Peering into Botnets via Fast Flux Enumeration: The ATLAS Experience. Jose Nazario, Ph.D. FIRST 2008 NSM-SIG Vancouver

Similar documents
Global DDoS Measurements. Jose Nazario, Ph.D. NSF CyberTrust Workshop

Luminous: Bringing Big(ger) Data to the Fight

P2P Botnet Detection through Malicious Fast Flux Network Identification

Behavior Based Malware Analysis: A Perspective From Network Traces and Program Run-Time Structure

Discovering new malicious domains using DNS and big data Case study: Fast Flux domains. Dhia Mahjoub OpenDNS May 25 th, 2013

Detecting Malicious Web Links and Identifying Their Attack Types

DNS Anomaly Detection

A SUBSYSTEM FOR FAST (IP) FLUX BOTNET DETECTION

TempR: Application of Stricture Dependent Intelligent Classifier for Fast Flux Domain Detection

Tracking Evil with Passive DNS

Botnets: A Survey. Rangadurai Karthick R [CS10S009] Guide: Dr. B Ravindran

An Eye on the Storm: Inside the Storm Epidemic. Josh Ballard Network Security Analyst Kansas State University

Passive Detection of Misbehaving Name Servers

Use Cases. E-Commerce. Enterprise

SSAC Fast Flux Activities

Identifier Technology Health Indicators (ITHI) Alain Durand, Christian Huitema 13 March 2018

The Domain Abuse Activity Reporting System (DAAR)

GNSO Issues Report on Fast Flux Hosting

Real-Time Detection of Fast Flux Service Networks

Detecting Abuse in TLDs

Temporal Correlations between Spam and Phishing Websites

DNS Firewall with Response Policy Zone. Suman Kumar Saha bdcert Amber IT Limited

The evolution of malevolence

DNS. A Massively Distributed Database. Justin Scott December 12, 2018

Naming in Distributed Systems

Keeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson

Intelligent and Secure Network

DNSSM: A Large Scale Passive DNS Security Monitoring Framework

Web Portal User Manual for

IoT - Next Wave of DDoS? IoT Sourced DDoS Attacks A Focus on Mirai Botnet and Best Practices in DDoS Defense

Chapter 2 Malicious Networks for DDoS Attacks

Sponsor s Monthly Report for.coop TLD

Supercharge Your SIEM: How Domain Intelligence Enhances Situational Awareness

Threat Detection and Mitigation for IoT Systems using Self Learning Networks (SLN)

APNIC Cooperation SIG: Anti-Abuse Community Development

Botnet Population and Intelligence Gathering Techniques

DNS Security. Ch 1: The Importance of DNS Security. Updated

Update on Whois Studies

Configuring Botnet Traffic Filtering Using Cisco Security Manager 4.0

Dell SonicWALL Secure Mobile Access 8.5. Geo IP & Botnet Filters Feature Guide

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

Botnet Communication Topologies

Passive DNS Replication

Detecting Malicious URLs. Justin Ma, Lawrence Saul, Stefan Savage, Geoff Voelker. Presented by Gaspar Modelo-Howard September 29, 2010.

Techniques, Tools and Processes to Help Service Providers Clean Malware from Subscriber Systems

THE ACCENTURE CYBER DEFENSE SOLUTION

GFI Product Comparison. GFI MailEssentials vs Sophos PureMessage

Network Protocols. DNS Intel *slightly modified public version of another talk. TDC 375 Autumn 2009/10 John Kristoff DePaul University 1

Avoiding Information Overload: Automated Data Processing with n6

Improved C&C Traffic Detection Using Multidimensional Model and Network Timeline Analysis

Trisul Network Analytics - Traffic Analyzer

GFI product comparison: GFI MailEssentials vs. McAfee Security for Servers

WHOIS High-Level Technical Brief

PyNetSim A modern INetSim Replacement. Jason Jones FIRST 2017

DEFENCE IN DEPTH HOW ANTIVIRUS, TRADITIONAL FIREWALLS, AND DNS FIREWALLS WORK TOGETHER

With turing you can: Identify, locate and mitigate the effects of botnets or other malware abusing your infrastructure

State of the Internet Security Q Mihnea-Costin Grigore Security Technical Project Manager

This video will look at how to create some of the more common DNS records on Windows Server using Remote Administration Tools for Windows 8.

