A Centralized Monitoring Infrastructure For Improving DNS Security (Antonakakis.pdf, slide transcript, 41 pages)

Transcript of “A Centralized Monitoring Infrastructure For Improving DNS Security”

Page 1: Title

Sections: Challenges in DNS poisoning detection · The attack vector · Methodology · Poisoning Detection · Conclusions

A Centralized Monitoring Infrastructure For Improving DNS Security

Manos Antonakakis, David Dagon, Luo “Daniel” Xiapu, Roberto Perdisci, Wenke Lee, Justin Bellmor

Georgia Institute of Technology, Information Security Center
Atlanta, Georgia

RAID, Ottawa, 2010

1 / 41

Page 2: Outline and Credits

Outline
- Challenges in DNS poisoning detection
- Previous work
- Describing the attack vector
- Methodology
- DNS poisoning detection
- Summary

Credits
- Robert Edmonds and Paul Royal for their useful comments
- Chris Lee and the GT-OIT staff for the abuse handling
- SIE@ISC: Paul and Eric, scan point (SJ) and pDNS
- CIRA: Norm and Matthew, scan point in Canada

Page 3: Challenges in DNS poisoning detection

- DNS poisoning is a successful attack vector (thanks Dan!)
- Detection requires being “on path” with the recursive resolver and/or observing the DNS cache
- DNS poisoning is hard to observe (sporadic and short) ... or you can observe it at the authority: count patterns of ICMP type 3 / code 3 (port unreachable) and qr/rd ratios
- So, what do we need? Technology that creates its own path to the RDNS, plus sophisticated DNS cache inspection techniques


Page 11: A Monitoring Infrastructure For DNS Security

What “Anax” does: requests, records and analyzes DNS records from a large set of open recursive DNS servers (ORDNS) around the globe, looking for DNS cache abnormalities

Since Anax can detect poisonous RRs in Internet-scale measurements, the system can do the same in a less diverse set of RDNSs, e.g., those in a single organization


Page 13: Some of the previous work ...

- DNS recursive resolution plane: Dagon et al., “Corrupted DNS Resolution Paths”, NDSS 2007
- DNS entropy: Dagon et al., “Increased DNS Forgery Resistance Through 0x20-Bit Encoding”, CCS 2008
- DNS software vulnerabilities: Dagon et al., “Recursive DNS Architectures and Vulnerability Implications”, NDSS 2009

Poisoning prevention
- DNSSEC (RFC 4033 and 4034), DNSCurve
- Perdisci et al., “WSEC DNS: Protecting Recursive DNS Resolvers from Poisoning Attacks”, DSN-DCCS 2009


Page 19: DNS Poisoning - Understanding the attack vector

Page 20: DNS Poisoning - How does DNS work? [diagram]

Page 21: DNS Poisoning - Basic DNS Poisoning

- The recursive resolver requests qname and must wait one RTT period
- Before the answer returns from the authority (SOA), the attacker can flood poisonous answers
- Each spoofed answer attempts another ID field guess
- With a 200 ms RTT, ≈ 13,000 spoofed packets can be sent
- The ID field is 16 bits, or ≈ 65K values
- Besides the ID field, other entropy should be used (source port randomization, 0x20 encoding)
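The race arithmetic behind the slide, as an added example (not the authors' code): how many spoofed answers fit in one RTT, how likely a single race is to hit the resolver's transaction ID, and how much source port randomization and 0x20 encoding shrink that probability. The attacker packet rate of 65,000 packets per second is an assumption chosen so that a 200 ms RTT yields the slide's 13,000 packets; the query name used for the 0x20 count is also an assumption.

```python
"""Spoofing-race arithmetic for the blind DNS poisoning attack on page 21.
Added example, not the authors' code.  The attacker rate (65,000 pps) is an
assumption that reproduces the slide's 13,000-packets-in-200-ms figure."""
from typing import Dict


def packets_per_race(rtt_seconds: float, attacker_pps: float) -> int:
    """Spoofed answers the attacker can inject while the resolver waits one RTT."""
    return int(rtt_seconds * attacker_pps)


def entropy_space(txid_bits: int = 16, port_bits: int = 0, name_bits: int = 0) -> int:
    """Number of distinct (transaction ID, source port, 0x20 case pattern) values a
    forged answer has to match.  The 16-bit ID alone gives 65,536 values."""
    return 1 << (txid_bits + port_bits + name_bits)


def name_entropy_bits(qname: str) -> int:
    """0x20 encoding: each alphabetic character of the query name is randomly
    upper- or lower-cased, so every letter adds one bit the forger must guess."""
    return sum(1 for ch in qname if ch.isalpha())


def race_success_probability(packets: int, space: int) -> float:
    """Chance one race succeeds when the attacker sends `packets` distinct guesses
    against `space` equally likely values (capped at 1 once the space is covered)."""
    return min(packets / space, 1.0)


def expected_races(p_race: float) -> float:
    """Mean number of races until the first success (geometric distribution).  In
    the Kaminsky variant every race asks for a fresh random subdomain, so the
    attacker never has to wait for a cached record's TTL between races."""
    return float("inf") if p_race == 0 else 1.0 / p_race


def cumulative_success(p_race: float, races: int) -> float:
    """Probability of at least one success within `races` independent races."""
    return 1.0 - (1.0 - p_race) ** races


def compare_defenses(rtt_seconds: float = 0.2, attacker_pps: float = 65_000,
                     qname: str = "www.example.com") -> Dict[str, float]:
    """Per-race success probability for the entropy configurations the slide
    contrasts: ID only, ID + source port randomization (SPR), ID + SPR + 0x20."""
    packets = packets_per_race(rtt_seconds, attacker_pps)
    configs = {
        "txid only (16 bits)": entropy_space(16),
        "txid + SPR (32 bits)": entropy_space(16, 16),
        "txid + SPR + 0x20": entropy_space(16, 16, name_entropy_bits(qname)),
    }
    return {name: race_success_probability(packets, space) for name, space in configs.items()}


if __name__ == "__main__":
    for name, p in compare_defenses().items():
        print(f"{name:24s} p(race) = {p:.3g}   expected races = {expected_races(p):,.0f}")
```

With the slide's numbers the ID-only race succeeds about one time in five, so a handful of Kaminsky-style races suffices; adding 16 bits of source port pushes the expected number of races past three hundred thousand, and 0x20 adds one more bit per letter of the name on top of that.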

Page 22: DNS Poisoning - Kaminsky Class of DNS Poisoning [diagram]

Page 23: Methodology

Subsections: ORDNS Network and Geographic Location · RR Discovery Trends

Page 24: The Big Picture

[Architecture diagram of the Anax Poisoning Detection System; components as labeled on the slide, with data-flow steps numbered [1] through [6]]
- DNS Scanning Points [1]
- DNS Scanning Engine
- Raw DNS Data Collector
- Anax Data Preparation Engine
- Anax Poisoning Detection Engine
- Anax DB
- OFF-LINE Mode (Training) and ON-LINE Mode
- Poisoning Alert [6]

Page 25: Scanning Protocol

[Sequence diagram] Anax's DNS Scanning Point → Open Recursive DNS → ANS for example.com
  A? example.com                   A? example.com
  example.com IN A 192.0.32.10     example.com IN A 192.0.32.10

Probing protocol (per ORDNS):
  1x A? control_case.com
  1x A? <rand>.control_case.com
  2x A? example.com
  1x A? <rand>.example.com
  3x {NS, MX, AAAA}? example.com

The IPs will be used by the Anax detection system, the remaining RDATA for manual labeling and temporal measurements

Page 26: Scanning Engine and Data Collection

Scan engine
- Open recursive DNS server selection (300,000)
- Domain name lists (131 unique 2LDs based on top Alexa zones)
- Constant eight-month ORDNS (rotating) probing from two scanning points
- 2+6 total queries per ORDNS (2 for the control domain, 6 for the probed domain)

What we collect in the “Raw Data Collector”
- RDNS-DATE-DN | DN-IP mappings from all recorded RRs
- RDNS-DATE-DN | DN-RDATA mappings from all recorded RRs


Page 28: ORDNS Selection

CC   #ORDNS   #ASs   #CIDRs
US   116213   3785   14340
CN    34778     90    2574
JP    20147    329    1760
NL    17651    172     483
FR    16261    164     482
KR    14822    326    1316
IT    12824    204     569
GB     9587    414     952
DE     9441    408     818
SE     9119    113     355

A summary of the diverse scanning targets. The table shows the top 10 countries in ORDNS participation through our scanning list, as well as the network diversity of the ORDNSs (per country code) down to AS and CIDR granularity.

Page 29: New RRs During Scanning (agile/CDN enabled zones)

[Figure, two panels. Left: CDF (0.8 to 1) of new RR discovery versus days (0 to 100) for bestbuy.com, amazon.com, blogger.com and ebay.com. Right: RR volume (0 to 100) versus days (0 to 250).]

Page 30: New RRs During Scanning (less diverse zones)

[Figure, two panels. Left: CDF (0.8 to 1) of new RR discovery versus days (0 to 80) for capitalone.com, chase.com, citibank.com and fedex.com. Right: RR volume (0 to 80) versus days (0 to 250).]

Page 31: DNS Poisoning Detection

Subsections: DNS Poison Detection Modules · Detection Results · Poisoning Anecdotes?

Page 32: Detection Flow in Anax - CIDR Analysis Module

[Flow diagram] RR(s) → DB Check against the Anax DB
  Already in the Anax DB → Poisoning? → No: labels L[0,1,2]  /  Yes: Poisoning Alert
  Not in the Anax DB → CIDR Analysis Module → Poisoning? → Yes: L[3], Poisoning Alert  /  No: L[4] Unknown → Anax 2-Class Classifier → Poisoning Alert if it says yes

Page 33: CIDR Analysis Module

CIDR white list (L0)
- Probe ORDNSs from major ISPs in the US
- Hand-verify the RRsets and IPs from the answers
- White-list the minimum CIDR for any legitimate IP

Mis-configurations (L1), NX-RW (L2), DNS-proxy (L2)
- Probe from a domain name we control
- Any ORDNS giving back wrong answers is marked as:
  - Mis-configuration iff the IP is in RFC 1918 or RFC 3330 space
  - DNS-proxy iff fpdns denotes that (i.e., Vermicelli totd, TinyDNS, etc.)
  - NX-domain rewriting iff it provides answers for non-existent domains

Poisoning: IP in blacklists or manual verification (L3)
- The Team Cymru bogons (do-not-route) list
- Spamhaus DROP (drop.lasso) or PBL list
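A labeling pass that follows the module above, run over answers shaped like the page-25 probing protocol, as an added example (not the Anax code). The white list, the blacklist standing in for the Team Cymru bogon and Spamhaus DROP lists, the expected answer for the controlled domain, the `fpdns_proxy` flag standing in for an fpdns fingerprint, and every probe answer are constructed and use documentation address space.

```python
"""Added example (not the Anax code): CIDR Analysis Module labeling from page 33
over probe answers shaped like the page-25 protocol.  Labels: L0 white-listed,
L1 mis-configuration, L2 NX-domain rewriting / DNS proxy, L3 poisoning
(blacklisted IP), L4 unknown (handed on to the 2-class classifier).  All lists
and probe answers below are constructed; `fpdns_proxy` stands in for fpdns."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPNet = ipaddress.IPv4Network

# RFC 1918 private space plus a subset of the RFC 3330 special-use blocks.
MISCONFIG_SPACE: List[IPNet] = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",          # RFC 1918
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",             # RFC 3330
    "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]
# L0: hand-verified answers, white-listed at the smallest covering CIDR (constructed).
WHITELIST: List[IPNet] = [ipaddress.ip_network("192.0.32.0/24")]
# L3: constructed stand-in for the bogon / DROP prefixes.
BLACKLIST: List[IPNet] = [ipaddress.ip_network("198.51.100.0/24")]

CONTROL_DOMAIN = "control_case.com"     # domain the scanner controls (page 25)
CONTROL_EXPECTED = "203.0.113.10"       # its only legitimate A record (constructed)


@dataclass(frozen=True)
class ProbeResult:
    """What one ORDNS answered to the page-25 probes."""
    ordns: str
    control_ip: Optional[str]       # A? control_case.com; None = no answer
    control_rand_ip: Optional[str]  # A? <rand>.control_case.com; must be NXDOMAIN (None)
    target_name: str                # e.g. example.com
    target_ip: str                  # A? example.com as the ORDNS cache returned it
    fpdns_proxy: bool = False       # fpdns fingerprinted a proxy (Vermicelli totd, TinyDNS, ...)


def in_any(ip: str, nets: List[IPNet]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def label(probe: ProbeResult) -> str:
    """CIDR-module label for one probe.  Sanity checks against the controlled
    domain come first; only then is the target RR judged by its IP.  A wrong
    control answer that matches none of the L1/L2 rules falls through."""
    wrong_control = probe.control_ip != CONTROL_EXPECTED
    if wrong_control and probe.control_ip is not None and in_any(probe.control_ip, MISCONFIG_SPACE):
        return "L1-misconfiguration"
    if wrong_control and probe.fpdns_proxy:
        return "L2-dns-proxy"
    if probe.control_rand_ip is not None:        # answered a name that does not exist
        return "L2-nxdomain-rewrite"
    if in_any(probe.target_ip, WHITELIST):
        return "L0-whitelisted"
    if in_any(probe.target_ip, BLACKLIST):
        return "L3-poisoning"
    return "L4-unknown"


def run(probes: List[ProbeResult]) -> Dict[str, str]:
    """Label every probe; L3 would raise a Poisoning Alert, L4 goes to the classifier."""
    return {p.ordns: label(p) for p in probes}


# Constructed probe answers, one per situation the slide lists.
SAMPLE_PROBES = [
    ProbeResult("ordns-a", CONTROL_EXPECTED, None, "example.com", "192.0.32.10"),
    ProbeResult("ordns-b", "10.0.0.53", None, "example.com", "192.0.32.10"),
    ProbeResult("ordns-c", "203.0.113.99", None, "example.com", "192.0.32.10", fpdns_proxy=True),
    ProbeResult("ordns-d", CONTROL_EXPECTED, "203.0.113.200", "example.com", "192.0.32.10"),
    ProbeResult("ordns-e", CONTROL_EXPECTED, None, "example.com", "198.51.100.7"),
    ProbeResult("ordns-f", CONTROL_EXPECTED, None, "example.com", "192.0.78.24"),
]

if __name__ == "__main__":
    for ordns, lab in run(SAMPLE_PROBES).items():
        print(f"{ordns}: {lab}")
```

The ordering matters: the control-domain checks classify the resolver itself (broken, proxying, or rewriting NXDOMAIN) before any verdict is reached on the cached RR, which is why a mis-configured ORDNS never produces a poisoning alert for an unrelated zone.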

Page 34: Detection flow in Anax - The 2-Class Classifier

[Same flow diagram as on page 32; this slide highlights the classifier path: RRs the CIDR Analysis Module leaves as L[4] Unknown go to the Anax 2-Class Classifier, whose Poisoning? decision raises the Poisoning Alert]

Page 35: 2-Class Classifier

Key goal: try to model known benign vectors
Access the SIE passive DNS feed so we can compute the following statistical feature vector (6 dimensions):
- Domain name diversity
- 2LD diversity
- 3LD diversity
- CDN occurrence
- Domain of interest participation (i.e., google.com)
- Special domain of interest participation (i.e., google)
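One way to turn that list into a vector and a decision, as an added example (not the Anax code): six features computed for the IP of a suspect RR from passive-DNS history, and a k-nearest-neighbour vote of the kind the IBk learner named on page 36 performs. The feature definitions are this example's reading of the slide's list, the CDN 2LD set is a constructed subset, and the passive-DNS rows and training labels are constructed on documentation addresses.

```python
"""Added example (not the Anax code): a 6-dimension feature vector for the IP of
an RR from passive-DNS history, plus a k-nearest-neighbour 2-class decision in
the spirit of IBk (page 36).  Feature definitions are this example's reading of
the page-35 list; pDNS rows, CDN list and training labels are constructed."""
import math
from collections import Counter
from typing import Iterable, List, Sequence, Tuple

PdnsRow = Tuple[str, str]       # (domain name, IP) observed in passive DNS
Features = Tuple[float, ...]

CDN_2LDS = {"akamai.net", "akamaiedge.net", "cloudfront.net", "llnwd.net"}  # constructed subset


def labels_of(name: str) -> List[str]:
    return name.rstrip(".").lower().split(".")


def nld(name: str, n: int) -> str:
    """Last n labels of a name (the whole name if it has fewer)."""
    return ".".join(labels_of(name)[-n:])


def features(ip: str, pdns: Iterable[PdnsRow], domain_of_interest: str) -> Features:
    """Six features for `ip`:
    0 domain-name diversity  log(1 + #distinct names seen on the IP)
    1 2LD diversity          log(1 + #distinct second-level domains)
    2 3LD diversity          log(1 + #distinct third-level domains)
    3 CDN occurrence         1 if any 2LD belongs to a known CDN
    4 DOI participation      1 if the domain of interest's 2LD (google.com) was seen
    5 special DOI participation  1 if its brand label (google) occurs in any label"""
    names = {n for n, a in pdns if a == ip}
    two = {nld(n, 2) for n in names}
    three = {nld(n, 3) for n in names}
    doi_2ld = nld(domain_of_interest, 2)
    brand = labels_of(doi_2ld)[0]
    return (
        math.log1p(len(names)),
        math.log1p(len(two)),
        math.log1p(len(three)),
        float(any(t in CDN_2LDS for t in two)),
        float(doi_2ld in two),
        float(any(brand in lab for n in names for lab in labels_of(n))),
    )


def knn_predict(train: Sequence[Tuple[Features, str]], x: Features, k: int = 3) -> str:
    """Majority vote among the k training vectors closest (Euclidean) to x."""
    ranked = sorted(train, key=lambda fx: math.dist(fx[0], x))
    return Counter(lab for _, lab in ranked[:k]).most_common(1)[0][0]


# Constructed passive-DNS history (name, IP).
PDNS: List[PdnsRow] = [
    ("www.google.com", "192.0.2.10"), ("mail.google.com", "192.0.2.10"), ("google.com", "192.0.2.10"),
    ("google.de", "192.0.2.10"), ("www.google.fr", "192.0.2.10"),                  # brand's own servers
    ("a1.akamai.net", "192.0.2.11"), ("e1.akamaiedge.net", "192.0.2.11"), ("www.google.com", "192.0.2.11"),
    ("google.com", "192.0.2.12"), ("www.google.com", "192.0.2.12"),
    ("login.example.net", "198.51.100.20"), ("www.example.org", "198.51.100.20"),  # hosting IPs that
    ("shop.example.net", "198.51.100.20"), ("promo.example.org", "198.51.100.20"),  # never served the brand
    ("example.test", "198.51.100.20"), ("example.org", "198.51.100.21"),
    ("www.example.net", "198.51.100.22"), ("example.net", "198.51.100.22"), ("ftp.example.net", "198.51.100.22"),
    ("www.example.org", "198.51.100.30"), ("mail.example.net", "198.51.100.30"),    # IPs under test
    ("www.google.com", "192.0.2.13"), ("google.com", "192.0.2.13"), ("apis.google.com", "192.0.2.13"),
    ("google.fr", "192.0.2.13"),
]
TRAINING = [("192.0.2.10", "benign"), ("192.0.2.11", "benign"), ("192.0.2.12", "benign"),
            ("198.51.100.20", "poison"), ("198.51.100.21", "poison"), ("198.51.100.22", "poison")]


def classify_rr(qname: str, ip: str, pdns: Sequence[PdnsRow] = PDNS,
                training=TRAINING, k: int = 3) -> str:
    """Label the RR `qname -> ip` by comparing the IP's pDNS profile with labeled IPs."""
    train = [(features(tip, pdns, qname), lab) for tip, lab in training]
    return knn_predict(train, features(ip, pdns, qname), k)


if __name__ == "__main__":
    for ip in ("198.51.100.30", "192.0.2.13"):
        print(f"google.com -> {ip}: {classify_rr('google.com', ip)}")
```

The counts are log-scaled so that one IP fronting hundreds of CDN customers does not swamp the boolean features; in the constructed data the IP that has never carried any google name sits far from every benign vector on features 4 and 5 and is voted poisonous.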

Page 36: Experimental Setup

- Data collection for 8 months based on the scanning protocol
- First two months (01/2009 and 02/2009): training dataset
- Six months (03/2009 - 08/2009): testing dataset
- Hand verification of 1264 RRs (319 poisonous)
- Evaluation of the Anax classifier in two modes: standalone and in-line with the CIDR module
- After model selection we used IBk (Weka's k-nearest-neighbour learner) as the 2-class Anax classifier

Page 37: ROC for Poisoning Detection in Anax

FP% = 0.6% and TP% = 91.9%

[Figure, two panels. Left: ROC curve, True Positive Rate (0.8 to 1) versus False Positive Rate (0 to 0.2), for Poison [with CIDR Module] and Poison [without CIDR Module]. Right: Precision (0.4 to 1) versus classifier Threshold (0 to 0.6).]

The FP rate and TP rate are not packet rates but RR rates. eBay had 137 unique RRs in 8 months; at a 0.6% FP rate less than one RR (137 × 0.006 ≈ 0.8) would be misclassified by Anax during that period.

Page 38: Poisoning anecdotes (NS records)

Domain Name           NS                                Date
amazon.com            hu-bud02a-dhcp09-main.chello.hu   2009-07-26 07:39:05
amazon.com            ns1.m1be.com                      2009-03-19 10:36:58
americanexpress.com   c.exam-ple.com                    2009-03-20 14:15:44
americanexpress.com   d.exam-ple.com                    2009-05-05 20:30:47
bankofamerica.com     209.59.194.246                    2009-06-18 00:44:10
bankofamerica.com     209.59.195.246                    2009-06-18 00:44:10
capitalone.com        ns2.ram-host.com                  2009-08-06 14:08:51
att.com               ns.kins.co.kr                     2009-02-21 17:02:03

Page 39: Poisoning anecdotes (A records)

Domain Name           IPs              Owner
yahoo.com             209.130.36.159   NTT-COMMUNICATIONS
amazon.com            216.52.102.86    INTERNAP-2BLK
ebay.com              65.254.254.51    BIZLAND-SD
americanexpress.com   189.38.88.129    CYBERWEB NETWORKS
google.com            85.10.198.253    HETZNER-AS
visa.com              61.207.9.4       OCN NTT
microsoft.com         205.178.145.65   Network Solutions
google.com            65.98.8.192      FORTRESSITX

Page 40: Conclusions

- DNS poisoning is a successful attack vector. Ignoring it will not make it go away. Poisoning cases “in the wild” call for faster deployment of DNSSEC
- Anax provides “poison ex machina” using probes of ORDNS caches, placing you “on path” with the ORDNS
- IP/DNS RRset reputation holds a stronger signal than RTTs. RTT might be more useful in “cloud-based poisoning” detection
- Alternative uses of Anax: mass scanning (Conficker, Windows source port randomization (Win-SPR) patch deployment, “Internet/DNS CDC”)

Page 41: Thank you for your time!