed. Also a white list is kept to remove good domains. 91

8 6.4 Experimental Results The developed system detects the fast ux domains in real-time. The system was trained based on the fast ux features. Since the output of the classier depends on the training data, the collected training set includes all the combination of features that is discussed earlier. For testing the system, the active fast ux domains from ATLAS global fast-ux database was chosen and collected data from in-house network manually and for normal domains data were collected from Alexa [63]. The system queried domain names from real-time DNS logs and active fast ux domains listed in ATLAS and Alexa database. In order to lter out the domain names that are part of CDNs [73], a reverse lookup of the domain was performed. If the reverse lookup of A-records of a domain doesn't show any similarity in its answer section, it is most likely to be a fast-ux domain. Hence it helps us to increase the accuracy of the analysis from 98.2% to almost 100%. Figures 6.3 (a) and 6.3 (b) show the number of unique IP addresses of fastux and non-fastux domains. From the gure it can be seen that fastux domains are having more IP addresses than normal domains. In Figures 6.4 (a) and 6.4 (b), number of unique name servers for both categories can be observed. Figures 6.5 (a) and 6.5 (b) show number of unique number of networks. 92

9 (a) (b) Figure 6.3: (a) IP Addresses of fast-ux domains, (b) IP Addresses of legitimate domains (a) (b) Figure 6.4: (a) Name servers of fast-ux Domains, (b) Name servers of normal domains 93

10 (a) (b) Figure 6.5: (a) Networks of fast-ux domains, (b) Networks of normal domains 6.5 Conclusion A system was developed to detect single uxing as well as double uxing propagating in a monitored network in real-time. In order to do so, one-class SVM and a continuous monitoring system were applied to track the activities of detected domains in real-time. This system detects very active domains which were approved by ATLAS global fast- ux domains with an accuracy of 98.2%. The developed system is capable of eciently ltering out the CDNs, Antivirus software etc. which cause false positives in detection of fast uxing domains. 94

Behavior Based Malware Analysis: A Perspective From Network Traces and Program Run-Time Structure

Behavior Based Malware Analysis: A Perspective From Network Traces and Program Run-Time Structure Behavior Based Malware Analysis: A Perspective From Network Traces and Program Run-Time Structure Chun-Ying Huang chuang@ntou.edu.tw Assistant Professor Department of Computer Science and Engineering National

More information

Tracking Evil with Passive DNS

Tracking Evil with Passive DNS Tracking Evil with Passive DNS Bojan Ždrnja, CISSP, GCIA, GCIH Bojan.Zdrnja@infigo.hr INFIGO IS http://www.infigo.hr Who am I? Senior information security consultant with INFIGO IS (Croatia) Mainly doing

More information

Naming in Distributed Systems

Naming in Distributed Systems Naming in Distributed Systems Dr. Yong Guan Department of Electrical and Computer Engineering & Information Assurance Center Iowa State University Outline for Today s Talk Overview: Names, Identifiers,

More information

TempR: Application of Stricture Dependent Intelligent Classifier for Fast Flux Domain Detection

TempR: Application of Stricture Dependent Intelligent Classifier for Fast Flux Domain Detection I. J. Computer Network and Information Security, 2016, 10, 37-44 Published Online October 2016 in MECS (http://www.mecs-press.org/) DOI: 10.5815/ijcnis.2016.10.05 TempR: Application of Stricture Dependent

More information

Managing Caching DNS Server

Managing Caching DNS Server This chapter explains how to set the Caching DNS server parameters. Before you proceed with the tasks in this chapter, see Introduction to the Domain Name System which explains the basics of DNS. Configuring

More information

Discovering new malicious domains using DNS and big data Case study: Fast Flux domains. Dhia Mahjoub OpenDNS May 25 th, 2013

Discovering new malicious domains using DNS and big data Case study: Fast Flux domains. Dhia Mahjoub OpenDNS May 25 th, 2013 Discovering new malicious domains using DNS and big data Case study: Fast Flux domains Dhia Mahjoub OpenDNS May 25 th, 2013 Background A@ackers seek to keep their operabons online at all Bmes The Network

More information

Chapter 2 Malicious Networks for DDoS Attacks

Chapter 2 Malicious Networks for DDoS Attacks Chapter 2 Malicious Networks for DDoS Attacks Abstract In this chapter, we explore botnet, the engine of DDoS attacks, in cyberspace. We focus on two recent techniques that hackers are using to sustain

