Passive Detection of Misbehaving Name Servers

Similar documents
Encounter Complexes For Clustering Network Flow

SEI/CMU Efforts on Assured Systems

Investigating APT1. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Deana Shick and Angela Horneman

Netflow in Daily Information Security Operations

Causal Modeling of Observational Cost Data: A Ground-Breaking use of Directed Acyclic Graphs

Analyzing 24 Years of CVD

Situational Awareness Metrics from Flow and Other Data Sources

Be Like Water: Applying Analytical Adaptability to Cyber Intelligence

The CERT Top 10 List for Winning the Battle Against Insider Threats

Defining Computer Security Incident Response Teams

10 Years of FloCon. Prepared for FloCon George Warnagiris - CERT/CC #GeoWarnagiris Carnegie Mellon University

Advancing Cyber Intelligence Practices Through the SEI s Consortium

Inference of Memory Bounds

Components and Considerations in Building an Insider Threat Program

Panel: Future of Cloud Computing

2013 US State of Cybercrime Survey

Cyber Hygiene: A Baseline Set of Practices

ARINC653 AADL Annex Update

Julia Allen Principal Researcher, CERT Division

Information Security Is a Business

Design Pattern Recovery from Malware Binaries

Software Assurance Education Overview

Denial of Service Attacks

Modeling the Implementation of Stated-Based System Architectures

Cyber Threat Prioritization

Prioritizing Alerts from Static Analysis with Classification Models

Software, Security, and Resiliency. Paul Nielsen SEI Director and CEO

Flow Analysis for Network Situational Awareness. Tim Shimeall January Carnegie Mellon University

Roles and Responsibilities on DevOps Adoption

Using DidFail to Analyze Flow of Sensitive Information in Sets of Android Apps

Static Analysis Alert Audits Lexicon And Rules David Svoboda, CERT Lori Flynn, CERT Presenter: Will Snavely, CERT

OSATE Analysis Support

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Automated Provisioning of Cloud and Cloudlet Applications

Engineering Improvement in Software Assurance: A Landscape Framework

Executive Summary. Passive Detection of Misbehaving Name Servers

Report Writer and Security Requirements Finder: User and Admin Manuals

Using CERT-RMM in a Software and System Assurance Context

Collaborative Autonomy with Group Autonomy for Mobile Systems (GAMS)

Smart Grid Maturity Model

ARINC653 AADL Annex. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Julien Delange 07/08/2013

Fall 2014 SEI Research Review Verifying Evolving Software

Providing Information Superiority to Small Tactical Units

Verifying Periodic Programs with Priority Inheritance Locks

Foundations for Summarizing and Learning Latent Structure in Video

Model-Driven Verifying Compilation of Synchronous Distributed Applications

Cloud Computing. Grace A. Lewis Research, Technology and Systems Solutions (RTSS) Program System of Systems Practice (SoSP) Initiative

ICANN Start, Episode 1: Redirection and Wildcarding. Welcome to ICANN Start. This is the show about one issue, five questions:

The Insider Threat Center: Thwarting the Evil Insider

Goal-Based Assessment for the Cybersecurity of Critical Infrastructure

Semantic Importance Sampling for Statistical Model Checking

Effecting Large-Scale Adaptive Swarms Through Intelligent Collaboration (ELASTIC)

Researching New Ways to Build a Cybersecurity Workforce

Current Threat Environment

Strip Plots: A Simple Automated Time-Series Visualization

COTS Multicore Processors in Avionics Systems: Challenges and Solutions

Measuring the Software Security Requirements Engineering Process

NO WARRANTY. Use of any trademarks in this presentation is not intended in any way to infringe on the rights of the trademark holder.

