Role of DNS in Botnet Command and Control

Post on 30-Nov-2014


Transcript of Role of DNS in Botnet Command and Control

OpenDNS Security Talk

The Role of DNS in Botnet Command & Control (C&C)

Please Watch the Recording via the Link Posted in the Comment Section Below for Context!

Topics: DNS REFRESHER

Domain Name System Refresher

How Does It Work?

STUB CLIENTS

RECURSIVE NAME SERVERS

AUTHORITATIVE NAME SERVERS

root

tld

domain.tld

REQUEST PROTOCOL

DISTRIBUTED DATABASE

So It’s a Protocol? Or a Database? No, It’s Both!

ANY DEVICE ANY APPLICATION

RECURSIVE & AUTHORITATIVE NAME SERVERS

QUERY domain name

RESPONSE e.g. IP address

RESOURCE RECORDS

e.g. domain name = IP address

Role of DNS in Internet Threats

(including Botnet C&C)

IRC, P2P and 100s more

Infected device “phones home”.

Hacker collects data via botnet controller or bot peers.

Without user interaction, confidential data is leaked to p2p.botnet.cn.

DATA THEFT

Hackers Add Threat Mobility via DNS to Thwart Reactive Defenses

IP FLUX via DNS RECORDS: SAME QUERY, DIFFERENT RESPONSES

paypalz.com = 1.1.1.1
ad.malware.cn = 2.2.2.2
p2p.botnet.com = 3.3.3.3

paypalz.com = 1.1.1.2
ad.malware.cn = 2.2.2.3
p2p.botnet.com = 3.3.3.4

paypalz.com = 1.1.1.3
ad.malware.cn = 2.2.2.4
p2p.botnet.com = 3.3.3.5

DOUBLE IP FLUX via DNS RECORDS: SAME NAME SERVER, DIFFERENT RESPONSES

ns.botnet.com = 4.4.4.4
ns.botnet.com = 4.4.4.6
ns.botnet.com = 4.4.4.5

DOMAIN FLUX via DGA: DIFFERENT QUERIES, SAME RESPONSE

paypals.com = 1.1.1.1
paypalz.com = 1.1.1.1
paypall.com = 1.1.1.1

visitmalta.cn = 2.2.2.2
maltesefalcon.cn = 2.2.2.2
maltwhisky.cn = 2.2.2.2

kjasdfaasdf.com = 3.3.3.3
kjasdfsdfsaa.com = 3.3.3.3
ijiewfsfsjst.com = 3.3.3.3

Hackers Distribute Botnet’s Architecture via DNS to Thwart Takedown

Must Shutdown or Block All…
•  Content Servers.
•  Name Servers.
… via DNS Records.

Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies (builds 1-5)

An Infected Device within On-Premises Network is Just One Vector

FIREWALL

PROXY

ISP

Queries (upstream data encoded in the leftmost label):

where is 01010.cnc.tld?
where is 00110.cnc.tld?
where is 11010.cnc.tld?

Responses (downstream data encoded in the answer):

11010.cnc.tld is at 11011
11010.cnc.tld is at 11100
11010.cnc.tld is at 01110

DNS TUNNELING

•  Bi-directional ~110kbps using TXT records.
•  1998 -- Concept published.
•  2004 -- Security community discussed.
•  2008 -- Security community created exploit.
•  2011 -- 1st documented botnet to exploit it.
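As an added example (not from the talk or from OpenDNS), a small Python script that applies the three DNS patterns described above to constructed resolver log lines: one name answered with many addresses (IP flux), many registered domains sharing one answer (domain flux via DGA), and many unique leftmost labels under one parent domain (tunneling). The "query-name answer" log format, the thresholds, and the two-label "registered domain" cut are assumptions.

```python
from collections import defaultdict

# Constructed sample resolver log lines ("query-name answer"); not real data.
SAMPLE_LOG = """\
paypalz.com 1.1.1.1
paypalz.com 1.1.1.2
paypalz.com 1.1.1.3
kjasdfaasdf.com 3.3.3.3
kjasdfsdfsaa.com 3.3.3.3
ijiewfsfsjst.com 3.3.3.3
01010.cnc.tld 10.0.0.1
00110.cnc.tld 10.0.0.1
11010.cnc.tld 10.0.0.1
www.example.com 192.0.2.10
"""


def parse_log(text):
    """Return (query name, answer) pairs, skipping blank lines."""
    return [tuple(line.split()[:2]) for line in text.splitlines() if line.strip()]


def registered_domain(name):
    """Assumed crude 'domain.tld' cut: the last two labels of the name."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def ip_flux(records, min_ips=3):
    """Same query, different responses: one name answered with many addresses."""
    answers = defaultdict(set)
    for name, ip in records:
        answers[name].add(ip)
    return {n: sorted(ips) for n, ips in answers.items() if len(ips) >= min_ips}


def domain_flux(records, min_domains=3):
    """Different queries, same response: many registered domains share one answer."""
    domains = defaultdict(set)
    for name, ip in records:
        domains[ip].add(registered_domain(name))
    return {ip: sorted(d) for ip, d in domains.items() if len(d) >= min_domains}


def tunneling(records, min_labels=3):
    """Data in the leftmost label: many unique subdomains under one parent domain."""
    labels = defaultdict(set)
    for name, _ in records:
        parts = name.lower().rstrip(".").split(".")
        if len(parts) > 2:
            labels[registered_domain(name)].add(parts[0])
    return {p: sorted(l) for p, l in labels.items() if len(l) >= min_labels}
```

Each function returns the flagged names or addresses with the evidence behind them, so the output can be fed to a blocklist or alerting step; on a real resolver log the thresholds need tuning against legitimate CDN and round-robin behaviour.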

If Hackers Have Evolved, So Should Your Defense-in-Depth Strategy!

After detection, you attempt to prevent 100%. There are a lot of vectors, so a lot of solutions.

After preventing as much as reasonable since 100% is no longer realizable, you contain the rest.

PAST

Hackers seek fame & glory.

Malware disrupts your business.

Your highest costs are lost productivity & IT remediation time.

PRESENT & FUTURE

Cybercriminals seek fortune & politics.

Botnets penetrate your networks. And roaming & mobile devices enter your networks.

Your highest costs are leaked data & legal audit fees.

Role of DNS in Internet-Wide Security

Visualize Threats & Characterize Patterns in Big Data

Visualizing One Day’s Worth of Blocked Malware, Botnet, or Phishing Domain Requests

What’s Next for DNS-based Security?

•  More domain names to track.
   »  Internet still exponentially growing.
   »  ICANN received 2000+ applications for new TLDs (Top-Level Domains).

•  Bigger and more complex DNS packets.
   »  DNS tunneling by botnets.
   »  DKIM (DomainKeys Identified Mail).
   »  AAAA records for IPv6 addresses.

•  More DNS traffic.
   »  More persistent threats due to DIY (do-it-yourself) kits for cybercriminals.
   »  Browsers predictively pre-caching DNS requests.

Thank You for Attending! Continue the discussion:

Email: david@opendns.com
Twitter: @davidu