More information

DNSSM: A Large Scale Passive DNS Security Monitoring Framework

DNSSM: A Large Scale Passive DNS Security Monitoring Framework samuel.marchal@uni.lu 16/04/12 DNSSM: A Large Scale Passive DNS Security Monitoring Framework Samuel Marchal, Jérôme François, Cynthia Wagner, Radu State, Alexandre Dulaunoy, Thomas Engel, Olivier Festor

More information

Real-Time Detection of Fast Flux Service Networks

Real-Time Detection of Fast Flux Service Networks Cybersecurity Applications & Technology Conference For Homeland Security Real-Time Detection of Fast Flux Service Networks Alper Caglayan, Mike Toothaker, Dan Drapeau, Dustin Burke and Gerry Eaton Milcord

More information

Botnet Communication Topologies

Botnet Communication Topologies Understanding the intricacies of botnet Command-and-Control By Gunter Ollmann, VP of Research, Damballa, Inc. Introduction A clear distinction between a bot agent and a common piece of malware lies within

More information

The evolution of malevolence

The evolution of malevolence Detection of spam hosts and spam bots using network traffic modeling Anestis Karasaridis Willa K. Ehrlich, Danielle Liu, David Hoeflin 4/27/2010. All rights reserved. AT&T and the AT&T logo are trademarks

More information

Intelligent and Secure Network

Intelligent and Secure Network Intelligent and Secure Network BIG-IP IP Global Delivery Intelligence v11.2 IP Intelligence Service Brian Boyan - b.boyan@f5.com Tony Ganzer t.ganzer@f5.com 2 Agenda Welcome & Intro Introduce F5 IP Intelligence

More information

GNSO Issues Report on Fast Flux Hosting

GNSO Issues Report on Fast Flux Hosting GNSO STATUS OF THIS DOCUMENT This is the requested by the GNSO Council. SUMMARY This report is submitted to the GNSO Council in response to a request received from the Council pursuant to a Motion proposed

More information

The Interactive Guide to Protecting Your Election Website

The Interactive Guide to Protecting Your Election Website The Interactive Guide to Protecting Your Election Website 1 INTRODUCTION Cloudflare is on a mission to help build a better Internet. Cloudflare is one of the world s largest networks. Today, businesses,

More information

Table of Contents 1 DNS Configuration 1-1

Table of Contents 1 DNS Configuration 1-1 Table of Contents 1 DNS Configuration 1-1 DNS Overview 1-1 Static Domain Name Resolution 1-1 Dynamic Domain Name Resolution 1-1 Configuring Domain Name Resolution 1-3 Configuring Static Domain Name Resolution

More information

Documentation for: MTA developers

Documentation for: MTA developers This document contains implementation guidelines for developers of MTA products/appliances willing to use Spamhaus products to block as much spam as possible. No reference is made to specific products.

More information

Mailspike. Henrique Aparício

Mailspike. Henrique Aparício Mailspike Henrique Aparício 1 Introduction For many years now, email has become a tool of great importance as a means of communication. Its growing use led inevitably to its exploitation by entities that

More information

Detecting Specific Threats

Detecting Specific Threats The following topics explain how to use preprocessors in a network analysis policy to detect specific threats: Introduction to Specific Threat Detection, page 1 Back Orifice Detection, page 1 Portscan

More information

Lesson 9: Configuring DNS Records. MOAC : Administering Windows Server 2012

Lesson 9: Configuring DNS Records. MOAC : Administering Windows Server 2012 Lesson 9: Configuring DNS Records MOAC 70-411: Administering Windows Server 2012 Overview Exam Objective 3.2: Configure DNS Records Configuring DNS Record Types Using the DNSCMD Command to Manage Resource

More information

Configuring the Botnet Traffic Filter

Configuring the Botnet Traffic Filter CHAPTER 46 Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary

More information

Peering into Botnets via Fast Flux Enumeration: The ATLAS Experience. Jose Nazario, Ph.D. FIRST 2008 NSM-SIG Vancouver

Peering into Botnets via Fast Flux Enumeration: The ATLAS Experience. Jose Nazario, Ph.D. FIRST 2008 NSM-SIG Vancouver Peering into Botnets via Fast Flux Enumeration: The ATLAS Experience Jose Nazario, Ph.D. FIRST 2008 NSM-SIG Vancouver Project o ATLAS - global Internet monitoring o Fast flux - used to discover bots/infected

More information

Insight Frequently Asked Questions version 2.0 (8/24/2011)

Insight Frequently Asked Questions version 2.0 (8/24/2011) Insight Frequently Asked Questions version 2.0 (8/24/2011) Insight Overview 1. What is a reputation system and how does it work? Insight, our reputation system, leverages anonymous telemetry data from

More information

DNS Policies. DNS Policy Overview. The following topics explain DNS policies, DNS rules, and how to deploy DNS policies to managed devices.