Registrar Session ICANN Contractual Compliance

A Heuristic Approach for the Detection of Malicious Activity at Autonomous System

Sponsor s Monthly Report for.coop TLD

S Computer Networks - Spring What and why? Structure of DNS Management of Domain Names Name Service in Practice

Expiration Date: May 1997 Randy Bush RGnet, Inc. November Clarifications to the DNS Specification. draft-ietf-dnsind-clarify-02.

OpenDNS DNS Database Client Library Documentation

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

DNS Abuse Handling. FIRST TC Noumea New Caledonia. Champika Wijayatunga Regional Security, Stability and Resiliency Engagement Manager Asia Pacific

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces

RESELLER LOGO RADICALLY BETTER. DDoS PROTECTION. Radically more effective, radically more affordable solutions for small and medium enterprises

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Use Cases. Media & Telecom. Enterprise

Endpoint Protection : Last line of defense?

(Botnets and Malware) The Zbot attack. Group 7: Andrew Mishoe David Colvin Hubert Liu George Chen John Marshall Buck Scharfnorth

DATA SCIENCE OR BLACK MAGIC CYBERSECURITY THREATS IN CANADA

Botnet Detection. Botnet Detection for Communications Service Providers

How to Add Domains and DNS Records

MISHIMA: Multilateration of Internet hosts hidden using malicious fast-flux agents (Short Paper)

Fast Flux Hosting Final Report. GNSO Council Meeting 13 August 2009

Passive DNS. Using the DNS for fun and profit. Alexandre Dulaunoy. March 4, Alexandre Dulaunoy Passive DNS

Business Continuity Management

PROFOX ASSOCIATES, INC. Oximetry: Comprehensive Report Comments: Overnight study breathing room air.

May the (IBM) X-Force Be With You

Automating Security Response based on Internet Reputation

SURBL-Listed Domains And Their Registrars (In Just Seven or Eight Minutes)

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Finding the Linchpins of the Dark Web: A Study on Topologically Dedicated Hosts on Malicious Web Infrastructures

Multidimensional Investigation of Source Port 0 Probing

HELP ME NETWORK VISIBILITY AND AI; YOU RE OUR ONLY HOPE

Covert channel detection using flow-data

Overview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

Managing Caching DNS Server

Configuring the Botnet Traffic Filter

Network Protocols. Domain Name System (DNS) TDC375 Autumn 2010/11 John Kristoff - DePaul University 1

Global Phishing Survey 2H2009

Attacking Networks. Joshua Wright LightReading LIVE! October 1, 2003

ARIN Policies How to Qualify for Number Resources. Leslie Nobile

GFI product comparison: GFI MailEssentials vs Symantec Mail Security for Microsoft Exchange 7.5

Detection of DNS Traffic Anomalies in Large Networks

8 Must Have. Features for Risk-Based Vulnerability Management and More

Transnational Anti-Abuse Working Group (AAWG) Development

Transcription:

Peering into Botnets via Fast Flux Enumeration: The ATLAS Experience Jose Nazario, Ph.D. FIRST 2008 NSM-SIG Vancouver

Project o ATLAS - global Internet monitoring o Fast flux - used to discover bots/infected hosts Active probing o Added to ATLAS Q1 2008 Page 2

Operational Uses o Tracking botnets o Storm, Rock phishing, etc Page 3

Observations o Storm - sometimes used o Rock phish - used heavily o Other spam, phishing - used often o Malcode distribution - Spring 08 SQL injection Page 4

Botnet Visibility o Botnets need good server management when using fast flux o Let them do the host qualifications o Only globally unique IP addresses o Other factors - uptime, speed - vary Page 5

