How It Works?
Diagram: STUB CLIENTS → RECURSIVE NAME SERVERS → AUTHORITATIVE NAME SERVERS (root → tld → domain.tld).

So It’s a Protocol? Or a Database? No, It’s Both!
• PROTOCOL: a request (DNS query for a domain name) from any device and any application goes to the recursive and authoritative name servers, which return a response (e.g. the IP address).
• DISTRIBUTED DATABASE: resource records keyed by domain name, e.g. domain name = IP address.
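The two slides above describe resolution as a walk from the stub client through a recursive server down the root → TLD → domain.tld chain. The following is an added example, not code from the presentation or from OpenDNS: a toy in-memory model of that walk. The zone contents, the server names (root, ns.tld, ns.domain.tld) and the address 192.0.2.10 are constructed, and nothing touches the network.

```python
"""Added example (not from the slides): toy model of the resolution path in the
diagram, stub -> recursive -> root -> TLD -> domain.tld. Zone data, server
names and the address 192.0.2.10 are constructed; nothing touches the network."""

# Constructed distributed database: each authoritative server holds one zone.
# A zone maps a name to a final A answer or to an NS referral for a sub-zone.
ROOT_ZONE = {"tld": ("NS", "ns.tld")}
TLD_ZONE = {"domain.tld": ("NS", "ns.domain.tld")}
DOMAIN_ZONE = {
    "domain.tld": ("A", "192.0.2.10"),
    "www.domain.tld": ("A", "192.0.2.10"),
}
# Authoritative server name -> the zone it answers for
AUTHORITATIVE = {
    "root": ROOT_ZONE,
    "ns.tld": TLD_ZONE,
    "ns.domain.tld": DOMAIN_ZONE,
}


def authoritative_lookup(server, qname):
    """What one authoritative server answers: the record if it owns the name,
    a referral ("NS", next server) for the longest matching sub-zone, else
    ("NXDOMAIN", None)."""
    zone = AUTHORITATIVE[server]
    if qname in zone:
        return zone[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zone and zone[suffix][0] == "NS":
            return zone[suffix]
    return ("NXDOMAIN", None)


class RecursiveResolver:
    """The recursive name server: walks referrals from the root on the stub's
    behalf and caches final answers."""

    def __init__(self):
        self.cache = {}

    def resolve(self, qname, max_hops=8):
        """Return (ip or None, list of servers consulted)."""
        if qname in self.cache:
            return self.cache[qname], ["cache"]
        trace, server = [], "root"
        for _ in range(max_hops):       # bound the referral chain
            trace.append(server)
            rtype, rdata = authoritative_lookup(server, qname)
            if rtype == "A":
                self.cache[qname] = rdata
                return rdata, trace
            if rtype != "NS":           # NXDOMAIN: nobody is authoritative
                return None, trace
            server = rdata              # follow the referral down the tree
        return None, trace


def stub_query(resolver, qname):
    """The stub client: sends one query and trusts the recursive server's answer."""
    ip, _trace = resolver.resolve(qname)
    return ip


def demo(qname="www.domain.tld"):
    resolver = RecursiveResolver()
    first = resolver.resolve(qname)     # full walk: root -> ns.tld -> ns.domain.tld
    second = resolver.resolve(qname)    # answered from the recursive server's cache
    return first, second


if __name__ == "__main__":
    print(demo())
```

The trace returned by the first call is the "protocol" half of the slide (which servers were asked, in what order); the zone dictionaries are the "database" half. The second call shows why the recursive server is the natural place to observe and filter traffic: every stub on the network funnels through it, and it remembers what it has seen.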
Role of DNS in Internet Threats (including Botnet C&C)

DATA THEFT (IRC, P2P and 100s more)
• Infected device “phones home”.
• Without user interaction, confidential data is leaked to p2p.botnet.cn.
• Hacker collects data via the botnet controller or bot peers.
Hackers Add Threat Mobility via DNS to Thwart Reactive Defenses
• IP FLUX via DNS RECORDS: same query, different responses. The same names (paypalz.com, ad.malware.cn, p2p.botnet.com) resolve to a different address in each snapshot.
• DOMAIN FLUX via DGA: different queries, same response. A changing set of names (paypalz.com / paypals.com / paypall.com; maltesefalcon.cn / visitmalta.cn / maltwhisky.cn; kjasdfsdfsaa.com / kjasdfaasdf.com / ijiewfsfsjst.com) resolves to the same address.
• Addresses shown across the slide’s three snapshots: 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206.
• Must shut down or block all… content servers and name servers (ns.botnet.com, ns.bonet.com, …) via DNS records.
• DOUBLE IP FLUX via DNS RECORDS: same name server, different responses. The name servers themselves (ns.botnet.com, ns.bonet.com) resolve to 220.127.116.11, 18.104.22.168, 22.214.171.124 in turn.
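The slide names three flux patterns and makes the defender’s point that blocking a single address or name is not enough. The following is an added example, not code from the presentation or from OpenDNS: it runs the three checks over a list of observed DNS answers, as a passive-DNS collector would record them. Names and addresses are the slide’s own labels; the timestamps, the example.com control entries, the 192.0.2.10 address and the thresholds are assumptions.

```python
"""Added example, not from the slides: detect IP flux, domain flux and double
flux in a list of observed DNS answers, then compute what would have to be
blocked for the flux to stop. Observations are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    ts: int       # observation time in seconds (constructed)
    qname: str    # name that was queried
    rtype: str    # "A" (address) or "NS" (name server host for the zone)
    rdata: str    # IP address for A records, host name for NS records


# Constructed snapshots over time, following the slide's examples.
SAMPLE = [
    # IP flux: same query, different responses over three snapshots
    Answer(0,    "paypalz.com", "A", "220.127.116.11"),
    Answer(600,  "paypalz.com", "A", "18.104.22.168"),
    Answer(1200, "paypalz.com", "A", "22.214.171.124"),
    # Domain flux: different queries (DGA-style names), same response
    Answer(0,    "maltesefalcon.cn", "A", "188.8.131.52"),
    Answer(600,  "visitmalta.cn",    "A", "188.8.131.52"),
    Answer(1200, "maltwhisky.cn",    "A", "188.8.131.52"),
    # Double flux: the zone's name server host itself keeps changing address
    Answer(0,    "botnet.com",    "NS", "ns.botnet.com"),
    Answer(0,    "ns.botnet.com", "A",  "220.127.116.11"),
    Answer(600,  "ns.botnet.com", "A",  "18.104.22.168"),
    Answer(1200, "ns.botnet.com", "A",  "22.214.171.124"),
    # Stable control (constructed, reserved documentation address)
    Answer(0,    "example.com", "A", "192.0.2.10"),
    Answer(600,  "example.com", "A", "192.0.2.10"),
    Answer(1200, "example.com", "A", "192.0.2.10"),
]


def detect_ip_flux(answers, min_distinct=3):
    """Names whose A answers span at least min_distinct different IPs."""
    seen = defaultdict(set)
    for a in answers:
        if a.rtype == "A":
            seen[a.qname].add(a.rdata)
    return {name for name, ips in seen.items() if len(ips) >= min_distinct}


def detect_domain_flux(answers, min_names=3):
    """IPs answered for at least min_names different query names."""
    seen = defaultdict(set)
    for a in answers:
        if a.rtype == "A":
            seen[a.rdata].add(a.qname)
    return {ip: sorted(names) for ip, names in seen.items() if len(names) >= min_names}


def detect_double_flux(answers, min_distinct=3):
    """Zones whose NS hosts are themselves in IP flux: zone -> fluxing NS hosts."""
    ns_hosts = defaultdict(set)
    for a in answers:
        if a.rtype == "NS":
            ns_hosts[a.qname].add(a.rdata)
    fluxing = detect_ip_flux(answers, min_distinct)
    return {zone: sorted(h for h in hosts if h in fluxing)
            for zone, hosts in ns_hosts.items()
            if any(h in fluxing for h in hosts)}


def takedown_scope(answers):
    """Everything the slide says must be blocked or shut down: the fluxing
    names, the fluxing NS hosts, and every address any of them has used."""
    names = set(detect_ip_flux(answers))
    for flux_names in detect_domain_flux(answers).values():
        names.update(flux_names)
    ns_hosts = {h for hosts in detect_double_flux(answers).values() for h in hosts}
    names -= ns_hosts
    ips = {a.rdata for a in answers
           if a.rtype == "A" and a.qname in names | ns_hosts}
    return {"names": sorted(names), "ns_hosts": sorted(ns_hosts), "ips": sorted(ips)}


if __name__ == "__main__":
    print(takedown_scope(SAMPLE))
```

Counting distinct answers is the simplest form of each check; a production detector would also weigh the record TTLs (flux only works if caches expire quickly) and exclude legitimate round-robin and CDN names, which also rotate addresses and share them among many customers.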
Hackers Distribute Botnet’s Architecture via DNS to Thwart Takedown (continued…)
Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies (builds 1–5)
• An infected device within the on-premises network is just one vector.
• Diagram: infected device → PROXY → FIREWALL → ISP → PROXY → cnc.tld. Outbound queries: “where is 11010.cnc.tld?”, “where is 00110.cnc.tld?”, “where is 01010.cnc.tld?” Inbound answers: “11010.cnc.tld is at 01110”, “cnc.tld is at 11100”, “at 11011”. The binary labels stand for data carried out in the query names and back in the answers.

DNS TUNNELING
• Bi-directional, ~110 kbps using TXT records.
• 1998 -- Concept published.
• 2004 -- Security community discussed.
• 2008 -- Security community created exploit.
• 2011 -- 1st documented botnet to exploit it.
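The tunneling slide shows data leaving as query labels under cnc.tld and returning in answers, with TXT records carrying most of the bandwidth. The following is an added example, not code from the presentation or from OpenDNS: a scorer for a resolver query log that looks for the traits such traffic leaves behind (long, high-entropy, never-repeating labels and a high share of TXT queries). The log line format, the example.com traffic, the hexadecimal labels under cnc.tld and the thresholds are all constructed assumptions.

```python
"""Added example, not from the slides: score DNS query logs for tunneling
indicators (long, high-entropy, never-repeating subdomain labels and a high
share of TXT queries). Log format, sample data and thresholds are assumptions."""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch> <client> <qname> <qtype>".
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com MX
1700000002 10.0.0.7 3f9a1c7e0b42d8a6f1e5c9b7a2d4e6f8.cnc.tld TXT
1700000003 10.0.0.7 a7c2e9d14b6f08e3d5c1a9b7f2e4d6c8.cnc.tld TXT
1700000004 10.0.0.5 www.example.com A
1700000005 10.0.0.7 0e4b8d2f6a1c3e5b7d9f1a3c5e7b9d2f.cnc.tld TXT
1700000006 10.0.0.5 api.example.com A
1700000007 10.0.0.7 c9d3e1f7a5b2d8e4f0a6c1b9d7e3f5a2.cnc.tld TXT
1700000008 10.0.0.7 5b1e9c3a7d2f4e8b0c6a1d9f3e7b5c2a.cnc.tld A
1700000009 10.0.0.5 www.example.com A
"""


def parse_log(text):
    """Parse the constructed log format into (ts, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append((int(ts), client, qname.lower().rstrip("."), qtype))
    return records


def registered_domain(qname):
    """Assumption: the registrable domain is the last two labels. A real
    deployment would consult the Public Suffix List (co.uk etc.)."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def domain_metrics(records):
    """Per registrable domain: query count, mean subdomain length, mean
    subdomain entropy, share of never-repeated subdomains, share of TXT."""
    groups = defaultdict(list)
    for _, _, qname, qtype in records:
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".")   # subdomain part, may be ""
        groups[dom].append((sub, qtype))
    metrics = {}
    for dom, items in groups.items():
        subs = [s for s, _ in items]
        n = len(items)
        metrics[dom] = {
            "queries": n,
            "mean_label_len": sum(len(s) for s in subs) / n,
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / n,
            "unique_ratio": len(set(subs)) / n,
            "txt_fraction": sum(1 for _, t in items if t == "TXT") / n,
        }
    return metrics


def flag_tunneling(records, min_queries=5, min_signals=3):
    """Domains with enough queries where at least min_signals of the four
    tunneling indicators fire (thresholds are assumptions)."""
    flagged = {}
    for dom, m in domain_metrics(records).items():
        if m["queries"] < min_queries:
            continue
        signals = [
            m["mean_label_len"] >= 20,   # labels long enough to carry payload
            m["mean_entropy"] >= 3.0,    # encoded data, not words
            m["unique_ratio"] >= 0.8,    # each query is new, so caches never help
            m["txt_fraction"] >= 0.5,    # TXT answers carry the return channel
        ]
        if sum(signals) >= min_signals:
            flagged[dom] = m
    return flagged


if __name__ == "__main__":
    for dom, m in flag_tunneling(parse_log(SAMPLE_LOG)).items():
        print(dom, m)
```

Requiring several indicators together keeps the rule from firing on a single odd query. The remaining false positives come from services that legitimately encode data in labels (CDN cache keys, anti-virus and anti-spam lookup zones); those are handled by an allowlist of known domains, not by loosening the thresholds.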
If Hackers Have Evolved, So Should Your Defense-in-Depth Strategy!

PAST
• Hackers seek fame & glory.
• Malware disrupts your business.
• Your highest costs are lost productivity & IT remediation time.
• After detection, you attempt to prevent 100%.

PRESENT & FUTURE
• Cybercriminals seek fortune & politics.
• Botnets penetrate your networks. And roaming & mobile devices enter your networks.
• Your highest costs are leaked data & legal audit fees.
• After preventing as much as reasonable, since 100% is no longer realizable, you contain the rest.

There’s a lot of vectors, so a lot of solutions.
What’s Next for DNS-based Security?
• More domain names to track.
  » Internet still exponentially growing.
  » ICANN received 2000+ applications for new TLDs (Top-Level Domains).
• Bigger and more complex DNS packets.
  » DNS tunneling by botnets.
  » DKIM (DomainKeys Identified Mail).
  » AAAA records for IPv6 addresses.
• More DNS traffic.
  » More persistent threats due to DIY (do-it-yourself) kits for cybercriminals.
  » Browsers predictively pre-caching DNS requests.
Thank You for Attending!
Continue the discussion: Email: email@example.com Twitter: @davidu