DNS Policies. DNS Policy Overview. The following topics explain DNS policies, DNS rules, and how to deploy DNS policies to managed devices. The following topics explain DNS policies, DNS rules, and how to deploy DNS policies to managed devices. DNS Policy Overview, page 1 DNS Policy Components, page 2 DNS Rules, page 6 DNS Policy Deploy, page

More information

Connection Broker Advanced Connections Management for Multi-Cloud Environments. DNS Setup Guide

Connection Broker Advanced Connections Management for Multi-Cloud Environments. DNS Setup Guide Connection Broker Advanced Connections Management for Multi-Cloud Environments DNS Setup Guide Versions 8.2 December 2017 Contacting Leostream Leostream Corporation 271 Waverley Oaks Rd Suite 206 Waltham,

More information

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculteit Wiskunde en Informatica

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculteit Wiskunde en Informatica TECHNISCHE UNIVERSITEIT EINDHOVEN Faculteit Wiskunde en Informatica Examination Architecture of Distributed Systems (2IMN10 / 2II45), on Monday November 2, 2015, from 13.30 to 16.30 hours. Indicate on

More information

BIG-IP Application Security Manager : Implementations. Version 13.0

BIG-IP Application Security Manager : Implementations. Version 13.0 BIG-IP Application Security Manager : Implementations Version 13.0 Table of Contents Table of Contents Preventing DoS Attacks on Applications... 13 What is a DoS attack?...13 About recognizing DoS attacks...

More information

Detection of DNS Traffic Anomalies in Large Networks

Detection of DNS Traffic Anomalies in Large Networks Detection of Traffic Anomalies in Large Networks Milan Čermák, Pavel Čeleda, Jan Vykopal {cermak celeda vykopal}@ics.muni.cz 20th Eunice Open European Summer School and Conference 2014 1-5 September 2014,

More information

Fast Flux Hosting Final Report. GNSO Council Meeting 13 August 2009

Fast Flux Hosting Final Report. GNSO Council Meeting 13 August 2009 Fast Flux Hosting Final Report GNSO Council Meeting 13 August 2009 1 January 2008: SAC 025 Fast Flux Hosting and DNS Characterizes Fast Flux (FF) as an evasion technique that enables cybercriminals to

More information

P2P Botnet Detection through Malicious Fast Flux Network Identification

P2P Botnet Detection through Malicious Fast Flux Network Identification P2P Botnet Detection through Malicious Fast Flux Network Identification David Zhao Department of Electrical and Computer Engineering University of Victoria Victoria, BC, Canada davidzhao@ieee.org Issa

More information

Botnets: major players in the shadows. Author Sébastien GOUTAL Chief Science Officer

Botnets: major players in the shadows. Author Sébastien GOUTAL Chief Science Officer Botnets: major players in the shadows Author Sébastien GOUTAL Chief Science Officer Table of contents Introduction... 3 Birth of a botnet... 4 Life of a botnet... 5 Death of a botnet... 8 Introduction

More information

Detecting Malicious Web Links and Identifying Their Attack Types

Detecting Malicious Web Links and Identifying Their Attack Types Detecting Malicious Web Links and Identifying Their Attack Types Anti-Spam Team Cellopoint July 3, 2013 Introduction References A great effort has been directed towards detection of malicious URLs Blacklisting

More information

DNS Firewall with Response Policy Zone. Suman Kumar Saha bdcert Amber IT Limited

DNS Firewall with Response Policy Zone. Suman Kumar Saha bdcert Amber IT Limited DNS Firewall with Response Policy Zone Suman Kumar Saha bdcert suman@bdcert.org Amber IT Limited suman@amberit.com.bd DNS Response Policy Zone(RPZ) as Firewall RPZ allows a recursive server to control

More information

Detecting Malicious Activity with DNS Backscatter Kensuke Fukuda John Heidemann Proc. of ACM IMC '15, pp , 2015.

