
Abuse of DNS wildcards in China - from passiveDNS perspective

APNIC
Sep. 18, 2015

  1. DNS Wildcards Abuse in China - from passive DNS perspective
     Network Security Research Lab @QIHOO 360, Zhang Zaifeng
  2. Agenda
     • About passiveDNS.cn
     • What is DNS Wildcards Abuse (DWA)
     • How DWA operates
     • Measure DWA
  3. About passiveDNS.cn
     • About 10% of DNS traffic in China
       – The first and largest publicly known passive DNS database in China
       – Open to the security community (nsp-sec, ops-trust)
     • DNS requests: 900,000 q/s
     • From 2014-08-05 till 2015-08-26
       – DNS RRsets: 5.7 billion
       – DNS RDATAs: 17.2 billion
       – Unique domains: 4.6 billion
  4. What is DWA
     • DNS wildcard
       – A wildcard DNS record is a record in a DNS zone that matches requests for non-existent domain names. A wildcard DNS record is specified by using a "*" as the leftmost label (part) of a domain name. ---- from wikipedia.org
       – A domain configured with a wildcard record: *.example.com IN A 1.2.3.4
       – Any subdomain of zone example.com is pointed to 1.2.3.4
  5. What is DWA cont.
     • DNS wildcards abuse (DWA)
       – Methods:
         • Register lots of domains
         • Enable wildcard records on all of these domains
         • Most FQDN web pages have duplicate or nonsensical content
         • Most pages link to or cross-reference each other
       – Purpose:
         • Black hat SEO
         • Possibly evade firewall blocking rules
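The wildcard rule on slide 4 is what makes DWA look the way it does in passive DNS (slide 6: "like DGA, but no NXDOMAINs"): once *.example.com exists, any name with no closer existing ancestor resolves, so random prefixes never produce NXDOMAIN. The following Python block is an added example, not code from the talk or from passivedns.cn; it implements the RFC 4592 matching rule (exact match first, then the wildcard directly under the closest encloser) over a small constructed zone, with example.com names and 198.51.100.x addresses as assumed sample data.

```python
"""RFC 4592 wildcard matching over a small in-memory zone (added example)."""
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]  # (rrtype, rdata)

# Constructed zone. "*.example.com IN A 1.2.3.4" is the wildcard from the slide;
# the other owner names and addresses are made-up sample data.
ZONE: Dict[str, List[Record]] = {
    "example.com":        [("NS", "ns1.example.com"), ("A", "198.51.100.1")],
    "ns1.example.com":    [("A", "198.51.100.2")],
    "www.example.com":    [("A", "198.51.100.3")],
    "*.example.com":      [("A", "1.2.3.4")],
    "a.deep.example.com": [("A", "198.51.100.4")],
}
APEX = "example.com"


def parent(name: str) -> str:
    """Drop the leftmost label: 'www.example.com' -> 'example.com'."""
    return name.split(".", 1)[1] if "." in name else ""


def existing_names(zone: Dict[str, List[Record]], apex: str) -> set:
    """Every owner name plus the empty non-terminals above it (e.g. deep.example.com)."""
    names = {apex}
    for owner in zone:
        n = owner
        while n and n != apex:
            names.add(n)
            n = parent(n)
    return names


def lookup(zone: Dict[str, List[Record]], apex: str, qname: str,
           qtype: str) -> Tuple[str, List[str], Optional[str]]:
    """Resolve qname/qtype. Returns (status, rdata list, wildcard owner used or None)."""
    if qname != apex and not qname.endswith("." + apex):
        return ("REFUSED", [], None)          # not inside this zone
    names = existing_names(zone, apex)
    if qname in zone:                         # exact match: wildcard is never consulted
        data = [r for t, r in zone[qname] if t == qtype]
        return ("NOERROR" if data else "NODATA", data, None)
    if qname in names:                        # empty non-terminal: name exists, no records
        return ("NODATA", [], None)
    # Closest encloser = longest existing ancestor of qname.
    enc = parent(qname)
    while enc not in names:
        enc = parent(enc)
    # Only the wildcard immediately below the closest encloser may synthesize.
    source = "*." + enc
    if source in zone:
        data = [r for t, r in zone[source] if t == qtype]
        return ("NOERROR" if data else "NODATA", data, source)
    return ("NXDOMAIN", [], None)


if __name__ == "__main__":
    for q in ("foo.example.com", "a.b.example.com", "www.example.com",
              "x.www.example.com", "b.deep.example.com", "deep.example.com"):
        print(q, lookup(ZONE, APEX, q, "A"))
```

Note the two cases that do return NXDOMAIN: x.www.example.com and b.deep.example.com have an existing closer ancestor (www.example.com, and the empty non-terminal deep.example.com), so *.example.com does not apply. A zone that answers for a long random prefix like a.b.example.com but never returns NXDOMAIN is the signature the slides describe.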
  6. Example
     • Domain style:
       – Like DGA, but no NXDOMAINs
       – Random prefix subdomains
       – MANY (sub)domains vs a SINGLE IP address
  7. Example cont.
     • Domain style:
       – MANY (sub)domains vs MULTIPLE IP addresses
  8. Example cont.
     • Domain style:
       – The new gTLD .science is also involved
  9. • What do the real web pages look like?
     • The following pages show 3 different sites with similar page structure, layout and content
       – All pages have some sort of medical rewards, a photo of a middle-aged doctor, a nice hospital facility, etc.
  10. Website 1
  11. Website 2
  12. Website 3
 13. DWA webpage source
     • Take a look at the page HTML
       – Here it shows: "The ultimate killer team for medical DWA", with its website and customer service QQ number
       – Another slogan: "The newest ranking technology which circumvents search engine blocking"
 14. How it operates
     • General steps:
       – Prepare domains / Virtual Private Servers (VPS)
       – Pick keywords for search engines
       – Generate (fake) original content (to be consumed by search engines)
       – Site goes live
     • Prepare domains/VPS:
       – Purchase domains
       – Purchase VPS
       – Domains go live
       – Generate subdomains
 15. Purchase domains
     • From the almighty taobao.com
     • So cheap when buying a mass of domains
 16. Purchase VPS
     • Same as domains, from the almighty taobao.com
     • So many dedicated VPS for DWA
     • The industry chain is full-blown
 17. Domains go live
     • Have loads of domains and corresponding VPS
       – Resolving them is time-consuming and very boring
       – No worries, there are tools to make things easier
 18. Generate subdomains
     • Automatically generate all kinds of subdomains according to your configuration
       – Pinyin (拼音) subdomains
       – Random subdomains: digits-only, alphabets-only, or a mix of them
 19. DWA variation
     • Only one type of DWA?
       – Absolutely NOT!
       – Domain shadowing
 20. DWA variation cont.
     • Legitimate DNS server taken over
       – Gambling sites
       – TLDs are gov.cn, which is used by the Chinese government
 21. DWA variation cont.
     • Government sites are the main targets
       – Many government sites are poorly managed; attacking the registrant accounts is easy
       – They rank higher in search engines
     • Advantages:
       – Economy: no need to purchase lots of domains
       – Efficiency: many search engines rank government sites higher
     • Disadvantages:
       – High risk: you don't want to get caught
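Slides 20 and 21 describe the domain-shadowing variant: the zone's name server record is changed at the registrar and a burst of new hostnames appears under a legitimate (often gov.cn) domain. From the defender's side this is visible in passive DNS as an NS RRset change followed by many never-before-seen hosts. The block below is an added example, not code from the talk or from passivedns.cn; it works over constructed rows with placeholder zone names (city-example.gov.cn, quiet-example.gov.cn) and assumed thresholds (a 7-day window, at least 3 new hosts), and flags only the zone whose NS change is followed by a host burst.

```python
"""Passive-DNS detection of name-server takeover followed by a host burst (added example)."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample rows: (date_seen, rrname, rrtype, rdata). All names are placeholders.
ROWS = [
    (date(2015, 4, 1),  "city-example.gov.cn",      "NS", "ns1.legit-example.cn"),
    (date(2015, 4, 1),  "city-example.gov.cn",      "NS", "ns2.legit-example.cn"),
    (date(2015, 4, 1),  "www.city-example.gov.cn",  "A",  "198.51.100.20"),
    # NS set changes, then random-looking hosts appear pointing at one new IP
    (date(2015, 4, 20), "city-example.gov.cn",      "NS", "ns1.rogue-example.net"),
    (date(2015, 4, 20), "city-example.gov.cn",      "NS", "ns2.rogue-example.net"),
    (date(2015, 4, 20), "x8k2.city-example.gov.cn", "A",  "203.0.113.5"),
    (date(2015, 4, 20), "q93z.city-example.gov.cn", "A",  "203.0.113.5"),
    (date(2015, 4, 21), "m7b1.city-example.gov.cn", "A",  "203.0.113.5"),
    (date(2015, 4, 21), "zz01.city-example.gov.cn", "A",  "203.0.113.5"),
    # a zone that legitimately moves name servers: NS change, but no host burst
    (date(2015, 4, 1),  "quiet-example.gov.cn",     "NS", "ns1.old-example.cn"),
    (date(2015, 5, 1),  "quiet-example.gov.cn",     "NS", "ns1.new-example.cn"),
    (date(2015, 5, 2),  "www.quiet-example.gov.cn", "A",  "198.51.100.30"),
]


def ns_history(rows):
    """Per zone: sorted list of (date, frozenset of NS rdata observed that day)."""
    per = defaultdict(lambda: defaultdict(set))
    for d, name, rtype, rdata in rows:
        if rtype == "NS":
            per[name][d].add(rdata)
    return {z: sorted((d, frozenset(s)) for d, s in days.items()) for z, days in per.items()}


def ns_changes(rows):
    """(zone, old_ns_set, new_ns_set, date) wherever the NS set differs from the previous observation."""
    out = []
    for zone, hist in ns_history(rows).items():
        for (_, s0), (d1, s1) in zip(hist, hist[1:]):
            if s0 != s1:
                out.append((zone, s0, s1, d1))
    return out


def new_hosts_after(rows, zone, since, window_days=7):
    """Hostnames under `zone` whose first A observation falls in [since, since + window)."""
    first_seen = {}
    for d, name, rtype, _ in rows:
        if rtype == "A" and name.endswith("." + zone):
            first_seen[name] = min(first_seen.get(name, d), d)
    end = since + timedelta(days=window_days)
    return sorted(n for n, d in first_seen.items() if since <= d < end)


def shadowing_alerts(rows, min_new_hosts=3):
    """NS changes that are followed by at least `min_new_hosts` new hostnames."""
    alerts = []
    for zone, old, new, d in ns_changes(rows):
        hosts = new_hosts_after(rows, zone, d)
        if len(hosts) >= min_new_hosts:
            alerts.append({"zone": zone, "date": d, "old_ns": sorted(old),
                           "new_ns": sorted(new), "new_hosts": hosts})
    return alerts


if __name__ == "__main__":
    for a in shadowing_alerts(ROWS):
        print(a)
```

The NS change alone is not an alert (quiet-example.gov.cn changes name servers too); combining it with the host burst is what separates a migration from a takeover, and a real deployment would additionally compare the new NS names against the registrant's known infrastructure.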
 22. How we measure DWA
     • Select and verify DWA
       – Select
         • Domain registered in China but server IPs located overseas
         • Has wildcard records
         • Not CDN domains / dynamic DNS domains / popular domains (Alexa Top 100k)
         • Not special IPs: sinkhole IPs, domain parking/reselling
         • Other filters ...
       – Verify
         • Data: 20150515~20150521, 948,005 domains; 350,282 valid domains (site is live with a page title)
         • Result:
           – Pornographic sites: 45%
           – Gambling sites: 15%
           – Misconfiguration: 9%
           – Normal business: 8%
           – Traffic Direction System: 7%
           – Others: 16%
       – And let's see the detailed statistics
 23. Measure DWA
     • Active domains - second level domain (SLD)
       – All TLDs: 21,481/day
       – cn: 8,649/day
     [Chart: daily active SLD count, 2015-01-13 to 2015-08-26, y-axis 0 to 60,000; series total_num, cn_num, gov_cn_num, ac_cn_num, science_num]
 24. Measure DWA cont.
     • Active domains - SLD
       – Zoom in on the ac.cn / science / gov.cn curves
       – About ac.cn: ac.cn is used for academic institutes in China. Avg: 646/day
       – About gov.cn: gov.cn is an index that reflects the security of government sites. Avg: 67/day
       – About .science: first seen at 20150403, burst at 20150415, highest point 20150618. Avg: 377/day
     [Chart: daily active SLD count for gov.cn, ac.cn and .science, 2015-01-13 to 2015-08-26, y-axis 0 to 3,500]
 25. Measure DWA cont.
     • Active domains - Fully Qualified Domain Name (FQDN)
       – .ac.cn avg: 9,296/day. FQDN/SLD: 15x
       – .gov.cn is stable. Avg: 1,245/day. FQDN/SLD: 18.6x
       – .science avg: 5,256/day. FQDN/SLD: 14x
       – What's wrong with ac.cn on 20150303?
     [Chart: daily active FQDN count for gov.cn, ac.cn and .science, 2015-01-13 to 2015-08-26, y-axis 0 to 160,000]
 26. Measure DWA cont.
     • Active domains - FQDN
       – The spike of ac.cn at 20150302~20150304
         • About 50 SLDs, each with a large number of subdomains in the same style, just like the following:
 27. Measure DWA cont.
     • Active domains - SLD
       – Other new gTLDs (excluding .science)
         • top (4,080/day), xyz (384/day), party (259/day), club (165/day), website (43/day)
     [Chart: daily active SLD count per new gTLD (xyz, top, party, club, website), y-axis 0 to 8,000]
 28. Measure DWA cont.
     • Active server IPs
       – Avg: 15,082/day
     [Chart: daily unique server IP count (uniq_ip_num), 2015-01-14 to 2015-08-26, y-axis 0 to 30,000]
 29. Measure DWA cont.
     • Server IP distribution
       – 83% located in the US
       – 13% located in HK, Japan and Taiwan
       – Top 10 ASNs: 68%; 8/10 ASNs located in the US, 2/10 ASNs located in HK
     [Pie chart: IP distribution / ASN (shares paired with legend entries in slide order)]
       – AS18978 Enzu Inc: 20%
       – AS15003 Nobis Technology Group: 12%
       – AS40676 Psychz Networks: 12%
       – AS20248 Take 2 Hosting, Inc.: 5%
       – AS35908 Krypt Technologies: 4%
       – AS38197 Sun Network (HK) LLC: 4%
       – AS54600 PEG TECH INC: 3%
       – AS53755 Input Output Flood LLC: 3%
       – AS18779 EGIHosting: 3%
       – AS17444 New World Telephone: 2%
       – AS8100 QuadraNet, Inc: 2%
       – AS22552 eSited Solutions: 2%
       – AS17139 Corporate Colocation In: 2%
       – other: 26%
     [Pie chart: IP distribution / country]
       – US: 83%
       – HK: 11%
       – JP: 1%
       – TW: 1%
       – other: 4%
 30. Measure DWA cont.
     • Lifetime distribution
       – 86% of FQDNs live less than one day
       – 42% of SLDs live less than one day
     [Pie chart: FQDN_num / lived_days]
       – [0,1): 86%
       – [1,7): 5%
       – [7,32): 3%
       – [32,): 6%
     [Pie chart: SLD_num / lived_days]
       – [0,1): 42%
       – [1,7): 18%
       – [7,32): 15%
       – [32,): 25%
 31. Measure DWA cont.
     • Domain access count distribution
       – 70% of SLDs received fewer than 100 DNS requests
       – 88% of SLDs received fewer than 500 DNS requests
     [Pie chart: SLD_access_count]
       – (0,100]: 70%
       – (100,500]: 18%
       – (500,1000]: 5%
       – (1000,5000]: 5%
       – (5000,): 2%
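The measurement pipeline of slides 22 to 31 reduces to a few per-SLD statistics that can be computed from passive DNS RRsets: how many FQDNs a registrable domain has, whether they collapse onto one server IP with random-looking prefixes (the style of slide 6), and the lifetime and access-count buckets used on slides 30 and 31. The Python below is an added example, not code from the talk or from passivedns.cn; the record layout (rrname, rdata, first_seen, last_seen, count), the toy public-suffix rule, the randomness heuristic and the candidate thresholds are all assumptions, and the observations are constructed sample data with placeholder names and addresses.

```python
"""Per-SLD DWA measurements over passive-DNS-style RRset records (added example)."""
import math
from collections import Counter, defaultdict
from datetime import date

# Constructed sample observations: (rrname, rdata, first_seen, last_seen, query_count).
OBS = [
    # one registrable domain with random-prefix hosts all pointing at a single IP
    ("x7k2q9.exampledwa.cn", "203.0.113.10", date(2015, 5, 15), date(2015, 5, 15), 12),
    ("p0m3zz.exampledwa.cn", "203.0.113.10", date(2015, 5, 15), date(2015, 5, 15), 8),
    ("qwe91l.exampledwa.cn", "203.0.113.10", date(2015, 5, 16), date(2015, 5, 16), 5),
    ("a8s7d6.exampledwa.cn", "203.0.113.10", date(2015, 5, 16), date(2015, 5, 19), 30),
    ("zzz123.exampledwa.cn", "203.0.113.10", date(2015, 5, 17), date(2015, 5, 17), 3),
    ("exampledwa.cn",        "203.0.113.10", date(2015, 5, 15), date(2015, 5, 19), 40),
    # an ordinary site: few meaningful hostnames, long-lived, heavily queried
    ("www.example-shop.cn",  "198.51.100.7", date(2015, 1, 13), date(2015, 8, 26), 90000),
    ("mail.example-shop.cn", "198.51.100.8", date(2015, 1, 13), date(2015, 8, 26), 12000),
    ("example-shop.cn",      "198.51.100.7", date(2015, 1, 13), date(2015, 8, 26), 5000),
]

# Assumed public suffixes under which the registrable name has three labels (toy list, not a full PSL).
THREE_LABEL_SUFFIXES = {"gov.cn", "ac.cn", "com.cn", "net.cn", "org.cn", "edu.cn"}
LIFE_BUCKETS = (("[0,1)", 0, 1), ("[1,7)", 1, 7), ("[7,32)", 7, 32), ("[32,)", 32, None))
ACCESS_BUCKETS = (("(0,100]", 100), ("(100,500]", 500), ("(500,1000]", 1000),
                  ("(1000,5000]", 5000), ("(5000,)", None))


def sld(fqdn: str) -> str:
    """Registrable (second-level) domain of an FQDN."""
    labels = fqdn.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in THREE_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def entropy_bits(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_random(label: str) -> bool:
    """Random-prefix heuristic: 5+ chars and either high entropy or a digit/letter mix."""
    mixed = any(ch.isdigit() for ch in label) and any(ch.isalpha() for ch in label)
    return len(label) >= 5 and (entropy_bits(label) >= 2.0 or mixed)


def lifetime_bucket(days: int) -> str:
    for name, lo, hi in LIFE_BUCKETS:
        if days >= lo and (hi is None or days < hi):
            return name
    raise ValueError(days)


def access_bucket(count: int) -> str:
    for name, hi in ACCESS_BUCKETS:
        if hi is None or count <= hi:
            return name
    raise ValueError(count)


def summarize(obs):
    """Per SLD: FQDN count, share of the dominant server IP, random-prefix share, bucket counts."""
    per = defaultdict(lambda: {"fqdns": set(), "ips": Counter(), "random": [],
                               "lifetime": Counter(), "access": Counter()})
    for name, ip, first, last, count in obs:
        d = sld(name)
        s = per[d]
        s["fqdns"].add(name)
        s["ips"][ip] += 1
        prefix = name[: -len(d) - 1]                   # labels left of the SLD, "" at the apex
        if prefix:
            s["random"].append(looks_random(prefix.split(".")[0]))
        s["lifetime"][lifetime_bucket((last - first).days)] += 1
        s["access"][access_bucket(count)] += 1
    out = {}
    for d, s in per.items():
        out[d] = {
            "fqdn_count": len(s["fqdns"]),
            "top_ip_share": max(s["ips"].values()) / sum(s["ips"].values()),
            "random_prefix_share": sum(s["random"]) / len(s["random"]) if s["random"] else 0.0,
            "lifetime": dict(s["lifetime"]),
            "access": dict(s["access"]),
        }
    return out


def is_dwa_candidate(summary, min_fqdns=5, min_ip_share=0.9, min_random=0.6) -> bool:
    """Assumed thresholds: many hosts, one dominant IP, mostly random prefixes."""
    return (summary["fqdn_count"] >= min_fqdns and summary["top_ip_share"] >= min_ip_share
            and summary["random_prefix_share"] >= min_random)


if __name__ == "__main__":
    for d, s in summarize(OBS).items():
        print(d, "DWA candidate" if is_dwa_candidate(s) else "not flagged", s)
```

The bucket boundaries follow the slides exactly (half-open day ranges for lifetime, right-closed ranges for access count), so the same functions can aggregate a full dataset into the distributions shown on slides 30 and 31; the selection filters that need external data (registrar country, CDN and Alexa lists, sinkhole and parking IP sets) are left as inputs to be joined in.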
 32. Measure DWA cont.
     • Conclusion
       – DWA is popular
       – But, as an SEO trick, it does not work so well
         • Judging from DNS request numbers and domain lifetimes
         • Judging from the slogan of “狗小云站群” (one of the DWA software providers, http://q8888q.com/): "the only effectual DWA software on all of the web"
       – Why such a big scale? Some (possible) reasons:
         • Not every webmaster knows this conclusion
         • Not just for SEO:
           – Some type of domain flux
           – Evade the FW/IPS/WAF blocking policy
 33. References
     • https://passivedns.cn
     • http://baike.baidu.com/view/3166471.htm
     • http://baike.baidu.com/view/8794895.htm
     • http://www.hxzhanqun.cn/shipinyanshi/
     • http://www.iisp.com/ztview/F_d020.html?s=netcn
     • http://www.cnkuai.cn/domain/domain_en_ac_cn.htm
     • http://www.163ns.com/help/495.html
     • http://www.royotech.com/pages/toolbox/articles/web/15.php
     • http://www.famousfourmedia.com/science/
     • http://register.science/
     • http://www.alpnames.com/
     • http://www.freehao123.com/alpnames-register-science/
     • http://q8888q.com/
     • http://tools.ietf.org/html/rfc4592
     • http://www.thesempost.com/google-dislikes-zombie-sub-domains/
     • http://www.kevstrong.com/technology/avoiding-ghost-sub-domains-and-duplicate-content/

Editor's Notes

  1. Hello, everyone, good afternoon. I'm Zhang Zaifeng, from the Network Security Research Lab at QIHOO. Today I will introduce the situation of DNS wildcard abuse in China.
  2. This presentation is composed of 4 parts: first some information about passivedns.cn, then a brief introduction to DWA and how it operates, and at last I will give the scale of DWA according to our data.
  3. We are collecting about 10% of the DNS traffic in China, about 900,000 q/s. In the last year we collected 5.7 billion DNS RRsets, 17.2 billion RDATA and 4.6 billion unique domains. It's the first and largest publicly known passive DNS database in China and has been opened to security communities, including nsp-sec and ops-trust.
  4. From Wikipedia: a DNS wildcard record is a record in a DNS zone that matches requests for non-existent domain names. A wildcard DNS record is specified by using a "*" as the leftmost label (part) of a domain name. For example, if a domain is configured with the wildcard record *.example.com IN A 1.2.3.4, any subdomain of zone example.com will be pointed to 1.2.3.4.
  5. What is DNS wildcards abuse (DWA)? Actually, it has a dedicated Chinese name: “泛站群”. We decide whether it is abuse or not mainly from its behavior and content. Most DWA has the following signatures: someone registers lots of domains; all these domains have wildcard records; most of the FQDN web pages have duplicate or nonsensical (rubbish) content; most pages link to or cross-reference each other. As for the purpose: generally it's a type of black hat SEO; sometimes, maybe, it's a trick to evade firewall blocking rules. I will explain this later.
  6. OK, let's check some DWA examples. These domains look like DGA (domain generation algorithm) domains, but you will never find the corresponding NXDOMAINs. Most of them have random prefix subdomains. This page shows different domains vs (versus) a single IP address.
     You can check out these records using the following commands:
     flint rdata 104.207.32.93 -l 20|grep 104.207.32.93
     flint rdata 104.207.32.10 -l 20|grep 104.207.32.10
     flint rdata 104.207.32.101 -l 20|grep 104.207.32.101
  7. In this case, different subdomains (they are nested domains) have multiple IP addresses.
  8. We also see that the new gTLD (.science) is involved.
  9. Then, what do the real web pages look like? The following pages show 3 different sites with similar page structure, layout and content.
 10. All pages have some sort of medical rewards, a photo of a middle-aged doctor, a nice hospital facility, etc.
 11. All pages have some sort of medical rewards, a photo of a middle-aged doctor, a nice hospital facility, etc.
 12. All pages have some sort of medical rewards, a photo of a middle-aged doctor, a nice hospital facility, etc.
 13. Let's take a look at the page HTML code. We found some slogans from the DWA software provider. Here it says: "The ultimate killer team for medical DWA", with its URL and customer service QQ number. Another slogan: "The newest ranking technology which circumvents search engine blocking".
 14. How does it operate? Let's inspect it! Generally speaking, it includes 4 steps: Step 1, Step 2, Step 3, Step 4. Among the 4 steps, only the 1st step is related to domains, so we split it into 4 sub-steps: Step 1, Step 2, Step 3, Step 4. Let's check them separately.
     More info about DWA: http://www.52zhanqun.com/93 http://www.admin5.net/thread-14808021-1-1.html
 15. The guys usually purchase domains from the almighty taobao.com; they are so cheap when buying a mass of domains.
     The picture is from taobao.com, when you search the keywords on taobao's main page: http://s.taobao.com/search?q=%E5%9F%9F%E5%90%8D&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&spm=1.7274553.1997520841.1&initiative_id=tbindexz_20150429 https://domains.dnspod.cn/main/priceinfo
 16. Same as domains, VPS are also from taobao.com; there are so many dedicated VPS for DWA, as noted by the red Chinese characters in the pictures. How full-blown the industry chain is.
     http://s.taobao.com/search?app=&ie=utf8&initiative_id=staobaoz_20150429&stats_click=search_radio_all%3A1&js=1&q=%E7%BE%8E%E5%9B%BDvps+%E7%AB%99%E7%BE%A4&suggest=history_2&_input_charset=utf-8&wq=%E7%BE%8E%E5%9B%BDvps&suggest_query=%E7%BE%8E%E5%9B%BDvps&source=suggest
     From these pictures we can see keywords such as “站群,泛站群”, so the industry is full-blown.
 17. Domains go live. Now we have loads of domains and corresponding VPS; resolving them is time-consuming and very boring. But don't worry, there are tools to make things easier. We selected a DWA software named “黑侠站群”, meaning "black knight". You can input your domains in the leftmost input box and the IP address of your VPS in the second input box on the left. Select the "* resolve" checkbox, and it will add a wildcard record for all your domains automatically.
 18. Using the same tool, you can generate all kinds of subdomains according to your configuration. There are two tab pages, which respectively stand for random subdomains and pinyin subdomains. 【Pinyin is the official phonetic system for transcribing the Mandarin pronunciations of Chinese characters into the Latin alphabet in China.】 On the random subdomains page, you can choose digits-only, alphabets-only, or a mix of them to generate the random subdomains. Press the button "start generate", and later the subdomains are ready.
     We found a typical software, heixiazhanqun (http://www.hxzhanqun.cn/, 黑侠站群), which is used to build DWA. These two pictures are from this software.
 19. Only one type of DWA? No, of course not. The second method is like domain shadowing in a way.
     Other steps: pick keywords for search engines; (fake) original content (to be used by search engines); site goes live; spider control.
 20. This kind of DWA is different from the above type. It is a legitimate DNS server being taken over: somebody intrudes into the registrar's system and modifies the name server record. For most of this type, the victims are government sites, just like what these pictures show. gov.cn is the TLD used by the Chinese government.
 21. Why government sites are the main targets: many government sites are poorly managed, so compromising their registrant accounts is easy. Many search engines rank government sites higher; I think this is the main reason. This method's advantages: economy, no need to purchase lots of domains; efficiency, naturally ranking higher in search engines. At the same time, the disadvantage is: high risk. You don't want to get caught; it's a crime.
 22. Our measurement method. Select the domains: domain registered in China but server IPs located overseas; domain has wildcard records; not CDN domains / dynamic DNS domains / popular domains (Alexa Top 100k); not special IPs, such as sinkhole IPs and domain parking/reselling; other filters ... Verify the domains: we selected one week of data, 20150515~20150521, about 948,005 domains in total, but only 350,282 valid domains (site is live with a page title). For those valid domains, the classification result is: pornographic sites 45%; gambling sites 15%; misconfiguration of DWA 9%; normal business 8%; Traffic Direction System 7%; others 16%. The others include marriage dating, private game servers, guns, fake certificates, drugs and fake hospitals. We can see that, excluding misconfiguration, normal business and TDS, 76% are located in a gray zone. Let's see the detailed statistics.
     We checked again on 2015-05-26, and 60% of the domains were no longer valid for us. Such a short time.
 23. We collected about 7 months of data, from 2015-01-13 to 2015-08-26. From this picture, there are no obvious rules to describe the date trends. These zero points were caused by some unexpected reasons which resulted in no data being imported into the system. Just ignore them.
 24. On this page, we zoom in on these 3 TLDs: ac.cn, gov.cn and science. 1. ac.cn is used for academic institutes. Now it can be registered by anybody, without any limitations. 2. gov.cn is an index which reflects the security of government sites. The average number of government sites is about 67. 3. Science is a new gTLD, registered on 2014-10-23. From the end of 2015.2, it was free for one year, and this new gTLD is more visible in search engine results. From the curves, we first saw it on 20150403 (about a month after free registration began), and it began to burst after two weeks. A month later, it reached its highest point. From 20150710 it became not so active; after 20150819 it became active again. It is meant for qualified scientists and other science-related professionals, but it has been abused in China and became a joke.
 25. If we inspect the FQDNs, what can we find? The number is much larger than the SLD number, about 14x to 18.6x, but the trends are the same. ac.cn: 9626/646 = 15; gov.cn: 1245/67 = 18.6; science: 5256/377 = 14. Wait, here is a big spike; what's wrong with ac.cn on this day (20150403)?
 26. We checked the data of that day and found that there are about 50 SLDs which had large numbers of subdomains, all of them in the same domain style. Obviously, these domains were generated by somebody. Maybe he/she was testing newly purchased DWA software.
 27. What about the other new gTLDs? We counted the other top 10 new gTLDs from 20150703 to 20150826. .top's number is much higher than the others. It's a severely afflicted area.
 28. This is the active servers curve measured by IP address. Compared with the domain number, it is stable. Avg: 15,082 daily.
 29. Here are the statistics of the server IP addresses. 83% of the servers are located in the US and 13% in Hong Kong, Japan and Taiwan. The US is the most mature market of the information industry; the others are all near Mainland China geographically, so it's speedier for users. 68% of servers are located in the top 10 ASNs. Among the top 10 ASNs, 8 are located in the US and 2 in HK.
 30. We also inspected the lifetime of these domains. From the SLD view, 42% of the domains live less than one day, and 60% of SLDs live less than one week. From the FQDN view, this number is more exaggerated: 86% of the domains live less than one day, and 91% of FQDNs live less than one week.
 31. The last item: we check the access count of the domains. Like the lifetime, 70% of the domains are accessed fewer than 100 times, and 88% of SLDs fewer than 500 times. You know, the statistical time span is about 7 months; 500 DNS requests is really scarce.
 32. Now, what's the conclusion? DWA is popular in China; about 2% of new domains belong to DWA. But as an SEO trick, looking at the poor number of DNS requests and domain lifetimes, it does not work so well. This can be verified from another DWA software's slogan: “the only effectual DWA software on all of the web”. However, why is its scale so big? Some reasons, I think: not every webmaster knows this conclusion; they are still spending lots of money to buy this software and produce so many rubbish sites on the internet every day. Not all of the domains are used for SEO; some of them are a type of domain flux, used to evade the firewall's blocking policy.