Role of DNS in Botnet Command and Control
See how botnets ha

Published in: Technology

  • View the recording here: https://whatsnew.webex.com/whatsnew/lsr.php?AT=pb&SP=EC&rID=29282137&rKey=3ee626966399ae13

Transcript

  • 1. OpenDNS Security Talk: The Role of DNS in Botnet Command & Control (C&C). Please watch the recording via the link posted in the comment section below for context!
  • 2. Topics: DNS Refresher.
  • 3. Domain Name System Refresher
  • 4. How It Works? [Diagram: clients (stub resolvers) → recursive name servers → authoritative name servers (root, TLD, domain.tld).]
  • 5. So It’s a Protocol? Or a Database? No, It’s Both! [Diagram: as a protocol, any device or any application sends a request (a query for a domain name) and gets a response (e.g. an IP address); as a database, the recursive & authoritative name servers hold a distributed database of resource records (e.g. domain name = IP address).]
  • 6. Role of DNS in Internet Threats (including Botnet C&C)
  • 7. Data Theft. [Diagram: IRC, P2P and 100s more.] Infected device “phones home”. Without user interaction, confidential data leaked to p2p.botnet.cn. Hacker collects data via botnet controller or bot peers.
  • 8. Hackers Add Threat Mobility via DNS to Thwart Reactive Defenses
    » IP flux via DNS records (same query, different responses): paypalz.com = 1.1.1.1, then 1.1.1.2, then 1.1.1.3; ad.malware.cn = 2.2.2.2, then 2.2.2.3, then 2.2.2.4; p2p.botnet.com = 3.3.3.3, then 3.3.3.4, then 3.3.3.5.
    » Domain flux via DGA (different queries, same response): paypalz.com, paypals.com, paypall.com = 1.1.1.1; maltesefalcon.cn, visitmalta.cn, maltwhisky.cn = 2.2.2.2; kjasdfsdfsaa.com, kjasdfaasdf.com, ijiewfsfsjst.com = 3.3.3.3.
    » Double IP flux via DNS records (same name server, different responses): ns.botnet.com = 4.4.4.4, then 4.4.4.5, then 4.4.4.6.
    » Must shut down or block all content servers and name servers … via DNS records.
  • 9. Hackers Distribute Botnet’s Architecture via DNS to Thwart Takedown
  • 10. Hackers Distribute Botnet’s Architecture via DNS to Thwart Takedown (continued…)
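The two flux patterns on slide 8 are visible from the answer side of a recursive resolver's logs: IP flux shows up as one name rotating through many short-TTL addresses, and domain flux as many distinct registered domains all answering with the same address. The script below is an added example (not OpenDNS code or code from the talk) that runs both checks over a constructed log; the names and addresses mirror the slide's placeholders and are not real indicators, and the thresholds and the consonant-run DGA heuristic are my own assumptions.

```python
"""Flag IP-flux and domain-flux patterns in recursive-resolver answer logs.

Added example, not code from the talk. Thresholds are illustrative.
"""
from collections import defaultdict

# Constructed sample answers: (queried name, answered IP, TTL in seconds).
# Placeholder names/addresses in the style of the slides, not real indicators.
SAMPLE_ANSWERS = [
    ("paypalz.com", "1.1.1.1", 60),
    ("paypalz.com", "1.1.1.2", 60),
    ("paypalz.com", "1.1.1.3", 60),
    ("ad.malware.cn", "2.2.2.2", 30),
    ("ad.malware.cn", "2.2.2.3", 30),
    ("ad.malware.cn", "2.2.2.4", 30),
    ("kjasdfsdfsaa.com", "3.3.3.3", 300),
    ("kjasdfaasdf.com", "3.3.3.3", 300),
    ("ijiewfsfsjst.com", "3.3.3.3", 300),
    ("example.org", "5.5.5.5", 3600),   # benign: stable answer, long TTL
    ("example.org", "5.5.5.5", 3600),
]

VOWELS = set("aeiou")


def registered_domain(qname):
    """Naive registered domain = last two labels (enough for the sample;
    a real deployment would use the public suffix list)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def max_consonant_run(label):
    """Longest run of consonants in a label. Long runs are a cheap
    DGA-likeness signal (assumed heuristic, not from the slides)."""
    best = run = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def find_ip_flux(answers, min_ips=3, max_ttl=300):
    """Names whose answers rotated through >= min_ips addresses
    while advertising short TTLs (same query, different responses)."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for qname, ip, ttl in answers:
        ips[qname].add(ip)
        ttls[qname].append(ttl)
    return sorted(q for q in ips
                  if len(ips[q]) >= min_ips and min(ttls[q]) <= max_ttl)


def find_domain_flux(answers, min_names=3):
    """Addresses answered for >= min_names distinct registered domains
    (different queries, same response). Each name carries a DGA-likeness
    flag so an analyst can tell typosquats from generated names."""
    names = defaultdict(set)
    for qname, ip, _ttl in answers:
        names[ip].add(registered_domain(qname))
    report = {}
    for ip, doms in names.items():
        if len(doms) >= min_names:
            report[ip] = {d: max_consonant_run(d.split(".")[0]) >= 4
                          for d in sorted(doms)}
    return report


if __name__ == "__main__":
    print("IP flux:", find_ip_flux(SAMPLE_ANSWERS))
    print("Domain flux:", find_domain_flux(SAMPLE_ANSWERS))
```

On the sample, the two rotating names are reported as IP flux and 3.3.3.3 as the shared answer behind three generated-looking domains; the TTL condition keeps legitimately load-balanced names with long TTLs out of the IP-flux list.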
  • 11. Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies (build 1). An infected device within the on-premises network is just one vector. [Diagram: infected device → firewall → proxy → ISP.]
  • 12. Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies (build 2). [Diagram: the infected device sends queries “where is cnc.tld?” that carry encoded data (“11010.”, “00110.”, “01010.”) out through the proxy and firewall to the ISP.]
  • 13. Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies (build 3). [Diagram continues: the encoded “where is cnc.tld?” queries leave the network.]
  • 14. Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies (build 4). [Diagram: the responses “cnc.tld is at 01110”, “cnc.tld is at 11100”, “cnc.tld is at 11011” carry encoded data back to the infected device.]
  • 15. Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies (build 5). DNS Tunneling: bi-directional, ~110kbps using TXT records. 1998 -- Concept published. 2004 -- Security community discussed. 2008 -- Security community created exploit. 2011 -- 1st documented botnet to exploit it.
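The tunnel sketched in builds 2 to 5 leaves a distinctive footprint in query logs: a single client sends an unusually large number of never-repeated, long, high-entropy subdomains under one registered domain, and (when TXT records carry the downstream) an unusual share of TXT queries. The following added example (my own code, not from the talk or OpenDNS) computes those per-client, per-domain statistics over a constructed query log; cnc.tld is the slide's placeholder, the client addresses and thresholds are assumptions, and the encoded labels are generated with SHA-256 purely to stand in for tunnel payloads.

```python
"""Per-client, per-domain heuristics for DNS-tunnel traffic.

Added example, not code from the talk. Thresholds are illustrative and
would be tuned per network.
"""
import hashlib
import math
from collections import defaultdict


def registered_domain(qname):
    """Naive registered domain = last two labels (enough for the sample)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text):
    """Bits per character of the text; encoded payload labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_sample_queries():
    """Constructed query log: (client_ip, qname, qtype).
    10.0.0.5 browses normally; 10.0.0.7 pushes data out in encoded
    subdomain labels and pulls replies via TXT, as on the slides."""
    benign = ["www.example.org", "example.org", "cdn.example.org",
              "mail.example.org"]
    queries = [("10.0.0.5", name, "A") for name in benign] * 5
    for i in range(40):
        # Placeholder for an encoded data chunk (64 hex chars).
        payload = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()
        queries.append(("10.0.0.7",
                        f"{payload[:32]}.{payload[32:]}.cnc.tld", "TXT"))
    return queries


def tunnel_scores(queries, min_unique=20, min_len=40.0, min_entropy=3.0):
    """Aggregate per (client, registered domain) and flag pairs whose
    subdomains are numerous, long and high-entropy at the same time."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "txt": 0,
                                 "len_sum": 0, "ent_sum": 0.0})
    for client, qname, qtype in queries:
        rd = registered_domain(qname)
        sub = qname[:-len(rd)].rstrip(".")      # everything left of rd
        s = stats[(client, rd)]
        s["n"] += 1
        s["subs"].add(sub)
        s["txt"] += qtype == "TXT"
        s["len_sum"] += len(qname)
        s["ent_sum"] += shannon_entropy(sub.replace(".", ""))
    report = {}
    for key, s in stats.items():
        mean_len = s["len_sum"] / s["n"]
        mean_ent = s["ent_sum"] / s["n"]
        suspicious = (len(s["subs"]) >= min_unique
                      and mean_len >= min_len and mean_ent >= min_entropy)
        report[key] = {
            "queries": s["n"],
            "unique_subdomains": len(s["subs"]),
            "txt_fraction": round(s["txt"] / s["n"], 2),
            "mean_qname_len": round(mean_len, 1),
            "mean_label_entropy": round(mean_ent, 2),
            "suspicious": suspicious,
        }
    return report


if __name__ == "__main__":
    for key, row in tunnel_scores(build_sample_queries()).items():
        print(key, row)
```

The three conditions are combined with AND on purpose: a CDN or anti-spam lookup service can produce many unique subdomains, and a long but low-entropy hostname is common, whereas all three together on one client-to-domain pair is what a tunnel looks like. The TXT fraction is reported rather than thresholded because tunnels can also use A, CNAME or NULL records.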
  • 16. If Hackers Have Evolved, So Should Your Defense-in-Depth Strategy!
    » Past: Hackers seek fame & glory. Malware disrupts your business. Your highest costs are lost productivity & IT remediation time. After detection, you attempt to prevent 100%.
    » Present & Future: Cybercriminals seek fortune & politics. Botnets penetrate your networks. And roaming & mobile devices enter your networks. Your highest costs are leaked data & legal audit fees. After preventing as much as reasonable, since 100% is no longer realizable, you contain the rest. There’s a lot of vectors, so a lot of solutions.
  • 17. Role of DNS in Internet-Wide Security
  • 18. Visualize Threats & Characterize Patterns in Big Data
  • 19. Visualizing One Day’s Worth of Blocked Malware, Botnet, or Phishing Domain Requests
  • 20. What’s Next for DNS-based Security?
    » More domain names to track: Internet still exponentially growing; ICANN received 2000+ applications for new TLDs (Top-Level Domains).
    » Bigger and more complex DNS packets: DNS tunneling by botnets; DKIM (DomainKeys Identified Mail); AAAA records for IPv6 addresses.
    » More DNS traffic: more persistent threats due to DIY (do-it-yourself) kits for cybercriminals; browsers predictively pre-caching DNS requests.
  • 21. Thank You for Attending! Continue the discussion: Email: david@opendns.com Twitter: @davidu