DNS Wildcards Abuse in China: From a passive DNS perspective. Network Security Research Lab @QIHOO 360

Post on 17-Jan-2016





Zhang Zaifeng

Agenda

• About passiveDNS.cn
• What is DNS Wildcards Abuse (DWA)
• How DWA operates
• Measuring DWA

About passiveDNS.cn

• Sees about 10% of the DNS traffic in China
  – The first and largest publicly known passive DNS database in China
  – Open to the security community (nsp-sec, ops-trust)
• DNS requests: 900,000 q/s
• Data from 2014-08-05 to 2015-08-26
  – DNS RRsets: 5.7 billion
  – DNS RDATAs: 17.2 billion
  – Unique domains: 4.6 billion

What is DWA

• DNS wildcard
  – "A wildcard DNS record is a record in a DNS zone that matches requests for non-existent domain names. A wildcard DNS record is specified by using a "*" as the leftmost label (part) of a domain name." (from wikipedia.org)
  – A domain configured with a wildcard record:
      *.example.com IN A 1.2.3.4
  – Any subdomain of example.com that does not otherwise exist in the zone resolves to 1.2.3.4. Per RFC 4592 the wildcard never overrides a name that is explicitly defined in the zone, and it does not cover names below such an explicit name either.
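The matching rule above is the reason a DWA domain shows "no NXDOMAINs" later in the talk: once `*.example.com` exists, any random label resolves. The following toy resolver is an added example (not code from the talk) that implements RFC 4592 wildcard synthesis over a constructed zone built around the slide's `*.example.com IN A 1.2.3.4`; the other owner names and addresses in the zone are made up for illustration.

```python
"""RFC 4592 wildcard matching against a toy zone.

Added example, not from the talk. The zone is constructed around the slide's
"*.example.com IN A 1.2.3.4" to show which query names the wildcard answers
and which it does not.
"""

ZONE_APEX = "example.com."

# Constructed zone data: owner name -> list of (rrtype, rdata).
ZONE = {
    "example.com.": [("NS", "ns1.example.com.")],
    "ns1.example.com.": [("A", "192.0.2.53")],
    "*.example.com.": [("A", "1.2.3.4")],          # the wildcard from the slide
    "www.example.com.": [("A", "198.51.100.10")],  # an explicitly defined name
    "mail.example.com.": [("MX", "10 mail.example.com.")],
}


def _fqdn(name):
    name = name.lower()
    return name if name.endswith(".") else name + "."


def name_exists(name):
    """RFC 4592 existence: the name owns data or has descendants in the zone
    (an empty non-terminal). Only meaningful for names at or below the apex."""
    return any(owner == name or owner.endswith("." + name) for owner in ZONE)


def rdatas(owner, qtype):
    return [rdata for rrtype, rdata in ZONE.get(owner, []) if rrtype == qtype]


def lookup(qname, qtype):
    """Answer a query; returns (rcode, answers). NOERROR with an empty answer
    list is a NODATA response."""
    qname = _fqdn(qname)
    if qname != ZONE_APEX and not qname.endswith("." + ZONE_APEX):
        raise ValueError("query outside the zone")
    if name_exists(qname):
        # An existing name is answered from its own records. The wildcard
        # never applies to it, even when it lacks the queried type.
        return "NOERROR", rdatas(qname, qtype)
    # Otherwise walk up to the closest encloser (the longest existing
    # ancestor) and synthesise from a wildcard directly beneath it, if any.
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if name_exists(ancestor):
            wildcard = "*." + ancestor
            if wildcard in ZONE:
                return "NOERROR", rdatas(wildcard, qtype)
            return "NXDOMAIN", []
    return "NXDOMAIN", []


if __name__ == "__main__":
    for q in ["x7k2q9.example.com", "a.b.example.com", "www.example.com",
              "foo.www.example.com", "x.mail.example.com"]:
        print(q, lookup(q, "A"))
```

Note the two cases a DWA operator has to live with: `foo.www.example.com` is NXDOMAIN because `www.example.com` exists and has no wildcard of its own, and an MX query for a random label gets NODATA rather than the A record.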

What is DWA cont.

• DNS wildcards abuse (DWA)
  – Method:
    • Register lots of domains
    • Enable wildcard records on all of them
    • Most FQDNs serve pages with duplicate or nonsensical content
    • Most pages link to or cross-reference each other
  – Purpose:
    • Black-hat SEO
    • Possibly evading firewall blocking rules

Example

• Domain style 1:
  – Like a DGA, but with no NXDOMAINs (every random name resolves)
  – Random-prefix subdomains
  – MANY (sub)domains vs a SINGLE IP address

Example cont.

• Domain style 2:
  – MANY (sub)domains vs MULTIPLE IP addresses

Example cont.

• Domain style 3:
  – New gTLDs (.science) are also involved

• What do the real web pages look like?
• The following pages show 3 different sites with similar page structure, layout and content
  – All pages show some sort of medical award, a photo of a middle-aged doctor, a nice hospital facility, etc.

Website 1

Website 2

Website 3

DWA webpage source

• Take a look at the page HTML
  – It shows: "The ultimate killer team for medical DWA", with its website and customer-service QQ number
  – Another slogan: "The newest ranking technology, which circumvents search engine blocking"

How it operates

• General steps:
  – Prepare domains / Virtual Private Servers (VPS)
  – Pick keywords for the search engine
  – Generate (fake) original content (to be indexed by the search engine)
  – Site goes live
• Prepare domains/VPS:
  – Purchase domains
  – Purchase VPS
  – Domains go live
  – Generate subdomains

Purchase Domains

• From the almighty taobao.com
• Very cheap when buying domains in bulk

Purchase VPS

• Same as domains: from the almighty taobao.com
• Plenty of dedicated VPS are offered for DWA
• The industry chain is fully developed.

Domains go live

• With loads of domains and corresponding VPS, setting up resolution for all of them is time-consuming and very boring
  – No worries, there are tools to make it easier

Generate subdomains

• Automatically generate all kinds of subdomains according to your configuration
  – Pinyin (拼音) subdomains
  – Random subdomains
    • digits only, letters only, or a mix of both

DWA Variation

• Only one type of DWA?
  – Absolutely NOT!
  – Domain shadowing

DWA Variation cont.

• Legitimate domains whose DNS has been taken over
  – Gambling sites
  – Hosted under gov.cn, the domain used by the Chinese government

DWA Variation cont.

• Government sites are the main targets.
  – Many government sites are poorly managed; attacking the registrant accounts is easy
  – They rank higher in search engines
• Advantages:
  – Economical: no need to purchase lots of domains
  – Efficient: many search engines rank government sites higher
• Disadvantages:
  – High risk: you don't want to get caught

How we Measure DWA

• Select and verify DWA
  – Select:
    • Domain registered in China but server IPs located overseas
    • Has wildcard records
    • Not CDN domains / dynamic-DNS domains / popular domains (Alexa top 100k)
    • Not special IPs:
      – Sinkhole IPs
      – Domain parking/reselling IPs
    • Other filters ...
  – Verify:
    • Data: 2015-05-15 to 2015-05-21, 948,005 domains; 350,282 valid domains (site is live and has a page title)
    • Result:
      – Pornographic sites: 45%
      – Gambling sites: 15%
      – Misconfiguration: 9%
      – Normal business: 8%
      – Traffic Direction System (TDS): 7%
      – Others: 16%
• Now let's look at the detailed statistics
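The Select step above, and the two domain styles from the Example slides (many subdomains vs a single IP, many vs multiple IPs; random vs pinyin prefixes), can be run as a simple per-SLD filter over passive DNS observations. The code below is an added example, not the authors' pipeline: the observations are constructed, the IP-to-country table stands in for a GeoIP database, the WHOIS country table, allow list and special-IP list are made up, and the thresholds are assumptions. Since passive DNS never records the wildcard RR itself, the "has wildcard records" criterion is approximated by its footprint (many distinct names under one SLD, each queried only a few times); an active probe of a random label would be the definitive check.

```python
"""Selecting DWA candidates from passive DNS, after the Select step on the slide.

Added example, not the talk's own pipeline. The observations, the IP->country
table (a stand-in for a GeoIP database), the WHOIS country table, the allow
list and the special-IP list are constructed; the thresholds are assumptions.
"""
from collections import defaultdict

# Public suffixes needing three labels for the second-level domain (SLD);
# these are the ones the talk mentions. Real code would use the Public Suffix List.
THREE_LABEL_SUFFIXES = {"gov.cn", "ac.cn", "com.cn", "net.cn", "org.cn"}

# Constructed passive DNS A-record observations: (fqdn, ip, query_count).
PDNS_ROWS = [
    # style 1: random prefixes, MANY subdomains -> SINGLE overseas IP
    ("x7k2q9.seoblob.cn", "192.0.2.10", 3), ("p0m3zz.seoblob.cn", "192.0.2.10", 2),
    ("a81bd0.seoblob.cn", "192.0.2.10", 1), ("q2w9er.seoblob.cn", "192.0.2.10", 4),
    ("zx12vb.seoblob.cn", "192.0.2.10", 1), ("www.seoblob.cn", "192.0.2.10", 9),
    # style 2: pinyin prefixes, MANY subdomains -> MULTIPLE overseas IPs
    ("yiyuan.yiliaotop.cn", "198.51.100.5", 2), ("zhuanjia.yiliaotop.cn", "198.51.100.6", 2),
    ("guahao.yiliaotop.cn", "198.51.100.7", 1), ("menzhen.yiliaotop.cn", "198.51.100.5", 3),
    ("keshi.yiliaotop.cn", "198.51.100.8", 1), ("bingli.yiliaotop.cn", "198.51.100.6", 2),
    # normal business: a few heavily queried hosts, hosted in China
    ("www.shop-example.cn", "203.0.113.20", 500), ("mail.shop-example.cn", "203.0.113.21", 40),
    # parked domain: wildcard fan-out too, but onto a known parking IP
    ("a1b2c3.parked-example.cn", "203.0.113.99", 1), ("d4e5f6.parked-example.cn", "203.0.113.99", 1),
    ("g7h8i9.parked-example.cn", "203.0.113.99", 1), ("j0k1l2.parked-example.cn", "203.0.113.99", 2),
    ("m3n4o5.parked-example.cn", "203.0.113.99", 1),
    # popular/CDN domain: many hostnames by design, must be excluded
    ("c1.bigcdn-example.cn", "203.0.113.50", 9000), ("c2.bigcdn-example.cn", "203.0.113.50", 8000),
    ("c3.bigcdn-example.cn", "203.0.113.50", 7000), ("c4.bigcdn-example.cn", "203.0.113.50", 6000),
    ("c5.bigcdn-example.cn", "203.0.113.50", 5000),
]

# Constructed lookup tables (GeoIP stand-in, WHOIS stand-in, allow list, special IPs).
IP_COUNTRY = {"192.0.2.10": "US", "198.51.100.5": "US", "198.51.100.6": "HK",
              "198.51.100.7": "US", "198.51.100.8": "US", "203.0.113.20": "CN",
              "203.0.113.21": "CN", "203.0.113.99": "US", "203.0.113.50": "US"}
WHOIS_COUNTRY = {"seoblob.cn": "CN", "yiliaotop.cn": "CN", "shop-example.cn": "CN",
                 "parked-example.cn": "CN", "bigcdn-example.cn": "CN"}
POPULAR_OR_CDN = {"bigcdn-example.cn"}   # Alexa top-100k, CDN and dynamic-DNS domains
SPECIAL_IPS = {"203.0.113.99"}           # sinkhole and domain-parking IPs


def sld(fqdn):
    parts = fqdn.lower().rstrip(".").split(".")
    n = 3 if ".".join(parts[-2:]) in THREE_LABEL_SUFFIXES else 2
    return ".".join(parts[-n:])


def prefix_charset(label):
    """Classify a subdomain label the way the 'Generate subdomains' slide does."""
    if label.isdigit():
        return "digits"
    if label.isalpha():
        return "letters"
    return "mixed"


def select_candidates(rows, min_fqdns=5, max_median_queries=10):
    """Apply the selection filters per SLD; returns {sld: verdict}."""
    by_sld = defaultdict(list)
    for fqdn, ip, count in rows:
        by_sld[sld(fqdn)].append((fqdn.lower(), ip, count))

    verdicts = {}
    for domain, obs in by_sld.items():
        fqdns = {f for f, _, _ in obs}
        ips = {ip for _, ip, _ in obs}
        counts = sorted(c for _, _, c in obs)
        median = counts[len(counts) // 2]
        prefixes = [f[: -len(domain) - 1] for f in fqdns if f != domain]

        reasons = []
        if domain in POPULAR_OR_CDN:
            reasons.append("popular/CDN/dynamic domain")
        if ips & SPECIAL_IPS:
            reasons.append("resolves to sinkhole/parking IP")
        if WHOIS_COUNTRY.get(domain) != "CN":
            reasons.append("not registered in China")
        if any(IP_COUNTRY.get(ip) == "CN" for ip in ips):
            reasons.append("hosted in China")
        # Passive DNS never shows the wildcard record itself. Its footprint is
        # many distinct names under one SLD, each queried only a few times.
        if len(fqdns) < min_fqdns or median > max_median_queries:
            reasons.append("no wildcard-like fan-out")

        verdicts[domain] = {
            "selected": not reasons,
            "reasons": reasons,
            "fqdns": len(fqdns),
            "ips": len(ips),
            "style": "many-to-one" if len(ips) == 1 else "many-to-many",
            "prefix_charsets": sorted({prefix_charset(p.split(".")[0]) for p in prefixes}),
        }
    return verdicts


if __name__ == "__main__":
    for domain, v in sorted(select_candidates(PDNS_ROWS).items()):
        print(domain, "SELECTED" if v["selected"] else "dropped: " + ", ".join(v["reasons"]),
              v["style"], v["prefix_charsets"])
```

On the constructed rows only the two DWA-style domains survive; the shop is dropped for being hosted in China with no fan-out, the parked domain for its parking IP, and the CDN for being on the allow list. The Verify step (fetching the live page and classifying its title) is not shown.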

Measure DWA

• Active domains: second-level domains (SLD)
  – All TLDs: 21,481/day
  – .cn: 8,649/day

[Chart: active SLDs per day, 2015-01-13 to 2015-08-26, y-axis 0 to 60,000; series: total_num, cn_num, gov_cn_num, ac_cn_num, science_num]

Measure DWA cont.

• Active domains (SLD): zooming in on the ac.cn / .science / gov.cn curves
  – About ac.cn: used by academic institutes in China. Avg: 646/day
  – About gov.cn: an index that reflects the security of government sites. Avg: 67/day
  – About .science: first seen 2015-04-03, burst at 2015-04-15, highest point 2015-06-18. Avg: 377/day

[Chart: active SLDs per day (zoomed), 2015-01-13 to 2015-08-21, y-axis 0 to 3,500; series: gov_cn_num, ac_cn_num, science_num]

Measure DWA cont.

• Active domains: fully qualified domain names (FQDN)
  – .ac.cn avg: 9,296/day; FQDN/SLD: 15x
  – .gov.cn is stable. Avg: 1,245/day; FQDN/SLD: 18.6x
  – .science avg: 5,256/day; FQDN/SLD: 14x
  – What's wrong with ac.cn on 2015-03-03?

[Chart: active FQDNs per day, 2015-01-13 to 2015-08-26, y-axis 0 to 160,000; series: gov_cn_num, ac_cn_num, science_num]

Measure DWA cont.

• Active domains (FQDN): the ac.cn spike from 2015-03-02 to 2015-03-04
  – About 50 SLDs, each with a large number of subdomains in the same style, like the following:

Measure DWA cont.

• Active domains (SLD): other new gTLDs (excluding .science)
  – .top (4,080/day), .xyz (384/day), .party (259/day), .club (165/day), .website (43/day)

[Chart: active SLDs per day under new gTLDs, 2015-07-03 to 2015-08-26, y-axis 0 to 8,000; series: xyz, top, party, club, website]

Measure DWA cont.

• Active server IPs: avg 15,082/day

[Chart: unique server IPs per day (uniq_ip_num), 2015-01-14 to 2015-08-14, y-axis 0 to 30,000]

Measure DWA cont.

• Server IP distribution
  – 83% located in the US
  – 13% located in HK, Japan and Taiwan
  – Top 10 ASNs account for 68%; 8 of the 10 are in the US, 2 of the 10 in HK.

Measure DWA cont.

IP distribution by ASN (pie chart; shares as read from the chart, in legend order):
  AS18978 Enzu Inc                    20%
  AS15003 Nobis Technology Group      12%
  AS40676 Psychz Networks             12%
  AS20248 Take 2 Hosting, Inc.         5%
  AS35908 Krypt Technologies           4%
  AS38197 Sun Network (HK) LLC         3%
  AS54600 PEG TECH INC                 3%
  AS53755 Input Output Flood LLC       3%
  AS18779 EGIHosting                   3%
  AS17444 New World Telephone          2%
  AS8100 QuadraNet, Inc                2%
  AS22552 eSited Solutions             2%
  AS17139 Corporate Colocation Inc.    1%
  other                               26%

IP distribution by country (pie chart): US 83%, HK 11%, JP 1%, TW 1%, other 4%

Measure DWA cont.

• Lifetime distribution
  – 86% of FQDNs live less than one day
  – 42% of SLDs live less than one day

FQDN count by lived days (pie chart): [0,1) 86%, [1,7) 5%, [7,32) 3%, [32,) 6%
SLD count by lived days (pie chart): [0,1) 42%, [1,7) 18%, [7,32) 14%, [32,) 25%

Measure DWA cont.

• Domain access count distribution
  – 70% of SLDs received fewer than 100 DNS requests
  – 88% of SLDs received fewer than 500 DNS requests

SLD count by access count (pie chart): (0,100] 70%, (100,500] 18%, (500,1000] 4%, (1000,5000] 5%, (5000,) 2%
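The lifetime and access-count distributions on the last two slides, and the FQDN/SLD ratio used earlier, fall out of per-FQDN passive DNS summaries (first seen, last seen, query count) once the names are grouped by SLD. The following is an added example, not the authors' code, that computes those figures with the exact bucket edges from the slides over a small constructed data set; the domain names and dates are made up.

```python
"""Lifetime and access-count distributions of DWA domains, in the slides' buckets.

Added example, not the talk's code. The rows are constructed; the bucket
edges ([0,1), [1,7), [7,32), [32,) days and (0,100], (100,500], (500,1000],
(1000,5000], (5000,) queries) are the ones used on the slides.
"""
from collections import Counter
from datetime import date

THREE_LABEL_SUFFIXES = {"gov.cn", "ac.cn", "com.cn", "net.cn", "org.cn"}


def sld(fqdn):
    parts = fqdn.lower().rstrip(".").split(".")
    n = 3 if ".".join(parts[-2:]) in THREE_LABEL_SUFFIXES else 2
    return ".".join(parts[-n:])


# Constructed passive DNS summaries: (fqdn, first_seen, last_seen, query_count).
ROWS = [
    ("a1.dwa-example.cn", "2015-05-15", "2015-05-15", 3),
    ("b2.dwa-example.cn", "2015-05-15", "2015-05-15", 1),
    ("c3.dwa-example.cn", "2015-05-16", "2015-05-16", 2),
    ("d4.dwa-example.cn", "2015-05-16", "2015-05-18", 7),
    ("www.dwa-example.cn", "2015-05-15", "2015-06-20", 120),
    ("x9.other-dwa.top", "2015-05-20", "2015-05-20", 1),
    ("y8.other-dwa.top", "2015-05-20", "2015-05-21", 2),
    ("www.realshop.cn", "2015-01-13", "2015-08-26", 9000),
    ("mail.realshop.cn", "2015-01-13", "2015-08-26", 700),
]

LIFE_BUCKETS = ["[0,1)", "[1,7)", "[7,32)", "[32,)"]
ACCESS_BUCKETS = ["(0,100]", "(100,500]", "(500,1000]", "(1000,5000]", "(5000,)"]


def life_bucket(days):
    """Half-open day buckets: a name seen only on one day has 0 lived days."""
    for edge, label in zip((1, 7, 32), LIFE_BUCKETS):
        if days < edge:
            return label
    return LIFE_BUCKETS[-1]


def access_bucket(count):
    """Left-open, right-closed query-count buckets, as on the slide."""
    for edge, label in zip((100, 500, 1000, 5000), ACCESS_BUCKETS):
        if count <= edge:
            return label
    return ACCESS_BUCKETS[-1]


def lived_days(first, last):
    return (date.fromisoformat(last) - date.fromisoformat(first)).days


def fqdn_lifetime_hist(rows):
    return Counter(life_bucket(lived_days(f, l)) for _, f, l, _ in rows)


def per_sld(rows):
    """Collapse FQDN rows to {sld: [first_seen, last_seen, total_queries, fqdn_count]}.
    ISO dates compare correctly as strings, so min/max work on them directly."""
    agg = {}
    for fqdn, first, last, count in rows:
        d = sld(fqdn)
        if d not in agg:
            agg[d] = [first, last, 0, 0]
        agg[d][0] = min(agg[d][0], first)
        agg[d][1] = max(agg[d][1], last)
        agg[d][2] += count
        agg[d][3] += 1
    return agg


def sld_lifetime_hist(rows):
    return Counter(life_bucket(lived_days(f, l)) for f, l, _, _ in per_sld(rows).values())


def sld_access_hist(rows):
    return Counter(access_bucket(q) for _, _, q, _ in per_sld(rows).values())


def fqdn_per_sld(rows):
    return len(rows) / len(per_sld(rows))


def as_percent(hist, labels):
    total = sum(hist.values())
    return {label: round(100 * hist.get(label, 0) / total) for label in labels}


if __name__ == "__main__":
    print("FQDN lifetime:", as_percent(fqdn_lifetime_hist(ROWS), LIFE_BUCKETS))
    print("SLD lifetime: ", as_percent(sld_lifetime_hist(ROWS), LIFE_BUCKETS))
    print("SLD access:   ", as_percent(sld_access_hist(ROWS), ACCESS_BUCKETS))
    print("FQDN/SLD:     ", fqdn_per_sld(ROWS))
```

The SLD lifetime is taken as the span from the earliest first-seen to the latest last-seen of any name under it, which is why an SLD can sit in a later bucket than every one of its short-lived FQDNs, exactly the pattern the slides show (86% of FQDNs vs 42% of SLDs under one day).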

• Conclusion
  – DWA is popular
  – But as an SEO trick it does not work very well:
    • judging from the DNS request counts and the domains' lifetimes
    • and from the slogan of "狗小云站群" (one of the DWA software providers, http://q8888q.com/): "the only effective DWA software on the whole web"
• Why such a large scale? Some (possible) reasons:
  – Not every webmaster knows this conclusion.
  – Not just for SEO:
    • a type of domain flux
    • evading FW/IPS/WAF blocking policies

References
• https://passivedns.cn
• http://baike.baidu.com/view/3166471.htm
• http://baike.baidu.com/view/8794895.htm
• http://www.hxzhanqun.cn/shipinyanshi/
• http://www.iisp.com/ztview/F_d020.html?s=netcn
• http://www.cnkuai.cn/domain/domain_en_ac_cn.htm
• http://www.163ns.com/help/495.html
• http://www.royotech.com/pages/toolbox/articles/web/15.php
• http://www.famousfourmedia.com/science/
• http://register.science/
• http://www.alpnames.com/
• http://www.freehao123.com/alpnames-register-science/
• http://q8888q.com/
• http://tools.ietf.org/html/rfc4592
• http://www.thesempost.com/google-dislikes-zombie-sub-domains/
• http://www.kevstrong.com/technology/avoiding-ghost-sub-domains-and-duplicate-content/