
DNS, the hidden ICS attack vector




This is three talks in one, as we look at several issues with DNS that affect control systems.
First we look at DNS squatting, which affects many ICS vendors. Then we look at two DNS issues that we frequently see on deployed control systems.




  1. DNS and You: A primer. K. Reid Wightman, Digital Bond Labs
  2. Two talks in one
     • DNS squatting and malware
     • DNS in deployment
  3. But first, terminology
     • DNS – Domain Name System
     • Resolves a hostname, like ‘’, to an IP like
     • DNS contains many record types
       – NS, Name Server
       – MX, Mail eXchange
       – A, Name records
       – PTR, Reverse name records
       – There are others, but less interesting to this talk
  4. More terminology
     • Typosquatting – mistyping a domain name, many types
       – Transpositions: instead of
       – Omissions:
       – Insertions/repetitions:
       – Replacements:
     • Homoglyphs: (GO0GLE.COM)
     • Bitsquatting
       – Bit error in a computer or router without ECC
       – ‘l’ and ‘m’ are a 1-bit difference: 0b01101100 versus 0b01101101
  5. On bitsquatting
     • Fantastic talk on the topic at Defcon 19 (or Artem Dinaburg’s blog post at )
     • Fantastic follow-up on the topic at Defcon 23 with more exploitation (or look at Luke Young’s site: )
     • Neat technique for big content distribution networks (Facebook, Akamai, etc.)
  6. Squatting motivations
     • Phishing
     • Advertising revenue
     • Offer/install malware (adware/spyware, RATs, etc.)
     • Sell the domain for $$$ to the trademark holder
  7. Manufacturer survey
     • 11 manufacturers in survey
  8. Survey of 11 industrial manufacturers: basic stats
     • Focused on just ‘industrial’ domains
     • 433 ‘squat’ domains
     [chart: squat domains by type – Replacement, Insertions, Bitsquatting, Omission, Repetition, Transposition, Homoglyph]
  9. Survey of 11 industrial manufacturers: ‘MX’ records
     • 195/433 domains have MX records
     • Of these, 22 accepted email to arbitrary users at the domain
       – Tested by emailing ‘’ and ‘zatoichi@domain’ from a custom source address
       – This means someone may intercept your email if a client typos an address
     • What happens to these emails?
       – One case of phishing!
       – Not targeted, though
 10. Phishing example: SlEMENS.COM
     • Sent emails to the domain, received a phish to the custom source address
       – Incredibly unlikely that this was coincidence
       – This was the only example out of all domains tested
     • This domain’s website previously hosted malware; now it is just a parked page
       – Note: domain owner is private, domain registered via
       – Note 2: domain registration has not changed between malware hosting and phishing (same privacy shield in place)
 11. Survey of 11 manufacturers: ‘A’ (and ‘AAAA’) records
     • Only tried ‘’
     • 254 ‘live’ hosts
     • 42% (107 hosts) advertising/for sale
     • 11% (28 hosts) ‘suspicious redirect’ (changes daily)
     • 4% (10 hosts) hosting direct malware downloads
       – Malware usually targets the user-agent string (Windows, OS X)
       – Many sites use a redirection network; the target changes frequently
       – Tracking cookies often used to determine behavior
       – New/‘0-day’ discovered for OS X
     • 4% (10 hosts) hosting RAT pre-installers (popup window saying ‘call tech support/you have a virus’)
     • 1% (2 hosts) hosting pornography
     • 1% (2 hosts) ‘legit redirect’ (redirects to the intended host)
     • Remainder: ‘under construction’ or a legitimate business with a similar name
 12. redirect (1)
 13. redirect (2)
 14. redirect (3)
 15. More on malware hosting
     • Windows malware generally found on VirusTotal
       – All ‘Adware/Spyware/RAT’
       – No apparent ICS target (yet)
     • OS X malware:
 16. (Brief update on that malware)
 17. The future of squatting
     • Prediction: clone websites hosting malware
       – Already (sort of) happened to Schneider Electric, but the website is gone now (was at [note missing ‘r’])
       – Domain /was/ owned by an individual in China (Shenzhen)
       – Domain now owned by Schneider Electric (good job!)
 18. Limitations
     • For A records, it can be difficult/impossible to know ‘who’ or ‘why’
       – Ex: load one squat domain 5 times, get 5 different redirects/payloads
       – Many squats serve up pages based on User-Agent, Referer, possibly more targeted info (country of origin?)
     • Could host interesting files for deep links, e.g. update
 19. Challenge
     • Legally, it is difficult to ‘clean up’ a squatter
       – Have to prove harm/trademark violation
       – Legal options take a long time
       – Legal options take lawyers, cost €€€
       – Buying the domain from the squatter will probably cost €€€
     • Often cheaper to just register all bitsquat/typosquat domains
       – Costs only a few k€ per year to do this
       – May save a Big Problem in the future
 20. Tools & tips
     • dnstwist to quickly see who owns domains similar to yours
       – Usage: ‘ <domainname>’ to display all squats
     • Scour vendor sites for domain name typos
       – We built a tool based on Scrapy
       – Uses dnstwist to build the bit-error/typo list, scrapes the website for links to bogon domains
       – Watch
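As an added example (not the author's or Digital Bond's code), the following enumerates the single-bit-error neighbours of a domain label that slide 4 describes, the list a vendor would register or monitor as slide 19 suggests; the sample domain `example-plc.com` is constructed, and a single-label TLD is assumed.

```python
import string

# Characters legal inside a DNS label (letters, digits, hyphen); a bit flip
# that lands outside this set is not registrable and is discarded.
LDH = set(string.ascii_lowercase + string.digits + "-")

def bit_distance(a, b):
    """Number of differing bits between two equal-length ASCII strings."""
    return sum(bin(ord(x) ^ ord(y)).count("1") for x, y in zip(a, b))

def bitsquats(label):
    """Sorted list of labels differing from `label` by exactly one flipped
    bit in one character, keeping only those that are still valid labels."""
    label = label.lower()
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped not in LDH:
                continue
            cand = label[:i] + flipped + label[i + 1:]
            # A label may not begin or end with a hyphen (RFC 1035, 2.3.1).
            if cand.startswith("-") or cand.endswith("-"):
                continue
            out.add(cand)
    return sorted(out)

def squat_domains(domain):
    """Bitsquat neighbours of the registrable label of `domain`. Assumes a
    single-label public suffix such as .com; multi-label suffixes (co.uk)
    would need a public-suffix list, which is out of scope here."""
    label, tld = domain.lower().rsplit(".", 1)
    return [f"{cand}.{tld}" for cand in bitsquats(label)]

if __name__ == "__main__":
    print(bit_distance("l", "m"))  # the slide's pair differs by 1 bit
    # Constructed sample domain, not one of the surveyed manufacturers.
    for name in squat_domains("example-plc.com"):
        print(name)
```

Only flips that stay within letters, digits and hyphen survive, which is why most bytes yield four or five candidates rather than eight.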
 21. Further research
     • Rent redirect time
       – 11% of sites have changing redirects
       – The majority of malware/helpdesk sites add to this number
       – Domain owners sometimes ‘rent time’
       – Research idea: rent time and see how many potential victims we could get
 22. One down, one to go!
     • DNS squatting and malware
     • DNS in deployment
 23. DNS in deployment
     • Two sub-areas to this topic
       – Internal network map leaking
       – Data exfiltration via DNS
     • Let’s dive in
 24. DNS network mapping
     • DNS zone transfer is *still* an issue
       – Allows internet users to retrieve the hostname list
       – 2014: ‘blindly’ coordinated with to reconfigure their servers
     • ~50,000 computer names + IP addresses being leaked
     • Interior network layout revealed
       – Can differentiate interior servers, cellular-hosted servers, internet-facing servers
       – Spend enough time, determine the field-site naming convention
     • The 1990s are calling us home
 25. DNS network mapping
     • Hostnames often reveal purpose
       – what could this be?
       – * gateways and perimeters
       – dc* domain controllers?
       – Numbering conventions often reveal purpose separation ( vs vs
       – etc.
     • IPv6 is often misconfigured
       – Few firewalls block access
       – Having these records exposed may be a problem
 26. DNS network mapping
     • Example 1:
       – Zone transfer returned 50,785 hosts
       – Note: Dow has ~51,000 employees. Hmmmm.
     [chart: breakdown of the 50,785 hosts – three unlabeled categories (39790, 5868, 2437), External IPv4 (1118), External IPv6 (1572)]
 27. Further reading
     • Rob Fuller (Twitter: @mubix) runs Deep Magic
       – Indexes tons of DNS info
       – Great talks on DNS zone transfer and other issues by Rob; look him up
 28. DNS for data exfiltration
     • For attackers: a wonderful way to get data out of an ‘isolated’ network
     • For defenders: a painful thing to block
 29. DNS is recursive
     • Example: we want to know what computer is ‘’
       – First, ask the local DNS server
       – Assuming it is not cached, the local DNS server must find the answer
 30. DNS is recursive
     [diagram: recursive lookup of ‘mail’ under ‘com’ – Client Workstation, Corporate DNS Server, ISP DNS Server, Root DNS Server, COM DNS Server, Google DNS Server; numbered steps 1, 2, 3/4, 5/6, 7]
 31. DNS is recursive
     • …so you actually sent a request (via the local DNS server) to a Google server
     • You controlled the request data (‘mail’)
     • Google controlled the response data (IP address)
 32. Tunneling data
     • Bad guys can run a special DNS server meant for bidirectional communication
       – Ex: we own a domain for this purpose
       – A special subdomain runs an IP-over-DNS tunnel
       – Queries == encoded data
       – Responses == encoded data
       – Great for free Internet access (expired prepaid 3G SIM card, in-flight WiFi, or expensive hotel WiFi are often vulnerable)
 33. DNS tunneling
 34. Tunneling
     [diagram: tunnel path for foobarbazbax. – ICS LAN Client Workstation, Local DNS Server, Corporate DNS Server, ISP DNS Server, COM DNS Server, Hacker DNS Server]
 35. Other DNS exfiltration
     • IP-over-DNS tunnel:
       – Iodine,
     • Generic ‘data over DNS’ tool (like netcat, but uses DNS instead of IP) by Ron Bowes:
       – dnscat2,
     • Metasploit even includes DNS tunnels
       – See payloads/windows/*/*dns; reverse shells and meterpreter payloads available
 36. Challenge
     • Blocking DNS entirely is the best security option
     • Next best: prevent your control system from ‘looking up’ external domains
       – Most DNS servers can be configured to only forward DNS requests for a fixed list of domains
       – Example: control-zone DNS forwards requests for to corporate DNS, and rejects queries for any other domain.
     • Opportunity: IDS rules testing…
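As an added example (not from the deck or Digital Bond), this replays constructed query-log lines through the forward-only policy of slide 36 and tags the rejected names whose labels look like the attacker-encoded query data of slides 31 and 32; the zone `corp.example.`, the tunnel domain `foobarbazbax.example.`, the log format and the thresholds are all assumptions.

```python
import math
from collections import Counter

# Assumed corporate zone the control-zone resolver may forward; everything
# else is rejected, as slide 36 recommends.
ALLOWED_SUFFIXES = ("corp.example.",)
LONG_LABEL = 30     # assumed: operator-chosen hostnames are rarely this long
HIGH_ENTROPY = 3.5  # assumed: bits/char; base32 or hex payloads score higher

# Constructed sample query log, one "<client> <qname> <qtype>" per line;
# foobarbazbax.example. stands in for the tunnel domain on slide 34.
SAMPLE_LOG = """\
10.1.5.20 hmi01.corp.example. A
10.1.5.20 historian.CORP.example. A
10.1.5.21 portal.vendor.example. A
10.1.5.22 nbswy3dpeb3w64tmmq.t.foobarbazbax.example. TXT
10.1.5.22 0a1b2c3d4e5f60718293a4b5c6d7e8f9.t.foobarbazbax.example. A
"""

def is_allowed(qname):
    """True if qname is the allowed zone apex or a name beneath it."""
    q = qname.lower().rstrip(".") + "."
    return any(q == s or q.endswith("." + s) for s in ALLOWED_SUFFIXES)

def shannon_entropy(s):
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_encoded(qname):
    """Tunnel heuristic: a very long label, or a measurable one (12+ chars) with high entropy."""
    for label in qname.rstrip(".").split("."):
        if len(label) >= LONG_LABEL:
            return True
        if len(label) >= 12 and shannon_entropy(label) >= HIGH_ENTROPY:
            return True
    return False

def evaluate(log_text):
    """Forward-or-reject verdict per query; rejected encoded-looking names are tagged."""
    results = []
    for line in log_text.splitlines():
        client, qname, _qtype = line.split()
        if is_allowed(qname):
            verdict = "forward"
        elif looks_encoded(qname):
            verdict = "reject+suspicious"
        else:
            verdict = "reject"
        results.append((client, qname, verdict))
    return results
```

The suffix match deliberately requires the dot, so `evilcorp.example.` is rejected rather than treated as part of `corp.example.`.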
 37. Blocking external lookups
     [diagram: ICS LAN Client Workstation → Corporate DNS Server; requests for the corporate zone are forwarded, ‘*’ (everything else, e.g. foobarbazbax.) is rejected and the request is never forwarded]
 38. Q&A
     Contact: Email: Twitter: @ReverseICS

Editor's Notes

  • Specifically I will *not* be talking about DNSSEC or other ‘DNS spoofing’ methods
  • I plan to put a graphical representation of a DNS request here.
  • I will talk about how the names looked up are sometimes encoded in Unicode (foreign character sets), so Wireshark (a software tool for displaying packets) does not display the queries correctly.
  • This is a graphical representation of the tunnel, shown on the previous slide
  • This is a graphic showing how to stop DNS tunneling. The hexagon shows to forward the corporate request to the corporate network, but to reject requests for any external servers.