Botnet Visibility via DNS Mining ~10%? Page 6

24 Hours of Fast Flux Bots Page 7

Calling it Fast Flux o Heuristics o Based on discussions with R. Danford, T. Holz o Using Danford s heuristics as base Page 8

Qualifying Fast Flux Domain Names o Domain name - A record query o Short TTL - under 900 sec o TTL < 2 treated specially, aggressively o More than 5 IPs o IP list has average distance > /16 More than 8 IPs? Score is +2 o IP list has more than 2 ASNs represented o Page 9

Qualifying Fast Flux Domain Names ;; ANSWER SECTION: clickbnr.com. 600 IN A 96.28.27.85 clickbnr.com. 600 IN A 71.204.120.243 clickbnr.com. 600 IN A 88.168.128.191 clickbnr.com. 600 IN A 75.181.90.242 clickbnr.com. 600 IN A 72.226.191.199 clickbnr.com. 600 IN A 76.18.84.109 clickbnr.com. 600 IN A 67.185.50.195 clickbnr.com. 600 IN A 74.65.213.40 clickbnr.com. 600 IN A 71.56.67.60 clickbnr.com. 600 IN A 66.90.158.152 clickbnr.com. 600 IN A 76.31.155.100 clickbnr.com. 600 IN A 24.164.58.120 clickbnr.com. 600 IN A 71.201.126.62 clickbnr.com. 600 IN A 84.25.70.94 TTL < 900sec - TTL < 2sec treated special Page 10 More than 5 IPs in RRset Avg. Distance > /16 -More than 8 IPs? +2 More than 2 ASNs

Qualifying Fast Flux Domain Names (cont) o Domain name NS query o NS results average distance > /16 o More than 3 NS entries o SOA query o Minimum retry < 15min Page 11

Qualifying Fast Flux Domains (cont) ;; ANSWER SECTION: clickbnr.com. 600 IN NS ns6.clickbnr.com. clickbnr.com. 600 IN NS ns8.clickbnr.com. clickbnr.com. 600 IN NS ns4.clickbnr.com. clickbnr.com. 600 IN NS ns2.clickbnr.com. clickbnr.com. 600 IN NS ns10.clickbnr.com. clickbnr.com. 600 IN NS ns9.clickbnr.com. clickbnr.com. 600 IN NS ns11.clickbnr.com. clickbnr.com. 600 IN NS ns7.clickbnr.com. clickbnr.com. 600 IN NS ns5.clickbnr.com. clickbnr.com. 600 IN NS ns1.clickbnr.com. clickbnr.com. 600 IN NS ns3.clickbnr.com. ;; ADDITIONAL SECTION: ns5.clickbnr.com. 600 IN A 75.129.134.139 ns6.clickbnr.com. 600 IN A 68.202.106.222 ns7.clickbnr.com. 600 IN A 75.137.93.12 ns8.clickbnr.com. 600 IN A 83.5.235.157 ns9.clickbnr.com. 600 IN A 71.59.102.113 ns10.clickbnr.com. 600 IN A 79.184.34.183 ns11.clickbnr.com. 600 IN A 89.228.212.197 More than 3 NS entries Avg. Distance > /16 Page 12

Qualifying Fast Flux Domain Names (cont) o Each attribute is 1 pt o If more than 4 points - fluxy o Exclude whitelist behaviors o Confirm with SURBL If not, just suspect Page 13

