Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
All Rights Reserved © 2019
Make the internet safe with DNS Firewall
Implementation Case Study at a Major ISP
Suman Kumar S...
Safe Internet for ‘ALL’
Started brainstorming to find a suitable way to provide
a secure internet to all of our users:
Con...
DNS Response Policy Zone
● Over 91% percent malware uses DNS(As Cisco 2016 Annual
Cyber security report)
● Nearly all the ...
DNS Response Policy Zone(RPZ)
● “DNS Firewall gives you the most bang for your buck” -Paul Vixie
● Reputation data is pack...
Core DNS Principles
Master/
Primary DNS
Slave/
Secondary
DNS
Caching
Resolver
DNS
.org
bdnog.org
www.bdnog.org
AXFR
TSIG
I...
.org
bdnog.o rg
.root
DNS RPZ
Master DNS
RPZ Feed
AXF
R
IXFR
What is the IP for
www.bdnog.org?
Who is in charge of bdnog.o...
DNS RPZ in Action
Master DNS
RPZ Feed
RPZ
Caching
Resolver
DNS
AXF
R
IXFR
What is the IP for
badguys.com?
badguys.co
m
To ...
How is DNS RPZ Different?
Master DNS
RPZ Feed
RPZ
Caching
Resolver
DNS
AXFR
IXFR
Security Company
DNS
RBL
Some RBL User
Up...
How is DNS RPZ Different?
• DNS RPZ allows for multiple feeds.
• Allows for industry incident feeds.
• Allows for local in...
Components of the Criminal Cloud
● Spam Botnet
● Command & Control
● Drive-by Domains
● Malware
● Secondary Malware
● Prox...
Malicious Redirects
E-commerce / Payments
Security Updates
Legitimate Abused
antvirus.updates.com
DNS
Scanning, Worming, & Spreading
Bot Herder
Email
SMS
SNS
Vulnerable
Malicious
Infected
Devices
DNS
C&C Botnet
Step 1
Step 2...
We can see the bot
herders traffic.
Domains are known to be malicious!
Spam/Phish
Maliciou
s
Domains
Infected
Devices
Cryp...
DNS RPZ would have stopped this attack!
With RPZ you can detect, alert,
block, and protect users.
Spam/Phish
Maliciou
s
Do...
Real Sample today
Possible Uses Examples
• Enterprise : Detect and stop malicious activities.
• ISP : Investigate infected customer hosts.
•...
RPZ supported DNS Applications
RPZ is native in several of the industry’s leading DNS platforms,
including:
● BIND V9.8 (o...
RPZ Rule
Let’s we want to rewrite any DNS queries for a
specific hostname, but allow lookups to the domain
and other hosts...
Response Policy Triggers
The rules in a Response Policy Zone consist of triggers or
filters that identify what responses t...
Response Policy Actions
GIVEN
CNAME
TCP-ONLY
DROP
PASSTHROUGH
NXDOMAIN
DISABLED
NODATA
Is the default action and define no...
RPZ Logging
Since we’re running RPZ, we definitely want to log
any RPZ rewrites. To do that, we need to set up two
things ...
Before Implementation
● At first implement on logging mode for at least for a
week
● Restricted RPZ recursive server to us...
RPZ Feed Providers
● Spamhaus
● Deteque
● PIPELINE Security
● Farsight security
● SURBL
● Threat Stop
DNS Firewall: Implementation Case Study in an ISP
● Implemented RPZ in Amber IT that is one of the Major ISP in Bangladesh...
Resources used for the implementation
And one System Admin to cook those things
One server for Bind LXD Container with Ubu...
Simple Installation:Bind
Required time : Not more than 60 minutes
From Bind 9.8 Bind is compatible and comes with RPZ supp...
Simple Installation:Adding RPZ zones
Following RPZ zones were added at the end of the /etc/bind/named.conf.options using t...
Simple Installation:Get RPZ data from provider
RPZ zones will be downloaded from feed provided as a slave
zone.
zone "malw...
Simple Installation:RPZ Incident Log
Since we’re running RPZ, we definitely want to log any RPZ rewrites. To do
that, we n...
Bind Installation:Generating Log
channel rpzlog {
file "rpz.log" versions unlimited size 1000m; print-time yes;
print-cate...
