Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority

Reporter: Jing ChiuAdviser: Yuh-Jye Lee

112/04/211 Data Mining & Machine Learning Lab

Reference Corrupted DNS Resolution Paths: The

Rise of a Malicious Resolution Authority Authors:

David Dagon, Niels Provos, Christopher P. Lee, and Wenke Lee.

Conference: Network and Distributed Security Symposium (NDSS )2008.

112/04/212 Data Mining & Machine Learning Lab

Outline Introduction Methodology Analysis Conclusion

112/04/213 Data Mining & Machine Learning Lab

Introduction DNS resolution path corruption Rogue DNS service

112/04/214 Data Mining & Machine Learning Lab

Methodology Organizing IPv4 into a series of classful addresses

Using bogons list published by Team Cymru Exclude U.S. Military and U.S. government

Design Query Pattern Blowfish(IP).parentzone.example.com

Select 600,000 resolvers 200,000 uniformly randomly from all resolvers 200,000 from resolvers overlapped with contacting

Google 200,000 from IP addresses known infected by Storm

bot Ask these resolvers to resolve 84 different

domains during 4 days112/04/215 Data Mining & Machine Learning Lab

Methodology (cont.)

112/04/216 Data Mining & Machine Learning Lab

Analysis Open resolvers found

10.4 million – late August 2007 10.5 million – early September 2007 Union of two sets: 17,365,759 634,941 – January 2006

112/04/217 Data Mining & Machine Learning Lab

Analysis (cont)

112/04/218 Data Mining & Machine Learning Lab

Analysis (cont.)

112/04/219 Data Mining & Machine Learning Lab

Analysis

112/04/2110 Data Mining & Machine Learning Lab

Conclusion DNSSEC

DNS with authority Blocking

Block the remote DNS traffic Recovery

After blocking or take down the Rogue DNS?

112/04/21Data Mining & Machine Learning Lab11

Thanks for attension Questions?

112/04/2112 Data Mining & Machine Learning Lab