Benign Fast Flux Symptoms ;; ANSWER SECTION: database.clamav.net. 60 IN CNAME db.local.clamav.net. db.local.clamav.net. 7200 IN CNAME db.us.rr.clamav.net. db.us.rr.clamav.net. 900 IN A 64.246.134.219 db.us.rr.clamav.net. 900 IN A 155.98.64.86 db.us.rr.clamav.net. 900 IN A 199.239.233.95 db.us.rr.clamav.net. 900 IN A 209.170.150.7 ;; AUTHORITY SECTION: rr.clamav.net. 7200 IN NS ns3.clamav.net. rr.clamav.net. 7200 IN NS ns7.clamav.net. rr.clamav.net. 7200 IN NS ns5.clamav.net. rr.clamav.net. 7200 IN NS ns2.clamav.net. rr.clamav.net. 7200 IN NS ns6.clamav.net. rr.clamav.net. 7200 IN NS ns1.clamav.net. rr.clamav.net. 7200 IN NS ns4.clamav.net. ;; ADDITIONAL SECTION: ns2.clamav.net. 101522 IN A 63.166.28.2 ns4.clamav.net. 94322 IN A 209.9.232.3 ns5.clamav.net. 108723 IN A 213.92.8.2 ns5.clamav.net. 70221 IN AAAA 2001:1418:13:1::1 ns6.clamav.net. 94322 IN A 208.201.249.238 ns7.clamav.net. 101522 IN A 209.204.159.15 ns1.clamav.net. 69122 IN A 69.61.68.204 Page 14

Code and Components o Python o High speed DNS query engine Libevent - evdns GNU adns o ATLAS data stores Time series data Geo-lookups of IPs Query front end Page 15

ATLAS Querying o Every TTL+1, run queries o Store results o Dead detection After 1 day of failure to grow, prune from list 0 IPs (eg pulled domain) or a parked domain name Page 16

Discovering Domains o Implemented qualifying domain name screening tool o Data sources Spam feed DNS names from malcode analysis Malware, spam domains lists o Added manually Page 17

Assessing Domain Discovery Methods o Looked at interval between domain name registration date and first seen actively fluxing o Average interval: 28.8 days o Minimum 0.4 days o Maximum 263.6 days o Possible reasons ATLAS visibility (e.g. weak spam feed) Sleeper domains Page 18

Global Fast Flux Trends o Domains in use by one botnet o Simple set-based approach to peek Net1 Net2 Net1 Net2 Near 0: no common members Near 1: same botnet Page 19

Active Fast Flux Botnets o 428 active domains analyzed May 30, 2008-24 hour snapshot o Results 26 active and distinct clusters Indicates 26 active botnets using fast flux techniques Some failures to cluster Page 20

Botnet Purposes o Based on post-facto analysis of 26 clusters 1 Casino 1 Enlargement 4 Malware 10 Pharmacy 13 Phishing Data assistance from CastleCops, PhishTank Some are used for multiple purposes Page 21

Multiple infections? Partial overlaps? Partial advertisements? Based on 24h snapshot, June 2 2008 Page 22

6 Months of Data o Starting with our ATLAS fast flux tracking o Data: Jan 18 - June 4, 2008 o 912 domains monitored Page 23

Increasingly Global Registrar Problem o gtlds used by fast flux domains Broader distribution than found in Holz et al, 2007 Page 24

Lifetimes o Average: 18.5 days o Longest 60 days+ (ibank-halifax.com) 59 days+ (armsummer.com) 57 days+ (croptriangle.com) Based on dates of first to last tracking Page 25

Sizes o Average size: 2683 IPs (cumulative) o Largest nets: ibank-halifax.com, 100,379 IPs armsummer.com, 14,233 IPs boardhour.com, 11,900 IPs Page 26

Mitigation o Local DNS blocklist methods o Global Kill domain with registrar Kill mothership o Getting tougher with new features from registrars o ICANN SSAC Page 27

Fast Flux Data Availability o ATLAS public portal o Free accounts o Recently added domain list o Actively tracks 400-600 fast flux domains a day Page 28

Missing Data o Registrar data Would be valuable Key for cleanup, remediation o Malcode/family o Content/purpose Inferred post-facto o NS records Double flux Common NS, hosting nets Page 29

Acknowledgements o ATLAS, ASERT teams at Arbor o Robert o Thorsten o Jeff and William (SURBL) o Carol and everyone at FIRST Page 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback