DNS Forensics & Protection: Analyzing and Securing Network Traffic
DNS Forensics involves using DNS traffic to analyze network health, detect anomalous behavior, and combat malicious activities. By understanding DNS activity on systems and implementing defense strategies, users and network providers can enhance security and privacy.
Presentation Transcript
DNS Forensics & Protection Paul V. Mockapetris UPMC / Nominum
Why DNS Forensics? The Domain Name System (DNS) has long been used to estimate the population of the Internet and is used heavily by almost all network applications, whether normal or malicious. DNS traffic can be thought of as the "pulse, blood pressure and temperature" of the net. The opportunity is to use DNS traffic to analyze network health and activity, recognize anomalous behavior, and then detect and defeat malicious activity
Cui Bono?
End user can understand activity and vulnerabilities and take countermeasures:
  - Rogue hot spots / Kaminsky (cache poisoning)
  - Virus infections (botnet C&C)
Network provider can:
  - Prevent and inhibit malware activity
  - Understand and optimize traffic
  - Warn re undesired content
Obvious privacy concerns
DNS activity on my XP system after power switched on
  wpad.                          IN A
  cr-tools.clients.google.com.   IN A
  bw-printer-4.nominum.com.      IN A
  122.245.86.74.in-addr.arpa.    IN PTR
  download632.avast.com.         IN A
  158.71.43.208.in-addr.arpa.    IN PTR
  color-printer-1.nominum.com.   IN A
  download894.avast.com.         IN A
  color-printer-2.nominum.com.   IN A
  color-printer-3.nominum.com.   IN A
  26.38.133.174.in-addr.arpa.    IN PTR
After login
  cr-tools.clients.google.com.   IN A
  armmf.adobe.com.               IN A
  clients1.google.com.           IN A
  armdl.adobe.com.               IN A
Start Firefox
  desktop4.google.com.               IN A
  finance.yahoo.com.                 IN A
  l.yimg.com.                        IN A
  ads.yldmgrimg.net.                 IN A
  ads.bluelithium.com.               IN A
  query.yahooapis.com.               IN A
  ad.doubleclick.net.                IN A
  ad.wsod.com.                       IN A
  ad.yieldmanager.com.               IN A
  s0.2mdn.net.                       IN A
  yui.yahooapis.com.                 IN A
  e.yimg.com.                        IN A
  us.bc.yahoo.com.                   IN A
  admedia.wsod.com.                  IN A
  streamerapi.finance.yahoo.com.     IN A
  a.l.yimg.com.                      IN A
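The three slides above are exactly the kind of raw material DNS forensics starts from. The following is an added example, not code from the deck or from Nominum: it parses a query log in an assumed "<qname> IN <qtype>" format (constructed here from the names on the boot slide), groups queries by type and organisation, recovers the addresses behind the PTR lookups, and pulls out single-label names such as "wpad." (the proxy auto-discovery lookup that a rogue hot spot or whoever owns the search-list suffix can answer with a proxy of their choosing).

```python
import ipaddress
from collections import Counter

# Constructed input: the query names and types from the boot slide,
# re-joined as one "<qname> IN <qtype>" record per line (log format is an assumption).
BOOT_LOG = """\
wpad. IN A
cr-tools.clients.google.com. IN A
bw-printer-4.nominum.com. IN A
122.245.86.74.in-addr.arpa. IN PTR
download632.avast.com. IN A
158.71.43.208.in-addr.arpa. IN PTR
color-printer-1.nominum.com. IN A
download894.avast.com. IN A
color-printer-2.nominum.com. IN A
color-printer-3.nominum.com. IN A
26.38.133.174.in-addr.arpa. IN PTR
"""


def parse_log(text):
    """Return (qname, qtype) tuples; qnames lower-cased with the root dot stripped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "IN":
            continue  # skip malformed lines rather than abort the whole analysis
        records.append((parts[0].lower().rstrip("."), parts[2].upper()))
    return records


def ptr_to_ip(qname):
    """Recover the IPv4 address behind a reverse lookup:
    '122.245.86.74.in-addr.arpa' -> '74.86.245.122'."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return None
    octets = qname[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def base_domain(qname):
    """Crude registrable domain (last two labels). Simplification: production code
    should use the Public Suffix List so 'example.co.uk' is not reduced to 'co.uk'."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def summarise(records):
    """Group by type and organisation, recover reverse-lookup targets, and list
    single-label names (search-list dependent, so answerable by a hostile resolver)."""
    forward = [(n, t) for n, t in records if t != "PTR"]
    return {
        "by_type": dict(Counter(t for _, t in records)),
        "by_domain": dict(Counter(base_domain(n) for n, _ in forward)),
        "reverse_targets": [ip for n, t in records if t == "PTR"
                            for ip in [ptr_to_ip(n)] if ip],
        "single_label": [n for n, _ in records if "." not in n],
    }


if __name__ == "__main__":
    for key, value in summarise(parse_log(BOOT_LOG)).items():
        print(key, value)
```

Run against the login and Firefox slides the same way; the ad-network domains in the Firefox list show up immediately as the largest group by organisation, which is the "understand and optimize traffic" use case from the Cui Bono slide.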
The Lifecycle of a Bot Network (diagram: Bot Master, Botnet C&C, Innocent User)
1. Spam entices user to badsite.com
2. User visits site and is infected via drive-by download malware and becomes part of the botnet
3. Bot gets instructions from the Command and Control (C&C) server
4. Bot steals confidential data and uploads it to a drop site
Where to address the issue?
Layering the Defense
Use DNS to distribute real time threat information. Using that:
1. Block or warn the user about spam or web pages that seek to lure the user to infection sites.
2. Block or warn the user about downloads from malware sites.
3. Block command and control server activities.
4. Block exfiltration of data to known bad sites.
5. Learn about the sites that infections access.
6. Use that information to update the reputation feed.
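The six layers above are one resolver-side policy hook plus a feedback loop. This is an added example, not the deck's or Nominum's code: the feed, its categories, the client identifiers and the allow-list are constructed for illustration. Layers 1-4 are a longest-suffix match against a reputation feed with a per-category action; layer 5 records what a host resolves after it has been seen contacting a C&C or drop-site name; layer 6 promotes names that several infected hosts share into the feed, as warn-only candidates rather than blocks, since a shared update or telemetry host would otherwise get blocked for everyone.

```python
from dataclasses import dataclass, field

# Constructed reputation feed: listed domain -> category, mapping onto layers 1-4.
FEED = {
    "badsite.example": "lure",         # 1: spam links and lure pages
    "dl.malware.example": "malware",   # 2: malware download hosts
    "cc.botnet.example": "c2",         # 3: command and control
    "drop.exfil.example": "dropsite",  # 4: exfiltration drop sites
}
# Action per category: warn on lures (a page listing may be stale), block the rest.
ACTION = {"lure": "warn", "malware": "block", "c2": "block", "dropsite": "block"}
# Names infected hosts resolve anyway (OS updates, time service); never learn these.
ALLOWLIST = {"update.example", "time.example"}


def normalise(qname):
    return qname.lower().rstrip(".")


def lookup_reputation(qname, feed):
    """Longest-suffix match: a listing for badsite.example also covers www.badsite.example."""
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        cat = feed.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


@dataclass
class PolicyEngine:
    feed: dict = field(default_factory=lambda: dict(FEED))
    # client -> names it resolved after a C&C or drop-site hit (layer 5 state)
    infected: dict = field(default_factory=dict)

    def decide(self, client, qname):
        """Return (action, category) for one query and run the learning step."""
        qname = normalise(qname)
        cat = lookup_reputation(qname, self.feed)
        if cat in ("c2", "dropsite"):
            self.infected.setdefault(client, set())  # this host is now known-infected
        if cat:
            return ACTION.get(cat, "warn"), cat
        if client in self.infected and qname not in ALLOWLIST:
            self.infected[client].add(qname)  # layer 5: learn what infected hosts resolve
        return "allow", None

    def promote(self, min_hosts=2, category="c2-candidate"):
        """Layer 6: names resolved by at least min_hosts distinct infected hosts join the
        feed as warn-only candidates until a human or a second source confirms them."""
        seen = {}
        for names in self.infected.values():
            for name in names:
                seen[name] = seen.get(name, 0) + 1
        promoted = sorted(n for n, c in seen.items() if c >= min_hosts and n not in self.feed)
        for name in promoted:
            self.feed[name] = category
        return promoted


if __name__ == "__main__":
    engine = PolicyEngine()
    for client, name in [("10.0.0.5", "cc.botnet.example"), ("10.0.0.5", "beacon.unknown.example"),
                         ("10.0.0.9", "drop.exfil.example"), ("10.0.0.9", "beacon.unknown.example")]:
        print(client, name, engine.decide(client, name))
    print("promoted:", engine.promote())
```

The promotion threshold is the knob that trades detection speed against false positives; with real traffic it should also be gated on the candidate not appearing in the resolver's overall top-N, which a shared allow-list only approximates.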
DNS and the Future of Cyber Defense
(Same botnet lifecycle diagram: Bot Master, Botnet C&C, Innocent User. 1: spam entices user to badsite.com; 2: user visits the site, is infected via drive-by download malware and becomes part of the botnet; 3: bot gets instructions from the Command and Control (C&C) server; 4: bot steals confidential data and uploads it to a drop site.)
Ideal Case
Network Protection Center: a Data Import System feeding a Data Processing System
Inputs to the Data Import System: Outside Threat Source Data, ISP reputation data, server logs from the Vantio DNS Servers
Vantio DNS Servers: receive the users' DNS queries and perform the external DNS lookups
Sizing
Typical case: 2 redundant DNS servers
Assume 50,000 users
Server peak query rate: 50,000 - 1,300,000 Q/S
80% handled from cache; 1 query = 1 response
20% involve traffic to other servers
Botnets that don't want to be found
Real Case
Same components as the ideal case (Network Protection Center with Data Import and Data Processing Systems; Outside Threat Source Data; ISP reputation data; server logs; Vantio DNS Servers handling DNS queries and external DNS lookups), plus traffic the ISP resolvers never see: DNS queries sent directly to Google DNS, OpenDNS, Akamai DNS, or through hotspot tunnels
Real Sizing
Sensors generate a peak of 100-500 Mbyte/sec
? Mbytes/sec from port 53 taps?
Anonymous that wants to DDoS
Data evaluation: inline, which taxes the server? Or in the network center, which taxes backhaul (Hadoop anyone?)
Last problem(s)
We can't disrupt DNS service while we experiment with data filters
We may want to run multiple filters & algorithms in parallel
Some reputation data is hashed; most ISPs won't let us look at the data; everyone wants attribution for blocking rules
PVM Theory 1: Privacy
Bring DNSSEC protection to the user's machine.
Let & encourage the user to use reputation data to edit DNS content.
Let & encourage the user to outsource the operation to an ISP or other provider, provided that user privacy is protected.
PVM Theory 2: Mechanism
Think of the DNS server & port 53 tap logic as data flow problems, or perhaps pipes
Two primary types:
  - Rapid filters inline in the DNS server
  - Export to Hadoop via a big buffer
Provide trusted and debug environments
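The mechanism slide and the "last problems" slide before it fit together as one small dataflow: inline filters composed as a pipe, a shadow (observe-only) mode so an experimental filter or a second algorithm can run in parallel without ever changing an answer, and a bounded export buffer that drops and counts rather than stalling the resolver when the bulk back end falls behind. The code below is an added example, not the deck's or Nominum's; the filter interface, the record format and the sample filters are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Query:
    client: str
    qname: str
    qtype: str = "A"


@dataclass
class Verdict:
    action: str = "allow"
    reasons: list = field(default_factory=list)  # enforcing filters that fired
    shadow: list = field(default_factory=list)   # (filter, decision) from observe-only filters


class ExportBuffer:
    """Bounded and lossy by design: the resolver must never block on the analysis
    back end. When full, the oldest record is discarded and counted, so the loss
    is visible in metrics instead of silent."""

    def __init__(self, capacity):
        self.buf = deque(maxlen=capacity)
        self.dropped = 0

    def push(self, record):
        if len(self.buf) == self.buf.maxlen:
            self.dropped += 1
        self.buf.append(record)

    def drain(self):
        """Hand the current batch to the bulk pipeline (Hadoop or similar) and reset."""
        batch = list(self.buf)
        self.buf.clear()
        return batch


class Pipeline:
    def __init__(self, export_capacity):
        self.stages = []  # (name, fn, enforce)
        self.export = ExportBuffer(export_capacity)

    def add(self, name, fn, enforce):
        """fn(query) -> 'block' | 'warn' | None. enforce=False runs fn in shadow mode."""
        self.stages.append((name, fn, enforce))

    def handle(self, q):
        v = Verdict()
        for name, fn, enforce in self.stages:
            try:
                decision = fn(q)
            except Exception as exc:
                # A crashing experiment (or a bug in a live filter) fails open and is
                # recorded; it never becomes a SERVFAIL for the user.
                v.shadow.append((name, "error: " + type(exc).__name__))
                continue
            if decision is None:
                continue
            if enforce:
                if v.action == "allow":  # first enforcing decision wins
                    v.action = decision
                v.reasons.append(name)
            else:
                v.shadow.append((name, decision))
        self.export.push({"client": q.client, "qname": q.qname, "qtype": q.qtype,
                          "action": v.action, "shadow": list(v.shadow)})
        return v


# Constructed filters; the names and rules are illustrative only.
KNOWN_BAD = {"cc.botnet.example"}


def known_bad(q):
    return "block" if q.qname.lower().rstrip(".") in KNOWN_BAD else None


def long_random_label(q):
    """Experimental heuristic for generated names: long first label containing digits."""
    label = q.qname.split(".")[0]
    return "block" if len(label) >= 16 and any(c.isdigit() for c in label) else None


def broken_experiment(q):
    raise ValueError("bug in experimental filter")


def build_pipeline(export_capacity=1000):
    p = Pipeline(export_capacity)
    p.add("known_bad", known_bad, enforce=True)
    p.add("long_random_label", long_random_label, enforce=False)
    p.add("broken_experiment", broken_experiment, enforce=False)
    return p


if __name__ == "__main__":
    p = build_pipeline()
    for name in ["cc.botnet.example", "abcd1234efgh5678ijkl.example.com", "www.example.com"]:
        print(name, p.handle(Query("10.0.0.5", name)))
    print("exported:", len(p.export.drain()), "dropped:", p.export.dropped)
```

Promoting a shadow filter to enforcing is then a one-flag change once its exported shadow decisions have been compared offline against the live verdicts, which is the "trusted and debug environments" point: the same code path runs in both, only the enforce bit differs.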