DNS Forensics & Protection: Analyzing and Securing Network Traffic

Slide Note
Embed
Share

DNS Forensics involves using DNS traffic to analyze network health, detect anomalous behavior, and combat malicious activities. By understanding DNS activity on systems and implementing defense strategies, users and network providers can enhance security and privacy.

hanish
hanish Follow

Uploaded on Sep 17, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. DNS Forensics & Protection Paul V. Mockapetris UPMC / Nominum

  2. Why DNS Forensics? The Domain Name System (DNS) has long been used to estimate the population of the Internet and is used heavily by almost all network applications, whether normal or malicious. DNS traffic can be thought of as the "pulse, blood pressure and temperature" of the net. The opportunity is to use DNS traffic to analyze network health and activity, recognize anomalous behavior, and then detect and defeat malicious activity

  3. Qui Bono? End user can understand activity, vulnerabilities and take countermeasures. Rogue Hot spots / Kaminsky Virus infections (botnet C & C) Network provider can Prevent and inhibit malware activity Understand and optimize traffic Warn re undesired content Obvious privacy concerns

  4. DNS activity on my XP system after power switched on wpad. cr-tools.clients.google.com. bw-printer-4.nominum.com. 122.245.86.74.in-addr.arpa. download632.avast.com. 158.71.43.208.in-addr.arpa. color-printer-1.nominum.com. download894.avast.com. color-printer-2.nominum.com. color-printer-3.nominum.com. 26.38.133.174.in-addr.arpa. IN A IN A IN A IN PTR IN A IN PTR IN A IN A IN A IN A IN PTR

  5. After login cr-tools.clients.google.com. armmf.adobe.com. clients1.google.com. armdl.adobe.com. IN A IN A IN A IN A

  6. Start Firefox desktop4.google.com. finance.yahoo.com. l.yimg.com. ads.yldmgrimg.net. ads.bluelithium.com. query.yahooapis.com. ad.doubleclick.net. ad.wsod.com. ad.yieldmanager.com. s0.2mdn.net. yui.yahooapis.com. e.yimg.com. us.bc.yahoo.com. admedia.wsod.com. streamerapi.finance.yahoo.com. a.l.yimg.com. IN A IN A IN A IN A IN A IN A IN A IN A IN A IN A IN A IN A IN A IN A IN A IN A

  7. The Lifecycle of a Bot Network Botnet C&C Bot Master 3. Bot gets instructions from Command and Control (C&C) server Where to address the issue? 2. User visits site and is infected via drive by download Malware and becomes part of Botnet 1. Spam entices user to badsite.com 4. Steal confidential data and upload to a drop site Innocent User

  8. Layering the Defense Use DNS to distribute real time threat information Using that: 1. Block or warn the user about spam or web pages that seek to lure the user to infection sites. Block or warn the user about downloads from malware sites. Block command and control server activities. Block exfiltration of data to known bad sites. Learn about the sites that infections access. Use that information to update the reputation feed. 2. 3. 4. 5. 6.

  9. DNS and the Future of Cyber Defense Botnet C&C Bot Master 3 Bot gets instructions from Command and Control (C&C) server 2 User visits site and is infected via drive by download Malware and becomes part of Botnet 1 Spam entices user to badsite.com 4 Steal confidential data and upload to a drop site Innocent User

  10. Ideal Case Network Protection Center Data Processing System Data Import System Outside Threat Source Data ISP reputation data Server log External DNS lookups Vantio DNS Servers DNS queries

  11. Sizing Typical Case: 2 redundant DS servers Assume 50,000 users Server peak query rate 50,000 - 1,300,000 Q/S 80% handled from cache 1 query = 1 response 20% involve traffic to other servers Botnets that don t want to be found

  12. Real Case Network Protection Center Data Processing System Data Import System Outside Threat Source Data ISP reputation data Server log External DNS lookups Vantio DNS Servers DNS queries DNS queries to GoogleDNS, OpenDNS, AkamiDNS, Hotspot tunnels

  13. Real Sizing Sensors: Generate peak of 100-500 Mbyte/sec ? Mbytes/sec from port 53 taps? Anonymous that wants to DDOS Data Evaluation Inline that taxes server? Network center taxes backhaul (Hadoop anyone?)

  14. Last problem(s) We can t disrupt DNS service while we experiment with data filters We may want to run multiple filters & algorithms in parallel Some reputation data is hashed; most ISPs won t let us look at the data; everyone wants attribution for blocking rules

  15. PVM Theory 1: Privacy Bring DNSSEC protection to the user s machine. Let & encourage the user to use reputation data to edit DNS content. Let & encourage the user to outsource the operation to an ISP or other provided that user privacy is protected.

  16. PVM Theory 2: Mechanism Think of the DNS server & Port 53 tap logic as data flow problems, or perhaps pipes Two primary types Rapid filters inline in DNS server Export to Hadoop via big buffer Provide trusted and debug environments

Related


Understanding Domain Name System (DNS) and Content Distribution Networks (CDNs)