Detecting Malicious Activity with DNS Backscatter Kensuke Fukuda John Heidemann Proc. of ACM IMC '15, pp , 2015. Detecting Malicious Activity with DNS Backscatter Kensuke Fukuda John Heidemann Proc. of ACM IMC '15, pp. 197-210, 2015. Presented by Xintong Wang and Han Zhang Challenges in Network Monitoring Need a

More information

DNS Setup Guide. Connection Broker. Advanced Connection Management For Multi-Cloud Environments

DNS Setup Guide. Connection Broker. Advanced Connection Management For Multi-Cloud Environments DNS Setup Guide Connection Broker Advanced Connection Management For Multi-Cloud Environments Version 9.0 June 2018 Contacting Leostream Leostream Corporation 271 Waverley Oaks Rd Suite 206 Waltham, MA

More information

UTM 5000 WannaCry Technote

UTM 5000 WannaCry Technote UTM 5000 WannaCry Technote The news is full of reports of the massive ransomware infection caused by WannaCry. Although these security threats are pervasive, and ransomware has been around for a decade,

More information

Detect Cyber Threats with Securonix Proxy Traffic Analyzer

Detect Cyber Threats with Securonix Proxy Traffic Analyzer Detect Cyber Threats with Securonix Proxy Traffic Analyzer Introduction Many organizations encounter an extremely high volume of proxy data on a daily basis. The volume of proxy data can range from 100

More information

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci a,b, Igino Corona c, David Dagon a, and Wenke Lee a a College of Computing, Georgia Institute

More information

What is the role of teletraffic engineering in broadband networks? *

What is the role of teletraffic engineering in broadband networks? * OpenStax-CNX module: m13376 1 What is the role of teletraffic engineering in broadband networks? * Jones Kalunga This work is produced by OpenStax-CNX and licensed under the Creative Commons Attribution

More information

Kaspersky Security Network

Kaspersky Security Network The Kaspersky Security Network (KSN) is a complex distributed infrastructure dedicated to intelligently processing cybersecurity-related data streams from millions of voluntary participants around the

More information

Access Control Using Intrusion and File Policies

Access Control Using Intrusion and File Policies The following topics describe how to configure access control policies to use intrusion and file policies: Intrusions and Malware Inspection Overview, page 1 Access Control Traffic Handling, page 2 File

More information

In the Domain Name System s language, rcode 0 stands for: no error condition.

In the Domain Name System s language, rcode 0 stands for: no error condition. 12/2017 SIMPLE, FAST, RESILIENT In the Domain Name System s language, rcode 0 stands for: no error condition. If a DNS server answers a query with this result code, the service is running properly. This

More information

What is the relationship between a domain name (e.g., youtube.com) and an IP address?

What is the relationship between a domain name (e.g., youtube.com) and an IP address? DNS, CDNs March 30, 2009 Lecture 14 Sam Madden DNS What is the relationship between a domain name (e.g., youtube.com) and an IP address? DNS is the system that determines this mapping. Basic idea: You

More information

NetDefend Firewall UTM Services

NetDefend Firewall UTM Services NetDefend Firewall UTM Services Unified Threat Management D-Link NetDefend UTM firewalls (DFL-260/860/1660/2560/2560G) integrate an Intrusion Prevention System (IPS), gateway AntiVirus (AV), and Web Content

More information

SamKnows test methodology

SamKnows test methodology SamKnows test methodology Download and Upload (TCP) Measures the download and upload speed of the broadband connection in bits per second. The transfer is conducted over one or more concurrent HTTP connections

More information

How does the Excalibur Technology SPAM & Virus Protection System work?

How does the Excalibur Technology SPAM & Virus Protection System work? How does the Excalibur Technology SPAM & Virus Protection System work? All e-mail messages sent to your e-mail address are analyzed by the Excalibur Technology SPAM & Virus Protection System before being

More information

How to Configure DNS Sinkholing in the Firewall

How to Configure DNS Sinkholing in the Firewall UDP DNS traffic handled by the Firewall service is monitored and, if a domain is found that is considered to be malicious, the A and AAAA DNS response is replaced by fake IP addresses. An access rule blocks

More information

Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE

Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE Enterprise Overview Benefits and features of s Enterprise plan 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com This paper summarizes the benefits and features of s Enterprise plan. State of

