Multivariate Solutions to Passive DNS Challenges
Merike Kaeo
CTO, Farsight Security
merike@fsi.io
Agenda
• Typical Passive DNS Use
• Passive DNS Challenges
• Multivariate Solutions
• Understanding WHOIS and Geolocation
• Malicious Campaigns during Public Events
TYPICAL PASSIVE DNS USES
How Passive DNS Normally Works
• Start with a known/observed bad data point
  • Domain name
  • Name server
  • IP address / CIDR
  • ASN
• Use passive DNS to find other IPs or domain names that share the same resources
• Leverage reputation locality, but carefully review what you’ve found
UNIvariate Approaches
• Use a single point of commonality as a way to identify related domains
  • SAME exact IP?
  • SAME exact name server?
  • SAME exact domain name used over time (if you are interested in the set of IPs that a name has been using)
• Each relies on a single attribute, exactly matched
Simple pDNS Works Well When…
• Many related domains coexist on a single IP (or small CIDR block), with no innocent 3rd-party domains
• Many related domains use the same set of dedicated name servers, with no innocent 3rd-party domains
• The malicious user is apparently stubbornly fond of a favorite domain
PASSIVE DNS CHALLENGES
When Simple pDNS Does NOT Work
• ZERO interrelated data points, e.g. “lone wolf” domain names, IP addresses, name servers, etc.
• Too many related resources
• Malicious resources are commingled with innocent 3rd-party resources
Lone Wolf Scenario
The cybercriminal reuses NOTHING across sites
• Every IP address used to send SPAM or host content is totally unrelated to any other IPs the criminal uses
• Every domain name is registered using:
  • A diverse assortment of registrars, one or two at a time
  • Unique name servers (installed and operated on unique IPs)
  • Unique/fictitious (or concealed) POC details
  • Unique (or anonymous) payment details
Poorly Documented Resource Assignments
• Example #1: A provider fails to document IP reassignments/reallocations in IP WHOIS or rWHOIS, and an abuser repeatedly moves (or is moved) around a single large network block, or among multiple smaller blocks.
• Example #2: WHOIS POC details are concealed by a WHOIS proxy/privacy service
Overcoming Obfuscation
• Look for other characteristics that may not be obfuscated, or seek to strip away anonymity
• Examples
  • If name servers service a large number of domains, and thus are not a useful attribute to try to follow, look at the IP address(es) the bad domain is hosted on instead.
  • If a domain is demonstrably engaged in phishing or other clearly illegal behavior, some privacy/proxy protection services have terms of service which allow the provider to unilaterally strip privacy protections.
Overcoming Reverse Proxies
• With reverse proxies, everything seems to “live on the reverse proxy’s IP addresses”
• Carefully scrutinize non-A/non-AAAA DNS records that may be present (e.g. MX, TXT, etc.); mail and SPF data often still point at the origin host the proxy is hiding
• Reverse proxy operators are also potentially a terrific target for law enforcement
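The univariate pivots from the "UNIvariate Approaches" slide (same IP, same name server, one name's IP history) and the reverse-proxy advice above (look at MX and TXT records) in working form, as an added example that is not from the deck and not Farsight tooling. It runs over a constructed passive DNS sample shaped like DNSDB-style JSON lines; every name, address and the proxy IP set are assumptions, chosen so that the IP pivot returns an innocent 3rd-party name commingled with the bad ones while the name-server pivot does not.

```python
import json
from collections import defaultdict

# Constructed passive DNS sample shaped like DNSDB-style JSON lines
# (rrname/rrtype/rdata/time_first/time_last/count). Every name and
# address is a placeholder, not an observed record.
SAMPLE_PDNS = """
{"rrname": "bad-shop.example.", "rrtype": "A", "rdata": "192.0.2.44", "time_first": 1469000000, "time_last": 1469900000, "count": 60}
{"rrname": "bad-shop.example.", "rrtype": "A", "rdata": "198.51.100.10", "time_first": 1470000000, "time_last": 1470800000, "count": 120}
{"rrname": "bad-shop.example.", "rrtype": "NS", "rdata": "ns1.lonewolf-dns.example.", "time_first": 1470000000, "time_last": 1470800000, "count": 40}
{"rrname": "bad-shop.example.", "rrtype": "MX", "rdata": "10 mail.bad-shop.example.", "time_first": 1470000000, "time_last": 1470800000, "count": 8}
{"rrname": "bad-shop.example.", "rrtype": "TXT", "rdata": "\\"v=spf1 ip4:203.0.113.77 -all\\"", "time_first": 1470000000, "time_last": 1470800000, "count": 5}
{"rrname": "mail.bad-shop.example.", "rrtype": "A", "rdata": "203.0.113.77", "time_first": 1470000000, "time_last": 1470800000, "count": 12}
{"rrname": "other-bad.example.", "rrtype": "A", "rdata": "198.51.100.10", "time_first": 1470100000, "time_last": 1470800000, "count": 90}
{"rrname": "other-bad.example.", "rrtype": "NS", "rdata": "ns1.lonewolf-dns.example.", "time_first": 1470100000, "time_last": 1470800000, "count": 30}
{"rrname": "innocent-blog.example.", "rrtype": "A", "rdata": "198.51.100.10", "time_first": 1460000000, "time_last": 1470800000, "count": 5000}
{"rrname": "innocent-blog.example.", "rrtype": "NS", "rdata": "ns1.big-hoster.example.", "time_first": 1460000000, "time_last": 1470800000, "count": 900}
"""

# Assumed front-end address of a reverse proxy that many unrelated sites share.
PROXY_IPS = {"198.51.100.10"}


def load_records(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


RECORDS = load_records(SAMPLE_PDNS)


def names_sharing_rdata(records, rrtypes, value):
    """Univariate pivot: every rrname that has exactly `value` as rdata in one of `rrtypes`."""
    return sorted({r["rrname"] for r in records if r["rrtype"] in rrtypes and r["rdata"] == value})


def pivot_on_ip(records, ip):
    return names_sharing_rdata(records, {"A", "AAAA"}, ip)


def pivot_on_ns(records, ns):
    return names_sharing_rdata(records, {"NS"}, ns)


def ip_history(records, name):
    """Univariate pivot on the name itself: (time_first, time_last, ip), oldest first."""
    hist = [(r["time_first"], r["time_last"], r["rdata"])
            for r in records if r["rrname"] == name and r["rrtype"] in ("A", "AAAA")]
    return sorted(hist)


def origin_hints(records, name, proxy_ips):
    """Reverse-proxy case: the A records point at the proxy, so mine MX targets
    and SPF ip4:/ip6: tokens in TXT for addresses the proxy does not front."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r["rrname"]].append(r)
    hints = set()
    for r in by_name[name]:
        if r["rrtype"] == "MX":
            mx_host = r["rdata"].split()[-1]          # "10 mail.x." -> "mail.x."
            for mr in by_name[mx_host]:
                if mr["rrtype"] in ("A", "AAAA") and mr["rdata"] not in proxy_ips:
                    hints.add(mr["rdata"])
        elif r["rrtype"] == "TXT":
            for tok in r["rdata"].strip('"').split():
                if tok.startswith(("ip4:", "ip6:")):
                    addr = tok.split(":", 1)[1]
                    if addr not in proxy_ips:
                        hints.add(addr)
    return sorted(hints)


if __name__ == "__main__":
    print("same IP      :", pivot_on_ip(RECORDS, "198.51.100.10"))   # includes innocent-blog
    print("same NS      :", pivot_on_ns(RECORDS, "ns1.lonewolf-dns.example."))
    print("IP history   :", ip_history(RECORDS, "bad-shop.example."))
    print("origin hints :", origin_hints(RECORDS, "bad-shop.example.", PROXY_IPS))
```

The IP pivot is where "carefully review what you've found" applies: the shared address is the proxy, so the innocent blog comes back alongside the two bad names, while the dedicated name server isolates them. The MX and SPF data leak the origin host (203.0.113.77 in the constructed sample) that the proxy was meant to hide.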
Performance Marketing URLs
• Encoded URLs, unique to each specific recipient
• Because each URL is unique to each recipient, visiting the URL (typically to investigate the site being spamvertised) means:
  • Confirming you've opened the message and clicked through (establishing a potential argument that you've "opted in")
  • Possibly "using up" a URL coded for one-time use (try the same URL a 2nd or 3rd time? It may go nowhere)
• Forwarding "sanitized" spamples in complaints may yield URLs that simply don't work, or which work "misleadingly."
• Forwarding "raw" spamples in complaints "outs" your spam collection infrastructure and may result in "listwashing."
MULTIVARIATE SOLUTIONS
Points In An n-Dimensional Space
• In a multivariate approach we look at more than one measurement at the same time
• This allows “interactions” to be accounted for
  • x by itself? Okay
  • y by itself? Okay
  • x and y combined together? Does NOT work!
• NOT combining multiple attributes into a single score compared against a threshold (SpamAssassin style)
• NOT just successive application of independent univariate filters, either
A Simple Two-D Normal Distribution
(figure: sample points from a bivariate normal distribution; Wikipedia, File:Multivariate_normal_sample.svg)
The Data We Have
• Currently passive DNS captures data about three main types of DNS-related entities:
  • Names
  • IPs
  • Name servers
• None of that is beautiful continuous data
• If you attempt to visualize it, it will NOT look like the pretty graph on the preceding page
• Statistical options for nominal data are limited: you can do crosstabs, but (a) that's not very statistically "sexy," and (b) interpretation becomes hard as the table size increases
Augmenting Classic pDNS
• Combine passive DNS data with other non-DNS data to go “multivariate”
• Non-DNS data could be pre-existing data such as domain WHOIS or IP WHOIS data
• Collect new data to augment the passive DNS data set (where active scanning is allowed by law and by your network’s terms of service)
  • For example, fingerprint/scan hosts with NMAP or a similar scanning tool to see what patterns of ports (if any) are open on a range of IP addresses
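An added example (not from the deck) of what "going multivariate" on nominal data looks like once pDNS is joined with WHOIS and scan data: a crosstab over a constructed corpus of 12 domains whose registrar (from WHOIS), hosting ASN (from pDNS plus IP WHOIS) and open-port pattern (from an nmap-style scan) are all placeholders. Each attribute on its own is shared with innocent domains; the joint cell is shared only by the seed and its two siblings, and its observed count is compared with the count independence would predict. That ratio is the "interaction" the slides describe, and it is neither a summed score nor a chain of independent filters.

```python
from collections import Counter, defaultdict

# Constructed corpus: one attribute from domain WHOIS (registrar), one from
# passive DNS joined with IP WHOIS (hosting ASN) and one from a port scan.
# Domain names, registrars and ASNs are placeholders, not observations.
CORPUS = {
    "seed-bad.example": {"registrar": "regA", "asn": "AS100", "ports": (80, 443, 8443)},
    "bad-2.example":    {"registrar": "regA", "asn": "AS100", "ports": (80, 443, 8443)},
    "bad-3.example":    {"registrar": "regA", "asn": "AS100", "ports": (80, 443, 8443)},
    "inn-1.example":    {"registrar": "regA", "asn": "AS200", "ports": (80, 443)},
    "inn-2.example":    {"registrar": "regA", "asn": "AS300", "ports": (80, 443)},
    "inn-3.example":    {"registrar": "regB", "asn": "AS100", "ports": (22, 80)},
    "inn-4.example":    {"registrar": "regC", "asn": "AS100", "ports": (80, 443)},
    "inn-5.example":    {"registrar": "regB", "asn": "AS200", "ports": (80, 443, 8443)},
    "inn-6.example":    {"registrar": "regC", "asn": "AS300", "ports": (80, 443, 8443)},
    "inn-7.example":    {"registrar": "regB", "asn": "AS300", "ports": (25, 80)},
    "inn-8.example":    {"registrar": "regC", "asn": "AS200", "ports": (22,)},
    "inn-9.example":    {"registrar": "regA", "asn": "AS200", "ports": (80, 443, 8443)},
}
KEYS = ("registrar", "asn", "ports")
SEED = "seed-bad.example"


def univariate_pivot(corpus, key, seed):
    """One attribute, exactly matched: everything sharing the seed's value for `key`."""
    want = corpus[seed][key]
    return sorted(d for d, a in corpus.items() if a[key] == want)


def joint_pivot(corpus, keys, seed):
    """All attributes matched at once: everything in the seed's crosstab cell."""
    want = tuple(corpus[seed][k] for k in keys)
    return sorted(d for d, a in corpus.items() if tuple(a[k] for k in keys) == want)


def crosstab(corpus, keys):
    """Crosstab of nominal attributes. Each row: (cell, members, expected, lift),
    where expected is the cell count predicted if the attributes were independent
    (N * product of marginal proportions) and lift = observed / expected."""
    n = len(corpus)
    marginals = {k: Counter(a[k] for a in corpus.values()) for k in keys}
    cells = defaultdict(list)
    for d, a in corpus.items():
        cells[tuple(a[k] for k in keys)].append(d)
    rows = []
    for cell, members in cells.items():
        expected = float(n)
        for k, v in zip(keys, cell):
            expected *= marginals[k][v] / n
        rows.append((cell, sorted(members), expected, len(members) / expected))
    return sorted(rows, key=lambda row: -row[3])


def cluster_cells(corpus, keys, min_count=2, min_lift=2.0):
    """Seedless view: cells that repeat AND co-occur well above chance."""
    return [row for row in crosstab(corpus, keys)
            if len(row[1]) >= min_count and row[3] >= min_lift]


if __name__ == "__main__":
    for k in KEYS:
        print(f"same {k:9}: {univariate_pivot(CORPUS, k, SEED)}")
    print("joint cell     :", joint_pivot(CORPUS, KEYS, SEED))
    for cell, members, expected, lift in cluster_cells(CORPUS, KEYS):
        print(f"cluster {cell}: {members} observed={len(members)} expected={expected:.2f} lift={lift:.1f}")
```

On the constructed corpus every single-attribute pivot returns five or six domains, most of them innocent, so a univariate rule on any one of them would be noisy. The seed's joint cell holds three domains against an expectation of 1.25 under independence; no other cell has more than one member, which is why only that cell survives `cluster_cells`. Interpretation gets harder as the table grows, exactly as the slide warns, so in practice you keep the attribute list short and look only at the high-lift cells.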
UNDERSTANDING WHOIS and GEOLOCATION
Registering a Domain Name - WHOIS
• Create a new domain name
  • Specify the domain you want to register
  • Provide (supposedly accurate) point of contact (POC) details
  • Decide if you want to have those POC details “unlisted” through use of a privacy/proxy registration service
  • Define the authoritative name servers that know how to map your domains to the IP address(es) of your server
  • Pay an annual fee to the registrar
• POC information and related details about most domains get added to an online database - WHOIS
WHOIS and Real World Identities
• Clues to registrant “real world” identity in WHOIS
  • Their name (but the claimed name may be bogus, or someone else’s name used without authorization)
  • A street address (can be a 3rd-party mail drop, incomplete, fictitious, etc.)
  • A phone number (may be a prepaid “burner” phone)
  • An email address (may be throwaway and only used once)
• If you have the ability to get a court order
  • Their credit card number (may be stolen or prepaid, or the domain may have been paid for using Bitcoin)
  • An IP address from which they placed their order, etc.
Proxy/Privacy Services
• Proxy/privacy protection may be free (bundled with a domain’s registration), or offered as an extra-cost service
• Proxy/privacy services allow registrants to conceal their contact details from public display
• Even if used, LEOs can still seek a court order to strip a domain’s proxy/privacy status or to directly obtain the underlying details (but this can be a pain, and the underlying details may still be bogus or require additional deobfuscation) [/2015/07/how-to-register-a-gtld-domain-name-without-disclosing-personal-data.html]
• Some proxy/privacy service providers may have TOS which allow them to unilaterally remove protections for a domain (if a domain is obviously being misused, e.g. for phishing or SPAM)
Geo-Location Services
• IP addresses may have an associated geolocation (from IP WHOIS)
• IP addresses may ALSO have an associated geolocation from a GeoIP database
• Domains may have an associated geolocation (from the registrant details in domain WHOIS)
• Domain names may also carry an implied geolocation through use of a country code TLD
• Inconsistencies between these sources may be innocent or a sign of something worth scrutiny
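A check that lines the four sources up side by side and reports which of them disagree, as an added example that is not from the deck. The lookup tables are constructed stand-ins for IP WHOIS, a GeoIP database, domain WHOIS and a ccTLD-to-country map; the domain names are placeholders and the addresses are documentation ranges. A missing source (gTLD, so no ccTLD country; privacy/proxy-protected registrant) is reported separately rather than counted as a mismatch, because absence is common and innocent on its own.

```python
# Constructed lookup tables standing in for four independent geolocation sources.
# Domain names are placeholders; addresses are RFC 5737 documentation ranges.
IP_WHOIS_COUNTRY = {"203.0.113.5": "DE", "198.51.100.9": "US"}
GEOIP_COUNTRY = {"203.0.113.5": "DE", "198.51.100.9": "NL"}
# None models a privacy/proxy-protected or unpublished registrant country.
DOMAIN_WHOIS_COUNTRY = {
    "olympic-shop-sample.de": "DE",
    "olympic-tickets-sample.ru": None,
    "olympicsgames-sample.club": "BR",
}
CCTLD_COUNTRY = {"de": "DE", "ru": "RU", "nl": "NL", "br": "BR", "uk": "GB"}

SOURCES = ("ip_whois", "geoip", "domain_whois", "cctld")


def cctld_country(domain):
    """Country implied by the TLD; None for gTLDs such as .com or .club."""
    tld = domain.rstrip(".").rsplit(".", 1)[-1].lower()
    return CCTLD_COUNTRY.get(tld)


def geo_profile(domain, ip):
    """One country code per source, None where that source has nothing to say."""
    return {
        "ip_whois": IP_WHOIS_COUNTRY.get(ip),
        "geoip": GEOIP_COUNTRY.get(ip),
        "domain_whois": DOMAIN_WHOIS_COUNTRY.get(domain),
        "cctld": cctld_country(domain),
    }


def inconsistencies(profile):
    """Pairs of available sources that disagree, in SOURCES order."""
    known = {s: c for s, c in profile.items() if c}
    names = [s for s in SOURCES if s in known]
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if known[a] != known[b]]


def missing_sources(profile):
    return [s for s in SOURCES if not profile.get(s)]


def review(domain, ip):
    """What an analyst would look at before deciding innocent vs. worth scrutiny."""
    p = geo_profile(domain, ip)
    return {"profile": p, "mismatches": inconsistencies(p), "missing": missing_sources(p)}


if __name__ == "__main__":
    for d, ip in [("olympic-shop-sample.de", "203.0.113.5"),
                  ("olympic-tickets-sample.ru", "198.51.100.9"),
                  ("olympicsgames-sample.club", "203.0.113.5")]:
        print(d, ip, review(d, ip))
```

The second constructed case is the one the slides warn about twice over: IP WHOIS and GeoIP disagree about the same address (a poorly documented reassignment looks exactly like this), the registrant country is hidden behind a proxy, and the ccTLD matches neither hosting answer. None of that proves abuse; it marks the domain as one to look at by hand.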
ccTLDs
• ICANN administers global top-level domains (gTLDs) such as .com, .net, .org, .biz, .info, etc. ICANN requires WHOIS service (although it permits privacy/proxy registrations)
• Country code TLDs (ccTLDs) are run according to their own rules. Some of them have policies which limit public access to the WHOIS data for any/all of their domains [*IF* the WHOIS information actually exists]
  • WHOIS information may only be available and usable by registered users
  • Some WHOIS information may be displayed in graphical format to hinder automated “scraping”/cut-n-pasting of WHOIS data
  • WHOIS access may be strictly rate limited, with access slowed or blocked altogether after just a handful of domains are checked from the same IP address
MALICIOUS CAMPAIGNS DURING PUBLIC EVENTS
Getting ‘Simple’ pDNS Data
Read up to 5,000,000 passive DNS messages from SIE channel ch208 with nmsgtool, keep the rrname field (dropping its trailing dot), and keep only names containing "olym" while discarding "polymer" hits:
$ nmsgtool -C ch208 -c 5000000 | grep rrname | awk '{print $2}' | sed 's/.$//' | grep "olym" | grep -v "polymer" > olymp.txt
Reverse the labels (TLD first) so related names sort together, then count how often each name was seen:
$ reverse-domain-names < olymp.txt | sort | uniq -c | sort -nr > temp-olym.txt
Sample of the resulting names (counts omitted):
com.rio-2016-olympics-live.www
com.nbcolympics
ru.club-olymp
ernet-olympiade
com.olympicbiofeedback
com.olympianeagleathletics
za.co.olympicpaints
.top-olympia
ru.winterolympics2014
ru.winterolympic-2014
ru.cityolympic
hu.olympingaruhaz
edu.tjhsst.olympus
de.mathematik-olympiaden
net.freakolympics.www
com.olympusrugby
com.olympusdl
com.olymposgozleme
com.franceolympique.cotedor
com.dealsaver.olympia
com.catsummerolympics
.olympicssports
Newly Observed Domain Names (NOD)
• Most new domains (<24 hours) are nefarious
  • 60% of SPAM studied used a header or envelope domain <24 hours old
• Most new domains don’t yet have a reputation
• NOD as streams (newly active vs. newly observed)
• NOD as feeds (RPZ - DNS firewall; RHSBL - SpamAssassin)
• Various intervals available (5m, 10m, 30m, 1hr, 6hr, 12hr, 24hr)
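How a NOD feed is produced and consumed, as an added example that is not from the deck and not Farsight's feed implementation: take the first-seen time that passive DNS records for each name, select the names first observed inside one of the listed intervals, emit them as an RPZ zone a DNS firewall can load (CNAME . gives NXDOMAIN for the name and its subdomains), and check the header and envelope domains of a message against that set, which is the 60%-of-spam test in code. The first-seen timestamps, the evaluation time and the message are all constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed first-seen times, the way passive DNS reports time_first for a
# name. The names are placeholders, not the deck's observations.
FIRST_SEEN = {
    "rio-olympics-tickets-now.example": "2016-08-10T22:15:00Z",
    "watch-olympics16-live.example": "2016-08-11T03:40:00Z",
    "olympic-results.example": "2016-08-01T09:00:00Z",
    "nbcolympics.example": "2012-05-01T00:00:00Z",
}
# The intervals the slide lists, in seconds.
INTERVALS = {"5m": 300, "10m": 600, "30m": 1800, "1hr": 3600,
             "6hr": 21600, "12hr": 43200, "24hr": 86400}
# Constructed evaluation time.
AS_OF = datetime(2016, 8, 11, 12, 0, tzinfo=timezone.utc)

# Constructed message; Return-Path stands in for the envelope sender.
SAMPLE_MAIL = """Return-Path: <bounce@rio-olympics-tickets-now.example>
From: "Ticket Desk" <sales@olympic-results.example>
Subject: Last call for Rio tickets
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def newly_observed(first_seen, as_of, interval="24hr"):
    """Names whose first observation falls inside the interval ending at as_of."""
    cutoff = as_of - timedelta(seconds=INTERVALS[interval])
    return sorted(n for n, ts in first_seen.items() if cutoff <= parse_ts(ts) <= as_of)


def rpz_zone(names, serial, ttl=300, policy="CNAME ."):
    """Minimal RPZ zone text. 'CNAME .' is the NXDOMAIN action; the wildcard
    line covers subdomains of each newly observed name."""
    lines = [f"$TTL {ttl}",
             f"@ IN SOA localhost. root.localhost. {serial} 3600 900 604800 {ttl}",
             "  IN NS localhost."]
    for n in names:
        lines.append(f"{n} {policy}")
        lines.append(f"*.{n} {policy}")
    return "\n".join(lines) + "\n"


def sender_domains(raw_message):
    """Domains of the header From: and the envelope (Return-Path:) sender."""
    doms = []
    for line in raw_message.splitlines():
        if line.startswith(("From:", "Return-Path:")):
            m = re.search(r"@([A-Za-z0-9.-]+)", line)
            if m:
                doms.append(m.group(1).lower())
    return doms


def classify_message(raw_message, nod_names):
    """RHSBL-style check: which sender domains are newly observed?"""
    return {d: d in nod_names for d in sender_domains(raw_message)}


if __name__ == "__main__":
    nod = newly_observed(FIRST_SEEN, AS_OF, "24hr")
    print(rpz_zone(nod, serial="2016081101"))
    print(classify_message(SAMPLE_MAIL, set(nod)))
```

Shorter intervals trade coverage for freshness: at the constructed evaluation time the 24-hour window contains two names and the 12-hour window only one, so a resolver loading the 5-minute feed must reload it continuously to keep the 60% figure on its side. The message check flags the envelope domain but not the From: domain, which is why the slide counts either header or envelope.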
NOD (Aug 10-11, 2016)
• 1363288-irish-executive-arrested-in-rio-olympics-ticket-raid[dot]page
• derelict-and-deserted-the-ghost-of-former-olympic-sites[dot]page
• helen-skelton-strictly-come-dancing-olympics-bbc[dot]page
• olympic-council-of-ireland-employee-arrested-in-ticket-raid[dot]page
• olympic-diving-pool-turns-green-and-baffles-competitors[dot]page
• olympic-rio-gang-steal-dog-pet[dot]page
• Olympicsgames[dot]club
• rio-2016-diving-pool-green-olympics-tom-daley[dot]page
• rio-olympics-gymnast-breaks-leg-video[dot]page
• Rio2016olympics[dot]today
• rio-olympics2016[dot]online
• Rioolympics2016[dot]today
• Rioolympicsgame[dot]club
• Rioolympics[dot]solutions
• Rioolympics[dot]space
• Rioolympics[dot]tech
• Riosportsolympics[dot]online
• Olympicsrio2016[dot]online
• Olympicsrio2016[dot]today
• Watchbrazilolympics[dot]online
• watch-olympics16-livesnow[dot]ga
• Watchtheolympics[dot]online
• Winterolympics2018[dot]xyz
• Winterolympics[dot]press
NOD (Aug 10-11, 2016), continued
• Dolympic[dot]de
• Esportolympics[dot]nl
• Esportsolympics[dot]nl
• Jordan72016olympic[dot]cc
• Olympicamsterdam[dot]nl
• Olympicbikes[dot]nl
• Olympiccasino[dot]nl
• Olympicconsultants[dot]nl
• Olympiccrowdfunding[dot]de
• Olympiccrowdfunding[dot]nl
• Olympicentertainment[dot]nl
• Olympicgamesnews[dot]de
•Olympichub[dot]nl
•Olympicit[dot]nl
•olympic-klasse[dot]de
•olympic-land[dot]de
•olympic-land[dot]nl
•Olympicland[dot]nl
•Olympicnews[dot]io
•Olympicoffers[dot]de
•olympic-parc[dot]de
•olympic-parc[dot]nl
•Olympicpetfood[dot]nl
•olympic-travel[dot]de
•Olympicycles[dot]nl
•Radiolympic[dot]nl
•Radiolympics[dot]nl
•Sociolympic[dot]nl
•Sociolympics[dot]nl
•Specialolympics2017[dot]nl
•Theolympic[dot]nl
•Theolympicstandard[dot]biz
•Usolympicsnews[dot]com
•Vrolympics[dot]cn
•Winterolympic2018[dot]net
Example 1: WHOIS and GeoIP
Queries from: (screenshot; output not reproduced in the extracted text)
Example 2: WHOIS and GeoIP
merike@pDNS:~$ domain (terminal screenshot; the rest of the command and its output are not reproduced in the extracted text)