Understanding Domain Name System (DNS) and Content Distribution Networks (CDNs)

idecl
Understanding Domain Name Service (DNS) in Linux Network Administration

Understanding Domain Name Service (DNS) in Linux Network Administration

teey962
Automating DNS Maintenance with Catalog Zones: A New Approach

Automating DNS Maintenance with Catalog Zones: A New Approach

kkai
Roadmap for DNS Load Balancing Service at CERN - HEPiX Autumn 2020 Workshop

Roadmap for DNS Load Balancing Service at CERN - HEPiX Autumn 2020 Workshop

norbert
Understanding Programmable Traffic Management for Network Optimization

Understanding Programmable Traffic Management for Network Optimization

humphrey
Understanding BGP and DNS Worms in Network Security

Understanding BGP and DNS Worms in Network Security

euey175
Introduction to Computer Forensics: Uncovering Digital Evidence

Introduction to Computer Forensics: Uncovering Digital Evidence

uram_iem
Understanding BIND DNS Security Vulnerabilities and Configuration

Understanding BIND DNS Security Vulnerabilities and Configuration

taki_11
Understanding DNS Replication with BIND9

Understanding DNS Replication with BIND9

rtoa
Strategies for Developing a National Nuclear Forensics Library

Strategies for Developing a National Nuclear Forensics Library

armaan
Understanding File Systems and Disk Basics in Computer Forensics

Understanding File Systems and Disk Basics in Computer Forensics

mpaul
EnCase Forensics: Official Study Guide Overview

EnCase Forensics: Official Study Guide Overview

azrael
Prioritizing Effective Traffic Management at the Workplace

Prioritizing Effective Traffic Management at the Workplace

indi
Traffic Flow Improvement at Gate 1 Pilot Project Overview

Traffic Flow Improvement at Gate 1 Pilot Project Overview

alix
Luxury Big Island SEO Report - February 2017 Summary

Luxury Big Island SEO Report - February 2017 Summary

hafsah
Engaging Traffic Education Lesson for Students at Shaistagonj Kamil Madrasah

Engaging Traffic Education Lesson for Students at Shaistagonj Kamil Madrasah

dkay
Understanding Traffic Engineering Analysis in Telecommunication Networks

Understanding Traffic Engineering Analysis in Telecommunication Networks

cason
Network Traffic Analysis with Wireshark: Examples and Techniques

Network Traffic Analysis with Wireshark: Examples and Techniques

tommy-lee
Biomedical Forensics: Solving Mysteries Through DNA Analysis

Biomedical Forensics: Solving Mysteries Through DNA Analysis

mans106
Kingwood Traffic Signals Overview and Updates

Kingwood Traffic Signals Overview and Updates

lyon
Preventing Road Traffic Injuries: A Global Perspective

Preventing Road Traffic Injuries: A Global Perspective

astat
Understanding Traffic Turning Tendency Surveys in Transportation Studies

Understanding Traffic Turning Tendency Surveys in Transportation Studies

kamau
Principles of Traffic Demand Analysis and Highway Demand Forecasting

Principles of Traffic Demand Analysis and Highway Demand Forecasting

lolarose
Understanding Traffic Response to Tolling: Insights from Research

Understanding Traffic Response to Tolling: Insights from Research

jerr_199

More Related Content

Understanding the Role of NCUTCD in Traffic Control Management
Understanding the Role of NCUTCD in Traffic Control Management
Network Design Challenges and Solutions in Business Data Communications
Network Design Challenges and Solutions in Business Data Communications
Understanding Network Denial of Service (DoS) Attacks
Understanding Network Denial of Service (DoS) Attacks
IEEE 802.11-21/1115r0 Traffic Prioritization Summary
IEEE 802.11-21/1115r0 Traffic Prioritization Summary
Understanding Snort: An Open-Source Network Intrusion Detection System
Understanding Snort: An Open-Source Network Intrusion Detection System
Traffic Volume Counting Methods and Analysis in Civil Engineering
Traffic Volume Counting Methods and Analysis in Civil Engineering
DNS Research Federation: Advancing Understanding of Cybersecurity Impact
DNS Research Federation: Advancing Understanding of Cybersecurity Impact
Upgrade Requirements, Challenges, and Solutions for Same-Server DoT Implementation
Upgrade Requirements, Challenges, and Solutions for Same-Server DoT Implementation
Country Names in the Domain Name System (DNS)
Country Names in the Domain Name System (DNS)
Modernizing Forensics: Transforming Strategies for Better Justice
Modernizing Forensics: Transforming Strategies for Better Justice
Understanding DNS Firewall Architecture at Virginia Tech
Understanding DNS Firewall Architecture at Virginia Tech
Enhancing Network Performance with RoCE Technology
Enhancing Network Performance with RoCE Technology
Understanding DNA Sequencing: Principles, Applications, and Techniques
Understanding DNA Sequencing: Principles, Applications, and Techniques
Guide to Setting Up a Computer Forensics Lab
Guide to Setting Up a Computer Forensics Lab
Computer Forensics: Capturing and Verifying Evidence
Computer Forensics: Capturing and Verifying Evidence
Digital Forensics Investigation Process Overview
Digital Forensics Investigation Process Overview
Exploring the Integration of Digital Forensics in Digital Curation Workflows
Exploring the Integration of Digital Forensics in Digital Curation Workflows
Protecting User Privacy in Web-Based Applications through Traffic Padding
Protecting User Privacy in Web-Based Applications through Traffic Padding
Traffic Analysis and Forensic Investigation Puzzle
Traffic Analysis and Forensic Investigation Puzzle
Modeling and Generation of Realistic Network Activity Using Non-Negative Matrix Factorization
Modeling and Generation of Realistic Network Activity Using Non-Negative Matrix Factorization
Understanding Low-Intensity DoS Attacks on BGP Infrastructure
Understanding Low-Intensity DoS Attacks on BGP Infrastructure
Presto: Edge-based Load Balancing for Fast Datacenter Networks
Presto: Edge-based Load Balancing for Fast Datacenter Networks
Understanding the General Data Protection Regulation (GDPR) and Data Protection Bill
Understanding the General Data Protection Regulation (GDPR) and Data Protection Bill
Groundskeeping Safety and Personal Protective Equipment Training
Groundskeeping Safety and Personal Protective Equipment Training