Sections: Challenges in DNS poisoning detection; The attack vector; Methodology; Poisoning Detection; Conclusions
A Centralized Monitoring Infrastructure ForImproving DNS Security
Manos Antonakakis, David Dagon, Luo “Daniel” Xiapu, Roberto Perdisci, Wenke Lee, Justin Bellmor
Georgia Institute of Technology, Information Security Center
Atlanta, Georgia
RAID, Ottawa, 2010
1 / 41
Outline and Credits
Challenges in DNS poisoning detection
Previous work
Describing the attack vector
Methodology
DNS poisoning detection
Summary
Credits: Robert Edmonds and Paul Royal for their useful comments
Chris Lee and the GT-OIT staff for the abuse handling
SIE@ISC: Paul and Eric, for the scan point (SJ) and pDNS
CIRA: Norm and Matthew, for the scan point in Canada
Challenges in DNS poisoning detection
DNS poisoning is a successful attack vector (thanks Dan!)
Detection requires being “on path” with the recursive resolver and/or observing the DNS cache
DNS poisoning is hard to observe (sporadic and short)... or you can observe it at the authority:
count patterns of ICMP type 3 code 3 (port unreachable) messages, which the authority receives when spoofed answers sent in its name reach a resolver port that is already closed, and QR/RD header-bit ratios
So, what do we need? Technology that creates its own path to the RDNS, and sophisticated DNS cache inspection techniques
A Monitoring Infrastructure For DNS Security
What “Anax” does: it requests, records and analyzes DNS records from a large set of open recursive DNS servers (ORDNSs) around the globe, looking for DNS cache abnormalities
Since Anax can detect poisonous RRs in Internet-scale measurements, the system can do the same in a less diverse set of RDNSs, e.g., those in a single organization
Some of the previous work ...
DNS recursive resolution plane: Dagon et al., “Corrupted DNS Resolution Paths”, NDSS 2007
DNS entropy: Dagon et al., “Increased DNS Forgery Resistance Through 0x20-Bit Encoding”, CCS 2008
DNS software vulnerabilities: Dagon et al., “Recursive DNS Architectures and Vulnerability Implications”, NDSS 2009
Poisoning prevention: DNSSEC (RFC 4033 and 4034), DNSCurve; Perdisci et al., “WSEC DNS: Protecting Recursive DNS Resolvers from Poisoning Attacks”, DSN-DCCS 2009
DNS Poisoning
Understanding the attack vector
DNS Poisoning
How does DNS work? (diagram)
DNS Poisoning
Basic DNS Poisoning
The recursive resolver requests qname and must wait one RTT for the answer
Before the answer returns from the authority (SOA), the attacker can flood poisonous answers
Each spoofed answer attempts another guess of the ID field
With a 200 ms RTT, ≈ 13,000 spoofed packets can be sent; the ID field is 16 bits, or 65K values
Besides the ID field, other entropy should be used (source port randomization and 0x20 encoding)
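The race described on this slide, as an added worked example (not code from the talk or from Anax): it counts the bits an off-path attacker must guess with the ID alone, with source port randomization, and with 0x20 encoding, and turns the slide's budget of about 13,000 spoofed packets per 200 ms RTT into per-race odds and the expected number of Kaminsky-style races. The 65,000 packets/s rate is what those two slide numbers imply; the entropy model (a fully random 16-bit port, one bit per letter of the query name) is a simplifying assumption.

```python
"""Odds of an off-path DNS poisoning race, as sketched on the slide.
Added example; the entropy model is a simplifying assumption, not the talk's."""
import math
import string

ID_BITS = 16      # DNS transaction ID
PORT_BITS = 16    # assumption: fully random 16-bit source port (real SPR uses fewer)


def entropy_bits(qname: str, source_port_random: bool = False,
                 use_0x20: bool = False) -> int:
    """Bits a blind attacker must guess per forged reply: the ID, optionally
    the source port, and with 0x20 one bit per ASCII letter of the name."""
    bits = ID_BITS
    if source_port_random:
        bits += PORT_BITS
    if use_0x20:
        bits += sum(1 for c in qname if c in string.ascii_letters)
    return bits


def packets_per_window(rtt_seconds: float, packets_per_second: float) -> int:
    """Spoofed replies that fit before the genuine answer closes the window."""
    return round(rtt_seconds * packets_per_second)


def race_success_probability(spoofed_packets: int, bits: int) -> float:
    """One race with distinct guesses: each hits with probability 1 / 2**bits."""
    return min(1.0, spoofed_packets / 2 ** bits)


def expected_races(p: float) -> float:
    """Kaminsky-style attack: every race uses a fresh random name, so the
    attacker retries until one wins (geometric distribution)."""
    return math.inf if p == 0 else 1.0 / p


def probability_within(races: int, p: float) -> float:
    """Chance of at least one win within the given number of races."""
    return 1.0 - (1.0 - p) ** races


def slide_scenario(qname: str = "www.example.com"):
    """The slide's numbers: 200 ms RTT, ~13,000 packets per window (~65,000 pps)."""
    n = packets_per_window(0.2, 65_000)
    out = {}
    for label, spr, x20 in (("id-only", False, False),
                            ("id+spr", True, False),
                            ("id+spr+0x20", True, True)):
        bits = entropy_bits(qname, spr, x20)
        p = race_success_probability(n, bits)
        out[label] = (bits, p, expected_races(p))
    return out


if __name__ == "__main__":
    for label, (bits, p, races) in slide_scenario().items():
        print(f"{label:12s} bits={bits:2d} p(one race)={p:.2e} "
              f"expected races={races:.3g}")
```

With the ID alone one race succeeds about one time in five, so a handful of Kaminsky races is enough; adding the source port pushes the expected number of races into the hundreds of thousands, which is why the slide says other entropy must be used.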
DNS Poisoning
Kaminsky Class of DNS Poisoning
ORDNS Network and Geographic Location | RR Discovery Trends
Methodology
The Big Picture
Figure (Anax Poisoning Detection System, stages [1] to [6]): DNS Scanning Points → DNS Scanning Engine → Raw DNS Data Collector → Anax Data Preparation Engine → Anax Poisoning Detection Engine, backed by the Anax DB, with an OFF-LINE mode (training) and an ON-LINE mode that emits Poisoning Alerts.
Scanning Protocol
Figure: Anax's DNS scanning point sends “A? example.com” to an open recursive DNS server, which forwards it to the ANS for example.com and relays the answer “example.com IN A 192.0.32.10” back to the scanning point.
Probing protocol (per ORDNS):
1x A? control_case.com
1x A? <rand>.control_case.com
2x A? example.com
1x A? <rand>.example.com
3x {NS, MX, AAAA}? example.com
The IPs are used by the Anax detection system; the remaining RDATA is kept for manual labeling and temporal measurements
Scanning Engine and Data Collection
Scan engine:
Open-recursive DNS server selection (300,000)
Domain name lists (131 unique 2LDs based on top Alexa zones)
Constant eight-month (rotating) ORDNS probing from two scanning points
2+6 total queries per ORDNS
What we collect in the “Raw Data Collector”:
RDNS-DATE-DN | DN-IP mappings from all recorded RRs
RDNS-DATE-DN | DN-RDATA mappings from all recorded RRs
ORDNS Selection
CC   #ORDNS   #ASs   #CIDRs
US   116213   3785    14340
CN    34778     90     2574
JP    20147    329     1760
NL    17651    172      483
FR    16261    164      482
KR    14822    326     1316
IT    12824    204      569
GB     9587    414      952
DE     9441    408      818
SE     9119    113      355
A summary of the diverse scanning targets. The table shows the top 10 countries by ORDNS participation in our scanning list, as well as the network diversity of the ORDNSs per country code, down to AS and CIDR granularity.
New RRs During Scanning (agile/CDN enabled zones)
Figure: for bestbuy.com, amazon.com, blogger.com and ebay.com, the CDF (0.8 to 1) of the day on which new RRs were discovered (0 to 100 days) and the volume of new RRs per day over 250 days.
New RRs During Scanning (less diverse zones)
Figure: for capitalone.com, chase.com, citibank.com and fedex.com, the CDF (0.8 to 1) of the day on which new RRs were discovered (0 to 80 days) and the volume of new RRs per day over 250 days.
DNS Poison Detection Modules | Detection Results | Poisoning Anecdotes?
DNS Poisoning Detection
Detection Flow in Anax - CIDR Analysis Module
Figure: detection flow. RR(s) → DB Check against the Anax DB; if not in the Anax DB → CIDR Analysis Module → Poisoning? No: L[0,1,2] (stop); Yes: L[3] → Poisoning Alert; L[4] (Unknown) → Anax 2-Class Classifier → Poisoning? Yes → Poisoning Alert; No → stop.
CIDR Analysis Module
CIDR white list (L0): probe ORDNSs from major ISPs in the US, hand-verify the RRsets and IPs in the answers, and white-list the minimum CIDR for each legitimate IP
Mis-configurations (L1), NX-domain rewriting (L2), DNS proxy (L2): probe from a domain name we control; any ORDNS giving back wrong answers is marked as:
  Mis-configuration iff the IP is in the RFC 1918 or RFC 3330 ranges
  DNS proxy iff fpdns denotes that (i.e., Vermicelli totd, TinyDNS, etc.)
  NX-domain RW iff it provides answers for non-existent domains
Poisoning (L3): IP in blacklists, or manual verification; lists used: the Team Cymru bogons (do-not-route) list, Spamhaus drop.lasso or the PBL list
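The scanning protocol (2+6 queries per ORDNS) and the CIDR Analysis Module above, as one added example that is not Anax's own code: it builds the probe plan, reduces each hand-verified IP to the minimum covering CIDR from a prefix table, and labels constructed probe results L0 through L4 in the order the slide lists them. The control zone name, the prefix table, the blacklist and every probe result below are constructed; the fpdns fingerprint is taken as an input flag rather than run, and the order of the checks is an assumption.

```python
"""Anax-style CIDR Analysis Module over constructed probe results.
Added example, not Anax's code. Labels follow the slide: L0 whitelisted CIDR,
L1 misconfiguration, L2 NX-domain rewriting / DNS proxy, L3 poisoning,
L4 unknown (handed on to the 2-class classifier)."""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

CONTROL_ZONE = "control-case.example"   # stand-in for the zone the scanner controls
CONTROL_EXPECTED = "198.51.100.10"      # the A record published for it (constructed)

# RFC 1918 private space plus a subset of RFC 3330-style special-use blocks.
SPECIAL_USE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",
    "224.0.0.0/4", "240.0.0.0/4")]


def probe_plan(target: str, rand=lambda: secrets.token_hex(4)) -> List[Tuple[str, str]]:
    """The 2+6 queries the scanning protocol sends to each ORDNS."""
    return [
        ("A", CONTROL_ZONE),                      # 1x control case
        ("A", f"{rand()}.{CONTROL_ZONE}"),        # 1x random label under it (must be NXDOMAIN)
        ("A", target), ("A", target),             # 2x A for the target zone
        ("A", f"{rand()}.{target}"),              # 1x random label under the target
        ("NS", target), ("MX", target), ("AAAA", target),   # 3x other RR types
    ]


@dataclass
class ProbeResult:
    ordns: str
    control_ip: Optional[str]         # answer to A? CONTROL_ZONE
    control_random_ip: Optional[str]  # answer to A? <rand>.CONTROL_ZONE; None == NXDOMAIN
    target_ips: List[str]             # A answers for the target zone
    fpdns_proxy: bool = False         # fpdns says "proxy" (fingerprint supplied, not run)


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def build_whitelist(verified_ips, prefix_table):
    """L0 list: for each hand-verified legitimate IP keep the most specific
    (minimum) CIDR in a routing-prefix table that contains it."""
    nets = [ipaddress.ip_network(p) for p in prefix_table]
    chosen = set()
    for ip in verified_ips:
        addr = ipaddress.ip_address(ip)
        covering = [n for n in nets if addr in n]
        if covering:
            chosen.add(max(covering, key=lambda n: n.prefixlen))
    return sorted(chosen, key=lambda n: (n.prefixlen, int(n.network_address)))


def classify(res: ProbeResult, whitelist, blacklist) -> Tuple[int, str]:
    """Return (level, reason) for one ORDNS's answers."""
    answered = res.target_ips + [ip for ip in (res.control_ip,) if ip]
    if res.target_ips and all(in_any(ip, whitelist) for ip in res.target_ips):
        return 0, "all target IPs inside a whitelisted CIDR"
    if any(in_any(ip, SPECIAL_USE) for ip in answered):
        return 1, "misconfiguration: RFC 1918/3330 address in answer"
    if res.fpdns_proxy:
        return 2, "DNS proxy (fpdns fingerprint)"
    if res.control_random_ip is not None:
        return 2, "NXDOMAIN rewriting: answered a non-existent name"
    if any(in_any(ip, blacklist) for ip in res.target_ips):
        return 3, "poisoning: answer IP in bogon/DROP list"
    return 4, "unknown: hand to the 2-class classifier"


# Constructed inputs: a tiny prefix table, two hand-verified IPs, a blacklist.
PREFIX_TABLE = ["192.0.32.0/20", "192.0.32.0/24", "72.21.192.0/19"]
WHITELIST = build_whitelist(["192.0.32.10", "72.21.210.250"], PREFIX_TABLE)
BLACKLIST = [ipaddress.ip_network("203.0.113.0/24")]   # stands in for bogons / DROP

RESULTS = [   # constructed probe results, one per ORDNS
    ProbeResult("r1", CONTROL_EXPECTED, None, ["192.0.32.10"]),
    ProbeResult("r2", CONTROL_EXPECTED, None, ["10.0.0.53"]),
    ProbeResult("r3", CONTROL_EXPECTED, "198.51.100.99", ["192.0.32.10", "198.51.100.99"]),
    ProbeResult("r4", CONTROL_EXPECTED, None, ["203.0.113.77"]),
    ProbeResult("r5", CONTROL_EXPECTED, None, ["198.18.0.1"]),
]


def run(results=RESULTS):
    return {r.ordns: classify(r, WHITELIST, BLACKLIST)[0] for r in results}


if __name__ == "__main__":
    for r in RESULTS:
        print(r.ordns, *classify(r, WHITELIST, BLACKLIST))
```

The control-zone probes are what make L1 and L2 cheap to separate from L3: a resolver that answers a random label under a zone you own is rewriting NXDOMAIN, whatever it says about the target, so its target answers never reach the blacklist check.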
Detection flow in Anax - The 2-Class Classifier
(The detection-flow diagram again; this slide concerns the Anax 2-Class Classifier stage, which receives the L[4] Unknown RRs from the CIDR Analysis Module and either raises a Poisoning Alert or stops.)
2-Class Classifier
Key goal: try to model known benign vectors
Access the SIE passive DNS feed so we can compute the following statistical feature vector (6 dimensions):
Domain name diversity
{2,3}LD diversity
CDN occurrence
Domain of interest participation (e.g., google.com)
Special domain of interest participation (e.g., google)
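The six-dimensional feature vector and an IBk-style (k-nearest-neighbour) 2-class decision, as an added example that is not Anax's code: the feature definitions are my reading of the slide's list (2LD and 3LD diversity counted separately to make six dimensions), and the CDN zone list, the passive DNS records and the hand-labelled training vectors are all constructed.

```python
"""Feature vector and k-nearest-neighbour labelling for one Anax RR (domain -> IP)
from passive DNS. Added example, not Anax's code: feature definitions are an
interpretation of the slide; CDN list, pDNS records and training set are constructed."""
import math
from collections import Counter
from typing import Iterable, List, Tuple

CDN_ZONES = ("akamaiedge.net", "akamai.net", "cloudfront.net", "llnwd.net")  # constructed


def suffix(name: str, n: int) -> str:
    """Last n labels of a name: suffix("www.google.com", 2) == "google.com"."""
    return ".".join(name.lower().rstrip(".").split(".")[-n:])


def feature_vector(domain: str, ip: str, pdns: Iterable[Tuple[str, str]]):
    """Six features for the RR (domain, ip) from (qname, rdata) pDNS records:
    FQDN diversity, 2LD diversity, 3LD diversity, CDN occurrence,
    domain-of-interest participation (e.g. google.com) and
    special-domain participation (the label 'google' anywhere in a name)."""
    names = {q.lower().rstrip(".") for q, rdata in pdns if rdata == ip}
    two_ld = suffix(domain, 2)
    brand = two_ld.split(".")[0]
    cdn = sum(1 for n in names if any(n == z or n.endswith("." + z) for z in CDN_ZONES))
    return (
        len(names),
        len({suffix(n, 2) for n in names}),
        len({suffix(n, 3) for n in names}),
        cdn / len(names) if names else 0.0,
        1.0 if any(n == two_ld or n.endswith("." + two_ld) for n in names) else 0.0,
        1.0 if any(brand in n.split(".") for n in names) else 0.0,
    )


def knn_classify(vec, training: List[Tuple[tuple, str]], k: int = 3) -> str:
    """IBk-style: min-max scale on the training set, Euclidean distance,
    majority vote among the k nearest training vectors."""
    dims = len(vec)
    lo = [min(v[d] for v, _ in training) for d in range(dims)]
    hi = [max(v[d] for v, _ in training) for d in range(dims)]

    def scale(v):
        return [(v[d] - lo[d]) / (hi[d] - lo[d]) if hi[d] > lo[d] else 0.0
                for d in range(dims)]

    sv = scale(vec)
    nearest = sorted((math.dist(sv, scale(v)), label) for v, label in training)[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


# Constructed passive DNS feed: (qname, A rdata).
PDNS = [
    ("www.google.com", "198.51.100.20"), ("mail.google.com", "198.51.100.20"),
    ("google.co.uk", "198.51.100.20"), ("ghs.google.com", "198.51.100.20"),
    ("e1234.a.akamaiedge.net", "198.51.100.30"), ("www.bestbuy.com", "198.51.100.30"),
    ("cheap-pills.example", "203.0.113.9"), ("login-update.example", "203.0.113.9"),
]

# Constructed hand-labelled training vectors, same feature order as above.
TRAINING = [
    ((4, 2, 4, 0.0, 1.0, 1.0), "benign"),
    ((9, 3, 9, 0.0, 1.0, 1.0), "benign"),
    ((30, 5, 28, 0.2, 1.0, 1.0), "benign"),
    ((120, 40, 110, 0.6, 1.0, 1.0), "benign"),   # busy CDN edge
    ((1, 1, 1, 0.0, 0.0, 0.0), "poison"),
    ((2, 2, 2, 0.0, 0.0, 0.0), "poison"),
    ((15, 12, 14, 0.0, 0.0, 0.0), "poison"),     # shared hosting, unrelated names only
]


def label_rr(domain: str, ip: str, pdns=PDNS, training=TRAINING) -> str:
    return knn_classify(feature_vector(domain, ip, pdns), training)


if __name__ == "__main__":
    for d, ip in (("google.com", "198.51.100.20"), ("google.com", "203.0.113.9")):
        print(d, ip, feature_vector(d, ip, PDNS), label_rr(d, ip))
```

The two participation features carry most of the signal: an IP that passive DNS has never seen serving the domain of interest, or any name carrying its brand label, sits far from every benign training point whatever its diversity counts.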
Experimental Setup
Data collection for 8 months based on the scanning protocol
First two months (01/2009 and 02/2009): training dataset
Six months (03/2009 - 08/2009): testing dataset
Hand verification of 1264 RRs (319 poisonous)
Evaluation of the Anax classifier in two modes: standalone and in-line with the CIDR module
After model selection we used IBk (Weka's k-nearest-neighbour learner) as the 2-class Anax classifier
ROC for Poisoning Detection in Anax
FP%= 0.6% and TP%= 91.9%
Figure: ROC curve (true positive rate 0.8 to 1 vs. false positive rate 0 to 0.2) for Poison [with CIDR Module] and Poison [without CIDR Module], and precision (0.4 to 1) vs. classifier threshold (0 to 0.6).
The FP rate and TP rate are not packet rates but RR rates. eBay had 137 unique RRs in 8 months; during that period less than one RR would be misclassified by Anax.
Poisoning anecdotes: NS RRs observed in ORDNS caches
Domain Name           NS                                  Date
amazon.com            hu-bud02a-dhcp09-main.chello.hu     2009-07-26 07:39:05
amazon.com            ns1.m1be.com                        2009-03-19 10:36:58
americanexpress.com   c.exam-ple.com                      2009-03-20 14:15:44
americanexpress.com   d.exam-ple.com                      2009-05-05 20:30:47
bankofamerica.com     209.59.194.246                      2009-06-18 00:44:10
bankofamerica.com     209.59.195.246                      2009-06-18 00:44:10
capitalone.com        ns2.ram-host.com                    2009-08-06 14:08:51
att.com               ns.kins.co.kr                       2009-02-21 17:02:03
Poisoning anecdotes: A RRs observed in ORDNS caches
Domain Name           IPs               Owner
yahoo.com             209.130.36.159    NTT-COMMUNICATIONS
amazon.com            216.52.102.86     INTERNAP-2BLK
ebay.com              65.254.254.51     BIZLAND-SD
americanexpress.com   189.38.88.129     CYBERWEB NETWORKS
google.com            85.10.198.253     HETZNER-AS
visa.com              61.207.9.4        OCN NTT
microsoft.com         205.178.145.65    Network Solutions
google.com            65.98.8.192       FORTRESSITX
Conclusions
DNS poisoning is a successful attack vector. Ignoring it will not make it go away. Poisoning cases “in the wild” call for faster deployment of DNSSEC
Anax provides “poison ex machina” using probes of ORDNS caches, placing you “on path” with the ORDNS
IP/DNS RRset reputation holds a stronger signal than RTTs. RTT might be more useful in “cloud-based poisoning” detection
Alternative uses of Anax: mass scanning (Conficker, Win-SPR patch deployment, “Internet/DNS CDC”)
Thank you for your time!