Role of DNS in Botnet Command and Control


Transcript of Role of DNS in Botnet Command and Control

Page 1: Role of DNS in Botnet Command and Control

OpenDNS Security Talk

The Role of DNS in Botnet Command & Control (C&C)

Please Watch the Recording via the Link Posted in the Comment Section Below for Context!

Page 2: Role of DNS in Botnet Command and Control

Topics: DNS REFRESHER.

Page 3: Role of DNS in Botnet Command and Control

Domain Name System Refresher

Page 4: Role of DNS in Botnet Command and Control

How Does It Work?

STUB CLIENTS → RECURSIVE NAME SERVERS → AUTHORITATIVE NAME SERVERS (root → tld → domain.tld)

Page 5: Role of DNS in Botnet Command and Control

So It’s a Protocol? Or a Database? No, It’s Both!

REQUEST PROTOCOL
•  Any device, any application.
•  QUERY: domain name.
•  RESPONSE: e.g. IP address.

DISTRIBUTED DATABASE
•  Recursive & authoritative name servers.
•  RESOURCE RECORDS, e.g. domain name = IP address.
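The two halves of the refresher, the request protocol and the resource records it carries, as an added worked example that is not part of the OpenDNS deck: the code builds a query for domain.tld in DNS wire format, answers it with a single A record from a constructed resource record (using a name-compression pointer the way real responders do), and parses the answer back into the name, type, TTL and address. The transaction ID, the name and the address 192.0.2.10 (a documentation range) are constructed for the example.

```python
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: length byte + label, zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name as it appears in the message)."""
    labels = []
    end = None            # set when a pointer is met: the caller continues after it
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                   # two high bits set: pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Header (ID, flags with RD set, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Answer a query with one A record. The answer NAME is a pointer to
    offset 12 (0xC00C), where the question name starts."""
    txid, = struct.unpack("!H", query[:2])
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]                   # name + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    rdata = socket.inet_aton(ip)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(msg: bytes) -> dict:
    """Walk header, question section and answer section of a message."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions = []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


if __name__ == "__main__":
    q = build_query(0x1234, "domain.tld")          # constructed transaction ID
    r = build_response(q, "192.0.2.10", ttl=300)    # constructed resource record
    print(parse_response(r))
```

The same parser reads real responses from a stub or recursive resolver, which is where a defender's visibility starts: every query name and every answer in the examples that follow is exactly what these fields carry.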

Page 6: Role of DNS in Botnet Command and Control
Page 7: Role of DNS in Botnet Command and Control

Role of DNS in Internet Threats

(including Botnet C&C)

Page 8: Role of DNS in Botnet Command and Control

DATA THEFT (IRC, P2P and 100s more)

•  Infected device “phones home”.
•  Hacker collects data via botnet controller or bot peers.
•  Without user interaction, confidential data leaked to p2p.botnet.cn.

Page 9: Role of DNS in Botnet Command and Control

Hackers Add Threat Mobility via DNS to Thwart Reactive Defenses

IP FLUX via DNS RECORDS: SAME QUERY, DIFFERENT RESPONSES

paypalz.com = 1.1.1.1
ad.malware.cn = 2.2.2.2
p2p.botnet.com = 3.3.3.3

paypalz.com = 1.1.1.2
ad.malware.cn = 2.2.2.3
p2p.botnet.com = 3.3.3.4

paypalz.com = 1.1.1.3
ad.malware.cn = 2.2.2.4
p2p.botnet.com = 3.3.3.5

DOUBLE IP FLUX via DNS RECORDS: SAME NAME SERVER, DIFFERENT RESPONSES

ns.botnet.com = 4.4.4.4
ns.botnet.com = 4.4.4.6
ns.botnet.com = 4.4.4.5

DOMAIN FLUX via DGA: DIFFERENT QUERIES, SAME RESPONSE

paypals.com = 1.1.1.1
paypalz.com = 1.1.1.1
paypall.com = 1.1.1.1

visitmalta.cn = 2.2.2.2
maltesefalcon.cn = 2.2.2.2
maltwhisky.cn = 2.2.2.2

kjasdfaasdf.com = 3.3.3.3
kjasdfsdfsaa.com = 3.3.3.3
ijiewfsfsjst.com = 3.3.3.3

Must Shut Down or Block All…
•  Content Servers.
•  Name Servers.
… via DNS Records.
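The defender's side of this slide, as an added example that is not from the deck: each flux pattern is a clustering question over what the resolver saw. The code takes constructed resolver observations that reuse the slide's illustrative names and addresses (plus one stable benign name, www.example.com on a TEST-NET address) and surfaces IP flux (one name, many short-TTL answers), double flux (a fluxing name whose name server itself fluxes) and domain flux (many names, one answer). The thresholds, the TTL cut-off and the NS record for botnet.com are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of resolver observations: (qname, rtype, rdata, ttl).
# Addresses follow the slide's illustration; none of this is real infrastructure.
OBSERVATIONS = [
    ("paypalz.com",      "A",  "1.1.1.1", 60),
    ("paypalz.com",      "A",  "1.1.1.2", 60),
    ("paypalz.com",      "A",  "1.1.1.3", 60),
    ("paypals.com",      "A",  "1.1.1.1", 60),
    ("paypall.com",      "A",  "1.1.1.1", 60),
    ("ad.malware.cn",    "A",  "2.2.2.2", 60),
    ("ad.malware.cn",    "A",  "2.2.2.3", 60),
    ("ad.malware.cn",    "A",  "2.2.2.4", 60),
    ("visitmalta.cn",    "A",  "2.2.2.2", 60),
    ("maltesefalcon.cn", "A",  "2.2.2.2", 60),
    ("maltwhisky.cn",    "A",  "2.2.2.2", 60),
    ("p2p.botnet.com",   "A",  "3.3.3.3", 60),
    ("p2p.botnet.com",   "A",  "3.3.3.4", 60),
    ("p2p.botnet.com",   "A",  "3.3.3.5", 60),
    ("kjasdfaasdf.com",  "A",  "3.3.3.3", 60),
    ("kjasdfsdfsaa.com", "A",  "3.3.3.3", 60),
    ("ijiewfsfsjst.com", "A",  "3.3.3.3", 60),
    ("botnet.com",       "NS", "ns.botnet.com", 3600),   # assumed delegation
    ("ns.botnet.com",    "A",  "4.4.4.4", 60),
    ("ns.botnet.com",    "A",  "4.4.4.6", 60),
    ("ns.botnet.com",    "A",  "4.4.4.5", 60),
    ("www.example.com",  "A",  "198.51.100.7", 86400),   # stable benign name
    ("www.example.com",  "A",  "198.51.100.7", 86400),
]


def ip_flux(observations, min_ips=3, max_ttl=300):
    """Same query, different responses: names whose A answers span at least
    min_ips distinct addresses, all with a TTL short enough to rotate quickly."""
    ips = defaultdict(set)
    long_ttl = set()
    for name, rtype, rdata, ttl in observations:
        if rtype != "A":
            continue
        ips[name].add(rdata)
        if ttl > max_ttl:
            long_ttl.add(name)
    return {n: sorted(s) for n, s in ips.items()
            if len(s) >= min_ips and n not in long_ttl}


def domain_flux(observations, min_names=3):
    """Different queries, same response: addresses shared by min_names or more names."""
    names = defaultdict(set)
    for name, rtype, rdata, _ in observations:
        if rtype == "A":
            names[rdata].add(name)
    return {ip: sorted(s) for ip, s in names.items() if len(s) >= min_names}


def authoritative_ns(observations, name):
    """Walk from the name up through its parents and return the first NS host seen."""
    ns = {n: rdata for n, rtype, rdata, _ in observations if rtype == "NS"}
    labels = name.split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in ns:
            return ns[zone]
    return None


def double_flux(observations, **kw):
    """Fluxing content name whose name server is itself a fluxing name."""
    fluxing = ip_flux(observations, **kw)
    result = {}
    for name in fluxing:
        ns_host = authoritative_ns(observations, name)
        if ns_host is not None and ns_host != name and ns_host in fluxing:
            result[name] = ns_host
    return result


if __name__ == "__main__":
    print("IP flux:", ip_flux(OBSERVATIONS))
    print("Domain flux:", domain_flux(OBSERVATIONS))
    print("Double flux:", double_flux(OBSERVATIONS))
```

The output makes the slide's closing point concrete: blocking 1.1.1.1 leaves paypalz.com reachable at 1.1.1.2, blocking paypalz.com leaves paypals.com pointing at the same content, and taking down ns.botnet.com at 4.4.4.4 leaves it answering from 4.4.4.5, so the response has to cover content servers and name servers together, by DNS record rather than by address.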

Page 10: Role of DNS in Botnet Command and Control

Hackers Distribute Botnet’s Architecture via DNS to Thwart Takedown

Page 11: Role of DNS in Botnet Command and Control

Hackers Distribute Botnet’s Architecture via DNS to Thwart Takedown (continued…)

Page 12: Role of DNS in Botnet Command and Control

An Infected Device within On-Premises Network is Just One Vector

Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies (build 1)

[Diagram labels: PROXY, ISP, FIREWALL, PROXY]

Page 13: Role of DNS in Botnet Command and Control

An Infected Device within On-Premises Network is Just One Vector

Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies (build 2)

[Diagram labels: PROXY, ISP, FIREWALL, PROXY]

Queries:
where is 01010.cnc.tld?
where is 00110.cnc.tld?
where is 11010.cnc.tld?

Page 14: Role of DNS in Botnet Command and Control

An Infected Device within On-Premises Network is Just One Vector

Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies (build 3)

[Diagram labels: PROXY, ISP, FIREWALL, PROXY]

Queries:
where is 01010.cnc.tld?
where is 00110.cnc.tld?
where is 11010.cnc.tld?

Page 15: Role of DNS in Botnet Command and Control

An Infected Device within On-Premises Network is Just One Vector

Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies (build 4)

[Diagram labels: PROXY, ISP, FIREWALL, PROXY]

Responses:
11010.cnc.tld is at 11011
11010.cnc.tld is at 11100
11010.cnc.tld is at 01110

Page 16: Role of DNS in Botnet Command and Control

An Infected Device within On-Premises Network is Just One Vector

Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies (build 5)

[Diagram labels: PROXY, ISP, FIREWALL, PROXY]

Responses:
11010.cnc.tld is at 11011
11010.cnc.tld is at 11100
11010.cnc.tld is at 01110

DNS TUNNELING
•  Bi-directional ~110kbps using TXT records.
•  1998 -- Concept published.
•  2004 -- Security community discussed.
•  2008 -- Security community created exploit.
•  2011 -- 1st documented botnet to exploit it.
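The detection-side complement to the five tunneling builds and the TXT-record timeline, added here and not part of the deck: a tunnel that encodes its payload into query names looks, at the resolver, like a zone receiving many distinct, long, high-entropy subdomains, with an unusual share of TXT lookups. The code aggregates those statistics per zone over a constructed query log (encoded-looking hex chunks under the slide's cnc.tld, alongside ordinary lookups of example.com and example.net) and flags zones that cross all thresholds. The zone split (last two labels, rather than a Public Suffix List) and the thresholds are assumptions of this example.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of the text; encoded data scores high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname: str):
    """Return (subdomain text, zone). Assumption for this example: the zone is the
    last two labels. Subdomain labels are concatenated so only payload is scored."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return "".join(labels[:-2]), ".".join(labels[-2:])


def profile_zones(queries):
    """Per-zone statistics from (qname, qtype) pairs as a resolver would log them."""
    agg = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                               "sub_len": 0, "entropy": 0.0, "txt": 0})
    for qname, qtype in queries:
        sub, zone = split_zone(qname)
        z = agg[zone]
        z["queries"] += 1
        z["subdomains"].add(sub)
        z["sub_len"] += len(sub)
        z["entropy"] += shannon_entropy(sub)
        z["txt"] += qtype == "TXT"
    stats = {}
    for zone, z in agg.items():
        n = z["queries"]
        stats[zone] = {
            "queries": n,
            "unique_subdomains": len(z["subdomains"]),
            "avg_sub_len": z["sub_len"] / n,
            "avg_entropy": z["entropy"] / n,
            "txt_ratio": z["txt"] / n,
        }
    return stats


def flag_tunnels(queries, min_unique=10, min_len=20, min_entropy=3.0, min_txt_ratio=0.5):
    """Zones whose query stream looks like an encoded channel: many distinct, long,
    high-entropy subdomains, mostly asking for TXT (the carrier the slide cites).
    Thresholds are assumptions; tune them against your own baseline."""
    flagged = []
    for zone, s in profile_zones(queries).items():
        if (s["unique_subdomains"] >= min_unique and s["avg_sub_len"] >= min_len
                and s["avg_entropy"] >= min_entropy and s["txt_ratio"] >= min_txt_ratio):
            flagged.append(zone)
    return sorted(flagged)


# Constructed sample: 12 encoded-looking uploads under the slide's cnc.tld plus
# ordinary traffic. The hex chunks are hash prefixes used only to resemble payload.
SAMPLE_QUERIES = [
    (hashlib.sha256(str(i).encode()).hexdigest()[:32] + ".cnc.tld", "TXT")
    for i in range(12)
] + [
    ("www.example.com", "A"), ("mail.example.com", "MX"), ("www.example.com", "AAAA"),
    ("cdn.example.net", "A"), ("example.net", "A"), ("static.example.net", "A"),
]


if __name__ == "__main__":
    for zone, s in profile_zones(SAMPLE_QUERIES).items():
        print(zone, s)
    print("flagged:", flag_tunnels(SAMPLE_QUERIES))
```

Because the channel is bi-directional, the same profiling applies to responses: TXT answers that are long and high-entropy for a zone no one else on the network resolves are the downstream half of the picture. Content-delivery and anti-spam zones legitimately produce long, odd-looking names, which is why the flag requires every signal at once rather than any one of them.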

Page 17: Role of DNS in Botnet Command and Control

If Hackers Have Evolved, So Should Your Defense-in-Depth Strategy!

After detection, you attempt to prevent 100%. There are a lot of vectors, so a lot of solutions.

After preventing as much as reasonable, since 100% is no longer realizable, you contain the rest.

PAST
•  Hackers seek fame & glory.
•  Malware disrupts your business.
•  Your highest costs are lost productivity & IT remediation time.

PRESENT & FUTURE
•  Cybercriminals seek fortune & politics.
•  Botnets penetrate your networks. And roaming & mobile devices enter your networks.
•  Your highest costs are leaked data & legal audit fees.

Page 18: Role of DNS in Botnet Command and Control

Role of DNS in Internet-Wide Security

Page 19: Role of DNS in Botnet Command and Control
Page 20: Role of DNS in Botnet Command and Control

Visualize Threats & Characterize Patterns in Big Data

Page 21: Role of DNS in Botnet Command and Control

Visualizing One Day’s Worth of Blocked Malware, Botnet, or Phishing Domain Requests

Page 22: Role of DNS in Botnet Command and Control
Page 23: Role of DNS in Botnet Command and Control

What’s Next for DNS-based Security?

•  More domain names to track.
»  Internet still exponentially growing.
»  ICANN received 2000+ applications for new TLDs (Top-Level Domains).
•  Bigger and more complex DNS packets.
»  DNS tunneling by botnets.
»  DKIM (DomainKeys Identified Mail).
»  AAAA records for IPv6 addresses.
•  More DNS traffic.
»  More persistent threats due to DIY (do-it-yourself) kits for cybercriminals.
»  Browsers predictively pre-caching DNS requests.

Page 24: Role of DNS in Botnet Command and Control

Thank You for Attending!

Continue the discussion:
•  Email: [email protected]
•  Twitter: @davidu