presentation-passive-dns-mitigate-abuse-23jun14-en

•

0 likes•243 views

Henry Stern

Registra)on

Hos)ng

Propaga)on

Payload

Delivery

Blocking

2014-‐06-‐20
©2014
Farsight
Security
Inc.

2

2014-‐06-‐20
©2014
Farsight
Security
Inc.

3

2014-‐06-‐20
©2014
Farsight
Security
Inc.

4

2014-‐06-‐20
©2014
Farsight
Security
Inc.

5

0.00%

10.00%

20.00%

30.00%

40.00%

50.00%

60.00%

70.00%

80.00%

140501

140502

140503

140504

140505

140506

140507

140508

140509

140510

140511

140512

140513

140514

140515

140516

140517

140518

140519

140520

140521

140522

140523

140524

140525

140526

140527

140528

140529

140530

140531

140601

140602

140603

140604

140605

2014-‐06-‐20
©2014
Farsight
Security
Inc.

6

Source:
Private
Spam
Trap

2014-‐06-‐20
©2014
Farsight
Security
Inc.

7

0.00%

5.00%

10.00%

15.00%

20.00%

25.00%

5m
10m
30m
1h
3h
12h
24h

2014-‐06-‐20
©2014
Farsight
Security
Inc.

8

0.00%

5.00%

10.00%

15.00%

20.00%

25.00%

30.00%

35.00%

40.00%

45.00%

50.00%

5m
10m
30m
1h

•  10% of spam messages use domain
names less than 10 minutes old.
•  Boosts spam catch rate on domain
names <5 minutes old by 20%.
2014-‐06-‐20
©2014
Farsight
Security
Inc.

9

•  Snapshot in time from the zone’s
authoritative name server.
•  Only tells of new delegation points.
•  Not available for most CCTLDs.
•  Only available to public every 24 hours.
2014-‐06-‐20
©2014
Farsight
Security
Inc.

10

•  Farsight DNSDB.
https://www.dnsdb.info/!
•  Historical database of 350 million known
domain names, 7 billion hostnames.
•  Detecting 50k new domain names per
day.
2014-‐06-‐20
©2014
Farsight
Security
Inc.

11

•  Publishing a DNSBL, several DNS RPZs of
domain names ﬁrst observed less than
24 hours ago.
domain.v1.bl.dns-nod.net
•  ZFA-like dumps from passive DNS.
– Resource records from authoritative name
servers for the zone.!
2014-‐06-‐20
©2014
Farsight
Security
Inc.

12

•  All domains, even legitimate ones, will
be penalized by NOD's subscribers.
•  Up-front accountability would prevent
this junk at lower total cost.
•  The need and demand for NOD should
embarrass the whole DNS industry.
2014-‐06-‐20
©2014
Farsight
Security
Inc.

13

•  Improve accountability for new domains.
–  Credit cards, whois, identity.
•  Oﬀer ZFA, including deltas, for all TLD’s.
–  Even CCTLD’s.
•  Improve takedown procedures.
–  Consider APWG's API/process for this.
•  Consider putting new domains in "pause."
•  Limit NS changes to one per day.
–  Exceptions only by phone.
2014-‐06-‐20
©2014
Farsight
Security
Inc.

14

https://www.farsightsecurity.com/
https://www.dnsdb.info/
2014-‐06-‐20
©2014
Farsight
Security
Inc.

15

Similar to presentation-passive-dns-mitigate-abuse-23jun14-en

Webinar: Insights from Cyren's 2016 cyberthreat reportCyren, Inc

DDoS Mitigation using BGP Flowspec APNIC

IPv6 Security - Myths and RealitySwiss IPv6 Council

Mobile Penetration Testing: Episode II - Attack of the CodeNowSecure

Tracing your security telemetry with Apache MetronDataWorks Summit/Hadoop Summit

Breaking the Status QuoAruba, a Hewlett Packard Enterprise company

Jeroen Wijdogen (Akamai) | TU - Hacks & AttacksMedia Perspectives

第1回福岡SoftLayer勉強会Shin Sakamoto

Thriving in the Shark Tank: How Vebalizeit Load Tested with SOASTASOASTA

Save Your Network – Protecting Manufacturing Data from Deadly BreachesLancope, Inc.

PLNOG 13: James Kretchmar: How Akamai scales to serve the largest events on t...PROIDEA

Introduction to RPKIAPNIC

Streaming with VarnishVarnish Software

Cisco IPv6 Deployment Statics, by Shishio Tsuchiya [APRICOT 2015]APNIC

Reverse Engineering Malware: A look inside Operation TovarLancope, Inc.

Virtual SAN: It’s a SAN, it’s Virtual, but what is it really?DataCore Software

DNS как линия защиты/DNS as a Defense VectorPositive Hack Days

Introduction to RTI DDSJohn Breitenbach

Securing your Rails applicationclucasKrof

Decreasing Incident Response TimeBoni Bruno

presentation-passive-dns-mitigate-abuse-23jun14-en

1. Henry Stern <stern@fsi.io> Senior Distributed Systems Engineer Farsight Security, Inc.

6. 0.00% 10.00% 20.00% 30.00% 40.00% 50.00% 60.00% 70.00% 80.00% 140501 140502 140503 140504 140505 140506 140507 140508 140509 140510 140511 140512 140513 140514 140515 140516 140517 140518 140519 140520 140521 140522 140523 140524 140525 140526 140527 140528 140529 140530 140531 140601 140602 140603 140604 140605 2014-‐06-‐20 ©2014 Farsight Security Inc. 6 Source: Private Spam Trap

10. •  Snapshot in time from the zone’s authoritative name server. •  Only tells of new delegation points. •  Not available for most CCTLDs. •  Only available to public every 24 hours. 2014-‐06-‐20 ©2014 Farsight Security Inc. 10

11. •  Farsight DNSDB. https://www.dnsdb.info/! •  Historical database of 350 million known domain names, 7 billion hostnames. •  Detecting 50k new domain names per day. 2014-‐06-‐20 ©2014 Farsight Security Inc. 11

12. •  Publishing a DNSBL, several DNS RPZs of domain names ﬁrst observed less than 24 hours ago. domain.v1.bl.dns-nod.net •  ZFA-like dumps from passive DNS. – Resource records from authoritative name servers for the zone.! 2014-‐06-‐20 ©2014 Farsight Security Inc. 12

13. •  All domains, even legitimate ones, will be penalized by NOD's subscribers. •  Up-front accountability would prevent this junk at lower total cost. •  The need and demand for NOD should embarrass the whole DNS industry. 2014-‐06-‐20 ©2014 Farsight Security Inc. 13

14. •  Improve accountability for new domains. –  Credit cards, whois, identity. •  Oﬀer ZFA, including deltas, for all TLD’s. –  Even CCTLD’s. •  Improve takedown procedures. –  Consider APWG's API/process for this. •  Consider putting new domains in "pause." •  Limit NS changes to one per day. –  Exceptions only by phone. 2014-‐06-‐20 ©2014 Farsight Security Inc. 14

presentation-passive-dns-mitigate-abuse-23jun14-en

Recommended

Recommended

More Related Content

Similar to presentation-passive-dns-mitigate-abuse-23jun14-en

Similar to presentation-passive-dns-mitigate-abuse-23jun14-en (20)

presentation-passive-dns-mitigate-abuse-23jun14-en