Proactive Network Protection Through DNS Security Insights
Exploring proactive network protection methods using DNS, security challenges, botnet threats, firewall management, malware controls, and DNS-based malware control. Discussions on DNS security vulnerabilities, DNSSEC, threat intelligence, machine learning, and best practices like RPZ for DNS protection against malicious activities like phishing, spam, and botnets. Emphasizing the importance of DNS-based security measures in combating evolving cyber threats and ensuring network resilience and integrity.
Presentation Transcript
Proactive Network Protection Through DNS S. Alireza Vaziri
Agenda: Today's Security Challenges; Methods of Network Protection; DNS and DNSSEC; DNS RPZ; Threat Intelligence; Machine Learning Classifier
Me: Alireza Vaziri, Network Engineer, Security Practitioner
Today's Headache: Botnets, Spam, Phishing
Worst Botnet Countries
Technical Malware Controls: Firewall, IDPS, Antivirus, Patch Management. Are we secure? NO!
RIP DPI: Resource Hungry, Everything is Encrypted, Polymorphic Malware
NetFlow Based Botnet Detection: Flow Based Analysis on malware traffic, Machine Learning based prediction
Malware Distribution URLs: afobal.cl, alvoportas.com.br, bestdove.in.ua, blogerjijer.pw, bright.su, dau43vt5wtrd.tk, domnicpeter.in.net, dzitech.net, fadzulani.com, hruner.com
DNS-Based Malware Control: Fast, Cheap, Easy to deploy
DNS is vulnerable by design (RFC 3833): Stateless Query, Easy to hijack, No integrity check
DNSSEC: Answers are signed, Resolver checks integrity
DNS RPZ (Response Policy Zone): Zone being updated periodically; Check Query and Response for malicious records; Return bad domains with NXDOMAIN; Redirect user to custom page; Block C&C, Phishing, Malware
BIND RPZ

named.conf (the "rpz" zone must also be declared as a master zone served from the file below):
    response-policy { zone "rpz"; };

Policy zone file:
    $TTL 300
    @   IN SOA localhost. need.to.know.only. (
            201802121 ; Serial number
            60        ; Refresh every minute
            60        ; Retry every minute
            432000    ; Expire in 5 days
            60 )      ; negative caching 1 minute
        IN NS LOCALHOST.
    example.com    IN CNAME .   ; NXDOMAIN for the domain itself
    *.example.com  IN CNAME .   ; NXDOMAIN for all of its subdomains
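As an added example, not part of the presentation or of BIND: a small Python model of how a resolver applies QNAME policy records of the shape shown in the zone above (exact and wildcard triggers; CNAME "." for NXDOMAIN, CNAME "*." for NODATA, any other CNAME for a redirect to a custom page). The zone content and the name walledgarden.internal. are constructed for the example.

```python
# Added example (not from the presentation): a minimal model of how a
# resolver applies BIND-style RPZ QNAME records such as those in the zone above.
# Trigger: owner name, exact or a "*." wildcard (subdomains only, not the apex).
# Action:  CNAME "." -> NXDOMAIN, CNAME "*." -> NODATA, any other CNAME -> redirect.
import re

# Constructed zone content in the same record shape as the slide's policy zone;
# walledgarden.internal. is an assumed local landing page, not a real host.
RPZ_ZONE = """
example.com    IN CNAME .
*.example.com  IN CNAME .
phish.test     IN CNAME walledgarden.internal.
*.nodata.test  IN CNAME *.
"""

RECORD_RE = re.compile(r"^(\S+)\s+IN\s+CNAME\s+(\S+)$")

def parse_rpz(zone_text):
    """Return {trigger_owner: cname_target} for each QNAME policy record."""
    policy = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unsupported RPZ record: {line}")
        owner, target = m.groups()
        policy[owner.lower().rstrip(".")] = target
    return policy

def action_for(target):
    """Map the CNAME target to the RPZ action it encodes."""
    if target == ".":
        return "NXDOMAIN"
    if target == "*.":
        return "NODATA"
    return f"REDIRECT {target}"  # local data: answer with this CNAME

def apply_policy(policy, qname):
    """Exact owner wins; otherwise the nearest enclosing wildcard; else no hit."""
    name = qname.lower().rstrip(".")
    if name in policy:
        return action_for(policy[name])
    labels = name.split(".")
    for i in range(1, len(labels)):  # "*.example.com" never matches example.com
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return action_for(policy[wildcard])
    return "PASSTHRU"  # no policy record: resolve normally
```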
DNS Success Stories: Quad9, OpenDNS, CloudFlare
Zone Update: Automatic from Multiple Sources (Blacklists), Manually added hosts, AXFR/IXFR
Local Threat Intelligence: Detecting New Malicious Domains, Holding Reputation Score (ASN, IP, Domain)
Background Check: Alexa Rank, Google Page Rank, Number of subdomains, Count of '.' and other separator characters, Domain age in WHOIS, PTR record, ASN
Protect Top Hosts from Phishing: Shaparak.ir, Bankmellat.ir, Bmi.ir, Tamin.ir
Fuzzy Logic: Used in Google search
Machine Learning Domain Background Check: Dataset from Phishtank and RBLs, Train and Test data
Procedure: Blacklist fetching; Add new domains to list; Fetch Extra Data; Check DNS logs; Train ML model
KNN Classifier

    Domain Type    Trusted    Malicious
    Dataset        1000       700
    KNN            10         6
    Train/Test     50/50      50/50
    Accuracy       85.7%      82.2%
What is missing? DNS RPZ is not a total solution (Domain Fronting); RPZ cannot control direct IP connectivity; RPZ cannot control URLs
What do we need? Public Threat Intelligence feed (STIX, TAXII, CybOX), Public Resolver, Shadowserver
Publish: https://github.com/aliereza/MLDNS