This domain name will self-destruct tomorrow
An overview of the Dorothy IP reputation system

Transcript

  • 1. This domain name will self-destruct tomorrow
  • 2. Frank Denis, OpenDNS Security Labs, frank@opendns.com, @jedisct1
  • 3. OpenDNS • Open DNS resolvers: 208.67.220.220 & 208.67.222.222 • Can be used to block malware, botnets, phishing. • Security Graph: DNSDB + reputation systems
  • 4. </marketing>
  • 5. Reputation trust level
  • 6. IP reputation: just one of the many features used for classification
  • 7. price(IP) > price(domain) > price(subdomain)
  • 8. l7099.com q8940.com s5416.com u1105.com v9054.com w1130.com w9148.com x1132.com y1149.com z0338.com z2837.com a0257.com f0390.com h9169.com t7149.com penispaldevice.com beautifulwebcamsgirls.com (slide labels: Ransomware, Malvertising)
  • 9. count(items known to be malicious) / (count(full set) + C)
  • 10. Co-occurrence relation between queries
  • 11. Useful to extend existing lists
  • 12. What if we didn’t label anything before?
  • 13. DGA pattern (slide labels: Blackhat SEO, CDNs, Mobile sites; not always malicious):
 dwayoq.gkxvxvtoq.biz 33qd6r.trdtffxya.biz 5vdckg.ohtnaoani.biz bcx5nd.mrelvrobu.biz duf2jj.ohtnaoani.biz jf2mkk.aaefpbrwf.biz ow6vt1.ojdomjbri.biz u49zqt.hslrnwqtr.biz x71goh.ohtnaoani.biz 05w2p4.xjlwqsshk.biz 0lkvfq.wcjlbyikh.biz 163em8.kpoisetkp.biz 1r9a3p.bucbbqswa.biz 2y4hdx.qeqfofqil.biz
 06vjbb.eiclpilgp.biz 3h31h3.ohtnaoani.biz 8i7ugu.eiclpilgp.biz dckc3d.trdtffxya.biz htzcni.eiclpilgp.biz mqihxp.xyevppjpw.biz q1kfvx.eiclpilgp.biz v9lpyh.mrelvrobu.biz ygig8u.trdtffxya.biz 0c7d7i.ljabojeag.biz 0ln3gs.bucbbqswa.biz 1n2rw9.ljabojeag.biz 23b8fw.xjlwqsshk.biz 34uzo7.jhbleynam.biz
 0vq1ol.egivdjpyb.biz 4trmrj.trdtffxya.biz b0tse7.eiclpilgp.biz dlvmsz.eiclpilgp.biz hwsotz.ojdomjbri.biz nfq70m.huiabgkfh.biz qbjp6w.aaefpbrwf.biz wn2xci.mpnlnwnbd.biz 01lt9k.ljabojeag.biz 0l3grl.qeqfofqil.biz 0tg47r.bucbbqswa.biz 1njh89.kpoisetkp.biz 2684sc.jpitlicla.biz 36vgh9.pwrueetru.biz
  • 14. Fast flux pattern: californiyaslososemk.com resolved to 8,855 unique IPs in 564 ASNs and 45 countries over a 5-month period
  • 15. But a lot of malicious IPs are not part of a fast-flux infrastructure. Example: DGA-based C&Cs
  • 16. Another IP reputation system: Dorothy Because there is no place like 127.0.0.1
  • 17. Constantly moving to new subdomains, new domains, new IPs makes malware more resistant to takedown.
  • 18. Subdomain rotation is free
  • 19. Domain rotation happens at regular intervals or shortly after a domain has been flagged by some security products.
  • 20. IP rotation happens as well, but is usually slower than domain rotation.
  • 21. Hosting a C&C on a compromised host would be a terrible idea.
  • 22. price(IP) > price(domain) > price(subdomain)
  • 23. [Figure: grid of names N1..N9 (rows) against time windows t-6..t (columns), sparsely filled with X marks. X: Ni resolves to this IP and real client queries were observed for this (name, IP, time window) tuple]
  • 24. [Figure: the same grid for another IP, densely filled: most names carry an X in most windows. X: Ni resolves to this IP and real client queries were observed for this (name, IP, time window) tuple]
  • 25. 92.48.122.132: Names 19993, Median lifetime (days) 1.0, Median client IPs/name/day 1.0
  • 26. 208.73.211.247: Names 15964, Median lifetime (days) 1.0, Median client IPs/name/day 10.0
  • 27. 198.27.90.196: Names 244, Median lifetime (days) 1.0, Median client IPs/name/day 1.0
  • 28. 193.169.86.247: Names 19069, Median lifetime (days) 1.0, Median client IPs/name/day 1.0
  • 29. 100.2.24.243: Names 135, Median lifetime (days) 3.65, Median client IPs/name/day 10953.0
  • 30. A lot of names on a single IP is not necessarily bad.
  • 31. A lot of names only active for a very short period of time on a single IP looks pretty bad.
  • 32. count(domains) × (max_lifetime − median_lifetime(domains))
  • 33. Lowest-scoring IPs:
 88.208.18.34 -99.99994344508787
 66.6.40.14 -99.99991902141797
 66.6.40.41 -99.99991881331263
 66.6.40.38 -99.99991849346496
 66.6.40.40 -99.99991847539887
 66.6.40.58 -99.99991843314294
 66.6.40.55 -99.99991764598933
 92.48.122.132 -99.9999137065818
 107.20.206.69 -99.99990925954143
 198.52.243.229 -99.99990697303538
 181.41.202.249 -99.99990279989224
 208.93.0.128 -99.99990129681458
 109.123.127.228 -99.99989610061355
 208.73.211.247 -99.99989518133837
 10.0.15.201 -99.99989386815456
 208.73.211.249 -99.99989356270828
 208.73.211.230 -99.9998933650058
 208.73.211.246 -99.99989335858926
 168.63.160.30 -99.99989324720488
 75.98.17.61 -99.99988611752897
 62.149.128.160 -99.9998744487991
 62.149.128.151 -99.99987442160271
 62.149.128.154 -99.99987441006259
 62.149.128.157 -99.99987419281405
  • 34. 88.208.18.34 -99.99994344508787: DGAs
  • 35. 66.6.40.14 -99.99991902141797: Tumblr
  • 36. 92.48.122.132 -99.9999137065818: Caphaw banking trojan
  • 37. Immediately followed by: • Parked domains • More Caphaw • Livejournal subdomains • Malicious redirection service • Nuclear Exploit kit • Microsoft CDN (msedge.net) • Browlock ransomware • Sinkhole • Fast flux (Rogue pharmacies)
  • 38. [Figure: the sparse grid of slide 23 again, names N1..N9 against time windows t-6..t. X: Ni resolves to this IP and real client queries were observed for this (name, IP, time window) tuple]
  • 39. Refined definition of X: • Ni resolves to this IP • the number of real client queries for this (name, IP, time window) tuple is > median(number of queries per day) / 4
  • 40. 92.48.122.132 -79.552485207211: Active Cryptolocker domains
  • 41. Dorothy • A simple IP reputation model, reflecting the stability of an IP address. • Not a replacement for your current models, but another feature worth considering to help researchers to spot C&Cs, hosts serving exploit kits and massive spam campaigns.
  • 42. Thanks! • This is slide #42 • OpenDNS: http://opendns.com • Umbrella Security Labs: http://labs.umbrella.com • frank@opendns.com • Github/Twitter/Flickr: @jedisct1
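Slides 9 to 11 give the smoothed ratio count(items known to be malicious) / (count(full set) + C) and note that query co-occurrence is useful to extend existing lists. The block below is an added example, not code from the talk or from OpenDNS, showing one way to combine the two: the "items" of a candidate name are taken to be its co-occurrence events with other names queried by the same client in the same time window, and the ratio of those events that involve an already-listed name is the candidate's score. The definition of co-occurrence, the constant C = 5, the seed list and the session data are all assumptions of the example; the smoothing constant is what stops a name seen once next to one known-bad name from scoring 1.0.

```python
from collections import Counter, defaultdict
from itertools import combinations

C = 5.0  # smoothing constant; the value is an assumption of this example

# Assumed seed list of names already known to be malicious.
KNOWN_BAD = {"bad1.example", "bad2.example"}

# Constructed sessions: client IP -> names it queried within one time window.
SESSIONS = {
    "10.0.0.1": ["www.example.org", "bad1.example", "cand.example", "bad2.example"],
    "10.0.0.2": ["bad1.example", "cand.example"],
    "10.0.0.3": ["cand.example", "bad2.example", "news.example.net"],
    "10.0.0.4": ["benign.example", "www.example.org", "news.example.net"],
    "10.0.0.5": ["benign.example", "cdn.example.com"],
    "10.0.0.6": ["lonely.example", "bad1.example"],
}


def cooccurrence(sessions):
    """Map each name to a Counter of the other names queried by the same
    client in the same window; one event per (client, pair of names)."""
    co = defaultdict(Counter)
    for names in sessions.values():
        for a, b in combinations(sorted(set(names)), 2):
            co[a][b] += 1
            co[b][a] += 1
    return co


def smoothed_ratio(events, known_bad, c=C):
    """count(items known to be malicious) / (count(full set) + C), applied to
    the co-occurrence events of one name."""
    total = sum(events.values())
    bad = sum(n for name, n in events.items() if name in known_bad)
    return bad / (total + c)


def score_candidates(sessions, known_bad, c=C):
    """Score every name that is not already on the list."""
    co = cooccurrence(sessions)
    return {name: smoothed_ratio(ev, known_bad, c)
            for name, ev in co.items() if name not in known_bad}


def extend_list(sessions, known_bad, threshold, c=C):
    """Names whose smoothed ratio reaches the threshold: the candidates to
    add to the existing list after review."""
    scores = score_candidates(sessions, known_bad, c)
    return sorted(name for name, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    for name, s in sorted(score_candidates(SESSIONS, KNOWN_BAD).items(),
                          key=lambda kv: -kv[1]):
        print("%-20s %.3f" % (name, s))
    print("extend with:", extend_list(SESSIONS, KNOWN_BAD, 0.3))
```

With C = 5 only cand.example (4 of its 6 co-occurrence events involve a listed name) crosses a 0.3 threshold; with C = 0 lonely.example, whose single event is with bad1.example, scores 1.0 and www.example.org scores 0.4, which is exactly the noise the constant is there to suppress.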
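Slides 23 to 32 build the Dorothy score from (name, IP, time window) tuples, and slide 39 tightens the definition of an active window so that a single stray query does not count. The block below is an added example, not code from the talk or from OpenDNS, that computes the per-IP figures of slides 25 to 29 and the score of slide 32 over a constructed query log, with the slide-39 threshold switchable so its effect can be seen. Assumptions made here: the operator between max_lifetime and median_lifetime is read as subtraction, max_lifetime is taken to be the length of the observation window, the lifetime of a name on an IP is the span from its first to its last active window, and the score is reported with higher values meaning more suspicious (the talk's figures use a different scale and sign).

```python
from collections import defaultdict
from statistics import median

WINDOW_DAYS = 7  # assumed observation window; also used as max_lifetime


def build_sample_log():
    """Constructed query log: records of (day, client_ip, name, answer_ip)."""
    log = []
    # A stable IP (think CDN): three names answering every day to four clients.
    for day in range(WINDOW_DAYS):
        for name in ("static.cdn.example", "img.cdn.example", "js.cdn.example"):
            for client in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"):
                log.append((day, client, name, "203.0.113.10"))
    # A churning IP: twelve names, each seen on one day from one client.
    for k in range(12):
        log.append((k % WINDOW_DAYS, "10.0.1.%d" % k,
                    "n%02d.churn.example" % k, "198.51.100.20"))
    # One more churn name: 40 clients on day 0, then one stray query on day 5.
    for k in range(40):
        log.append((0, "10.0.2.%d" % k, "promo.churn.example", "198.51.100.20"))
    log.append((5, "10.0.3.1", "promo.churn.example", "198.51.100.20"))
    return log


def active_windows(log, apply_threshold=True):
    """(name, ip) -> {day: set of client IPs}. With apply_threshold, a window
    only counts when its query count exceeds median(queries per day) / 4 for
    that (name, ip), as on slide 39; otherwise any query marks the window."""
    clients = defaultdict(lambda: defaultdict(set))
    queries = defaultdict(lambda: defaultdict(int))
    for day, client, name, ip in log:
        clients[(name, ip)][day].add(client)
        queries[(name, ip)][day] += 1
    active = {}
    for key, per_day in queries.items():
        threshold = median(per_day.values()) / 4 if apply_threshold else 0
        kept = {d: clients[key][d] for d, n in per_day.items() if n > threshold}
        if kept:
            active[key] = kept
    return active


def ip_profiles(log, apply_threshold=True):
    """Per IP: number of names, median lifetime (days), median client IPs per
    name per day, each name's lifetime, and the Dorothy-style score
    count(names) * (max_lifetime - median_lifetime)."""
    by_ip = defaultdict(dict)
    for (name, ip), days in active_windows(log, apply_threshold).items():
        by_ip[ip][name] = days
    profiles = {}
    for ip, names in by_ip.items():
        # lifetime = span from first to last active window (assumption)
        lifetimes = {n: max(d) - min(d) + 1 for n, d in names.items()}
        clients_per_day = [len(c) for d in names.values() for c in d.values()]
        med_life = median(lifetimes.values())
        profiles[ip] = {
            "names": len(names),
            "median_lifetime": med_life,
            "median_clients_per_name_day": median(clients_per_day),
            "lifetimes": lifetimes,
            "score": len(names) * (WINDOW_DAYS - med_life),
        }
    return profiles


if __name__ == "__main__":
    for ip, p in sorted(ip_profiles(build_sample_log()).items(),
                        key=lambda kv: -kv[1]["score"]):
        print(ip, "names", p["names"], "median lifetime", p["median_lifetime"],
              "median clients/name/day", p["median_clients_per_name_day"],
              "score", p["score"])
```

On this log the stable IP scores 0 (three names, all alive for the whole window) while the churning IP scores 78 (thirteen names with a median lifetime of one day), which is the contrast slides 30 and 31 draw. The slide-39 threshold matters for promo.churn.example: its single day-5 query is far below a quarter of its median daily volume, so its lifetime stays at one day instead of stretching to six.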