This domain name will self-destruct tomorrow

An overview of the Dorothy IP reputation system

  1. This domain name will self-destruct tomorrow
  2. Frank Denis, OpenDNS Security Labs, frank@opendns.com, @jedisct1
  3. OpenDNS
     • Open DNS resolvers: 208.67.220.220 & 208.67.222.222
     • Can be used to block malware, botnets, phishing.
     • Security Graph: DNSDB + reputation systems
  4. </marketing>
  5. Reputation trust level
  6. IP reputation: just one of the many features used for classification
  7. price(IP) > price(domain) > price(subdomain)
  8. l7099.com q8940.com s5416.com u1105.com v9054.com w1130.com w9148.com x1132.com y1149.com z0338.com z2837.com a0257.com f0390.com h9169.com t7149.com
     penispaldevice.com beautifulwebcamsgirls.com
     Labels on the slide: Ransomware, Malvertising
  9. count(items known to be malicious) / (count(full set) + C)
  10. Co-occurrence relation between queries
  11. Useful to extend existing lists
  12. What if we didn't label anything before?
  13. DGA pattern. Not always malicious: Blackhat SEO, CDNs, Mobile sites. Examples:
     dwayoq.gkxvxvtoq.biz 33qd6r.trdtffxya.biz 5vdckg.ohtnaoani.biz bcx5nd.mrelvrobu.biz duf2jj.ohtnaoani.biz jf2mkk.aaefpbrwf.biz ow6vt1.ojdomjbri.biz u49zqt.hslrnwqtr.biz x71goh.ohtnaoani.biz 05w2p4.xjlwqsshk.biz 0lkvfq.wcjlbyikh.biz 163em8.kpoisetkp.biz 1r9a3p.bucbbqswa.biz 2y4hdx.qeqfofqil.biz
     06vjbb.eiclpilgp.biz 3h31h3.ohtnaoani.biz 8i7ugu.eiclpilgp.biz dckc3d.trdtffxya.biz htzcni.eiclpilgp.biz mqihxp.xyevppjpw.biz q1kfvx.eiclpilgp.biz v9lpyh.mrelvrobu.biz ygig8u.trdtffxya.biz 0c7d7i.ljabojeag.biz 0ln3gs.bucbbqswa.biz 1n2rw9.ljabojeag.biz 23b8fw.xjlwqsshk.biz 34uzo7.jhbleynam.biz
     0vq1ol.egivdjpyb.biz 4trmrj.trdtffxya.biz b0tse7.eiclpilgp.biz dlvmsz.eiclpilgp.biz hwsotz.ojdomjbri.biz nfq70m.huiabgkfh.biz qbjp6w.aaefpbrwf.biz wn2xci.mpnlnwnbd.biz 01lt9k.ljabojeag.biz 0l3grl.qeqfofqil.biz 0tg47r.bucbbqswa.biz 1njh89.kpoisetkp.biz 2684sc.jpitlicla.biz 36vgh9.pwrueetru.biz
  14. Fast flux pattern: californiyaslososemk.com
     8,855 unique IPs, 564 ASNs, 45 countries, over a 5-month period
  15. But a lot of malicious IPs are not part of a fast-flux infrastructure. Example: DGA-based C&Cs
  16. Another IP reputation system: Dorothy. Because there is no place like 127.0.0.1
  17. Constantly moving to new subdomains, new domains, new IPs makes malware more resistant to takedown.
  18. Subdomain rotation is free
  19. Domain rotation happens at regular intervals or shortly after a domain has been flagged by some security products.
  20. IP rotation happens as well, but is usually slower than domain rotation.
  21. Hosting a C&C on a compromised host would be a terrible idea.
  22. price(IP) > price(domain) > price(subdomain)
  23. [Grid: rows N1 to N9 (names), columns t-6 to t (time windows), sparse X marks]
     X: Ni resolves to this IP and real client queries were observed for this (name, IP, time window) tuple
  24. [Grid: rows N1 to N9 (names), columns t-6 to t (time windows), dense X marks]
     X: Ni resolves to this IP and real client queries were observed for this (name, IP, time window) tuple
  25. 92.48.122.132: Names 19993; Median lifetime (days) 1.0; Median client IPs/name/day 1.0
  26. 208.73.211.247: Names 15964; Median lifetime (days) 1.0; Median client IPs/name/day 10.0
  27. 198.27.90.196: Names 244; Median lifetime (days) 1.0; Median client IPs/name/day 1.0
  28. 193.169.86.247: Names 19069; Median lifetime (days) 1.0; Median client IPs/name/day 1.0
  29. 100.2.24.243: Names 135; Median lifetime (days) 3.65; Median client IPs/name/day 10953.0
  30. A lot of names on a single IP is not necessarily bad.
  31. A lot of names only active for a very short period of time on a single IP looks pretty bad.
  32. count(domains) × (max_lifetime median_lifetime(domains))
  33. IP address, score:
     88.208.18.34 -99.99994344508787
     66.6.40.14 -99.99991902141797
     66.6.40.41 -99.99991881331263
     66.6.40.38 -99.99991849346496
     66.6.40.40 -99.99991847539887
     66.6.40.58 -99.99991843314294
     66.6.40.55 -99.99991764598933
     92.48.122.132 -99.9999137065818
     107.20.206.69 -99.99990925954143
     198.52.243.229 -99.99990697303538
     181.41.202.249 -99.99990279989224
     208.93.0.128 -99.99990129681458
     109.123.127.228 -99.99989610061355
     208.73.211.247 -99.99989518133837
     10.0.15.201 -99.99989386815456
     208.73.211.249 -99.99989356270828
     208.73.211.230 -99.9998933650058
     208.73.211.246 -99.99989335858926
     168.63.160.30 -99.99989324720488
     75.98.17.61 -99.99988611752897
     62.149.128.160 -99.9998744487991
     62.149.128.151 -99.99987442160271
     62.149.128.154 -99.99987441006259
     62.149.128.157 -99.99987419281405
  34. 88.208.18.34 -99.99994344508787: DGAs
  35. 66.6.40.14 -99.99991902141797: Tumblr
  36. 92.48.122.132 -99.9999137065818: Caphaw banking trojan
  37. Immediately followed by:
     • Parked domains
     • More Caphaw
     • Livejournal subdomains
     • Malicious redirection service
     • Nuclear Exploit kit
     • Microsoft CDN (msedge.net)
     • Browlock ransomware
     • Sinkhole
     • Fast flux (Rogue pharmacies)
  38. [Grid: rows N1 to N9 (names), columns t-6 to t (time windows), sparse X marks]
     X: Ni resolves to this IP and real client queries were observed for this (name, IP, time window) tuple
  39. X: Ni resolves to this IP, and number of real client queries > (median(number of queries per day) / 4) for this (name, ip, time window) tuple
  40. 92.48.122.132 -79.552485207211: Active Cryptolocker domains
  41. Dorothy
     • A simple IP reputation model, reflecting the stability of an IP address.
     • Not a replacement for your current models, but another feature worth considering to help researchers to spot C&Cs, hosts serving exploit kits and massive spam campaigns.
  42. Thanks!
     • This is slide #42
     • OpenDNS: http://opendns.com
     • Umbrella Security Labs: http://labs.umbrella.com
     • frank@opendns.com
     • Github/Twitter/Flickr: @jedisct1
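The following is an added example, not code from the slides or from OpenDNS, showing how the per-IP stability metrics reported on slides 25 to 29 (names seen, median name lifetime, median client IPs per name per day) can be derived from (name, IP, time window) observations, using the slide-39 rule that a cell counts as active only when its real client query count exceeds a quarter of that name's median daily queries. The observations are constructed placeholder data, "lifetime" is assumed to mean the span from first to last active day, and the `looks_suspicious` cut-offs are assumptions standing in for the slide-31 intuition, not Dorothy's actual scoring.

```python
# Added example (not from the slides): per-IP stability metrics from
# passive-DNS-style observations, with the slide-39 activity rule.
from collections import defaultdict
from statistics import median

# Constructed observations: (name, ip, day_index, client_ips, queries).
# Placeholder names and documentation-range IPs, not real data.
OBSERVATIONS = (
    # 30 throwaway names, each alive for a single day on one IP, one client each
    [(f"n{i}.example", "192.0.2.10", i % 3, 1, 5) for i in range(30)]
    # 3 stable names alive for 7 days on another IP, many clients each day
    + [(f"site{j}.example", "198.51.100.20", d, 500, 4000)
       for j in range(3) for d in range(7)]
    # a stray low-volume day for site0, dropped by the median/4 rule
    + [("site0.example", "198.51.100.20", 7, 3, 10)]
)


def active_cells(observations):
    """Apply the slide-39 rule: a (name, ip, day) counts as active only if
    its real client query count exceeds median(queries per day)/4 for that
    name. Returns {(name, ip): {day: client_ips}}."""
    per_name = defaultdict(list)
    for name, _ip, _day, _clients, queries in observations:
        per_name[name].append(queries)
    threshold = {name: median(q) / 4 for name, q in per_name.items()}
    cells = defaultdict(dict)
    for name, ip, day, clients, queries in observations:
        if queries > threshold[name]:
            cells[(name, ip)][day] = clients
    return cells


def ip_profile(observations):
    """Per IP: number of names, median name lifetime in days (first to last
    active day, an assumed definition), median client IPs per name per day."""
    by_ip = defaultdict(list)
    for (name, ip), days in active_cells(observations).items():
        lifetime = max(days) - min(days) + 1
        by_ip[ip].append((lifetime, median(days.values())))
    return {
        ip: {
            "names": len(rows),
            "median_lifetime_days": median(r[0] for r in rows),
            "median_clients_per_name_day": median(r[1] for r in rows),
        }
        for ip, rows in by_ip.items()
    }


def looks_suspicious(stats, min_names=20, max_median_lifetime=1.0, max_clients=5):
    """Slide-31 intuition with assumed cut-offs: many names on one IP, each
    alive only briefly, each seen by very few real clients."""
    return (stats["names"] >= min_names
            and stats["median_lifetime_days"] <= max_median_lifetime
            and stats["median_clients_per_name_day"] <= max_clients)


if __name__ == "__main__":
    for ip, stats in sorted(ip_profile(OBSERVATIONS).items()):
        print(ip, stats, "suspicious" if looks_suspicious(stats) else "ok")
```

On this data the throwaway-name IP is flagged while the stable hosting IP is not, and the low-volume eighth day of `site0.example` is discarded before lifetimes are computed, which is the point of the slide-39 threshold: a single stray query should not extend a name's apparent lifetime.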