More information

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper Protecting DNS Critical Infrastructure Solution Overview Radware Attack Mitigation System (AMS) - Whitepaper Table of Contents Introduction...3 DNS DDoS Attacks are Growing and Evolving...3 Challenges

More information

Port Mirroring in CounterACT. CounterACT Technical Note

Port Mirroring in CounterACT. CounterACT Technical Note Table of Contents About Port Mirroring and the Packet Engine... 3 Information Based on Specific Protocols... 4 ARP... 4 DHCP... 5 HTTP... 6 NetBIOS... 7 TCP/UDP... 7 Endpoint Lifecycle... 8 Active Endpoint

More information

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific DNS/DNSSEC Workshop In Collaboration with APNIC and HKIRC Hong Kong Champika Wijayatunga Regional Security Engagement Manager Asia Pacific 22-24 January 2018 1 Agenda 1 2 3 Introduction to DNS DNS Features

More information

Passive DNS Replication

Passive DNS Replication Passive DNS Replication Florian Weimer 17 th Annual FIRST Conference, Singapore, 2005 Florian Weimer Passive DNS Replication FIRST 2005 1 / 24 Outline A very brief introduction to DNS Case Study: Botnet

More information

A brief Incursion into Botnet Detection

A brief Incursion into Botnet Detection A brief Incursion into Anant Narayanan Advanced Topics in Computer and Network Security October 5, 2009 What We re Going To Cover 1 2 3 Counter-intelligence 4 What Are s? Networks of zombie computers The

More information

ForeScout CounterACT. Plugin. Configuration Guide. Version 1.2

ForeScout CounterACT. Plugin. Configuration Guide. Version 1.2 ForeScout CounterACT Core Extensions Module: DNS Query Extension Plugin Version 1.2 Table of Contents About the DNS Query Extension... 3 Configure the Extension... 3 Verify That the Plugin Is Running...

More information

Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness

Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness ISSN 1330-3651 (Print), ISSN 1848-6339 (Online) https://doi.org/10.17559/tv-20161012115204 Original scientific paper Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness

More information

IBM SECURITY NETWORK PROTECTION (XGS)

IBM SECURITY NETWORK PROTECTION (XGS) IBM SECURITY NETWORK PROTECTION (XGS) IP Reputation Use cases and more Tanmay Shah Product Lead IBM Security Network Protection Tanmay.Shah@au1.ibm.com Contents Introduction... 2 Audience... 2 IP Reputation

More information

Interme diate DNS. Local browse r. Authorit ative ... DNS

Interme diate DNS. Local browse r. Authorit ative ... DNS WPI-CS-TR-00-12 July 2000 The Contribution of DNS Lookup Costs to Web Object Retrieval by Craig E. Wills Hao Shang Computer Science Technical Report Series WORCESTER POLYTECHNIC INSTITUTE Computer Science

More information

Franzes Francisco Manila IBM Domino Server Crash and Messaging

Franzes Francisco Manila IBM Domino Server Crash and Messaging Franzes Francisco Manila IBM Domino Server Crash and Messaging Topics to be discussed What is SPAM / email Spoofing? How to identify one? Anti-SPAM / Anti-email spoofing basic techniques Domino configurations

More information

Automating Security Response based on Internet Reputation

Automating Security Response based on Internet Reputation Add Your Logo here Do not use master Automating Security Response based on Internet Reputation IP and DNS Reputation for the IPS Platform Anthony Supinski Senior Systems Engineer www.h3cnetworks.com www.3com.com

More information

Send me up to 5 good questions in your opinion, I ll use top ones Via direct message at slack. Can be a group effort. Try to add some explanation.

Send me up to 5 good questions in your opinion, I ll use top ones Via direct message at slack. Can be a group effort. Try to add some explanation. Notes Midterm reminder Second midterm next week (04/03), regular class time 20 points, more questions than midterm 1 non-comprehensive exam: no need to study modules before midterm 1 Online testing like

More information

Detecting DGA Malware Traffic Through Behavioral Models. Erquiaga, María José Catania, Carlos García, Sebastían

Detecting DGA Malware Traffic Through Behavioral Models. Erquiaga, María José Catania, Carlos García, Sebastían Detecting DGA Malware Traffic Through Behavioral Models Erquiaga, María José Catania, Carlos García, Sebastían Outline Introduction Detection Method Training the threshold Dataset description Experiment

More information

Comodo cwatch Web Security Software Version 1.6

Comodo cwatch Web Security Software Version 1.6 rat Comodo cwatch Web Security Software Version 1.6 Quick Start Guide Guide Version 1.6.010918 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Comodo cwatch Web Security - Quick Start Guide

More information

Detecting bots using multilevel traffic analysis

Detecting bots using multilevel traffic analysis Intl. Journal on Cyber Situational Awareness, Vol. 1, No. 1, 2016 Detecting bots using multilevel traffic analysis Matija Stevanovic and Jens Myrup Pedersen Department of Electronic Systems, Aalborg University

More information

Luminous: Bringing Big(ger) Data to the Fight

Luminous: Bringing Big(ger) Data to the Fight Luminous: Bringing Big(ger) Data to the Fight Norm Ritchie Drew Bagley ICANN Helsinki June, 2016 Secure Domain Foundation Non-profit Founded in 2014 Proactive mitigation of malicious domains used for cybercrime

More information

Load Balancing 101: Nuts and Bolts

Load Balancing 101: Nuts and Bolts Load Balancing 101: Nuts and Bolts Load balancing technology is the basis on which today's Application Delivery Controllers operate. But the pervasiveness of load balancing technology does not mean it

More information

Indicators of Compromise

Indicators of Compromise Indicators of Compromise Effectively apply threat information Factsheet FS-2016-02 version 1.0 1 June 2017 If you are responsible for securing the network of your organisation, you will often hear the

More information

Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine

Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander G. Gray, Sven Krasser Motivation Spam: More than Just a

More information

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis White paper How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis AhnLab, Inc. Table of Contents Introduction... 1 Multidimensional Analysis... 1 Cloud-based Analysis...

More information

Microsoft Installing, Configuring, and Administering Microsoft Exchange 2003 Server Implementing &Managing MS Exchange Server 2003

Microsoft Installing, Configuring, and Administering Microsoft Exchange 2003 Server Implementing &Managing MS Exchange Server 2003 Microsoft 70-284 Microsoft 70-284 Installing, Configuring, and Administering Microsoft Exchange 2003 Server Implementing &Managing MS Exchange Server 2003 Practice Test Version 2.5 QUESTION NO: 1 Microsoft

More information

DNS Security. Ch 1: The Importance of DNS Security. Updated

DNS Security. Ch 1: The Importance of DNS Security. Updated DNS Security Ch 1: The Importance of DNS Security Updated 8-21-17 DNS is Essential Without DNS, no one can use domain names like ccsf.edu Almost every Internet communication begins with a DNS resolution

More information

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic Chapter Objectives n Understand how to use appropriate software tools to assess the security posture of an organization Chapter #7: Technologies and Tools n Given a scenario, analyze and interpret output

More information

GFI Product Comparison. GFI MailEssentials vs Sophos PureMessage

GFI Product Comparison. GFI MailEssentials vs Sophos PureMessage GFI Product Comparison GFI MailEssentials vs PureMessage GFI MailEssentials Integrates with Microsoft Exchange Server 2003/2007/2010/2013 Scans incoming and outgoing emails Scans internal emails within

More information

Network Security Platform 8.1

Network Security Platform 8.1 8.1.7.5-8.1.3.43 M-series Release Notes Network Security Platform 8.1 Revision A Contents About this release New features Enhancements Resolved issues Installation instructions Known issues Product documentation

More information

DDoS on DNS: past, present and inevitable. Töma Gavrichenkov

DDoS on DNS: past, present and inevitable. Töma Gavrichenkov DDoS on DNS: past, present and inevitable Töma Gavrichenkov DNS DDoS types Volumetric: amplification, other floods Water torture and the likes DNS DDoS problem statement DNS is built on

More information

John Munro / Jason Trost / FlonCon 2013 January 7 10 Albuquerque, New Mexico

John Munro / Jason Trost / FlonCon 2013 January 7 10 Albuquerque, New Mexico John Munro / jmunro@endgame.com Jason Trost / jtrost@endgame.com FlonCon 2013 January 7 10 Albuquerque, New Mexico Introductions John Munro (jmunro@endgame.com) Network Security Researcher and Data Scientist

More information

Bots Combine! : Behind the Modern Botnet. Andrea Sept 1, 2017

Bots Combine! : Behind the Modern Botnet. Andrea Sept 1, 2017 Bots Combine! : Behind the Modern Botnet Andrea Scarfo @AScarf0 Sept 1, 2017 Security Research Analyst @ Cisco Umbrella (formerly OpenDNS) in San Francisco since 2015 Previously a System Administrator

