Tracking Evil with Passive DNS

Transcription

1 Tracking Evil with Passive DNS Bojan Ždrnja, CISSP, GCIA, GCIH INFIGO IS

2 Who am I? Senior information security consultant with INFIGO IS (Croatia) Mainly doing penetration testing Various duties at SANS Internet Storm Center Handler Mostly known for reverse engineering malware SANS GREM (GIAC Reverse Engineering Malware) course co-author Advisory Board Member Honorary researcher at the University of Auckland, New Zealand This is were I started working with passive DNS

3 Agenda What is passive DNS? DNSParseNG Project overview and current status Data mining Tracking evil and much, much more Future development

4 Domain name system (DNS) DNS is a critical part of the Internet The DNS maps hostnames to IP addresses DNS is distributed Great for high availability Each server is responsible only for its zone We are interested in 4-tuple answers: Question Resource record type Answer TTL

5 Why we need DNS data replication? DNS allows multiple mappings Forward multiple mappings are very common Reverse multiple mappings very rare History of any DNS changes is permanently lost DNS keeps no information about previous records Only the owner knows what happened The idea behind this Let s capture DNS data (questions and answers) so we can do research on it

6 Acquiring DNS data Various ways of acquiring DNS data We can mirror DNS zones off servers But we need access to various zones for that We can actively resolve DNS names We do not know what to look for We can passively sniff network and store seen DNS traffic Practical in huge environments since we can monitor only gateway traffic No changes required to clients or servers This is how passive DNS replication works

7 Passive DNS replication Initial idea by Florian Weimer in 2004 He was with RUS-CERT Only limited data available ISC s Security Information Exchange DNSParse (and DNSParseNG) Research project at the University of Auckland Data available from 2006 More than 1.5 billion records in the database Available to security researchers

8 How DNSParseNG works Passive sensors monitor network traffic and collect DNS packets Collected traffic is parsed to eliminate duplicates Sensor runs a special utility The utility generates plain text files Sensors upload parsed data (and anonymized, if needed) to the central collector Uploads through SCP (SSH) Uploads are identified only by sensor All information about query and answer sources is removed

9 How DNSParseNG works Data is collected with tcpdump We are interested only in authoritative DNS responses ID Q R Opcode A A T C R D R A Z RCODE QDCOUNT ANCOUNT NSCOUNT ARCOUNT udp port 53 and ( udp[10] & 0x04!= 0 )

10 Introducing DNSParseNG Collector stores retrieved data Specially optimized database Main data stored in sharded hash tables in a MySQL database Timestamps stored in Tokyo Cabinet files Hosted on a single machine (!) Currently uses around 600 GB of disk space Web interface available Automated queries possible through HTTPS Data returned in HTML, XML, JSON Easy integration with other systems

11 DNSParseNG web interface Username: csm-ace Password: passive

12 Huge amounts of data

13 Data mining Passive DNS contains data not available anywhere else Some simple examples Show all domain names mapped to a single IP address Show history of changes for any domain name Show when a particular entry was seen first and last time Useful for detecting new domain names Show what different sensors are seeing Do we have DNS cache poisoning? Or simply geo-ip localization?

14 New data Initial expectation was that newly seen records will not grow linearly Data locality Not true due to spammers and malware authors New domains get registered constantly We can inspect newly seen domains Is a large number of new domains seen per sensor? Very useful for detecting phishing attempts

15 Detection of phishing attempts Early warnings for popular sites/domain names Very useful for banks! Already used by various AV vendors, banks, Facebook Processed when importing new domains If a domain matches our name Check if this domain has been seen before If not, raise an alert and send False positives for legitimate names seen first time

16 Detection of phishing attempts Catch phishing attempts such as Or Or We can also check what else is hosted on these servers As long as one of our sensors has seen it Help us make decision DEMO If it is a compromised server Or simply a bad server/network/operator

17 Typo squatting domains Sometimes used in phishing attacks Or simply for marketing/advertisements DNSParse contains millions of typo squatting domains Sometimes can be detected automatically They show what our users visited Especially dangerous with wildcard typo squatting domains Real domain is

18 Typo squatting domains Every record shown was visited by at least one user Since the IP addresses are changing we can geo-locate them Moving across continents is not usual Example: aukland.ac.nz A record This is Texas, USA A record This is New York, USA A record This is Christchurch, New Zealand

19 And more typo squatting domains Sometimes spammers use single host High number of domain name <-> IP address mappings Not an exclusive sign of badness, of course But when we add reputation Any new domain on this IP address is probably bad Let us take a look at

20 Fast flux domains High number of records for a single domain name Mappings of a domain name to IP address change frequently This is single fast flux Double fast flux Besides IP address mappings NS records change as well Both of these can be used for legitimate purposes as well Popular with CDNs

21 Fast flux domains We can automatically detect some Current work uses a linear classifier Calculate a flux score as function of Number of unique A records TTL values Unique ASNs We can even correlate this with real geographical location Registrar Domain age Exclude well known fast-flux-like domains For example, Akamai

22 Fast flux domains Work by Jin Liu, University of Auckland

23 Fast flux domains Classical bad example: Storm worm Used the tibeam.com domain FakeAV/RogueAV Certain groups use fast flux Example: etyj.ru Content Delivery Networks can be problematic Example: Akamai lb1.

24 Record reputation DNSParseNG has a field for reputation of every record Mark potentially evil records Is an IP address/network evil? Or attackers use only one NS server? If yes, if NS server s reputation is bad we know that every new domain that uses it is bad too Example: dns1.ip4dns.com Not used any more All domains using it are bad in the database

25 Reverse DNSParse Instead of answers, we collect questions Together with the source We are interested in 4-tuples Source IP address Source network port DNS question Domain name Resource Record Destination NS server Can help detect malicious/misbehaving clients on our networks

26 Reverse DNSParse Very simple detection of certain infected hosts Spamming machines tend to do a lot of MX lookups More than 5 per second? Alert We need to whitelist our server Lookups for known malicious hosts We can get feeds from various sources For example, Zeus tracker Why is our machine resolving a known C&C No matter what the AV said, this is an infected machine Or a security researcher we want to know about!

27 Future development We need more sensors! More sensors, better data Easy to apply, just me We can customize sensors as needed Add new query interfaces DNS query interface is ready (testing) Written by Chris Lee from Shadow Server Advanced data mining Automatic detection of evil domains Need to add reputation data on a large scale

28 Future development Improved alerting Simple keyword based alerting already working Proved useful for phishing domains Used by some high profile services Improved database searching Search by networks, IP addresses, names, neighbors Add support for secure DNS, more record types Add bailiwick data, prevent poisoning

29 Thank you for your attention!