Day 2 Dns Cert 4c Malicious Use
Presentation by ICANN
Published in: Technology
Transcript

  • 1. DNS Security for CERTs - Attack Scenarios & Demonstrations – Malicious Use
    Chris Evans, Delta Risk, LLC
    7 March 2010
  • 2. What You Will Need for the Exercises
    • Your Windows Terminal Server
      – From Windows, run ‘mstsc’
      – From a Mac, please download the Terminal Server Client from the wiki
      – Run the DNS-Bot.vbs file when instructed
      – Open a command prompt and run: cscript.exe c:/users/studentX/Desktop/DNS-Bot.vbs
      – Don’t forget – X is your student number
  • 3. Description – Malicious Use
    • Using the DNS to propagate malware or conduct attacks in a malicious manner, yet consistent with the DNS protocols
      – BotNet Command & Control (indirect)
      – Amplification Attacks (direct)
    • These attacks do not necessarily target DNS servers – rather, they use your servers to conduct an attack elsewhere
    [Diagram: NS → Victim]
  • 4. Case Study – Conficker
    • Conficker – the Conficker worm appeared in late 2008, with most of the attention starting in Jan/Feb of 2009.
      – The worm used pseudo-randomly generated domains from several top level domains (ccTLDs included) as its command and control points.
      – The worm would contact servers on these random domains for instructions.
  • 5. Case Study – Conficker
    • The Conficker Working Group (Conficker Cabal) was started to address response actions to the worm
      – Comprised of businesses, DNS operations, Internet organizations, and security researchers
      – Requested top level organizations with suspected domain names involved in Conficker to register them in hopes of preempting Conficker activity
    • Conficker mutated to thwart activity of the Working Group and started using P2P methods vs. DNS
    How Should a ccTLD React to a Request to Register (at no cost) Hundreds of Domain Names to Prevent Malicious Activity?
  • 6. Attack Demonstration
    • The “DNS Bot” receives its instructions and sends information back to the hacker via DNS
    [Diagram: Caching Server – NS – Rogue Server; “Run Command & Post Results”; “Double-click DNS-Bot.vbs”]
    • Remember, the bot won’t do anything malicious!
  • 7. Demonstration – Attacker View
    • [Screenshots: Rogue DNS Bind File & Web Post Directory]
  • 8. Demonstration – Server View
    • [Screenshot]
  • 9. Demonstration – User View
    • Please run your bot now
      – Open a command prompt and run the command: cscript.exe c:/users/studentX/Desktop/DNS-Bot.vbs
    • [Screenshot: Wireshark view]
  • 10. Demonstration – User View
    • If you’d like to start Wireshark…
      – Double click icon on desktop
      – Select Options from Capture Menu
      – In “capture filter” type port 53
      – Click “Start”
  • 11. Demonstration – User View
    • [Screenshot: Encoded Data Sent to DNS Server]
  • 12. Demonstration – User View
    • The bot will periodically request instructions over DNS from a rogue DNS server (192.168.85.5)
      – Can you find the rogue DNS server with Wireshark or DNS tools?
    • The bot will execute the instructions:
      – Wait, Download a File, Run a Command & Post Results, Quit
      – Can you “reverse engineer” the instructions?
      – Can you see what is being posted?
  • 13. Impact
    • DNS resources used for malicious purposes
    • Possible brand or reputation loss due to apparent attacks originating from servers
    • Widespread bot proliferation
  • 14. Mitigation & Response Strategies
    • Domain “Blackholes” – but only if domains don’t change rapidly – you have to keep up!
    • Strengthen registrant information validation
    • Develop policies for determining what’s malicious
    • Add detection mechanisms for malicious use
      – Host based (Antivirus, patching, etc.)
      – Network based (traffic & domain analysis)
    • Develop policies for domain takedown
    • Develop cooperative agreements with other registries, CERTs, law enforcement, and security organizations to address malicious use scenarios
  • 15. Questions?
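The "network based (traffic & domain analysis)" detection in slide 14, applied to the kind of traffic the slide 12 exercise produces, as an added example that is not part of the ICANN deck or of DNS-Bot.vbs. It scans a constructed list of observed DNS queries and flags the two signs a defender would look for: a client talking to a resolver that is not the site resolver, and query names whose first label looks like encoded data (hex charset, or long and high-entropy). The only value taken from the slides is the rogue server address 192.168.85.5; the allow-listed resolver 192.168.85.1, the client address and the domain names are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample: (client, resolver the query was sent to, queried name).
# 192.168.85.5 is the rogue server from the slides; all other values are made up.
SAMPLE_QUERIES = [
    ("192.168.85.21", "192.168.85.1", "www.example.com"),
    ("192.168.85.21", "192.168.85.1", "time.windows.com"),
    ("192.168.85.21", "192.168.85.5", "cmd.bot-c2.example"),
    ("192.168.85.21", "192.168.85.5",
     "0123456789abcdef0123456789abcdef.post.bot-c2.example"),
]
ALLOWED_RESOLVERS = {"192.168.85.1"}          # assumed site caching resolver
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")    # label that is pure hex, 16+ chars


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def query_reasons(resolver: str, name: str) -> list:
    """Return the rules tripped by one query (empty list if it looks benign)."""
    reasons = []
    if resolver not in ALLOWED_RESOLVERS:
        reasons.append("resolver not in allow-list")
    first = name.split(".")[0].lower()          # leftmost label carries the payload
    if HEX_LABEL.match(first):
        reasons.append("hex-encoded label")
    if len(first) >= 20 and label_entropy(first) >= 3.0:
        reasons.append("long high-entropy label")
    return reasons


def scan(queries) -> dict:
    """Map each suspicious query name to the list of reasons it was flagged."""
    flagged = {}
    for _client, resolver, name in queries:
        reasons = query_reasons(resolver, name)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, why in scan(SAMPLE_QUERIES).items():
        print(f"{name}: {', '.join(why)}")
```

Pointing the same rules at a Wireshark export filtered on port 53 (as set up in slide 10) is enough to pick the rogue server out of the capture; the entropy threshold will need tuning against real traffic, where CDN and anti-spam lookups also produce long labels.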