ICANN and Technical Work: Really? Yes! Steve Crocker DNS Symposium, Madrid, 13 May 2017

Tracking Evil with Passive DNS

DOS AND DON'TS OF DEVSECOPS

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

Architectural Implications of Cloud Computing

Integrating the Risk Management Framework (RMF) with DevOps

Elements of a Usability Reasoning Framework

Cloud Computing. Grace A. Lewis Research, Technology and Systems Solutions (RTSS) Program System of Systems Practice (SoSP) Initiative

Secure Coding Initiative

Reasoning About Programs Panagiotis Manolios

Dr. Kenneth E. Nidiffer Director of Strategic Plans for Government Programs

The Need for Operational and Cyber Resilience in Transportation Systems

MARRAKECH RSSAC Public Session. MARRAKECH RSSAC Public Session Wednesday, March 09, :00 to 15:30 WET ICANN55 Marrakech, Morocco

Peering into Botnets via Fast Flux Enumeration: The ATLAS Experience. Jose Nazario, Ph.D. FIRST 2008 NSM-SIG Vancouver

NISPOM Change 2: Considerations for Building an Effective Insider Threat Program

An Incident Management Ontology

Open Systems: What s Old Is New Again

The Priority Ceiling Protocol: A Method for Minimizing the Blocking of High-Priority Ada Tasks

Five Keys to Agile Test Automation for Government Programs

Pharos Static Analysis Framework

Carnegie Mellon University Notice

SAME Standard Package Installation Guide

Improving Software Assurance 1

Keeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson

Best practices. Defining your own EGO service to add High Availability capability for your existing applications. IBM Platform Symphony

Biological Material Transfer Agreement. between (PROVIDER) and. Date: A. Specific Terms of Agreement (Implementing Section)

GraphBLAS: A Programming Specification for Graph Analysis

Automated Code Generation for High-Performance, Future-Compatible Graph Libraries

Modeling, Verifying, and Generating Software for Distributed Cyber- Physical Systems using DMPL and AADL

Preventing Insider Sabotage: Lessons Learned From Actual Attacks

Fun with Flow. Richard Friedberg rf [at] cert.org Carnegie Mellon University

Data Structures and Algorithms Dr. Naveen Garg Department of Computer Science and Engineering Indian Institute of Technology, Delhi.

DNS Firewall with Response Policy Zone. Suman Kumar Saha bdcert Amber IT Limited

Model-Driven Verifying Compilation of Synchronous Distributed Applications

TUNISIA CSIRT CASE STUDY

Challenges and Progress: Automating Static Analysis Alert Handling with Machine Learning

Scheduling Sporadic and Aperiodic Events in a Hard Real-Time System

How To Upload Your Newsletter

Engineering High- Assurance Software for Distributed Adaptive Real- Time Systems

SSAC Fast Flux Activities

Managing DNS Firewall

DNS. A Massively Distributed Database. Justin Scott December 12, 2018

Transcription:

Passive Detection of Misbehaving Name Servers Based on CMU/SEI-2013-TR-010 Jonathan Spring, Leigh Metcalf netsa-contact (AT) cert.org Flocon 2014, Charleston SC 2014 Carnegie Mellon University

Copyright 2014 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution except as restricted below. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon, CERT and FloCon are registered marks of Carnegie Mellon University. DM-0000866 2

Agenda Background on Fast Flux Motivation shortcomings Data sources and method Results NS that do IP flux. So what? Future questions What to do about it flow analysis 3

About me pdns analysis since May 2009 netflow analysis since Nov 2010 My work in both of these got a lot better when Leigh and I started collaborating because she does a lot of hard stuff I can t do. I also teach Network Security at U of Pittsburgh I also co-authored a textbook (Introduction to Information Security: A Strategic-based Approach) So.I think this means you should listen to me Besides that the work is decent 4

Fast Flux so last decade In early 2008, the ICANN SSAC detailed fast flux networks In case you ve forgotten: One domain uses multiple IPs Optionally, one IP hosts multiple related domains If both, we have a malicious CDN SSAC Advisory on Fast Flux Hosting and DNS. ICANN TR# SAC-025. 5

Fast Flux so last decade (II) http://www.honeynet.org/book/export/html/130 Special thanks to William Salusky & Robert Danford 6

So why am I talking about this now? A bunch of people talked about fast flux domains for delivering malicious software and add redirection Standard approach: find and block the domains Realization: Whack-a-mole is tiring. Second realization: Whack-a-mole is actually impossible to win If you want more about this, ask about my APWG ecrs paper Modeling Malicious Domain Name Take-down Dynamics: Why ecrime Pays 7