More information

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL CONTENTS EXECUTIVE SUMMARY 1 WEB APPLICATION SECURITY CHALLENGES 2 INSIST ON BEST-IN-CLASS CORE CAPABILITIES 3 HARNESSING ARTIFICIAL INTELLIGENCE

More information

Executive Summary. Passive Detection of Misbehaving Name Servers

Executive Summary. Passive Detection of Misbehaving Name Servers Passive Detection of Misbehaving Name Servers Leigh B. Metcalf, Jonathan M. Spring CERT Network Situational Awareness Group netsa-contact@cert.org Publication NetSA-2012-01 January 2012 Executive Summary

More information

THE AUTHORITATIVE GUIDE TO DNS TERMINOLOGY

THE AUTHORITATIVE GUIDE TO DNS TERMINOLOGY Ebook: THE AUTHORITATIVE GUIDE TO DNS TERMINOLOGY From A Record & DNS to Zones 603 668 4998 Your Master List of Key DNS Terms As more users and more online services (sites, microservices, connected things,

More information

Cisco Threat Intelligence Director (TID)

Cisco Threat Intelligence Director (TID) The topics in this chapter describe how to configure and use TID in the Firepower System. Overview, page 1 Requirements for Threat Intelligence Director, page 4 How To Set Up, page 6 Analyze TID Incident

More information

All Your Payment Tokens Are Mine: Vulnerabilities of Mobile Payment Systems

All Your Payment Tokens Are Mine: Vulnerabilities of Mobile Payment Systems All Your Payment Tokens Are Mine: Vulnerabilities of Mobile Payment Systems Speaker: Zhe Zhou, zhouzhe@fudan.edu.cn Pre-Tenure Associate Professor, School of Computer Science, Fudan University, China This

More information

McAfee Network Security Platform

McAfee Network Security Platform Revision B McAfee Network Security Platform (8.1.7.5-8.1.3.43 M-series Release Notes) Contents About this release New features Enhancements Resolved issues Installation instructions Known issues Product

More information

Configuring Geo-IP Filters

Configuring Geo-IP Filters Configuring Geo-IP Filters NOTE: The Geo-IP Filtering feature is available on TZ300 series and above appliances. The Geo-IP Filter feature allows you to block connections to or from a geographic location.

More information

AS-CRED: Reputation Service for Trustworthy Inter-domain Routing

AS-CRED: Reputation Service for Trustworthy Inter-domain Routing AS-CRED: Reputation Service for Trustworthy Inter-domain Routing Krishna Venkatasubramanian Computer and Information Science University of Pennsylvania ONR MURI N00014-07-1-0907 Review Meeting June 10,

More information

DNS Security. *http://compsec101.antibozo.net/pa pers/dnssec/dnssec.html. IT352 Network Security Najwa AlGhamdi

DNS Security. *http://compsec101.antibozo.net/pa pers/dnssec/dnssec.html. IT352 Network Security Najwa AlGhamdi DNS Security *http://compsec101.antibozo.net/pa pers/dnssec/dnssec.html 1 IT352 Network Security Najwa AlGhamdi Introduction The DNS provides a mechanism that resolves Internet host names into IP addresses

More information

Configuring the Botnet Traffic Filter

Configuring the Botnet Traffic Filter CHAPTER 51 Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary

More information

ThousandEyes for. Application Delivery White Paper

ThousandEyes for. Application Delivery White Paper ThousandEyes for Application Delivery White Paper White Paper Summary The rise of mobile applications, the shift from on-premises to Software-as-a-Service (SaaS), and the reliance on third-party services

More information

Measuring Global DNS Propagation Times Using RIPE Atlas. Bachelor Thesis by Tim Wattenberg RIPE Regional Meeting Almaty, Kazakhstan

Measuring Global DNS Propagation Times Using RIPE Atlas. Bachelor Thesis by Tim Wattenberg RIPE Regional Meeting Almaty, Kazakhstan Measuring Global DNS Propagation Times Using RIPE Atlas Bachelor Thesis by Tim Wattenberg RIPE Regional Meeting Almaty, Kazakhstan About me - 25 years old, from Cologne/Germany - graduated from Heinrich

More information

Detecting and Quantifying Abusive IPv6 SMTP!

Detecting and Quantifying Abusive IPv6 SMTP! Detecting and Quantifying Abusive IPv6 SMTP Casey Deccio Verisign Labs Internet2 2014 Technical Exchange October 30, 2014 Spam, IPv4 Reputation and DNSBL Spam is pervasive Annoying (pharmaceuticals) Dangerous

More information

Categorization of Phishing Detection Features. And Using the Feature Vectors to Classify Phishing Websites. Bhuvana Namasivayam

Categorization of Phishing Detection Features. And Using the Feature Vectors to Classify Phishing Websites. Bhuvana Namasivayam Categorization of Phishing Detection Features And Using the Feature Vectors to Classify Phishing Websites by Bhuvana Namasivayam A Thesis Presented in Partial Fulfillment of the Requirements for the Degree

More information

Security Annex for DDoS Additional Terms for DDoS Protection

Security Annex for DDoS Additional Terms for DDoS Protection CONTENTS 1 Glossary of Terms & Definitions... 2 2 Service Description... 2 2.1 Installation and Service Provision... 2 2.2 Cleaning and Mitigation... 3 2.3 Mitigation Limitations... 3 2.4 DDoS Attack Monitoring...

More information

BotNet Traffic Filter Issue with Adaptive Security Appliance

BotNet Traffic Filter Issue with Adaptive Security Appliance BotNet Traffic Filter Issue with Adaptive Security Appliance Contents Introduction Background Information Troubleshoot Workflow Step 1: Check the Dynamic Filter Database Step 2: Ensure DNS Traffic Crosses

More information

«On the Internet, nobody knows you are a dog» Twenty years later

«On the Internet, nobody knows you are a dog» Twenty years later «On the Internet, nobody knows you are a dog» Twenty years later This lecture is about identity and authenticity, but also other security properties. It is largely about the Internet, but some of this

More information

Access Control Using Intrusion and File Policies

Access Control Using Intrusion and File Policies The following topics describe how to configure access control policies to use intrusion and file policies: About Deep Inspection, page 1 Access Control Traffic Handling, page 2 File and Intrusion Inspection

More information

How to Configure Route 53 for F-Series Firewalls in AWS

How to Configure Route 53 for F-Series Firewalls in AWS How to Configure Route 53 for F-Series Firewalls in AWS If you are running multiple stacks in different AWS regions, or multiple deployments in a single region, you must configure AWS Route 53 to access

More information

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta CYBER ANALYTICS Architecture Overview Technical Brief May 2016 novetta.com 2016, Novetta Novetta Cyber Analytics: Technical Architecture Overview 1 INTRODUCTION 2 CAPTURE AND PROCESS ALL NETWORK TRAFFIC

More information

Symantec Protection Suite Add-On for Hosted Security

Symantec Protection Suite Add-On for Hosted  Security Symantec Protection Suite Add-On for Hosted Email Security Overview Malware and spam pose enormous risk to the health and viability of IT networks. Cyber criminal attacks are focused on stealing money

More information

Domain Name System - Advanced Computer Networks

Domain Name System - Advanced Computer Networks - Advanced Computer Networks Saurabh Barjatiya International Institute Of Information Technology, Hyderabad 26 August, 2011 Contents 1 Distributed database, highly volatile Domain names Top level domains

More information

Domain Name System.

Domain Name System. Domain Name System http://xkcd.com/302/ CSCI 466: Networks Keith Vertanen Fall 2011 Overview Final project + presentation Some TCP and UDP experiments Domain Name System (DNS) Hierarchical name space Maps

More information

Regular Paper Classification Method of Unknown Web Sites Based on Distribution Information of Malicious IP addresses

Regular Paper Classification Method of Unknown Web Sites Based on Distribution Information of Malicious IP addresses International Journal of Informatics Society, VOL.10, NO.1 (2018) 41-50 41 Regular Paper Classification Method of Unknown Web Sites Based on Distribution Information of Malicious IP addresses Shihori Kanazawa

More information

CLOAK OF VISIBILITY : DETECTING WHEN MACHINES BROWSE A DIFFERENT WEB

CLOAK OF VISIBILITY : DETECTING WHEN MACHINES BROWSE A DIFFERENT WEB CLOAK OF VISIBILITY : DETECTING WHEN MACHINES BROWSE A DIFFERENT WEB CIS 601: Graduate Seminar Prof. S. S. Chung Presented By:- Amol Chaudhari CSU ID 2682329 AGENDA About Introduction Contributions Background

More information