RPZ Logs
RPZ log take logs the queries to RPZ zones.
● The threat source IP
● destination of the for threat
● Categorizati...
Whitelisting
● rpz.local placed in top among the RPZ zones for custom
configuration in bind.
● On any false positive or on...
Monitoring Incidents with The ELK stack
The ELK stack is a collection of three open source tools -
Elasticsearch + Logstas...
Monitoring Incidents with ELK stack
● Logs: Server logs that need to be analyzed are identified
● Logstash: Collect logs a...
Day 1 - Over 1.3M Queries to RPZ Zones
Day 1 - Top 5 Results
RPZ logs from Various Nodes
Top Categories of threats
Top Catagories of threats
Top threats by Hostname
hosted by DNS of a malicious domain (coppersurfer.tk)
0--0.ml
0-00.ml
0-21.tk
000-daviotek.tk
000-default.tk
000000.ga
000...
Vulnerable Nodes with potential treats
Deep Dive in a incident:pubyun.com
pubyun.com was one of the top destination from monitoring and DNS
RPZ filtered the traf...
Deep dive in a incident:pubyun.com
https://www.joesandbox.com/analysis/37219/0/executive
Pubyun.com actually a hosting pro...
Top malware destinations from infected nodes
RPZ Incident monitoring dashboard with Kibana
Resources
https://www.slideshare.net/BarryRGreene/binds-new-secur
ity-feature-dnsrpz-the-quotdns-firewallquot
https://www....
All Rights Reserved © 2019
Safe Internet Access with DNS Firewall
Implementation Case Study at a Major ISP
Suman Kumar Sah...
Upcoming SlideShare
Loading in …5
×

Make the internet safe with DNS Firewall

90 views

Published on

Over 91% percent malware uses DNS(As Cisco 2016 Annual Cyber security report).Nearly all the cryptominer stuffs uses DNS based C&C(As Cisco 2016 Annual Cyber security report)
RPZ allows a recursive server to control the behavior of responses to queries.Administrator to overlay custom information on
top of the global DNS to provide alternate responses to queries.
RPZ data is supplied as a DNS zone, and can be
loaded from a file or retrieved over the network by AXFR/IXFR.It works like firewall on cloud.DNS RPZ will block DNS resolution, machines connecting to the C&C via IP add

Published in: Internet
  • Be the first to comment

Make the internet safe with DNS Firewall

  1. 1. All Rights Reserved © 2019 Make the internet safe with DNS Firewall Implementation Case Study at a Major ISP Suman Kumar Saha AmberIT Limited suman@amberit.com.bd
  2. 2. Safe Internet for ‘ALL’ Started brainstorming to find a suitable way to provide a secure internet to all of our users: Considerations: Easy implementation without deploying any hardware or without any change in CPE devices. Possible ways: • Router ACLs • Web proxy filter • Content-aware firewall • DNS Response Policy Zone (RPZ)
  3. 3. DNS Response Policy Zone ● Over 91% percent malware uses DNS(As Cisco 2016 Annual Cyber security report) ● Nearly all the cryptominer stuffs uses DNS based C&C(As Cisco 2016 Annual Cyber security report) ● RPZ allows a recursive server to control the behavior of responses to queries. ● Administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. ● RPZ data is supplied as a DNS zone, and can be loaded from a file or retrieved over the network by AXFR/IXFR. ● It works like firewall on cloud. ● DNS RPZ will block DNS resolution, machines connecting to the C&C via IP address will not be blocked.
