SlideShare a Scribd company logo
12 Years in
DNS Security
As a Defender
A. S. M. Shamim Reza
bdNOG 15
Dhaka
09-12 December, 2022
[~]$whoami|– 12+ years worked at ISP
– Chief Technology Officer, Pipeline Inc.
– Community Trainer, APNIC
@asmshamimreza on Linkedin
@shamimrezasohag on Twitter
What is DNS?
DNS Domain Name System
Inventor Dr. Paul Mockapetris
Year 1983
RFC 882 & 883
Port 53 TCP/UDP
Place University of Southern California’s
Information Sciences Institute
“I designed the DNS so that the name-
space could be anything you wanted it
to be.”
– Dr. Paul Mockapetris
How DNS Query
Works?
Attacker likes DNS
91.3%
of malware uses DNS in
attacks
68%
of Organization don't
monitor DNS
Cyber Attacks on DNS
Attacks using DNS Server
Reflection Attack
DNS Tunneling
DGA
Command & Control
Attacks that Target DNS Server
DDoS
Recursive Query Attacks
Cache Poisoning Attacks
Buffer overflow
Port Scan
Stat on 53 port – Bangladesh
Listening IPs
64,576
Lets talk
about the
Journey
Observing DDoS
Findings Mitigation Technique?
Authoritative & Recursive service at the same
system Separated them into different Hosts
Service was running with Same OS and Bind
service
Migrated with BIND+CentOS &
Unbound+FreeBSD
Recursive resolver was Central
Deployed IP Anycast for Recursive DNS in
multiple region.
Initial goal was to increase service availability
Observing DDoS – additional steps
– OS installation was practice with Minimal ISO.
– Allowed only required service port.
– Practiced IP ACL on remote access at Host based firewall.
– Imposed IP ACL on DNS service configuration.
– Disabled service version exposer.
– Automatic update on OS Kernel, packages and patches.
– BIND configured with CHROOT.
Looking for other Attacks? increase insights
– Started log storing
– CLI based analytic
– BIND Stats visualization
Log File Category Definition:
category default { default_file; };
category general { general_file; };
category database { database_file; };
category security { security_file; };
category config { config_file; };
category resolver { resolver_file; };
category xfer-out { xfer-out_file; };
category notify { notify_file; };
category client { client_file; };
category unmatched { unmatched_file; };
category queries { queries_file; };
category network { network_file; };
category update { update_file; };
category dispatch { dispatch_file; };
category dnssec { dnssec_file; };
category lame-servers { lame-servers_file; };
Looking for other Attacks? increase insights
– Started log storing
– CLI based analytic
– BIND Stats visualization
– Used DNSTOP for automated Stats check from CLI
– DNSTOP can be used in all the Linux variants.
– In addition we have used generic utilities from the CLI to get the
summary.
# cat query.log | cut -d " " -f 10 |
sort | uniq -c | sort -n
23506 www.google.com
26679 imgcdn.ptvcdn.net
28539 outlook.office.com
47835 dns.google
100117 time-c.timefreq.bldrdoc.gov
100533 time-b.timefreq.bldrdoc.gov
101298 time-a.timefreq.bldrdoc.gov
# cat query.log | cut -d " " -f 10 | cut
-d "." -f "2-3" | sort | uniq -c | sort
-n
31836 office.com
36193 ms-acdc.office
39567 events.data
42475 google.com
47835 google
301948 timefreq.bldrdoc
Looking for other Attacks? increase insights
– Started log storing
– CLI based analytic
– BIND Stats visualization
– With the CLI based check, we face few challenges as the log volume
was increasing day by day.
– time consuming
– repetitive task for the same activity (scripting wasnt helping)
Deployed Grafana eco-system to get
all the Stats + logs and then visualized.
Focused was to get all
the insights on NXDOMAIN.
Looking beyond NXDOMAIN!
– Observed overall pattern
of NXDOMAIN across
the DNS infra
– Few zones crosses the
threshold on a specific
time in max of cases
– Log shows C&C
communication in a few
cases, decided to dig deep
for NXDOMAIN
– Installed Suricata NIDS
in the DNS Infra and start
monitoring the activity
Including active Defense!
– The outcome of the
analysis, after
incorporating Suricata,
was enormous.
– To overcome the issue,
plan to deploy DNS RPZ
12 Years in DNS Security As a Defender
What Next? Network Traffic – NetFlow with NFSen
Roaming around in NetFlow
– Searched for IPs listening on 53 port to mitigate OpenResolver
– Setup threshold on traffic on 53 port both for TCP & UDP
– Looking for a specific region that uses the 53 port heavily.
– Looking for IPs that are sending 40<= bytes of PKT.
Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows
2022-08-20 11:57:20.410 7.040 UDP 10.160.252.254:55427 -> 192.168.0.254:10032 ...... 0 4 280 0 318 70 1
2022-08-20 11:57:20.430 7.040 UDP 10.160.252.254:55429 -> 192.168.0.254:10032 ...... 0 4 280 0 318 70 1
2022-08-20 11:57:21.500 7.050 UDP 10.160.252.254:51601 -> 192.168.0.254:99032 ...... 0 4 276 0 313 69 1
2022-08-20 11:57:21.500 7.050 UDP 10.160.252.254:56961 -> 192.168.0.254:19032 ...... 0 4 276 0 313 69 1
2022-07-10 22:52:31.540 158.330 UDP 10.175.8.138:53 -> 192.168.0.254:19032 ...... 0 111 7509 0 379 67 1
2022-07-10 22:52:26.570 199.400 UDP 10.175.8.78:53 -> 192.168.0.254:20031 ...... 0 90 6123 0 245 68 1
2022-07-10 22:54:01.770 147.120 UDP 10.175.21.234:53 -> 192.168.0.254:60245 ...... 0 104 7526 0 409 72 1
2022-07-10 22:54:25.950 133.830 UDP 10.175.24.160:53 -> 192.168.0.254:8206 ...... 0 117 8018 0 479 68 1
2022-07-10 22:52:24.280 280.700 UDP 10.175.22.226:53 -> 192.168.0.254:94036 ...... 0 117 8836 0 251 75 1
2022-09-08 19:06:41.210 0.000 UDP 10.160.252.188:61902 -> 192.168.0.254:12023 ...... 0 1 45 0 0 45 1
2022-09-08 21:08:20.570 0.000 UDP 10.160.252.212:40960 -> 192.168.0.254:10046 ...... 0 1 45 0 0 45 1
2022-08-26 21:44:18.720 0.000 UDP 142.93.132.42:55433 -> 192.16.204.217:12067 ...... 72 1 28 0 0 28 1
2022-08-26 21:45:11.320 0.000 UDP 142.93.132.42:55433 -> 192.16.204.217:11057 ...... 72 1 40 0 0 40 1
2022-08-26 21:47:33.480 0.000 TCP 88.6.232.5:42671 -> 192.16.204.219:53 ....S. 40 1 40 0 0 40 1
2022-08-26 22:18:58.290 0.000 TCP 88.6.232.5:52561 -> 192.16.204.213:53 ....S. 40 1 40 0 0 40 1
2022-09-12 19:54:04.130 52.830 TCP 10.160.68.26:53 -> 192.168.0.254:55024 .AP... 0 319 349200 6 52879 1094 1
2022-09-12 20:04:27.090 1426.890 TCP 10.160.68.26:53 -> 192.168.0.254:10035 .AP... 0 245007 349.3 M 171 2.0 M 1425 1
2022-08-20 12:07:59.650 0.000 UDP 10.160.252.254:62415 -> 192.168.0.254:10014 ...... 0 2 202 0 0 101 1
2022-08-20 12:07:59.650 0.000 UDP 10.160.252.254:64165 -> 192.168.0.254:10053 ...... 0 2 202 0 0 101 1
2022-08-20 12:07:59.660 0.000 UDP 10.160.252.254:63760 -> 192.168.0.254:10123 ...... 0 2 116 0 0 58 1
2022-08-20 12:07:59.660 0.000 UDP 10.160.252.254:49521 -> 192.168.0.254:10135 ...... 0 2 198 0 0 99 1
2022-08-20 12:07:59.660 0.000 UDP 10.160.252.254:61534 -> 192.168.0.254:10145 ...... 0 2 198 0 0 99 1
2022-08-20 12:07:59.670 0.000 UDP 10.160.252.254:50694 -> 192.168.0.254:10068 ...... 0 2 192 0 0 96 1
2022-08-20 12:07:59.670 0.000 UDP 10.160.252.254:50557 -> 192.168.0.254:10037 ...... 0 2 192 0 0 96 1
2022-09-01 00:38:35.710 5.000 UDP 10.160.252.205:21343 -> 192.168.0.254:100379 ...... 0 4 1256 0 2009 314 1
2022-09-01 00:38:40.660 5.010 UDP 10.160.252.205:2500 -> 192.168.0.254:10790 ...... 0 4 976 0 1558 244 1
2022-09-01 00:38:45.710 7.960 UDP 10.160.252.205:29718 -> 192.168.0.254:10357 ...... 0 4 1256 0 1262 314 1
2022-09-01 00:38:50.670 6.440 UDP 10.160.252.205:5733 -> 192.168.0.254:23032 ...... 0 4 960 0 1192 240 1
2022-10-02 00:09:22.800 0.000 UDP 10.111.186.85:42531 -> 192.168.0.254:53 ...... 192 1 160 0 0 160 1
2022-10-02 00:09:22.800 0.000 UDP 10.111.186.85:49651 -> 192.168.0.254:53 ...... 192 1 160 0 0 160 1
2022-10-02 00:09:22.800 0.000 UDP 10.111.186.85:35340 -> 192.168.0.254:53 ...... 192 1 160 0 0 160 1
What Next? Network Traffic – NetFlow with NFSen
***Manipulated sample data
What Next? Network Traffic – span traffic with Zeek
Roaming around with Zeek
– Using existing script to find DNS activity
– Finding subdomains with random TLD and longer names.
– Finding subdomains with upper/lower/numbers
– DNS beaconing
What Next?
– With high-end Threat freed, 85%-93% of Cyber attack can be stopped with DNS
RPZ.
– Adversaries are evolving their attack tactics.
Incorporate ML/NLP to detect DGA in DNS Query log.
THANK YOU

More Related Content

What's hot

Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
danb02
 
Understanding the Event Log
Understanding the Event LogUnderstanding the Event Log
Understanding the Event Log
chuckbt
 
Security and Compliance
Security and ComplianceSecurity and Compliance
Security and Compliance
Amazon Web Services
 
Building a Zero Trust Architecture
Building a Zero Trust ArchitectureBuilding a Zero Trust Architecture
Building a Zero Trust Architecture
scoopnewsgroup
 
cyber-security-reference-architecture
cyber-security-reference-architecturecyber-security-reference-architecture
cyber-security-reference-architecture
Birendra Negi ☁️
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
Dhruv Majumdar
 
Forcepoint SD-WAN and NGFW + IPS
Forcepoint SD-WAN and NGFW + IPSForcepoint SD-WAN and NGFW + IPS
Forcepoint SD-WAN and NGFW + IPS
Larry Austin
 
Secure Network Design
Secure Network DesignSecure Network Design
Secure Network Design
Conferencias FIST
 
ASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment ScenariosASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment Scenarios
Cisco Canada
 
Threat Modeling Everything
Threat Modeling EverythingThreat Modeling Everything
Threat Modeling Everything
Anne Oikarinen
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
Nikhil Mittal
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
Chris Sistrunk
 
SOAR and SIEM.pptx
SOAR and SIEM.pptxSOAR and SIEM.pptx
SOAR and SIEM.pptx
Ajit Wadhawan
 
Threat Hunting Web Shells Using Splunk
Threat Hunting Web Shells Using SplunkThreat Hunting Web Shells Using Splunk
Threat Hunting Web Shells Using Splunk
jamesmbower
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
Ahmad Haghighi
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
Sqrrl
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & Build
Sameer Paradia
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
Splunk
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal
 

What's hot (20)

Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
 
Understanding the Event Log
Understanding the Event LogUnderstanding the Event Log
Understanding the Event Log
 
Security and Compliance
Security and ComplianceSecurity and Compliance
Security and Compliance
 
Building a Zero Trust Architecture
Building a Zero Trust ArchitectureBuilding a Zero Trust Architecture
Building a Zero Trust Architecture
 
cyber-security-reference-architecture
cyber-security-reference-architecturecyber-security-reference-architecture
cyber-security-reference-architecture
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
Forcepoint SD-WAN and NGFW + IPS
Forcepoint SD-WAN and NGFW + IPSForcepoint SD-WAN and NGFW + IPS
Forcepoint SD-WAN and NGFW + IPS
 
Secure Network Design
Secure Network DesignSecure Network Design
Secure Network Design
 
ASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment ScenariosASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment Scenarios
 
Threat Modeling Everything
Threat Modeling EverythingThreat Modeling Everything
Threat Modeling Everything
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
 
SOAR and SIEM.pptx
SOAR and SIEM.pptxSOAR and SIEM.pptx
SOAR and SIEM.pptx
 
Threat Hunting Web Shells Using Splunk
Threat Hunting Web Shells Using SplunkThreat Hunting Web Shells Using Splunk
Threat Hunting Web Shells Using Splunk
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & Build
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
 

Similar to 12 Years in DNS Security As a Defender

Can artificial intelligence secure your infrastructure
Can artificial intelligence secure your infrastructureCan artificial intelligence secure your infrastructure
Can artificial intelligence secure your infrastructure
A. S. M. Shamim Reza
 
#NSD15 - Attaques DDoS Internet et comment les arrêter
#NSD15 - Attaques DDoS Internet et comment les arrêter#NSD15 - Attaques DDoS Internet et comment les arrêter
#NSD15 - Attaques DDoS Internet et comment les arrêter
NetSecure Day
 
LISA18: Hidden Linux Metrics with Prometheus eBPF Exporter
LISA18: Hidden Linux Metrics with Prometheus eBPF ExporterLISA18: Hidden Linux Metrics with Prometheus eBPF Exporter
LISA18: Hidden Linux Metrics with Prometheus eBPF Exporter
Ivan Babrou
 
ASERT's DDoS Malware Corral, Volume 1 by Dennis Schwarz and Jason Jones
ASERT's DDoS Malware Corral, Volume 1 by Dennis Schwarz and Jason JonesASERT's DDoS Malware Corral, Volume 1 by Dennis Schwarz and Jason Jones
ASERT's DDoS Malware Corral, Volume 1 by Dennis Schwarz and Jason Jones
arborjjones
 
Network Monitoring System
Network Monitoring SystemNetwork Monitoring System
Network Monitoring System
Rofiq Fauzi
 
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみるK8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
JUNICHI YOSHISE
 
DDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationDDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and Mitigation
Wilson Rogerio Lopes
 
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginTakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
EC-Council
 
2017 03-01-forensics 1488330715
2017 03-01-forensics 14883307152017 03-01-forensics 1488330715
2017 03-01-forensics 1488330715
APNIC
 
Forensic Tracing in the Internet: An Update
Forensic Tracing in the Internet: An UpdateForensic Tracing in the Internet: An Update
Forensic Tracing in the Internet: An Update
APNIC
 
How Networking works with Data Science
How Networking works with Data Science How Networking works with Data Science
How Networking works with Data Science
HungWei Chiu
 
How Autodesk Delivers Seamless Customer Experience with Catchpoint
How Autodesk Delivers Seamless Customer Experience with CatchpointHow Autodesk Delivers Seamless Customer Experience with Catchpoint
How Autodesk Delivers Seamless Customer Experience with Catchpoint
DevOps.com
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
Michael Earls
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPS
Pavel Odintsov
 
Business Model Concepts for Dynamically Provisioned Optical Networks
Business Model Concepts for Dynamically Provisioned Optical NetworksBusiness Model Concepts for Dynamically Provisioned Optical Networks
Business Model Concepts for Dynamically Provisioned Optical Networks
Tal Lavian Ph.D.
 
Citrix NetScaler SD-WAN - What’s New, What’s Hot?
Citrix NetScaler SD-WAN - What’s New, What’s Hot?Citrix NetScaler SD-WAN - What’s New, What’s Hot?
Citrix NetScaler SD-WAN - What’s New, What’s Hot?
Digital Transformation EXPO Event Series
 
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren NetzwerkverkehrSplunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Georg Knon
 
CCNP Data Center Centralized Management Automation
CCNP Data Center Centralized Management AutomationCCNP Data Center Centralized Management Automation
CCNP Data Center Centralized Management Automation
E.S.G. JR. Consulting, Inc.
 
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud BoundariesGDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
James Anderson
 
NPM10.5 Come See Whats New
NPM10.5 Come See Whats NewNPM10.5 Come See Whats New
NPM10.5 Come See Whats New
SolarWinds
 

Similar to 12 Years in DNS Security As a Defender (20)

Can artificial intelligence secure your infrastructure
Can artificial intelligence secure your infrastructureCan artificial intelligence secure your infrastructure
Can artificial intelligence secure your infrastructure
 
#NSD15 - Attaques DDoS Internet et comment les arrêter
#NSD15 - Attaques DDoS Internet et comment les arrêter#NSD15 - Attaques DDoS Internet et comment les arrêter
#NSD15 - Attaques DDoS Internet et comment les arrêter
 
LISA18: Hidden Linux Metrics with Prometheus eBPF Exporter
LISA18: Hidden Linux Metrics with Prometheus eBPF ExporterLISA18: Hidden Linux Metrics with Prometheus eBPF Exporter
LISA18: Hidden Linux Metrics with Prometheus eBPF Exporter
 
ASERT's DDoS Malware Corral, Volume 1 by Dennis Schwarz and Jason Jones
ASERT's DDoS Malware Corral, Volume 1 by Dennis Schwarz and Jason JonesASERT's DDoS Malware Corral, Volume 1 by Dennis Schwarz and Jason Jones
ASERT's DDoS Malware Corral, Volume 1 by Dennis Schwarz and Jason Jones
 
Network Monitoring System
Network Monitoring SystemNetwork Monitoring System
Network Monitoring System
 
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみるK8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
 
DDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationDDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and Mitigation
 
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginTakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
 
2017 03-01-forensics 1488330715
2017 03-01-forensics 14883307152017 03-01-forensics 1488330715
2017 03-01-forensics 1488330715
 
Forensic Tracing in the Internet: An Update
Forensic Tracing in the Internet: An UpdateForensic Tracing in the Internet: An Update
Forensic Tracing in the Internet: An Update
 
How Networking works with Data Science
How Networking works with Data Science How Networking works with Data Science
How Networking works with Data Science
 
How Autodesk Delivers Seamless Customer Experience with Catchpoint
How Autodesk Delivers Seamless Customer Experience with CatchpointHow Autodesk Delivers Seamless Customer Experience with Catchpoint
How Autodesk Delivers Seamless Customer Experience with Catchpoint
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPS
 
Business Model Concepts for Dynamically Provisioned Optical Networks
Business Model Concepts for Dynamically Provisioned Optical NetworksBusiness Model Concepts for Dynamically Provisioned Optical Networks
Business Model Concepts for Dynamically Provisioned Optical Networks
 
Citrix NetScaler SD-WAN - What’s New, What’s Hot?
Citrix NetScaler SD-WAN - What’s New, What’s Hot?Citrix NetScaler SD-WAN - What’s New, What’s Hot?
Citrix NetScaler SD-WAN - What’s New, What’s Hot?
 
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren NetzwerkverkehrSplunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
 
CCNP Data Center Centralized Management Automation
CCNP Data Center Centralized Management AutomationCCNP Data Center Centralized Management Automation
CCNP Data Center Centralized Management Automation
 
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud BoundariesGDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
 
NPM10.5 Come See Whats New
NPM10.5 Come See Whats NewNPM10.5 Come See Whats New
NPM10.5 Come See Whats New
 

More from Bangladesh Network Operators Group

Maximizing Network Efficiency with Large Language Models (LLM)
Maximizing Network Efficiency with Large Language Models (LLM)Maximizing Network Efficiency with Large Language Models (LLM)
Maximizing Network Efficiency with Large Language Models (LLM)
Bangladesh Network Operators Group
 
Geolocation and Geofeed Implementation bdNOG18
Geolocation and Geofeed Implementation bdNOG18Geolocation and Geofeed Implementation bdNOG18
Geolocation and Geofeed Implementation bdNOG18
Bangladesh Network Operators Group
 
Data Centre Design Consideration for Bangladesh
Data Centre Design Consideration for BangladeshData Centre Design Consideration for Bangladesh
Data Centre Design Consideration for Bangladesh
Bangladesh Network Operators Group
 
DNS Troubleshooting - Assumptions and Problem Breakdown
DNS Troubleshooting - Assumptions and Problem BreakdownDNS Troubleshooting - Assumptions and Problem Breakdown
DNS Troubleshooting - Assumptions and Problem Breakdown
Bangladesh Network Operators Group
 
Team Cymru Community Services,Overview of all public services
Team Cymru Community Services,Overview of all public servicesTeam Cymru Community Services,Overview of all public services
Team Cymru Community Services,Overview of all public services
Bangladesh Network Operators Group
 
Open Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using GraylogOpen Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using Graylog
Bangladesh Network Operators Group
 
Enhancing seamless access using TIGERfed
Enhancing seamless access using TIGERfedEnhancing seamless access using TIGERfed
Enhancing seamless access using TIGERfed
Bangladesh Network Operators Group
 
Software Defined Networking, Concepts and Practical Implementations
Software Defined Networking, Concepts and Practical ImplementationsSoftware Defined Networking, Concepts and Practical Implementations
Software Defined Networking, Concepts and Practical Implementations
Bangladesh Network Operators Group
 
IPv6 Deployment Planning and Security Considerations
IPv6 Deployment Planning and Security ConsiderationsIPv6 Deployment Planning and Security Considerations
IPv6 Deployment Planning and Security Considerations
Bangladesh Network Operators Group
 
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Bangladesh Network Operators Group
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Bangladesh Network Operators Group
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
Bangladesh Network Operators Group
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
Bangladesh Network Operators Group
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCT
Bangladesh Network Operators Group
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
Bangladesh Network Operators Group
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
Bangladesh Network Operators Group
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia  2022IPv6 Deployment in South Asia  2022
IPv6 Deployment in South Asia 2022
Bangladesh Network Operators Group
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
Bangladesh Network Operators Group
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
Bangladesh Network Operators Group
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
Bangladesh Network Operators Group
 

More from Bangladesh Network Operators Group (20)

Maximizing Network Efficiency with Large Language Models (LLM)
Maximizing Network Efficiency with Large Language Models (LLM)Maximizing Network Efficiency with Large Language Models (LLM)
Maximizing Network Efficiency with Large Language Models (LLM)
 
Geolocation and Geofeed Implementation bdNOG18
Geolocation and Geofeed Implementation bdNOG18Geolocation and Geofeed Implementation bdNOG18
Geolocation and Geofeed Implementation bdNOG18
 
Data Centre Design Consideration for Bangladesh
Data Centre Design Consideration for BangladeshData Centre Design Consideration for Bangladesh
Data Centre Design Consideration for Bangladesh
 
DNS Troubleshooting - Assumptions and Problem Breakdown
DNS Troubleshooting - Assumptions and Problem BreakdownDNS Troubleshooting - Assumptions and Problem Breakdown
DNS Troubleshooting - Assumptions and Problem Breakdown
 
Team Cymru Community Services,Overview of all public services
Team Cymru Community Services,Overview of all public servicesTeam Cymru Community Services,Overview of all public services
Team Cymru Community Services,Overview of all public services
 
Open Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using GraylogOpen Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using Graylog
 
Enhancing seamless access using TIGERfed
Enhancing seamless access using TIGERfedEnhancing seamless access using TIGERfed
Enhancing seamless access using TIGERfed
 
Software Defined Networking, Concepts and Practical Implementations
Software Defined Networking, Concepts and Practical ImplementationsSoftware Defined Networking, Concepts and Practical Implementations
Software Defined Networking, Concepts and Practical Implementations
 
IPv6 Deployment Planning and Security Considerations
IPv6 Deployment Planning and Security ConsiderationsIPv6 Deployment Planning and Security Considerations
IPv6 Deployment Planning and Security Considerations
 
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCT
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia  2022IPv6 Deployment in South Asia  2022
IPv6 Deployment in South Asia 2022
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
 

Recently uploaded

Portugal Dreamin 24 - How to easily use an API with Flows
Portugal Dreamin 24  - How to easily use an API with FlowsPortugal Dreamin 24  - How to easily use an API with Flows
Portugal Dreamin 24 - How to easily use an API with Flows
Thierry TROUIN ☁
 
Study of international anticancer research trends.pdf
Study of international anticancer research trends.pdfStudy of international anticancer research trends.pdf
Study of international anticancer research trends.pdf
Preston University
 
Mobile SEO India | Mobile SEO Service | Mobile SEO Company
Mobile SEO India | Mobile SEO Service | Mobile SEO CompanyMobile SEO India | Mobile SEO Service | Mobile SEO Company
Mobile SEO India | Mobile SEO Service | Mobile SEO Company
SIB Infotech
 
New York Institute of Technology degree Cert diploma offer
New York Institute of Technology degree Cert diploma offerNew York Institute of Technology degree Cert diploma offer
New York Institute of Technology degree Cert diploma offer
ubovu
 
upgrade to zabbix-7 0 como atualiza lts1
upgrade to zabbix-7 0 como atualiza lts1upgrade to zabbix-7 0 como atualiza lts1
upgrade to zabbix-7 0 como atualiza lts1
diogolsew
 
Use of Ontologies in Chemical Kinetic Database CHEMCONNECT
Use of Ontologies in Chemical Kinetic Database CHEMCONNECTUse of Ontologies in Chemical Kinetic Database CHEMCONNECT
Use of Ontologies in Chemical Kinetic Database CHEMCONNECT
Edward Blurock
 
My President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodieMy President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodie
exgf28
 
Best Skills to Learn for Freelancing.pdf
Best Skills to Learn for Freelancing.pdfBest Skills to Learn for Freelancing.pdf
Best Skills to Learn for Freelancing.pdf
Million-$-Knowledge {Million Dollar Knowledge}
 
Lordsexch ID: An Ultimate Online Cricket ID Provider In India
Lordsexch ID: An Ultimate Online Cricket ID Provider In IndiaLordsexch ID: An Ultimate Online Cricket ID Provider In India
Lordsexch ID: An Ultimate Online Cricket ID Provider In India
exchangeid32
 
202254.com香蕉影视,沙丘2在线播放,沙丘2线上看,最新电影沙丘2在线,热门电影推荐,2024最新科幻片推荐。
202254.com香蕉影视,沙丘2在线播放,沙丘2线上看,最新电影沙丘2在线,热门电影推荐,2024最新科幻片推荐。202254.com香蕉影视,沙丘2在线播放,沙丘2线上看,最新电影沙丘2在线,热门电影推荐,2024最新科幻片推荐。
202254.com香蕉影视,沙丘2在线播放,沙丘2线上看,最新电影沙丘2在线,热门电影推荐,2024最新科幻片推荐。
yilin01100
 
Week 1 - Pendidikan Pancasila - Gr 1.docx
Week 1 - Pendidikan Pancasila - Gr 1.docxWeek 1 - Pendidikan Pancasila - Gr 1.docx
Week 1 - Pendidikan Pancasila - Gr 1.docx
JunaManroe1
 
Rent remote desktop server mangohost .net
Rent remote desktop server mangohost .netRent remote desktop server mangohost .net
Rent remote desktop server mangohost .net
pdfsubmission50
 
Best CSS Animation Libraries for Web Developers
Best CSS Animation Libraries for Web DevelopersBest CSS Animation Libraries for Web Developers
Best CSS Animation Libraries for Web Developers
Shrestha Raaz
 
Ontology for the semantic enhancement, database definition and management and...
Ontology for the semantic enhancement, database definition and management and...Ontology for the semantic enhancement, database definition and management and...
Ontology for the semantic enhancement, database definition and management and...
Edward Blurock
 
SisAi World - Software is AI - Providing AI as Software - Protecting the Inte...
SisAi World - Software is AI - Providing AI as Software - Protecting the Inte...SisAi World - Software is AI - Providing AI as Software - Protecting the Inte...
SisAi World - Software is AI - Providing AI as Software - Protecting the Inte...
QingjieDu1
 
Understanding Threat Intelligence | What is Threat Intelligence
Understanding Threat Intelligence | What is Threat IntelligenceUnderstanding Threat Intelligence | What is Threat Intelligence
Understanding Threat Intelligence | What is Threat Intelligence
Lumiverse Solutions Pvt Ltd
 
Top 50 Telephone Conversation Sample Examples For IT Industries.pdf
Top 50 Telephone Conversation Sample Examples For IT Industries.pdfTop 50 Telephone Conversation Sample Examples For IT Industries.pdf
Top 50 Telephone Conversation Sample Examples For IT Industries.pdf
Krishna L
 
University of California, Riverside diploma
University of California, Riverside diplomaUniversity of California, Riverside diploma
University of California, Riverside diploma
eufdev
 
How God led me to DTS? Through many different signs and connections that I c...
How God led me to DTS? Through many different signs and connections that  I c...How God led me to DTS? Through many different signs and connections that  I c...
How God led me to DTS? Through many different signs and connections that I c...
AshishMohan57
 
DASH, presented by Elly Tawhai at PacNOG 33
DASH, presented by Elly Tawhai at PacNOG 33DASH, presented by Elly Tawhai at PacNOG 33
DASH, presented by Elly Tawhai at PacNOG 33
APNIC
 

Recently uploaded (20)

Portugal Dreamin 24 - How to easily use an API with Flows
Portugal Dreamin 24  - How to easily use an API with FlowsPortugal Dreamin 24  - How to easily use an API with Flows
Portugal Dreamin 24 - How to easily use an API with Flows
 
Study of international anticancer research trends.pdf
Study of international anticancer research trends.pdfStudy of international anticancer research trends.pdf
Study of international anticancer research trends.pdf
 
Mobile SEO India | Mobile SEO Service | Mobile SEO Company
Mobile SEO India | Mobile SEO Service | Mobile SEO CompanyMobile SEO India | Mobile SEO Service | Mobile SEO Company
Mobile SEO India | Mobile SEO Service | Mobile SEO Company
 
New York Institute of Technology degree Cert diploma offer
New York Institute of Technology degree Cert diploma offerNew York Institute of Technology degree Cert diploma offer
New York Institute of Technology degree Cert diploma offer
 
upgrade to zabbix-7 0 como atualiza lts1
upgrade to zabbix-7 0 como atualiza lts1upgrade to zabbix-7 0 como atualiza lts1
upgrade to zabbix-7 0 como atualiza lts1
 
Use of Ontologies in Chemical Kinetic Database CHEMCONNECT
Use of Ontologies in Chemical Kinetic Database CHEMCONNECTUse of Ontologies in Chemical Kinetic Database CHEMCONNECT
Use of Ontologies in Chemical Kinetic Database CHEMCONNECT
 
My President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodieMy President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodie
 
Best Skills to Learn for Freelancing.pdf
Best Skills to Learn for Freelancing.pdfBest Skills to Learn for Freelancing.pdf
Best Skills to Learn for Freelancing.pdf
 
Lordsexch ID: An Ultimate Online Cricket ID Provider In India
Lordsexch ID: An Ultimate Online Cricket ID Provider In IndiaLordsexch ID: An Ultimate Online Cricket ID Provider In India
Lordsexch ID: An Ultimate Online Cricket ID Provider In India
 
202254.com香蕉影视,沙丘2在线播放,沙丘2线上看,最新电影沙丘2在线,热门电影推荐,2024最新科幻片推荐。
202254.com香蕉影视,沙丘2在线播放,沙丘2线上看,最新电影沙丘2在线,热门电影推荐,2024最新科幻片推荐。202254.com香蕉影视,沙丘2在线播放,沙丘2线上看,最新电影沙丘2在线,热门电影推荐,2024最新科幻片推荐。
202254.com香蕉影视,沙丘2在线播放,沙丘2线上看,最新电影沙丘2在线,热门电影推荐,2024最新科幻片推荐。
 
Week 1 - Pendidikan Pancasila - Gr 1.docx
Week 1 - Pendidikan Pancasila - Gr 1.docxWeek 1 - Pendidikan Pancasila - Gr 1.docx
Week 1 - Pendidikan Pancasila - Gr 1.docx
 
Rent remote desktop server mangohost .net
Rent remote desktop server mangohost .netRent remote desktop server mangohost .net
Rent remote desktop server mangohost .net
 
Best CSS Animation Libraries for Web Developers
Best CSS Animation Libraries for Web DevelopersBest CSS Animation Libraries for Web Developers
Best CSS Animation Libraries for Web Developers
 
Ontology for the semantic enhancement, database definition and management and...
Ontology for the semantic enhancement, database definition and management and...Ontology for the semantic enhancement, database definition and management and...
Ontology for the semantic enhancement, database definition and management and...
 
SisAi World - Software is AI - Providing AI as Software - Protecting the Inte...
SisAi World - Software is AI - Providing AI as Software - Protecting the Inte...SisAi World - Software is AI - Providing AI as Software - Protecting the Inte...
SisAi World - Software is AI - Providing AI as Software - Protecting the Inte...
 
Understanding Threat Intelligence | What is Threat Intelligence
Understanding Threat Intelligence | What is Threat IntelligenceUnderstanding Threat Intelligence | What is Threat Intelligence
Understanding Threat Intelligence | What is Threat Intelligence
 
Top 50 Telephone Conversation Sample Examples For IT Industries.pdf
Top 50 Telephone Conversation Sample Examples For IT Industries.pdfTop 50 Telephone Conversation Sample Examples For IT Industries.pdf
Top 50 Telephone Conversation Sample Examples For IT Industries.pdf
 
University of California, Riverside diploma
University of California, Riverside diplomaUniversity of California, Riverside diploma
University of California, Riverside diploma
 
How God led me to DTS? Through many different signs and connections that I c...
How God led me to DTS? Through many different signs and connections that  I c...How God led me to DTS? Through many different signs and connections that  I c...
How God led me to DTS? Through many different signs and connections that I c...
 
DASH, presented by Elly Tawhai at PacNOG 33
DASH, presented by Elly Tawhai at PacNOG 33DASH, presented by Elly Tawhai at PacNOG 33
DASH, presented by Elly Tawhai at PacNOG 33
 

12 Years in DNS Security As a Defender

  • 1. 12 Years in DNS Security As a Defender A. S. M. Shamim Reza bdNOG 15 Dhaka 09-12 December, 2022
  • 2. [~]$whoami|– 12+ years worked at ISP – Chief Technology Officer, Pipeline Inc. – Community Trainer, APNIC @asmshamimreza on Linkedin @shamimrezasohag on Twitter
  • 3. What is DNS? DNS Domain Name System Inventor Dr. Paul Mockapetris Year 1983 RFC 882 & 883 Port 53 TCP/UDP Place University of Southern California’s Information Sciences Institute “I designed the DNS so that the name- space could be anything you wanted it to be.” – Dr. Paul Mockapetris
  • 5. Attacker likes DNS 91.3% of malware uses DNS in attacks 68% of Organization don't monitor DNS
  • 6. Cyber Attacks on DNS Attacks using DNS Server Reflection Attack DNS Tunneling DGA Command & Control Attacks that Target DNS Server DDoS Recursive Query Attacks Cache Poisoning Attacks Buffer overflow Port Scan
  • 7. Stat on 53 port – Bangladesh Listening IPs 64,576
  • 9. Observing DDoS Findings Mitigation Technique? Authoritative & Recursive service at the same system Separated them into different Hosts Service was running with Same OS and Bind service Migrated with BIND+CentOS & Unbound+FreeBSD Recursive resolver was Central Deployed IP Anycast for Recursive DNS in multiple region. Initial goal was to increase service availability
  • 10. Observing DDoS – additional steps – OS installation was practice with Minimal ISO. – Allowed only required service port. – Practiced IP ACL on remote access at Host based firewall. – Imposed IP ACL on DNS service configuration. – Disabled service version exposer. – Automatic update on OS Kernel, packages and patches. – BIND configured with CHROOT.
  • 11. Looking for other Attacks? increase insights – Started log storing – CLI based analytic – BIND Stats visualization Log File Category Definition: category default { default_file; }; category general { general_file; }; category database { database_file; }; category security { security_file; }; category config { config_file; }; category resolver { resolver_file; }; category xfer-out { xfer-out_file; }; category notify { notify_file; }; category client { client_file; }; category unmatched { unmatched_file; }; category queries { queries_file; }; category network { network_file; }; category update { update_file; }; category dispatch { dispatch_file; }; category dnssec { dnssec_file; }; category lame-servers { lame-servers_file; };
  • 12. Looking for other Attacks? increase insights – Started log storing – CLI based analytic – BIND Stats visualization – Used DNSTOP for automated Stats check from CLI – DNSTOP can be used in all the Linux variants. – In addition we have used generic utilities from the CLI to get the summary. # cat query.log | cut -d " " -f 10 | sort | uniq -c | sort -n 23506 www.google.com 26679 imgcdn.ptvcdn.net 28539 outlook.office.com 47835 dns.google 100117 time-c.timefreq.bldrdoc.gov 100533 time-b.timefreq.bldrdoc.gov 101298 time-a.timefreq.bldrdoc.gov # cat query.log | cut -d " " -f 10 | cut -d "." -f "2-3" | sort | uniq -c | sort -n 31836 office.com 36193 ms-acdc.office 39567 events.data 42475 google.com 47835 google 301948 timefreq.bldrdoc
  • 13. Looking for other Attacks? increase insights – Started log storing – CLI based analytic – BIND Stats visualization – With the CLI based check, we face few challenges as the log volume was increasing day by day. – time consuming – repetitive task for the same activity (scripting wasnt helping) Deployed Grafana eco-system to get all the Stats + logs and then visualized. Focused was to get all the insights on NXDOMAIN.
  • 14. Looking beyond NXDOMAIN! – Observed overall pattern of NXDOMAIN across the DNS infra – Few zones crosses the threshold on a specific time in max of cases – Log shows C&C communication in a few cases, decided to dig deep for NXDOMAIN – Installed Suricata NIDS in the DNS Infra and start monitoring the activity
  • 15. Including active Defense! – The outcome of the analysis, after incorporating Suricata, was enormous. – To overcome the issue, plan to deploy DNS RPZ
  • 17. What Next? Network Traffic – NetFlow with NFSen Roaming around in NetFlow – Searched for IPs listening on 53 port to mitigate OpenResolver – Setup threshold on traffic on 53 port both for TCP & UDP – Looking for a specific region that uses the 53 port heavily. – Looking for IPs that are sending 40<= bytes of PKT.
  • 18. Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows 2022-08-20 11:57:20.410 7.040 UDP 10.160.252.254:55427 -> 192.168.0.254:10032 ...... 0 4 280 0 318 70 1 2022-08-20 11:57:20.430 7.040 UDP 10.160.252.254:55429 -> 192.168.0.254:10032 ...... 0 4 280 0 318 70 1 2022-08-20 11:57:21.500 7.050 UDP 10.160.252.254:51601 -> 192.168.0.254:99032 ...... 0 4 276 0 313 69 1 2022-08-20 11:57:21.500 7.050 UDP 10.160.252.254:56961 -> 192.168.0.254:19032 ...... 0 4 276 0 313 69 1 2022-07-10 22:52:31.540 158.330 UDP 10.175.8.138:53 -> 192.168.0.254:19032 ...... 0 111 7509 0 379 67 1 2022-07-10 22:52:26.570 199.400 UDP 10.175.8.78:53 -> 192.168.0.254:20031 ...... 0 90 6123 0 245 68 1 2022-07-10 22:54:01.770 147.120 UDP 10.175.21.234:53 -> 192.168.0.254:60245 ...... 0 104 7526 0 409 72 1 2022-07-10 22:54:25.950 133.830 UDP 10.175.24.160:53 -> 192.168.0.254:8206 ...... 0 117 8018 0 479 68 1 2022-07-10 22:52:24.280 280.700 UDP 10.175.22.226:53 -> 192.168.0.254:94036 ...... 0 117 8836 0 251 75 1 2022-09-08 19:06:41.210 0.000 UDP 10.160.252.188:61902 -> 192.168.0.254:12023 ...... 0 1 45 0 0 45 1 2022-09-08 21:08:20.570 0.000 UDP 10.160.252.212:40960 -> 192.168.0.254:10046 ...... 0 1 45 0 0 45 1 2022-08-26 21:44:18.720 0.000 UDP 142.93.132.42:55433 -> 192.16.204.217:12067 ...... 72 1 28 0 0 28 1 2022-08-26 21:45:11.320 0.000 UDP 142.93.132.42:55433 -> 192.16.204.217:11057 ...... 72 1 40 0 0 40 1 2022-08-26 21:47:33.480 0.000 TCP 88.6.232.5:42671 -> 192.16.204.219:53 ....S. 40 1 40 0 0 40 1 2022-08-26 22:18:58.290 0.000 TCP 88.6.232.5:52561 -> 192.16.204.213:53 ....S. 40 1 40 0 0 40 1 2022-09-12 19:54:04.130 52.830 TCP 10.160.68.26:53 -> 192.168.0.254:55024 .AP... 0 319 349200 6 52879 1094 1 2022-09-12 20:04:27.090 1426.890 TCP 10.160.68.26:53 -> 192.168.0.254:10035 .AP... 0 245007 349.3 M 171 2.0 M 1425 1 2022-08-20 12:07:59.650 0.000 UDP 10.160.252.254:62415 -> 192.168.0.254:10014 ...... 0 2 202 0 0 101 1 2022-08-20 12:07:59.650 0.000 UDP 10.160.252.254:64165 -> 192.168.0.254:10053 ...... 0 2 202 0 0 101 1 2022-08-20 12:07:59.660 0.000 UDP 10.160.252.254:63760 -> 192.168.0.254:10123 ...... 0 2 116 0 0 58 1 2022-08-20 12:07:59.660 0.000 UDP 10.160.252.254:49521 -> 192.168.0.254:10135 ...... 0 2 198 0 0 99 1 2022-08-20 12:07:59.660 0.000 UDP 10.160.252.254:61534 -> 192.168.0.254:10145 ...... 0 2 198 0 0 99 1 2022-08-20 12:07:59.670 0.000 UDP 10.160.252.254:50694 -> 192.168.0.254:10068 ...... 0 2 192 0 0 96 1 2022-08-20 12:07:59.670 0.000 UDP 10.160.252.254:50557 -> 192.168.0.254:10037 ...... 0 2 192 0 0 96 1 2022-09-01 00:38:35.710 5.000 UDP 10.160.252.205:21343 -> 192.168.0.254:100379 ...... 0 4 1256 0 2009 314 1 2022-09-01 00:38:40.660 5.010 UDP 10.160.252.205:2500 -> 192.168.0.254:10790 ...... 0 4 976 0 1558 244 1 2022-09-01 00:38:45.710 7.960 UDP 10.160.252.205:29718 -> 192.168.0.254:10357 ...... 0 4 1256 0 1262 314 1 2022-09-01 00:38:50.670 6.440 UDP 10.160.252.205:5733 -> 192.168.0.254:23032 ...... 0 4 960 0 1192 240 1 2022-10-02 00:09:22.800 0.000 UDP 10.111.186.85:42531 -> 192.168.0.254:53 ...... 192 1 160 0 0 160 1 2022-10-02 00:09:22.800 0.000 UDP 10.111.186.85:49651 -> 192.168.0.254:53 ...... 192 1 160 0 0 160 1 2022-10-02 00:09:22.800 0.000 UDP 10.111.186.85:35340 -> 192.168.0.254:53 ...... 192 1 160 0 0 160 1 What Next? Network Traffic – NetFlow with NFSen ***Manipulated sample data
  • 19. What Next? Network Traffic – span traffic with Zeek Roaming around with Zeek – Using existing script to find DNS activity – Finding subdomains with random TLD and longer names. – Finding subdomains with upper/lower/numbers – DNS beaconing
  • 20. What Next? – With high-end Threat freed, 85%-93% of Cyber attack can be stopped with DNS RPZ. – Adversaries are evolving their attack tactics. Incorporate ML/NLP to detect DGA in DNS Query log.