DNS as a Gatekeeper: Creating Lightweight Capabilities for Server Defense

Curtis Taylor, taylorcr@ornl.gov
Craig Shue, cshue@ornl.gov

Outline

• Automated Attacking
• Costs to Organizations
• Some Observations
• Our Approach
  – Lightweight Capabilities
  – Fast Flux Defense
• Future Directions

Automated Attacking

• Attackers use others in attacks
  – Compromised machines form botnets
• “Attacks” vary in goal, methodology
  – Reconnaissance
  – Footholds
  – Exfiltration
  – Exploitation
• But most attacks are automated
  – Success rates may be low, but they make up for it in volume

Example Attacks

• SQL Injection
• Harvesting email addresses for spam
• Phishing
  – The use of deception in electronic communication to obtain unauthorized access
  – A symptom of system and network security improvements

Organization Costs

• Decreased credibility
• Information exposure
• Financial consequences
  – Billions lost a year
  – Identity theft
• Business failure
  – Example: HBGary Federal

Some Observations

• Automated clients do not need host names
  – Mnemonic names for human convenience
• Automated clients can skip DNS queries
  – Directly scan IP address space
  – Cache records beyond what is allowed
  – Share with other machines in a botnet
• Humans likely play by the rules
  – Their browsers are standards compliant
  – “Illegal” caching does not really help them

Associating Clients and Resolvers is Non-Trivial

(Diagram: an End User System inside an ISP Network, an ISP DNS Resolver, the ORNL DNS Server and the ORNL Web Server, with arrows labelled DNS Query, DNS Reply and Web Query. The DNS query reaching ORNL comes from the ISP resolver, while the web query comes from the end user system.)

What does this motivate?

• Some attackers are clearly skipping DNS, but a few still use it
• Good users are unlikely to skip DNS steps
• Can we use this knowledge to protect servers?
  – Make DNS a gatekeeper to the network
  – Failures to use DNS prevent access
• But it still looks successful
  – Let network providers know there is something awry with malicious clients
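The gatekeeper logic behind these bullets, as an added example that is not the authors' code or the ORNL prototype: a DNS query for the protected name grants the querying address a short-lived capability bounded by the record TTL; a web request is admitted to the real server only while a live capability exists, and otherwise is steered to a honeypot (so the attempt still "looks successful") and the address is flagged for the network provider. The host name, addresses and event trace are constructed, and the example assumes the address that sent the DNS query is the address that later connects, which the talk itself notes is non-trivial when clients sit behind a shared ISP resolver.

```python
"""Simulation of DNS-as-a-gatekeeper admission control (added example).

Assumption: the DNS querier address equals the later web client address
(e.g. a local stub resolver), which the talk notes does not hold behind
a shared ISP resolver.
"""
from dataclasses import dataclass, field

PROTECTED_NAME = "www.example.org"   # constructed name, not from the talk
RECORD_TTL = 30                      # seconds; a short TTL bounds the capability


@dataclass
class Gatekeeper:
    ttl: int = RECORD_TTL
    # client address -> time at which its capability expires
    capabilities: dict = field(default_factory=dict)
    # client address -> reasons it was reported to the network provider
    flagged: dict = field(default_factory=dict)

    def on_dns_query(self, client_ip, qname, now):
        """Seen on the DNS path (libpcap in the talk): issue a capability."""
        if qname != PROTECTED_NAME:
            return False
        self.capabilities[client_ip] = now + self.ttl
        return True

    def on_web_request(self, client_ip, now):
        """Decide where a connection to the web port is routed."""
        expiry = self.capabilities.get(client_ip)
        if expiry is None:
            # no DNS step at all: direct IP scan or shared botnet record
            self._flag(client_ip, "no DNS lookup before connecting")
            return "honeypot"
        if now > expiry:
            # record reused past its TTL: the "illegal caching" case
            self._flag(client_ip, "reused record beyond TTL")
            del self.capabilities[client_ip]
            return "honeypot"
        return "real"

    def _flag(self, client_ip, reason):
        self.flagged.setdefault(client_ip, []).append(reason)


def simulate(events, ttl=RECORD_TTL):
    """Replay a time-ordered trace; return routing decisions and flags."""
    gk = Gatekeeper(ttl=ttl)
    decisions = []
    for ev in events:
        if ev[0] == "dns":
            _, t, ip, name = ev
            gk.on_dns_query(ip, name, t)
        else:
            _, t, ip = ev
            decisions.append((t, ip, gk.on_web_request(ip, t)))
    return decisions, gk.flagged


# Constructed trace: (kind, time_seconds, client_ip[, queried_name])
EVENTS = [
    ("dns", 0, "198.51.100.10", "www.example.org"),
    ("web", 1, "198.51.100.10"),    # looked up, then connected -> real server
    ("web", 2, "203.0.113.7"),      # never resolved the name -> honeypot
    ("dns", 5, "203.0.113.8", "www.example.org"),
    ("web", 20, "198.51.100.10"),   # still inside the TTL -> real server
    ("web", 50, "203.0.113.8"),     # 45 s after a 30 s TTL -> honeypot
]

if __name__ == "__main__":
    decisions, flagged = simulate(EVENTS)
    for t, ip, where in decisions:
        print(f"t={t:>3}s {ip:<15} -> {where}")
    for ip, reasons in flagged.items():
        print(f"report to provider: {ip}: {', '.join(reasons)}")
```

The capability is keyed on the querying address, so the slide-7 problem shows up directly: behind a shared resolver the capability would be granted to the resolver, not the end user, and the web request from the end user would be misrouted to the honeypot. Any deployment has to solve that association before the TTL-bounded rule is safe to enforce.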

Fast Flux Defense

(Diagram, shown on two slides: an End User System, an ISP DNS Resolver, the DNS Server, the Real Web Server and six Honey Pot Web Servers, with arrows labelled DNS Query, DNS Reply and Web Query; the second slide repeats the diagram showing only the Web Query step.)

Future Directions

• We are ready to test
  – Works with BIND9, Linux’s iptables, and uses libpcap to intercept DNS requests
• Limited deployment on ORNL’s network