  4. 4. DNS Response Policy Zone(RPZ) ● “DNS Firewall gives you the most bang for your buck” -Paul Vixie ● Reputation data is packaged into Response Policy Zones (RPZs) ● RPZ include both the filter criteria, and a response policy action ● BIND evaluates whether its response matches a filter in the RPZ and applies the policy specified ● RFC: https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00
  5. 5. Core DNS Principles Master/ Primary DNS Slave/ Secondary DNS Caching Resolver DNS .org bdnog.org www.bdnog.org AXFR TSIG IXFR TSIG AXFR - Full Zone Transfers IXFR - Incremental Zone Transfers TSIG - Transaction SIGnature used to secure the AXFR/IXFR What is the IP for www.bdnog.org? Who is in charge of www.bdnog.org? www.bdnog.org is 202.4.96.213 .root
  6. 6. .org bdnog.o rg .root DNS RPZ Master DNS RPZ Feed AXF R IXFR What is the IP for www.bdnog.org? Who is in charge of bdnog.org? www.bdnog.org www.bdnog.org is 202.4.96.213 RPZ Caching Resolver DNS * RPZ capability on the DNS Cashing Resolver allows zone transfers to be pushed out in seconds. Security Company
  7. 7. DNS RPZ in Action Master DNS RPZ Feed RPZ Caching Resolver DNS AXF R IXFR What is the IP for badguys.com? badguys.co m To find the bad guysSecurity Company What is the IP for badguys.com? SPAM Computer looks up Xyzbadness. com
  8. 8. How is DNS RPZ Different? Master DNS RPZ Feed RPZ Caching Resolver DNS AXFR IXFR Security Company DNS RBL Some RBL User Update zone files Query Every time
  9. 9. How is DNS RPZ Different? • DNS RPZ allows for multiple feeds. • Allows for industry incident feeds. • Allows for local incident management feeds. Resolver DNS RPZ Zone Files RPZ Feed Malware AXFR IXFR RPZ Feed C&C Hosts AXFR IXFR OPSEC AXFR IXFR InfoSec AXFR IXFR IXFR www.baddomain.com
  10. 10. Components of the Criminal Cloud ● Spam Botnet ● Command & Control ● Drive-by Domains ● Malware ● Secondary Malware ● Proxy ● Payment Processors ● Mule Operations ● Packer ● TLD Domain ● Name Servers Mirai Avalanche Blackhole Zeus Cryptojackers Passwords Ransomware Malware Rootkit Call home
  11. 11. Malicious Redirects E-commerce / Payments Security Updates Legitimate Abused antvirus.updates.com DNS
  12. 12. Scanning, Worming, & Spreading Bot Herder Email SMS SNS Vulnerable Malicious Infected Devices DNS C&C Botnet Step 1 Step 2 Step 3
  13. 13. We can see the bot herders traffic. Domains are known to be malicious! Spam/Phish Maliciou s Domains Infected Devices Cryptojacke rs Command & Control DNS
  14. 14. DNS RPZ would have stopped this attack! With RPZ you can detect, alert, block, and protect users. Spam/Phish Maliciou s Domains Infected Devices Cryptojacke rs Command & Control DNS rpz NSDNAME NXDOMAIN rewrite ns1.apple.com rpz QNAME NXDOMAIN rewrite botnet.com rpz QNAME NXDOMAIN rewrite malciousdomain.com
  15. 15. Real Sample today
  16. 16. Possible Uses Examples • Enterprise : Detect and stop malicious activities. • ISP : Investigate infected customer hosts. • SOC : Alert SOC team about malicious access • OEM : Protect IoT devices • ALL : Detect and sanitize your networks
  17. 17. RPZ supported DNS Applications RPZ is native in several of the industry’s leading DNS platforms, including: ● BIND V9.8 (or greater) ● Power DNS recursor Numerous appliance vendors have enabled RPZ as well, including: ● Infoblox ● Efficient IP ● Bluecoat and many more
  18. 18. RPZ Rule Let’s we want to rewrite any DNS queries for a specific hostname, but allow lookups to the domain and other hosts in that domain: host.filter.com IN CNAME . This result in an NXDOMAIN (Non existence) response for a query for “host.filter.com”
  19. 19. Response Policy Triggers The rules in a Response Policy Zone consist of triggers or filters that identify what responses to modify, and policy actions to apply to these responses. Each rule can use one of five policy triggers and specify one of eight policy actions. QNAME RPZ-IP RPZ-NSDNAME RPZ-CLIENT-IPRPZ-NSIP
  20. 20. Response Policy Actions GIVEN CNAME TCP-ONLY DROP PASSTHROUGH NXDOMAIN DISABLED NODATA Is the default action and define no overrides Name exists but there are no records of the requested type To redirect the user with a CNAME to a walled garden. Forces the resolver to use TCP for the query. Drop the query without any response to the client. Exempt the response from further policy processing. Domain does not exist.Most common policy used. All Policy Actions for this zone are disabled but all items are logged
  21. 21. RPZ Logging Since we’re running RPZ, we definitely want to log any RPZ rewrites. To do that, we need to set up two things under the “logging” header. channel rpzlog { file "rpz.log" versions unlimited size 1000m; print-time yes; print-category yes; print-severity yes; severity info; }; category rpz { rpzlog; };
  22. 22. Before Implementation ● At first implement on logging mode for at least for a week ● Restricted RPZ recursive server to use within the ACL ● Restricted users from using other recursive resolver servers ● Redirected DNS traffic to DNA RPZ recursive resolver (That’s important to bring users in safety net)
  23. 23. RPZ Feed Providers ● Spamhaus ● Deteque ● PIPELINE Security ● Farsight security ● SURBL ● Threat Stop
  24. 24. DNS Firewall: Implementation Case Study in an ISP ● Implemented RPZ in Amber IT that is one of the Major ISP in Bangladesh. ● Using RPZ feed from Spamhaus Deteque through Pipeline Security ,Japan. ● Used with BIND 9.11.3 Extended Support Version(ESV). ● Also tested with Powerdns recursor. ● Redirected all DNS recursive request from PoP routers to DNS RPZ enabled recursive name server to avoid adding new DNS server on every CPE. ● Added forwarder in current recursive DNS and forwarded all the recursive request to RPZ enabled name server. ● Used as RPZ passthrough
  25. 25. Resources used for the implementation And one System Admin to cook those things One server for Bind LXD Container with Ubuntu 18.04 vCPU:8 cores,Memory : 8GB,Storage:100GB Second server ELK stack for data visualization. LXD Container with Ubuntu 18.04 vCPU:4 cores,Memory : 4GB,Storage:100GB RPZ zones Data feed from RPZ feed provider Any feed provider you can test free for one month .We have used from Spamhaus/deteque.
  26. 26. Simple Installation:Bind Required time : Not more than 60 minutes From Bind 9.8 Bind is compatible and comes with RPZ support. For this case we have used ubuntu 18.04LTS. Installed bind with apt and no special patches needed for RPZ.
  27. 27. Simple Installation:Adding RPZ zones Following RPZ zones were added at the end of the /etc/bind/named.conf.options using the response-policy.Bind currently has a 32 zone limit response-policy { zone "rpz.local"; ### 11 Standard Feeds zone "adware.host.dtq" policy passthru; zone "badrep.host.dtq" policy passthru; zone "bad-nameservers.ip.dtq" policy passthru ; zone "bad-nameservers.host.dtq" policy passthru; zone "bogons.ip.dtq"; zone "botnetcc.host.dtq"; zone "botnet.host.dtq" policy passthru; zone "botnetcc.ip.dtq" policy passthru; zone "dga.host.dtq" policy passthru; zone "malware.host.dtq"; zone "phish.host.dtq" policy passthru; ### Edited Feeds zone "adware.edit.host.dtq"; zone "badrep.edit.host.dtq"; zone "botnetcc.edit.host.dtq"; zone "botnet.edit.host.dtq"; zone "malware.edit.host.dtq"; zone "phish.edit.host.dtq"; ### Premium Feeds zone "zrd.host.dtq"; ### Free Feeds zone "drop.ips.dtq" policy passthru; ### Service Feeds zone "coinblock.srv"; zone "torblock.srv" policy passthru; };
  28. 28. Simple Installation:Get RPZ data from provider RPZ zones will be downloaded from feed provided as a slave zone. zone "malware.edit.host.dtq" { type slave; file "dbx.malware.edit.host.dtq"; masters {199.168.xx.xx;199.168.xx.xx;199.168.xx.xx; }; allow-transfer { none; }; };
  29. 29. Simple Installation:RPZ Incident Log Since we’re running RPZ, we definitely want to log any RPZ rewrites. To do that, we need to set up two things under the “logging” header. Add the RPZ log in /etc/bind/named.conf logging { channel null { null; }; channel bindlog { file "bind.log"; print-time yes; print-category yes; print-severity yes; severity info; };
  30. 30. Bind Installation:Generating Log channel rpzlog { file "rpz.log" versions unlimited size 1000m; print-time yes; print-category yes; print-severity yes; severity info;}; category config { bindlog; };category xfer-in { bindlog; };category xfer-out { bindlog; }; category network { bindlog; };category update { bindlog; };category update-security { bindlog; }; category delegation-only { bindlog; }; category rpz { rpzlog; }; };
  31. 31. RPZ Logs RPZ log take logs the queries to RPZ zones. ● The threat source IP ● destination of the for threat ● Categorization of the threat 27-Feb-2019 03:21:15.920 rpz: info: client @0x7f87f4094f60 118.179.89.xxx#60543 (qpxrg.com): rpz QNAME NXDOMAIN rewrite qpxrg.com via qpxrg.com.malware.host.dtq
  32. 32. Whitelisting ● rpz.local placed in top among the RPZ zones for custom configuration in bind. ● On any false positive or on any issue we can whitelist a domain or IP or client IP if require. Some source/domains/IP whitelisted on user requirement : 32.xx.19x.179.118.rpz-ip IN CNAME rpz-passthru. 32.xx.19x.179.118.rpz-client-ip IN CNAME rpz-passthru. 32.xx.19x.179.118.rpz-nsip IN CNAME rpz-passthru. binance.com CNAME rpz-passthru. *.binance.com CNAME rpz-passthru. cryptonator.com CNAME rpz-passthru. *.cryptonator.com CNAME rpz-passthru.
  33. 33. Monitoring Incidents with The ELK stack The ELK stack is a collection of three open source tools - Elasticsearch + Logstash + Kibana
  34. 34. Monitoring Incidents with ELK stack ● Logs: Server logs that need to be analyzed are identified ● Logstash: Collect logs and events data. It even parses and transforms data ● ElasticSearch: The transformed data from Logstash is Store, Search, and indexed. ● Kibana: Kibana uses Elasticsearch DB to Explore, Visualize, and Share ● Beats: Use to transport logs to the ELK stack
  35. 35. Day 1 - Over 1.3M Queries to RPZ Zones
  36. 36. Day 1 - Top 5 Results
  37. 37. RPZ logs from Various Nodes
  38. 38. Top Categories of threats
  39. 39. Top Catagories of threats
  40. 40. Top threats by Hostname
  41. 41. hosted by DNS of a malicious domain (coppersurfer.tk) 0--0.ml 0-00.ml 0-21.tk 000-daviotek.tk 000-default.tk 000000.ga 0002.tk 000web.tk 0010.ga 00gg.tk 00up.cf 0101.tk 0111.gq 022gay.com 028video.gq 02reg.tk 03essay.cf 0443622812.ga 05291123.tk 0599.tk 0815netz.tk 0900alternatieven.co m 091617.cf 0ang3el.ml 0jav.cf 0jav.ga 0network.tk 0nlyyou.tk And many thousands
  42. 42. Vulnerable Nodes with potential treats
  43. 43. Deep Dive in a incident:pubyun.com pubyun.com was one of the top destination from monitoring and DNS RPZ filtered the traffic. A news from 2012 .But still it is active in the live network. https://www.techinasia.com/microsoft-lawsuit-chinese-malware It is also in the Sophos malaware analysis https://www.sophos.com/en-us/threat-center/t hreat-analyses/viruses-and-spyware/Troj~MSIL- DXC/detailed-analysis.aspx
  44. 44. Deep dive in a incident:pubyun.com https://www.joesandbox.com/analysis/37219/0/executive Pubyun.com actually a hosting provider before that they operated as 3322.org that hosted many malwares ,cryptomiers and used for malicious activities.Here is a sample of malware that used pubyun.com.
  45. 45. Top malware destinations from infected nodes
  46. 46. RPZ Incident monitoring dashboard with Kibana
  47. 47. Resources https://www.slideshare.net/BarryRGreene/binds-new-secur ity-feature-dnsrpz-the-quotdns-firewallquot https://www.deteque.com/app/uploads/2018/04/Spamhau s-DNS-RPZ-DROP-Setup-v.2.pdf https://www.netcon-consulting.com
  48. 48. All Rights Reserved © 2019 Safe Internet Access with DNS Firewall Implementation Case Study at a Major ISP Suman Kumar Saha AmberIT Limited suman@amberit.com.bd Allan Watanabe PIPELINE Security www.pipelinesecurity.jp THANK YOU!

×