Role of DNS in Botnet Command and Control
Page 1
OpenDNS Security Talk
The Role of DNS in Botnet Command & Control (C&C)
Please Watch the Recording via the Link Posted in the Comment Section Below for Context!
Page 2
Topics
• DNS refresher.
Page 3
Domain Name System Refresher
Page 4
How Does It Work?
• Stub clients: the resolver library in any device or application; it sends the whole question to a recursive name server and waits for the answer.
• Recursive name servers: resolve on the stub's behalf by walking the authoritative hierarchy and caching what they learn.
• Authoritative name servers: root → tld → domain.tld, each level holding the records for its own zone and referring the asker one level down.
Page 5
So It's a Protocol? Or a Database? No, It's Both!
• Request protocol: any device, any application sends a QUERY (a domain name) to recursive and authoritative name servers and gets back a RESPONSE (e.g. an IP address).
• Distributed database: RESOURCE RECORDS, e.g. domain name = IP address, spread across the authoritative name servers and cached by the recursive ones.
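To make the walk on these two slides concrete, here is an added, self-contained simulation (not OpenDNS code and not from the deck): a stub asks a recursive resolver, the recursive follows referrals root → tld → domain.tld, caches the answer for its TTL, and enforces a block policy before any authoritative server is contacted. All zone data, names, addresses (documentation ranges) and the blocklist entry are assumptions constructed for the example.

```python
"""Toy DNS lookup: stub -> recursive -> root -> tld -> domain.tld.

Added example for the refresher slides, not OpenDNS code. Every zone, name and
address below is constructed (documentation ranges), as is the blocklist.
"""

# Constructed authoritative data, keyed by server address. Each server answers
# for names it holds and otherwise hands out a referral (next NS name + address)
# for the longest zone suffix it knows about.
AUTH_SERVERS = {
    "198.51.100.1": {   # root: knows only where the tld servers live
        "referrals": {"tld.": ("a.tld-servers.tld.", "198.51.100.2")},
        "answers": {}},
    "198.51.100.2": {   # tld: knows only where domain.tld's servers live
        "referrals": {"domain.tld.": ("ns.domain.tld.", "198.51.100.3")},
        "answers": {}},
    "198.51.100.3": {   # domain.tld: holds the actual records (address, ttl)
        "referrals": {},
        "answers": {"www.domain.tld.": ("203.0.113.7", 300)}},
}
ROOT_IP = "198.51.100.1"


def authoritative_query(server_ip, qname):
    """One authoritative server's reply: ('ANSWER', addr, ttl),
    ('REFERRAL', ns_name, ns_ip) or ('NXDOMAIN', None, None)."""
    srv = AUTH_SERVERS[server_ip]
    if qname in srv["answers"]:
        addr, ttl = srv["answers"][qname]
        return ("ANSWER", addr, ttl)
    labels = qname.split(".")
    for i in range(1, len(labels)):           # longest zone suffix first
        zone = ".".join(labels[i:])
        if zone in srv["referrals"]:
            ns_name, ns_ip = srv["referrals"][zone]
            return ("REFERRAL", ns_name, ns_ip)
    return ("NXDOMAIN", None, None)


class RecursiveResolver:
    """Does the walking and caching on behalf of stubs. It is also the one
    place every client's question passes through, so policy lives here."""

    def __init__(self, blocklist=()):
        self.cache = {}                 # qname -> (addr, expires_at)
        self.blocklist = set(blocklist)
        self.trace = []                 # (who, qname, what) for the last resolve

    def resolve(self, qname, now):
        self.trace = []
        if qname in self.blocklist:     # the name never reaches the authoritatives
            self.trace.append(("policy", qname, "BLOCKED"))
            return None
        if qname in self.cache and self.cache[qname][1] > now:
            self.trace.append(("cache", qname, "HIT"))
            return self.cache[qname][0]
        server = ROOT_IP
        while True:                     # iterate root -> tld -> domain.tld
            kind, data, extra = authoritative_query(server, qname)
            self.trace.append((server, qname, kind))
            if kind == "ANSWER":
                self.cache[qname] = (data, now + extra)
                return data
            if kind == "REFERRAL":
                server = extra
                continue
            return None


def stub_lookup(resolver, qname, now=0):
    """The stub: normalise to a fully qualified name and ask the recursive."""
    return resolver.resolve(qname if qname.endswith(".") else qname + ".", now)


if __name__ == "__main__":
    r = RecursiveResolver(blocklist=["p2p.botnet.com."])
    print(stub_lookup(r, "www.domain.tld"), r.trace)           # full walk
    print(stub_lookup(r, "www.domain.tld", now=100), r.trace)  # served from cache
    print(stub_lookup(r, "p2p.botnet.com"), r.trace)           # blocked at the recursive
```

The trace makes the division of labour visible: the stub never talks to an authoritative server, the recursive does all three hops on the first lookup and none on the second while the TTL lasts, and a blocked name is stopped before any packet leaves the resolver. That choke point is why the rest of the deck treats the recursive layer as the place to see and stop botnet traffic.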
Page 6 (no text captured)
Page 7
Role of DNS in Internet Threats (including Botnet C&C)
Page 8
Data Theft
• C&C channel: IRC, P2P and 100s more.
• Infected device "phones home".
• Hacker collects data via botnet controller or bot peers.
• Without user interaction, confidential data leaked to p2p.botnet.cn.
Page 9
Hackers Add Threat Mobility via DNS to Thwart Reactive Defenses

IP flux via DNS records: same query, different responses. The same name is re-pointed at a different content server over time:
paypalz.com = 1.1.1.1, then 1.1.1.2, then 1.1.1.3
ad.malware.cn = 2.2.2.2, then 2.2.2.3, then 2.2.2.4
p2p.botnet.com = 3.3.3.3, then 3.3.3.4, then 3.3.3.5

Double IP flux via DNS records: same name server, different responses. The zone's own name server is re-pointed as well, so there is no stable address to block even at the NS level:
ns.botnet.com = 4.4.4.4, then 4.4.4.6, then 4.4.4.5

Domain flux via DGA (domain generation algorithm): different queries, same response. Many generated names resolve to the same server, so blocking any one name achieves nothing:
paypals.com, paypalz.com, paypall.com = 1.1.1.1
visitmalta.cn, maltesefalcon.cn, maltwhisky.cn = 2.2.2.2
kjasdfaasdf.com, kjasdfsdfsaa.com, ijiewfsfsjst.com = 3.3.3.3

Must shut down or block all…
• Content servers.
• Name servers.
… via DNS records.
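The three flux patterns on this slide can be picked out of resolver logs or passive DNS data with simple grouping: one name with many short-lived addresses, a name server host that itself moves, and many names landing on one address. The following is an added example, not code from the deck or from OpenDNS; the record format, the thresholds and every name and address are assumptions, and the records are constructed to mirror the slide's figures rather than captured traffic.

```python
"""Flag IP flux, double flux and domain flux in DNS answer records.

Added example for this deck (not OpenDNS code). The record format, the
thresholds and every name/address below are assumptions; the records are
constructed to mirror the slide's figures, they are not captured traffic.
"""
import math
from collections import defaultdict

# Constructed records: (seconds since start, qname, rtype, rdata, ttl).
SAMPLE_RECORDS = [
    # IP flux: same query, different responses, short TTL so caches expire fast
    (0,   "paypalz.com",      "A",  "1.1.1.1",        300),
    (300, "paypalz.com",      "A",  "1.1.1.2",        300),
    (600, "paypalz.com",      "A",  "1.1.1.3",        300),
    (0,   "p2p.botnet.com",   "A",  "3.3.3.3",        180),
    (180, "p2p.botnet.com",   "A",  "3.3.3.4",        180),
    (360, "p2p.botnet.com",   "A",  "3.3.3.5",        180),
    # Double flux: the zone's own name server moves as well
    (0,   "botnet.com",       "NS", "ns.botnet.com",  3600),
    (0,   "ns.botnet.com",    "A",  "4.4.4.4",        300),
    (300, "ns.botnet.com",    "A",  "4.4.4.6",        300),
    (600, "ns.botnet.com",    "A",  "4.4.4.5",        300),
    # Domain flux: different queries (lookalike or generated names), same response
    (0,   "paypals.com",      "A",  "1.1.1.1",        300),
    (0,   "paypall.com",      "A",  "1.1.1.1",        300),
    (0,   "kjasdfaasdf.com",  "A",  "3.3.3.3",        300),
    (60,  "kjasdfsdfsaa.com", "A",  "3.3.3.3",        300),
    (120, "ijiewfsfsjst.com", "A",  "3.3.3.3",        300),
    # Controls: a stable name and a stable name server (addresses are made up)
    (0,     "example.org",    "A",  "203.0.113.10",   86400),
    (43200, "example.org",    "A",  "203.0.113.10",   86400),
    (0,     "example.org",    "NS", "ns.example.org", 86400),
    (0,     "ns.example.org", "A",  "203.0.113.53",   86400),
]

FLUX_MIN_ADDRS = 3     # distinct A answers for one name before we call it flux
FLUX_MAX_TTL = 600     # flux only works with TTLs short enough to re-point often
SAME_ANSWER_MIN = 3    # distinct names landing on one address


def registrable_label(qname):
    """'p2p.botnet.com' -> 'botnet'. Enough for the two-label TLDs used here;
    real code should consult the public suffix list."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def label_entropy(qname):
    """Shannon entropy (bits per character) of the registrable label. Generated
    names tend to score higher than dictionary words, but on labels this short
    it is a weak signal on its own; it is reported as context, not as a verdict."""
    label = registrable_label(qname)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_ip_flux(records):
    """Names whose A answers spanned >= FLUX_MIN_ADDRS addresses with short TTLs."""
    addrs, ttls = defaultdict(set), defaultdict(list)
    for _, qname, rtype, rdata, ttl in records:
        if rtype == "A":
            addrs[qname].add(rdata)
            ttls[qname].append(ttl)
    return {q: sorted(a) for q, a in addrs.items()
            if len(a) >= FLUX_MIN_ADDRS and max(ttls[q]) <= FLUX_MAX_TTL}


def detect_double_flux(records):
    """Double flux: a host named in an NS answer is itself IP-fluxing, so blocking
    the content servers is not enough; the name servers must go too."""
    ns_hosts = {rdata for _, _, rtype, rdata, _ in records if rtype == "NS"}
    fluxing = detect_ip_flux(records)
    return {ns: fluxing[ns] for ns in ns_hosts if ns in fluxing}


def detect_domain_flux(records):
    """Addresses reached by >= SAME_ANSWER_MIN distinct names, with the mean
    label entropy of those names as supporting context."""
    names = defaultdict(set)
    for _, qname, rtype, rdata, _ in records:
        if rtype == "A":
            names[rdata].add(qname)
    out = {}
    for addr, qs in names.items():
        if len(qs) >= SAME_ANSWER_MIN:
            mean_ent = sum(label_entropy(q) for q in qs) / len(qs)
            out[addr] = {"names": sorted(qs), "mean_entropy": round(mean_ent, 2)}
    return out


if __name__ == "__main__":
    print("IP flux:     ", detect_ip_flux(SAMPLE_RECORDS))
    print("Double flux: ", detect_double_flux(SAMPLE_RECORDS))
    print("Domain flux: ", detect_domain_flux(SAMPLE_RECORDS))
```

Treat the output as leads, not verdicts: CDNs and round-robin load balancing also produce one name with several short-TTL addresses, and shared hosting legitimately puts many names on one address. Production detectors add signals the slide's figures cannot show, such as how many ASNs or prefixes the addresses span, how old the domain is, and whether the name servers move too (the double-flux check here), and they tune the thresholds against known-good traffic.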
Page 10
Hackers Distribute Botnet's Architecture via DNS to Thwart Takedown
Page 11
Hackers Distribute Botnet's Architecture via DNS to Thwart Takedown (continued…)
Pages 12-16 (builds 1-5 of one slide)
Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies
An Infected Device within On-Premises Network is Just One Vector
Diagram: infected device → FIREWALL → PROXY → ISP (its recursive resolver) → the attacker's authoritative name server for cnc.tld.

Upstream, the bot encodes its data into the names it asks the resolver to look up, so the bits leave the network inside ordinary-looking queries:
where is 01010.cnc.tld?
where is 00110.cnc.tld?
where is 11010.cnc.tld?

Downstream, the attacker's authoritative server encodes commands into the responses it returns, so the bits come back inside ordinary-looking answers:
11010.cnc.tld is at 11011
11010.cnc.tld is at 11100
11010.cnc.tld is at 01110

The firewall and proxy see only outbound DNS toward the ISP resolver, a flow they normally allow without inspecting the names asked or the answers returned.

DNS TUNNELING
• Bi-directional ~110kbps using TXT records.
• 1998 -- Concept published.
• 2004 -- Security community discussed.
• 2008 -- Security community created exploit.
• 2011 -- 1st documented botnet to exploit it.
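As an added example (not the deck's code, and not any real tunnel tool), the following shows both halves of what the builds above describe: how a bot packs data into the labels of queries for cnc.tld (the zone name from the slide) within the RFC 1035 limits of 63 characters per label and 253 per name, how the attacker's authoritative server reassembles it in order, and how a scorer over a resolver query log separates that traffic from ordinary lookups. The chunking scheme, the sequence-label format, the log format, the thresholds and the payload are all assumptions, and every log entry is constructed.

```python
"""Encode data into DNS query names the way a tunnel does, then flag that
traffic in a resolver query log.

Added example for this deck; it is not OpenDNS code or any real tunnel tool.
The zone cnc.tld comes from the slide. The chunking scheme, the log format, the
thresholds and the payload are assumptions, and every log entry is constructed.
"""
import base64
from collections import defaultdict

MAX_LABEL = 63   # longest label allowed by RFC 1035
MAX_NAME = 253   # longest name in text form
SEQ_LEN = 4      # hex sequence label prefixed to every query (assumed layout)


def encode_upstream(payload, zone, seq_start=0):
    """Bot side: split payload into base32 labels and return the query names to
    send. base32 survives resolvers that case-fold names and uses only
    hostname-safe characters. Layout: <seq>.<data label>[.<data label>...].<zone>"""
    b32 = base64.b32encode(payload).decode().rstrip("=").lower()
    budget = MAX_NAME - len(zone) - 1 - SEQ_LEN - 1     # chars left for data labels
    per_name = (budget // (MAX_LABEL + 1)) * MAX_LABEL   # whole labels that fit
    names = []
    for i in range(0, len(b32), per_name):
        chunk = b32[i:i + per_name]
        labels = [chunk[j:j + MAX_LABEL] for j in range(0, len(chunk), MAX_LABEL)]
        seq = format(seq_start + len(names), f"0{SEQ_LEN}x")
        names.append(".".join([seq, *labels, zone]))
    return names


def decode_upstream(names, zone):
    """Controller side (the authoritative server for zone): strip the zone,
    reorder by sequence label (queries may arrive out of order), undo base32."""
    pieces = []
    for name in names:
        labels = name[:-(len(zone) + 1)].split(".")
        pieces.append((int(labels[0], 16), "".join(labels[1:])))
    b32 = "".join(p for _, p in sorted(pieces)).upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def zone_of(qname, depth=2):
    """'0001.xyz.cnc.tld' -> 'cnc.tld'. Two labels is enough for this sample;
    production code should use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-depth:])


MIN_UNIQUE_NAMES = 10   # a tunnel never reuses a name: a cache hit would lose data
MIN_MEAN_LEN = 40       # ordinary hostnames are far shorter than packed labels


def score_zones(log):
    """Per registrable zone: query count, share of never-repeated names, mean
    name length and share of TXT/NULL queries (the record types that carry the
    most data downstream). 'suspect' is set on the two signals a tunnel can
    least afford to avoid: many unique names and long names."""
    acc = defaultdict(lambda: {"n": 0, "names": set(), "len": 0, "txt": 0})
    for _, qname, qtype in log:
        z = acc[zone_of(qname)]
        z["n"] += 1
        z["names"].add(qname)
        z["len"] += len(qname)
        z["txt"] += qtype in ("TXT", "NULL")
    report = {}
    for zone, z in acc.items():
        uniq = len(z["names"])
        mean_len = z["len"] / z["n"]
        report[zone] = {
            "queries": z["n"],
            "unique_ratio": round(uniq / z["n"], 2),
            "mean_len": round(mean_len, 1),
            "txt_share": round(z["txt"] / z["n"], 2),
            "suspect": uniq >= MIN_UNIQUE_NAMES and mean_len >= MIN_MEAN_LEN,
        }
    return report


# Constructed log: (client, qname, qtype). The tunnel entries are exactly what
# encode_upstream produces for a made-up 2 KB payload; the bot asks for TXT so
# the same exchange can carry commands back down.
PAYLOAD = b"user=alice;host=ws-17;" + bytes(range(256)) * 8
TUNNEL_QUERIES = [("10.0.0.17", n, "TXT") for n in encode_upstream(PAYLOAD, "cnc.tld")]
NORMAL_QUERIES = [("10.0.0.17", n, t) for n, t in
                  [("www.example.org", "A"), ("mail.example.org", "MX"),
                   ("www.example.org", "AAAA")] * 8]
SAMPLE_LOG = NORMAL_QUERIES + TUNNEL_QUERIES


if __name__ == "__main__":
    assert decode_upstream([q for _, q, _ in TUNNEL_QUERIES], "cnc.tld") == PAYLOAD
    for zone, r in score_zones(SAMPLE_LOG).items():
        print(zone, r)
```

Two things to keep in mind when running something like this against real logs. The thresholds here are sized for the sample; some legitimate services (reputation lookups, certain CDNs and anti-spam systems) also generate many unique, long subdomains, so add per-client volume, request rate and the size of TXT/NULL answers before alerting. And the scorer looks at query names only; a tunnel that keeps names short and pushes most data downstream in large TXT answers is caught by answer size, not by this block.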
Page 17
If Hackers Have Evolved, So Should Your Defense-in-Depth Strategy!
After detection, you attempt to prevent 100%. There are a lot of vectors, so a lot of solutions.
After preventing as much as is reasonable, since 100% is no longer realizable, you contain the rest.

PAST
• Hackers seek fame & glory.
• Malware disrupts your business.
• Your highest costs are lost productivity & IT remediation time.

PRESENT & FUTURE
• Cybercriminals seek fortune & politics.
• Botnets penetrate your networks, and roaming & mobile devices enter your networks.
• Your highest costs are leaked data & legal audit fees.
Page 18
Role of DNS in Internet-Wide Security
Page 19 (no text captured)
Page 20
Visualize Threats & Characterize Patterns in Big Data
Page 21
Visualizing One Day's Worth of Blocked Malware, Botnet, or Phishing Domain Requests
Page 22 (no text captured)
Page 23
What's Next for DNS-based Security?
• More domain names to track.
  » Internet still exponentially growing.
  » ICANN received 2000+ applications for new TLDs (Top-Level Domains).
• Bigger and more complex DNS packets.
  » DNS tunneling by botnets.
  » DKIM (DomainKeys Identified Mail), which publishes signing keys in TXT records.
  » AAAA records for IPv6 addresses.
• More DNS traffic.
  » More persistent threats due to DIY (do-it-yourself) kits for cybercriminals.
  » Browsers predictively prefetching DNS lookups.