Merike Kaeo - Multivariate Solutions to Passive DNS Challenges - Threat Intelligence Technology and Trends Forum (威脅情報技術與趨勢論壇)

Multivariate Solutions to Passive DNS Challenges

Merike Kaeo
CTO, Farsight Security
merike@fsi.io

Agenda

• Typical Passive DNS Use
• Passive DNS Challenges
• Multivariate Solutions
• Understanding WHOIS and Geolocation
• Malicious Campaigns during Public Events

TYPICAL PASSIVE DNS USES

How Passive DNS Normally Works

• Start with a known/observed bad data point
  • Domain name
  • Nameserver
  • IP address / CIDR
  • ASN
• Use Passive DNS to find other IPs or domain names that share the same resources
• Leverage reputation locality, but carefully review what you've found

UNIvariate Approaches

• Use a single point of commonality as a way to identify related domains
  • SAME exact IP?
  • SAME exact nameserver?
  • SAME exact domain name used over time (if you are interested in the set of IPs that a name has been using)
• Each relies on a single attribute, exactly matched

Simple pDNS Works Well When...

• Many related domains coexist on a single IP (or small CIDR block), with no innocent 3rd-party domains
• Many related domains use the same set of dedicated nameservers, with no innocent 3rd-party domains
• The malicious user is apparently stubbornly fond of a favorite domain

PASSIVE DNS CHALLENGES

When Simple pDNS Does NOT Work

• ZERO interrelated data points, e.g. "lone wolf" domain names, IP addresses, nameservers, etc.
• Too many related resources
• Malicious resources are commingled with innocent 3rd-party resources

Lone Wolf Scenario

The cybercriminal reuses NOTHING across sites

• Every IP address used to send SPAM or host content is totally unrelated to any other IPs the criminal uses
• Every domain name is registered using:
  • A diverse assortment of registrars, one or two at a time
  • Unique nameservers (installed and operated on unique IPs)
  • Unique/fictitious (or concealed) POC details
  • Unique (or anonymous) payment details

Poorly Documented Resource Assignments

• Example #1: Provider fails to document IP reassignments/reallocations in IP WHOIS or rWHOIS, and an abuser repeatedly moves (or is moved) around a single large network block, or among multiple smaller blocks.
• Example #2: WHOIS POC details are concealed by a WHOIS proxy/privacy service

Overcoming Obfuscation

• Look for other characteristics that may not be obfuscated, or seek to strip away anonymity
• Examples
  • If nameservers service a large number of domains, and thus are not a useful attribute to try to follow, look at the IP address(es) the bad domain is hosted on, instead.
  • If a domain is demonstrably engaged in phishing or other clearly illegal behavior, some privacy/proxy protection services have terms of service which allow the provider to unilaterally strip privacy protections.

Overcoming Reverse Proxies

• With reverse proxies, everything seems to "live on the reverse proxy's IP addresses", so an A-record pivot returns every tenant of the proxy, innocent or not
• Carefully scrutinize non-A/non-AAAA DNS records that may be present (e.g. MX, TXT, etc.): they often still point at infrastructure the operator controls
• Reverse proxy operators are also potentially a terrific target for law enforcement
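The pivots described under "How Passive DNS Normally Works" and the reverse-proxy caveat above, as an added example in Python (not part of the original deck and not Farsight's code). The records, the domain names and the proxy address block 203.0.113.0/24 are all constructed for the example; real pDNS answers also carry first-seen/last-seen timestamps and counts, which are omitted here. fanout() is the check a practitioner runs before pivoting: an attribute shared by a large number of names (a busy nameserver, a proxy address) is not worth following, which is the point made under "Overcoming Obfuscation".

```python
"""Passive-DNS pivots on a constructed record set, including the reverse-proxy case.

Added example for this deck; it is not Farsight's or the author's code.
Records are (rrname, rrtype, rdata) tuples: a constructed sample, not real pDNS output.
"""
import ipaddress
from collections import defaultdict

# Constructed sample. bad-1/bad-2 and innocent.example all sit behind the same
# reverse-proxy address, so an A-record pivot lumps them together; their MX and
# NS records still point at infrastructure the operator actually controls.
PDNS = [
    ("bad-1.example", "A", "203.0.113.10"),
    ("bad-2.example", "A", "203.0.113.10"),
    ("innocent.example", "A", "203.0.113.10"),
    ("bad-1.example", "MX", "mail.bad-origin.example."),
    ("bad-2.example", "MX", "mail.bad-origin.example."),
    ("innocent.example", "MX", "mail.innocent.example."),
    ("bad-1.example", "NS", "ns1.bad-origin.example."),
    ("bad-2.example", "NS", "ns1.bad-origin.example."),
    ("innocent.example", "NS", "ns1.bigdns.example."),
    ("mail.bad-origin.example", "A", "198.51.100.7"),
    ("old-bad.example", "A", "198.51.100.7"),
]

# Assumption for the example: the reverse proxy's announced address block.
PROXY_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def is_proxy_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_NETS)


def fanout(records, rrtype):
    """Distinct names per rdata value: high fan-out means the attribute is a weak pivot."""
    names = defaultdict(set)
    for n, t, r in records:
        if t == rrtype:
            names[r].add(n)
    return {r: len(ns) for r, ns in names.items()}


def ips_for_domain(records, name):
    """Univariate pivot: every A/AAAA the name has resolved to."""
    return sorted({r for n, t, r in records if n == name and t in ("A", "AAAA")})


def domains_on_ip(records, ip):
    """Univariate pivot: every name that has resolved to exactly this IP."""
    return sorted({n for n, t, r in records if t in ("A", "AAAA") and r == ip})


def domains_sharing(records, seed, rrtype):
    """Pivot on a non-address record type (NS, MX, ...) whose rdata the seed also has."""
    targets = {r for n, t, r in records if n == seed and t == rrtype}
    return sorted({n for n, t, r in records if t == rrtype and r in targets} - {seed})


def related(records, seed):
    """Names related to the seed, refusing to pivot on addresses inside a reverse proxy."""
    out = defaultdict(set)
    for ip in ips_for_domain(records, seed):
        if is_proxy_ip(ip):
            out["skipped_proxy_ip"].add(ip)  # pivoting here would drag in innocent tenants
            continue
        out["same_ip"].update(domains_on_ip(records, ip))
    for rrtype in ("MX", "NS"):
        out["same_" + rrtype.lower()].update(domains_sharing(records, seed, rrtype))
    # Follow the MX target to its own address and pivot there instead of on the proxy.
    for mx in {r for n, t, r in records if n == seed and t == "MX"}:
        for ip in ips_for_domain(records, mx.rstrip(".")):
            out["same_ip_via_mx"].update(domains_on_ip(records, ip))
    return {k: sorted(v - {seed}) for k, v in out.items()}


if __name__ == "__main__":
    print("fan-out of A rdata:", fanout(PDNS, "A"))
    print("naive A pivot:", domains_on_ip(PDNS, "203.0.113.10"))
    print("proxy-aware:", related(PDNS, "bad-1.example"))
```

The naive pivot on 203.0.113.10 returns innocent.example alongside the two bad names; the proxy-aware version skips that address, pivots on the shared MX and NS instead, and by following the MX target's own A record reaches old-bad.example, which never touched the proxy at all.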

Performance Marketing URLs

• Encoded URLs, unique to each specific recipient
• Because each URL is unique to each recipient, visiting the URL (typically to investigate the site being spamvertised) means:
  • Confirming you've opened the message and clicked through (establishing a potential argument that you've "opted in")
  • May result in you "using up" a URL coded for one-time use (try the same URL a 2nd or 3rd time? It may go nowhere)
• Forwarding "sanitized" spamples in complaints may yield URLs that simply don't work, or which work "misleadingly."
• Forwarding "raw" spamples in complaints "outs" your spam collection infrastructure and may result in "listwashing."

MULTIVARIATE SOLUTIONS

Points in an n-Dimensional Space

• In a multivariate approach we look at more than one measurement at the same time
• This allows "interactions" to be accounted for
  • x by itself → okay
  • y by itself → okay
  • x and y combined together → does NOT work!
• NOT combining multiple attributes into a single score, compared against a threshold (SpamAssassin style)
• NOT just successive application of independent univariate filters, either

A Simple Two-D Normal Distribution

[Figure: scatter of a sample drawn from a bivariate normal distribution; image source: /wiki/File:Multivariate_normal_sample.svg]

The Data We Have

• Currently passive DNS captures data about three main types of DNS-related entities:
  • Names
  • IPs
  • Name servers
• None of that is beautiful continuous data
• If you attempt to visualize it, it will NOT look like the pretty graph on the preceding page

Statistical options for nominal data are limited: you can do crosstabs, but (a) that's not very statistically "sexy," and (b) interpretation becomes hard as the table size increases

Augmenting Classic pDNS

• Combine passive DNS data with other non-DNS data to go "multivariate"
• Non-DNS data could be pre-existing data such as domain WHOIS or IP WHOIS data
• Collect new data to augment the passive DNS dataset (where active scanning is allowed by law and by your network terms of service)
  • For example, fingerprint/scan hosts with NMAP or a similar scanning tool to see what patterns of ports (if any) are open on a range of IP addresses
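One way to do the join this slide describes, as an added example (not the author's or Farsight's code): passive DNS supplies the nameserver and address for each domain, a domain-WHOIS extract supplies the registrar, and a port sweep of the address range (only where scanning is permitted) supplies the open-port pattern. All three inputs, the registrar names, the domains and the port patterns are constructed. It makes the point from "Points in an n-Dimensional Space": the registrar alone and the nameserver alone each return a crowd that includes innocent domains, the port pattern alone also catches an innocent development host, while the full attribute combination isolates the campaign cluster. crosstab() is the nominal-data tool mentioned above; its cell count grows with the product of attribute cardinalities, which is why it becomes hard to read as the table grows.

```python
"""Joining pDNS with WHOIS and port-scan data, then looking at attribute combinations.

Added example, not the author's or Farsight's code. All three inputs are constructed.
"""
from collections import Counter, defaultdict

# Constructed ground truth used only to build the three "sources" below:
# (domain, registrar, nameserver, address, open ports). The last four rows are the
# hypothetical campaign; everything else is an innocent tenant.
_DOMAINS = [
    ("shop1.example", "RegA", "ns1.bigdns.example.", "192.0.2.11", (80, 443)),
    ("blog2.example", "RegA", "ns1.otherdns.example.", "192.0.2.12", (80, 443)),
    ("news3.example", "RegB", "ns1.bigdns.example.", "192.0.2.13", (22, 80, 443)),
    ("cafe4.example", "RegB", "ns1.otherdns.example.", "192.0.2.14", (80, 443)),
    ("club5.example", "RegA", "ns1.otherdns.example.", "192.0.2.15", (80, 443)),
    ("gym6.example", "RegB", "ns1.bigdns.example.", "192.0.2.16", (80, 443)),
    ("forum7.example", "RegC", "ns1.bigdns.example.", "192.0.2.17", (443,)),
    ("wiki8.example", "RegC", "ns1.otherdns.example.", "192.0.2.18", (80, 443)),
    ("dev9.example", "RegB", "ns1.otherdns.example.", "192.0.2.19", (80, 8080)),
    ("rio-tickets-2016.example", "RegA", "ns1.bigdns.example.", "198.51.100.21", (80, 8080)),
    ("watch-olympics-live.example", "RegA", "ns1.bigdns.example.", "198.51.100.22", (80, 8080)),
    ("olympics-stream-free.example", "RegA", "ns1.bigdns.example.", "198.51.100.23", (80, 8080)),
    ("free-rio-pass.example", "RegA", "ns1.bigdns.example.", "198.51.100.24", (80, 8080)),
]

# Source 1, constructed pDNS: (rrname, rrtype, rdata).
PDNS = [(n, "A", ip) for n, _, _, ip, _ in _DOMAINS] + [(n, "NS", ns) for n, _, ns, _, _ in _DOMAINS]
# Source 2, constructed domain-WHOIS extract: registrar of record.
WHOIS = {n: {"registrar": reg} for n, reg, _, _, _ in _DOMAINS}
# Source 3, constructed port fingerprints per address (what a permitted nmap sweep might return).
SCAN = {ip: ports for _, _, _, ip, ports in _DOMAINS}


def join_features(pdns, whois, scan):
    """One attribute tuple per domain: (registrar, nameserver, open-port pattern)."""
    ns, ips = defaultdict(set), defaultdict(set)
    for name, rrtype, rdata in pdns:
        (ns if rrtype == "NS" else ips)[name].add(rdata)
    rows = {}
    for name, w in whois.items():
        ports = set()
        for ip in ips.get(name, ()):
            ports.update(scan.get(ip, ()))  # unscanned addresses contribute nothing
        rows[name] = (w["registrar"], min(ns[name]) if ns[name] else None, tuple(sorted(ports)))
    return rows


def marginal(rows, index, value):
    """Univariate pivot: domains matching one attribute alone."""
    return sorted(d for d, attrs in rows.items() if attrs[index] == value)


def crosstab(rows, i, j):
    """Two-way crosstab of nominal attributes i and j: count per (value_i, value_j) cell."""
    return Counter((attrs[i], attrs[j]) for attrs in rows.values())


def clusters(rows, min_size=3):
    """Domains grouped by their full attribute tuple; keep combinations shared by >= min_size domains."""
    groups = defaultdict(list)
    for d, attrs in rows.items():
        groups[attrs].append(d)
    return {attrs: sorted(ds) for attrs, ds in groups.items() if len(ds) >= min_size}


if __name__ == "__main__":
    rows = join_features(PDNS, WHOIS, SCAN)
    print("registrar RegA alone:", marginal(rows, 0, "RegA"))
    print("ns1.bigdns alone:", marginal(rows, 1, "ns1.bigdns.example."))
    print("ports (80, 8080) alone:", marginal(rows, 2, (80, 8080)))
    print("registrar x nameserver:", crosstab(rows, 0, 1))
    print("tight combinations:", clusters(rows))
```

With this data the registrar pivot returns seven domains, the nameserver pivot eight, the port pattern five, and the (registrar, nameserver, port pattern) cluster exactly the four campaign names. Note that no single attribute was chosen as a filter in advance; the cluster is read off the joint distribution, which is the difference from stacking independent univariate filters.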

UNDERSTANDING WHOIS AND GEOLOCATION

Registering a Domain Name - WHOIS

• Create a new domain name
  • Specify the domain you want to register
  • Provide (supposedly accurate) point of contact (POC) details
  • Decide if you want to have those POC details "unlisted" through use of a privacy/proxy registration service
  • Define the authoritative nameservers that know how to map your domains to the IP address(es) of your server
  • Pay an annual fee to the registrar
• POC information and related details about most domains get added to an online database - WHOIS

WHOIS and Real World Identities

• Clues to registrant "real world" identity in WHOIS
  • Their name (but the claimed name may be bogus, or someone else's name used without authorization)
  • A street address (can be a 3rd-party mail drop, incomplete, fictitious, etc.)
  • A phone number (may be a prepaid "burner" phone)
  • An email address (may be throwaway and only used once)
• If you have the ability to get a court order
  • Their credit card number (may be stolen or prepaid, or the domain may have been paid for using Bitcoin)
  • An IP address from which they placed their order, etc.

Proxy/Privacy Services

• Proxy/privacy protection may be free (bundled with a domain's registration), or offered as an extra-cost service
• Proxy/privacy services allow registrants to conceal their contact details from public display
• Even if used, LEOs can still seek a court order to strip a domain's proxy/privacy status or to directly obtain underlying details (but this can be a pain, and underlying details may still be bogus or require additional deobfuscation) [/2015/07/how-to-register-a-gtld-domain-name-without-disclosing-personal-data.html]
• Some proxy/privacy service providers may have TOS which allow them to unilaterally remove protections for a domain (if a domain is obviously being misused, e.g. for phishing or SPAM)

Geo-Location Services

• IP addresses may have an associated geolocation (from IP WHOIS)
• IP addresses may ALSO have an associated geolocation from a GeoIP database
• Domains may have an associated geolocation (from domain WHOIS)
• Domains may have an associated geolocation due to use of a country code TLD

Inconsistencies among these sources may be innocent or a sign of something worth scrutiny

ccTLDs

• ICANN administers generic top-level domains (gTLDs) such as .com, .net, .org, .biz, .info, etc. ICANN requires WHOIS service (although it permits privacy/proxy registrations)
• Country code TLDs (ccTLDs) are run according to their own rules. Some of them have policies which limit public access to the WHOIS data for any/all of their domains [*IF* the WHOIS information actually exists]
  • WHOIS information may only be available and usable by registered users
  • Some WHOIS information may be displayed in graphical format to hinder automated "scraping"/cut-n-pasting of WHOIS data
  • WHOIS access may be strictly rate-limited, with access slowed or blocked altogether after just a handful of domains are checked from the same IP address

MALICIOUS CAMPAIGNS DURING PUBLIC EVENTS

Getting 'Simple' pDNS Data

# Read 5,000,000 messages from channel ch208 with nmsgtool, keep only the
# "rrname: <name>." lines, take the name, drop its trailing dot, and keep names
# containing "olym" (dropping the "polymer" false matches that "olym" also hits)
$ nmsgtool -C ch208 -c 5000000 | grep rrname | awk '{print $2}' | sed 's/.$//' | grep "olym" | grep -v "polymer" > olymp.txt

# Reverse each name's labels (www.example.com becomes com.example.www) so names
# under the same zone sort together, then count occurrences, most frequent first
$ reverse-domain-names < olymp.txt | sort | uniq -c | sort -nr > temp-olym.txt

Sample output (label-reversed names):

com.rio-2016-olympics-live.www
com.nbcolympics
ru.club-olymp
ernet-olympiade
com.olympicbiofeedback
com.olympianeagleathletics
za.co.olympicpaints
.top-olympia
ru.winterolympics2014
ru.winterolympic-2014
ru.cityolympic
hu.olympingaruhaz
edu.tjhsst.olympus
de.mathematik-olympiaden
net.freakolympics.www
com.olympusrugby
com.olympusdl
com.olymposgozleme
com.franceolympique.cotedor
com.dealsaver.olympia
com.catsummerolympics
.olympicssports
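A Python rendering of the same pipeline, as an added example rather than Farsight's tooling: it pulls the rrname lines out of a constructed approximation of nmsgtool's text output, applies the "olym"/"polymer" filters, reverses the labels the way reverse-domain-names does, and counts. The extra by_zone() step shows why reversing helps: names under one zone share a prefix and can be collapsed. It takes a fixed number of labels, so multi-label public suffixes such as co.za collapse wrongly to "za.co"; real use needs a public-suffix list there. The sample mixes names from the slide with constructed ones.

```python
"""Python equivalent of: nmsgtool | grep rrname | awk | sed | reverse-domain-names | sort | uniq -c.

Added example, not Farsight's tooling. SAMPLE is a constructed approximation of
nmsgtool's text output; only the "rrname: <name>." lines matter here.
"""
import re
from collections import Counter

# Constructed input: a few nmsgtool-style lines. Names other than those on the
# slide (polymerclay, the "tickets." host) are made up for the example.
SAMPLE = """\
type: INSERTION
rrname: www.rio-2016-olympics-live.com.
rrtype: A (1)
rrname: nbcolympics.com.
rrname: nbcolympics.com.
rrname: www.polymerclay.example.
rrname: olympicpaints.co.za.
rrname: winterolympics2014.ru.
rrname: winterolympic-2014.ru.
rrname: www.rio-2016-olympics-live.com.
rrname: tickets.rio-2016-olympics-live.com.
"""

RRNAME = re.compile(r"^rrname:\s+(\S+)\s*$")


def extract_names(text, needle="olym", exclude=("polymer",)):
    """grep rrname | awk '{print $2}' | sed 's/.$//' | grep needle | grep -v exclude."""
    names = []
    for line in text.splitlines():
        m = RRNAME.match(line)
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()  # drop the trailing dot, normalise case
        if needle in name and not any(x in name for x in exclude):
            names.append(name)
    return names


def reverse_labels(name):
    """www.example.com -> com.example.www, so names under one zone sort together."""
    return ".".join(reversed(name.split(".")))


def count_reversed(names):
    """sort | uniq -c | sort -nr: (reversed name, count), most frequent first, ties by name."""
    c = Counter(reverse_labels(n) for n in names)
    return sorted(c.items(), key=lambda kv: (-kv[1], kv[0]))


def by_zone(names, labels=2):
    """Collapse reversed names to their first `labels` labels and count per zone.

    Naive: a fixed label count mis-handles multi-label public suffixes (co.za).
    """
    c = Counter(".".join(reverse_labels(n).split(".")[:labels]) for n in names)
    return sorted(c.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    names = extract_names(SAMPLE)
    for reversed_name, count in count_reversed(names):
        print(f"{count:7d} {reversed_name}")
    print("per zone:", by_zone(names))
```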

Newly Observed Domain Names (NOD)

• Most new domains (<24 hours) are nefarious
  • 60% of SPAM studied used a header or envelope domain <24 hours old
• Most new domains don't yet have a reputation
• NOD as Streams (newly active vs newly observed)
• NOD as Feeds (RPZ - DNS Firewall; RHSBL - SpamAssassin)
• Various intervals available (5m, 10m, 30m, 1hr, 6hr, 12hr, 24hr)
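How the stream and feed forms of NOD relate, as an added example (not Farsight's NOD implementation): classify() replays a constructed stream of pDNS observations and separates names seen for the first time inside the window from names that resurface after a quiet period. The "newly active" rule used here (quiet for at least seven days, then seen again) is an assumption made for this example, not Farsight's definition. rpz_zone() then writes the names out as an RPZ zone in which each entry, and anything beneath it, answers NXDOMAIN, which is the DNS-firewall feed form. The domain names are taken from the lists on the following slides; the timestamps, the zone origin nod.rpz.example and the serial are constructed.

```python
"""Deriving newly-observed / newly-active names from a pDNS stream and emitting an RPZ feed.

Added example; not Farsight's NOD implementation. STREAM is constructed, and the
"newly active" definition is an assumption made here.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2016, 8, 10, 12, 0, tzinfo=timezone.utc)

# Constructed observations: (timestamp, name), deliberately not in time order.
STREAM = [
    (NOW - timedelta(minutes=20), "rio-olympics2016.online"),
    (NOW - timedelta(days=400), "nbcolympics.com"),
    (NOW - timedelta(days=1), "nbcolympics.com"),
    (NOW - timedelta(days=30), "winterolympics2018.xyz"),
    (NOW - timedelta(minutes=5), "watch-olympics16-livesnow.ga"),
    (NOW - timedelta(minutes=2), "nbcolympics.com"),
    (NOW - timedelta(minutes=1), "winterolympics2018.xyz"),
]


def classify(stream, now, window=timedelta(hours=1), dormant=timedelta(days=7)):
    """Replay observations in time order and return (newly_observed, newly_active).

    newly_observed: the name's first-ever sighting falls inside `window` before `now`.
    newly_active:   seen before, quiet for at least `dormant`, then seen again inside
                    `window` (assumed definition for this example).
    A long-established name seen continuously (nbcolympics.com) lands in neither list.
    """
    first_seen, last_seen = {}, {}
    newly_observed, newly_active = set(), set()
    for ts, name in sorted(stream):
        recent = now - ts <= window
        if name not in first_seen:
            first_seen[name] = ts
            if recent:
                newly_observed.add(name)
        elif recent and ts - last_seen[name] >= dormant:
            newly_active.add(name)
        last_seen[name] = ts
    return sorted(newly_observed), sorted(newly_active)


def rpz_zone(names, origin="nod.rpz.example", serial=2016081001, ttl=300):
    """RPZ zone text. "CNAME ." is the RPZ NXDOMAIN action; the wildcard covers subdomains."""
    lines = [
        f"$TTL {ttl}",
        f"$ORIGIN {origin}.",
        f"@ IN SOA ns.{origin}. hostmaster.{origin}. {serial} 3600 900 604800 {ttl}",
        f"@ IN NS ns.{origin}.",
    ]
    for name in sorted(names):
        lines.append(f"{name} IN CNAME .")    # owner names are relative to the RPZ origin
        lines.append(f"*.{name} IN CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    observed, active = classify(STREAM, NOW)
    print("newly observed:", observed)
    print("newly active:", active)
    print(rpz_zone(observed + active))
```

A 5-minute or 1-hour feed is simply classify() run with that window; a resolver loading the zone returns NXDOMAIN for the listed names until they age out, which is what buys time while the name has no reputation yet.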

NOD (Aug 10-11, 2016)

• 1363288-irish-executive-arrested-in-rio-olympics-ticket-raid[dot]page
• derelict-and-deserted-the-ghost-of-former-olympic-sites[dot]page
• helen-skelton-strictly-come-dancing-olympics-bbc[dot]page
• olympic-council-of-ireland-employee-arrested-in-ticket-raid[dot]page
• olympic-diving-pool-turns-green-and-baffles-competitors[dot]page
• olympic-rio-gang-steal-dog-pet[dot]page
• Olympicsgames[dot]club
• rio-2016-diving-pool-green-olympics-tom-daley[dot]page
• rio-olympics-gymnast-breaks-leg-video[dot]page
• Rio2016olympics[dot]today
• rio-olympics2016[dot]online
• Rioolympics2016[dot]today
• Rioolympicsgame[dot]club
• Rioolympics[dot]solutions
• Rioolympics[dot]space
• Rioolympics[dot]tech
• Riosportsolympics[dot]online
• Olympicsrio2016[dot]online
• Olympicsrio2016[dot]today
• Watchbrazilolympics[dot]online
• watch-olympics16-livesnow[dot]ga
• Watchtheolympics[dot]online
• Winterolympics2018[dot]xyz
• Winterolympics[dot]press

NOD (Aug 10-11, 2016) (continued)

• Dolympic[dot]de
• Esportolympics[dot]nl
• Esportsolympics[dot]nl
• Jordan72016olympic[dot]cc
• Olympicamsterdam[dot]nl
• Olympicbikes[dot]nl
• Olympiccasino[dot]nl
• Olympicconsultants[dot]nl
• Olympiccrowdfunding[dot]de
• Olympiccrowdfunding[dot]nl
• Olympicentertainment[dot]nl
• Olympicgamesnews[dot]de
• Olympichub[dot]nl
• Olympicit[dot]nl
• olympic-klasse[dot]de
• olympic-land[dot]de
• olympic-land[dot]nl
• Olympicland[dot]nl
• Olympicnews[dot]io
• Olympicoffers[dot]de
• olympic-parc[dot]de
• olympic-parc[dot]nl
• Olympicpetfood[dot]nl
• olympic-travel[dot]de
• Olympicycles[dot]nl
• Radiolympic[dot]nl
• Radiolympics[dot]nl
• Sociolympic[dot]nl
• Sociolympics[dot]nl
• Specialolympics2017[dot]nl
• Theolympic[dot]nl
• Theolympicstandard[dot]biz
• Usolympicsnews[dot]com
• Vrolympics[dot]cn
• Winterolympic2018[dot]net

Example 1: WHOIS and GeoIP

Queries from:

Example 2: WHOIS and GeoIP

merike@pDNS:~$ domain