How can we jump out ahead? Domains need two things: Location (A, AAAA, or CNAME) NS IP works fine reactively, and reputation for some AS But it s hard to jump out ahead Name servers, then! 8

Two sources Zone files Pro: Con: Complete for the zones we have Only have gtlds (by policy), updated daily Passive DNS Pro: Con: Visibility across TLDs, finer time resolution Incomplete; no data until someone issues the query 9

Process 1. Look for name servers that move IP addresses. 2. Map IPs to ASNs, and look at IP changes that also change ASN. 3. Since NS are more stable, the parameters for fast flux need to be adjusted. This is the key point NS are by definition stable. In a CDN, Akamai e.g., each NS does not change IP. They may change what NS you point to, but the NS is stable. 10

Surprise! There are suspicious name servers 11

In Zone Files (2011) # Changes # NS change IP % of total # NS change ASN % of total 0 2734327 97.8% 2754332 98.5% 1 52741 1.9% 36645 1.3% 2 4855 0.2% 1846 0.1% 3 551 0.0197% 635 0.0227% 4 198 0.0071% 838 0.0300% 5 233 0.0083% 531 0.0190% 6 482 0.0172% 500 0.0179% 7 660 0.0236% 401 0.0143% 8 706 0.0252% 224 0.0080% 9 607 0.0217% 30 0.0011% 10 478 0.0171% 19 0.0007% 11 138 0.0049% 9 0.0003% more 152 0.0053% 118 0.0041% 12

In Passive DNS (2011) # Changes # NS change IP % of total # NS change ASN % of total 0 1846152 95.8% 1877654 97.5% 1 68401 2.4% 40422 1.4% 2 5134 0.2% 3276 0.1% 3 1420 0.0508% 1232 0.0441% 4 1177 0.0421% 966 0.0345% 5 1123 0.0402% 684 0.0245% 6 566 0.0202% 450 0.0161% 7 535 0.0191% 388 0.0139% 8 439 0.0157% 279 0.0100% 9 322 0.0115% 220 0.0079% 10 248 0.0089% 152 0.0054% 11 140 0.0050% 76 0.0027% more 710 0.0254% 568 0.0204% 13

Following this out 2 years NS that changed IP 5+ times within 30 days: Pharmarelated All NS 14

proportion Is the flux really fast? Well, no. But most NS record TTLs are quite long. Note log-log scale. 82.3% of pdns TTLs are 1 of 3 values [1 hour, 1 day, 2 days] (760M records) 15

So what? NS flux is rather slow But a high confidence indicator. Also, blocking the NS has a bigger effect than blocking a single domain. I don t think anyone looks at this in order to block things. Does anyone here? Has anyone tried and not had success? 16

Future Work I could try to Prove that these NS are bad I can t run incidents to ground at Internet scale, but I could try taking a sample. And intersecting with a dozen or more black lists is, surprisingly, not necessarily fruitful A CERT white paper (CERTCC-2013-39) details this http://www.cert.org/netsa/publications/blacklists_certcc-2013-39.pdf Continue to keep track of this, for awareness of badness. 17

Practically flow analysis You can keep track of this at your NS and prevent it from talking to these suspicious domains Request Policy Zone in BIND, for example For those of you that don t have RPZ installed Track DNS requests to these NS in flow Since the NS s IPs only change on the order of hours, a cron to update an IP set would be reasonable. rwfilter --dipset=flux_ni.set --dport=53 If you ve got a enterprise-wide recursive server that everyone should use, you should only see the 1 IP talking out 18

rwfilter --dipset=flux_ni.set --dport=53 Notes Assumes flow sensor at the edge If you ve got a enterprise-wide recursive server that everyone should use, you should only see the 1 source IP talking out If you find client machines directly making DNS requests to suspicious NS, avoiding the usual recursers, that s worse news 19

Questions/comments? netsa-contact (AT) cert.org 2014 Carnegie Mellon University

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback