Monetize the Noise: How Naming data junk became a security data treasure
Paul Sitowitz & Scott King Walker
September 28th, 2015
Verisign Confidential and Proprietary
Reduce, Reuse, Recycle
• Restore
• Repurpose
• Remake
• Reinvent
• Reimagine
Image by Jakub Jankiewicz (jcubic / Kuba) (Open Clip Art Library, detail page), CC0, via Wikimedia Commons
Noise, Noise, Noise, and Pigeon Droppings
• Excerpt is from: Wired Magazine, “Accept Defeat: The Neuroscience of Screwing Up” by Jonah Lehrer, 12.21.09.
• http://www.wired.com/2009/12/fail_accept_defeat/
Junk & Noise
• These are the unwanted things that we usually discard or else try to block out
• Junk
  • Trash
  • Unused items
  • Not needed items
  • Useless items
  • Not liked items
• Noise
  • Loud sounds
  • Interference
  • Malicious signals
  • Harmful irritants
  • Bad smells
Noise in our Data
• "Photon-noise" by Mdf - Photon-noise.jpg. Licensed under CC BY-SA 3.0 via Wikimedia Commons - https://commons.wikimedia.org/wiki/File:Photon-noise.jpg#/media/File:Photon-noise.jpg
Data Analyzer, and Signal from Noise
• YXD
• NXD
• Resolution Success = Signal
• Resolution Failure = Noise (or does it?)
• The Data Analyzer product is based on finding signal in this noise.
Looking at NXDs
• When a name server cannot resolve a domain, an NXD response is returned
• This data is typically discarded as “junk”
• Data Analyzer analyzes this data to identify domains
  • with sufficient traffic
  • requested during business hours
  • requested from specific locations around the world
  • … and many other desirable characteristics (like clickable traffic)
• We rate and score these NXDs (from 1 to 10) and allow our customers to query them
NXD Domains
• Sample of NXDs with sufficient traffic (according to DA):
• GENTLEMANMILLION.NET
• CDSYHD.NET
• SILVERHORSETRADER
• A2VERISIGNDNS.COM
• SARAH.COM
• 3RDBILLION.NET
• XN--JJEEP-3F5FW08B.COM
• PAULHUNTHOMES.COM
• CAT-HUSE
• SCOTTSTORAGE2.COM
• MANNYSGOLFWORLD.COM
EDAS Record Format
• The NXD DNS traffic data available to Verisign is stored in the EDAS record format
• A single EDAS formatted record contains:
  • The requesting IP (recursive name server)
  • The requested domain including TLD (up to 3rd level)
  • The time of day that the request was made
  • The site name where the request was received
  • The DNS record type for the request (typically A and AAAA)
Big Data
• NXD request data is captured by the Traffic Monitoring team from our Edge sites for COM/NET/CC/TV
  • Comprises 90% of NXD traffic
• The data is then ingested into the VSCC
  • an average of 300 Gigabytes each day
• Data Analyzer allows customers to query up to 26 weeks of raw NXD data
  • That’s 42.2 Terabytes of data needed by a single customer query
• If we factor in the 3X replication model used by the VSCC at both the BRN and ILG sites, that adds up to about 250 Terabytes of raw storage!!!
Query Processing Time
• A 26 week query on raw NXD data can take more than 8 hours to complete
  • And that’s running across more than a hundred powerful data node machines in the VSCC
• With this in mind, the Data Analyzer product also stores 60 days of aggregated data for our Complete Index in order to add more value with less time needed to produce results
  • Our indexes take a few hours every night to build
  • This index based data supports very flexible filter based queries
Noisy Data
• With so much data comes the potential for a lot of noise:
• But what kinds of noise?
• How much noise?
• How can we find this noise?
Finding Noise in the NXD Data - Sample 100K
[Chart: NXD request count (y-axis 0 to 80000) for each of the ~100K sampled domains, ranked 1 to 97693 by request frequency]
Classic hockey stick pattern, very dramatic, but nothing to see here. Right?
Top 1K NXD domains from 100K Sample
[Chart: NXD request count (y-axis 0 to 80000) for the top 1,000 domains of the 100K sample, ranked 1 to 990 by request frequency]
“Gap” – No domains with request frequencies between 9918 and 2820 in sample.
The Spike
• The large “spike” in the previous graphs shows an unusually large number of NXD requests
• Do we give these NXDs really high scores since they get lots of traffic?
• Or is this just plain noise in our data that we should discard?
• It also turns out that these heavily requested domains exhibit similar request traffic patterns
• We believe that these requests are from “Botnets”
The Botnet Problem
Traffic from Botnets is:
• Automatic, behind the scenes Traffic
• From infected computers
• Algorithmically generated based on time/date
Traffic from Botnets can be detected by:
• High traffic levels from consistent sets of recursive name servers
• Lack of traffic from other name servers
[Chart: NXD request count (y-axis 0 to 80000) for the top ~1,000 domains, ranked 1 to 973, showing the same spike of heavily requested domains]
What Are Botnets
• Enable the most sophisticated and popular types of cybercrime today
• They allow hackers to take control of many computers at a time, which operate as part of a powerful "botnet"
• Many of these computers are infected without their owners' knowledge
• Bots often spread themselves across the Internet by infecting unprotected computers
• Their goal is to stay hidden until they are instructed to carry out a task by a Command and Control server
About Botnets
• Botnets use an algorithm for generating domain names to make them difficult to identify. While many of these names may be NXDs, some are not
• These Botnet domains, if registered, would connect a Botnet to a Command and Control server that issues instructions to commit attacks
• Botnets are just “zombie” machines without C&C servers to tell them what to do
Botnet Detection
• NXDs with very large amounts of traffic that also exhibit similar traffic patterns are most likely NOT requested by humans
• These domains are classified by the Botnet Detection Service (BDS) as “suspicious” and the requests are considered to be from “botnets”:
  • CDSYHD.NET
  • A2VERISIGNDNS.COM
  • 3RDBILLION.NET
  • PAULHUNTHOMES.COM
  • SCOTTSTORAGE2.COM
About BDS
• Implemented using Hadoop streaming and the Mahout machine learning library
• Identifies similar NXD traffic patterns across many different name servers
• Runs once a day at 4:30pm EST
• Analyzes 1 day of NXD data for COM/NET/CC/TV and produces a “suspicious” domains list
• Collects the past 60 days of suspicious domains and publishes the unique collection to an HDFS folder in the VSCC
• Exposed to other products via a DAG data retrieval API
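The detection rule on the "Botnet Problem" slide (high traffic from a consistent small set of recursives, little from anyone else, similar patterns across domains) and the 60-day rolling collection described above, worked through on constructed EDAS-style records. This is an added illustration, not Verisign's BDS code; the record field names, thresholds, resolver IPs and domain traffic are assumptions, and no Hadoop/Mahout is involved.

```python
"""Toy re-creation of the NXD 'botnet noise' heuristic from the slides.

Added example, not Verisign's BDS. The record layout follows the EDAS fields
named on the slides (requesting recursive IP, requested domain, time, site,
record type); field names, thresholds and sample records are assumptions.
"""
from collections import Counter, defaultdict
from itertools import combinations
from typing import Dict, List, NamedTuple, Set


class EdasRecord(NamedTuple):
    requester: str   # recursive name server that asked (not the end host)
    domain: str      # requested name, up to 3rd level, with TLD
    hour: int        # hour of day the request was received (0-23)
    site: str        # edge site that received the query
    rtype: str       # DNS record type, typically A or AAAA


def constructed_records() -> List[EdasRecord]:
    """Constructed sample: two DGA-like names queried around the clock by the
    same three recursives, plus one 'human' typo domain seen once each from
    many different resolvers during business hours."""
    recs = []
    bot_resolvers = ["198.51.100.7", "198.51.100.9", "203.0.113.4"]  # assumed
    for name in ("cdsyhd.net", "3rdbillion.net"):
        for hour in range(24):
            for ip in bot_resolvers:
                recs.append(EdasRecord(ip, name, hour, "BRN", "A"))
    for i in range(40):
        recs.append(EdasRecord(f"192.0.2.{i + 1}", "sarah.com", 9 + i % 9, "ILG", "A"))
    return recs


class DomainStats(NamedTuple):
    total: int
    unique_recursives: int
    top_share: float          # share of requests from the N busiest recursives
    resolvers: frozenset      # every recursive that asked for the domain


def summarize(records: List[EdasRecord], top_n: int = 3) -> Dict[str, DomainStats]:
    """Per-domain request totals and how concentrated they are on a few resolvers."""
    per_domain: Dict[str, Counter] = defaultdict(Counter)
    for r in records:
        per_domain[r.domain][r.requester] += 1
    out = {}
    for dom, c in per_domain.items():
        total = sum(c.values())
        top = sum(n for _, n in c.most_common(top_n))
        out[dom] = DomainStats(total, len(c), top / total, frozenset(c))
    return out


def flag_suspicious(stats: Dict[str, DomainStats], min_total: int = 50,
                    min_top_share: float = 0.9) -> Set[str]:
    """Slide heuristic: lots of traffic, concentrated on a consistent small set
    of recursives, and almost nothing from any other name server."""
    return {d for d, s in stats.items()
            if s.total >= min_total and s.top_share >= min_top_share}


def jaccard(a: frozenset, b: frozenset) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def group_similar(stats: Dict[str, DomainStats], domains: Set[str],
                  min_sim: float = 0.8) -> List[Set[str]]:
    """Group flagged domains whose resolver sets overlap heavily: the 'similar
    traffic patterns' the slides use as the second signal for one botnet."""
    groups = [{d} for d in sorted(domains)]
    for a, b in combinations(sorted(domains), 2):
        if jaccard(stats[a].resolvers, stats[b].resolvers) >= min_sim:
            ga = next(g for g in groups if a in g)
            gb = next(g for g in groups if b in g)
            if ga is not gb:
                ga |= gb
                groups.remove(gb)
    return groups


def rolling_blocklist(daily_lists: List[Set[str]], window: int = 60) -> Set[str]:
    """Unique union of the last `window` daily suspicious lists, as the slides
    describe for the 60-day collection published to HDFS."""
    merged: Set[str] = set()
    for day in daily_lists[-window:]:
        merged |= day
    return merged


def run_demo():
    stats = summarize(constructed_records())
    suspicious = flag_suspicious(stats)
    return stats, suspicious, group_similar(stats, suspicious)


if __name__ == "__main__":
    stats, suspicious, groups = run_demo()
    for d, s in sorted(stats.items()):
        print(f"{d:16} total={s.total:4} recursives={s.unique_recursives:3} top3={s.top_share:.2f}")
    print("suspicious:", sorted(suspicious), "grouped:", groups)
```

The typo-style name is seen once from each of 40 resolvers and is left alone; the two DGA-style names share one resolver set and are grouped as one pattern.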
A Patented Technology
• https://www.google.com/patents/US8745737
DA Use Case of BDS
• Prevent promotion of these suspicious domains to our customers
• Provides two major benefits:
  • Customers benefit by not registering domains with high traffic that won’t see human traffic
  • System efficiency benefit of fewer domains to query
Monetize the Noise
• Remember that “One engineer’s noise is another engineer’s signal.”
• The effort to make use of the BDS data earlier this year started with a joke of an idea. It was something like: “If we know what domains the infected computers are looking for, we could register those domains, take over their botnets and use them for ourselves!”.
• (Probably not really, because they tend to use encrypted instructions to prevent this, but maybe.)
Monetize the Noise
This silly starting point led down a list of other options:
• Prevent the registration of these domains to clean up .COM and .NET
• Sell the data to a security company so they could pay to block traffic to these domains.
• Use the data itself to target the companies that most desperately need the blocking service.
How the connection happened
• Eventually, we found a security company interested. You may have heard of them… Verisign.
• Paul had a discussion about BDS with Jim Gould, who asked him to present it at a PESAB meeting. That led to an engineering-to-engineering discussion about the usefulness to the security side of the business.
• Once the engineering feasibility was in place, we had their product people talk to our product people, and the security use of the data was quickly approved.
• Takeaway is: “Don’t let the organizational structure stand in the way of a good use for your data.”
Current Usage
• Data Analyzer uses these domains as a “black list” to filter them out of our indexes, so that we never return them to our customers, in order to help prevent potential registration
• Recursive DNS uses these to ensure that resolution requests for them are ignored to prevent potential “botnet” transmissions
• How else might we use the suspicious Botnet domain list?
Future work
• BDS data from DA could be used in several ways within the company to improve security products. Blocking traffic within the Recursive service is just one use.
• How about:
  • Selling the BDS data feed as a standalone or add-on security product.
  • Using traffic to BDS domains to prioritize Recursive sales leads.
  • Using BDS domains within a Recursive appliance to identify infected computers on a network. (Don’t just block, disinfect!)
Going Further
• Block the registration of these suspected domains in Core
• Use the registration attempts to identify criminals
• While our Botnet domain list only comprises COM/NET/CC/TV domains, we can use BDS for other TLDs
  • Maybe a service we could provide to other registries
Botnet Domains And Request Information
Digging Deeper
Per-subnet view of the requests for a suspicious domain (sample table from the slide; each row also offers a “View Recursives” drill-down):

Subnet        Total Requests   ASN       Country   Total Unique Recursives
12.45.69      1350             AS8075    US        23
225.10.19     2354             AS15169   US        12
111.48.23     3487             AS20013   CH        56
5.228.43      7812             AS13238   FR        5
189.165.221   2834             AS30083   NL        134
17.12.187     12128            AS15169   US        45
Infection Detection
• With help from a Recursive Server appliance that captures the IPs of the original requests
  • We can track back from the Recursive server to the actual “Bots!”
  • If we can find these Bots then we can help to shut them down
• Another possibility might be to include the IP of the actual requesting machines inside the DNS messages using EDNS0 (Extension Mechanisms for DNS)
  • Allows for storing more information in DNS messages
  • Is currently used in about 10% of DNS messages to enable things like GEO location
Information Gathering
• So far, since the suspected domains have all been NXDs, the intended C&C servers have not yet been registered
• We can use BDS to identify suspected domains based on YXD traffic data that point to real, live C&C servers
• While the BDS algorithm would definitely work on YXD data, we might have some challenges:
  • TTL based caching by resolvers
  • Frequent IP switching for C&C server domains to avoid detection
Taking Down C&C servers
• If we can identify the domains for suspected live C&C servers, perhaps we can:
  • Block DNS resolution on EDGE and Electra servers
  • Use “Core” to suspend the registration for these domains so they appear “out of zone”
  • Fine registrars
  • Go after domain owners
• While a service to the entire internet, there most likely would be legal implications in any of the above
Room For Improvement
• While a great service, BDS does not help with Botnet transmissions that are NOT DNS based
• Add support for IPv6 traffic
• Add monitoring to track the rate of false positives
• Use for analyzing traffic data for other TLDs
• Use for analyzing YXD traffic data
• Potentially look at additional data points in the AVRO summary feed currently used by the Real-Time cluster (RTC) and soon to be used as a replacement for the existing Traffic Monitor feed (end Q2 next year)
  • Will also include traffic data from our Electra sites
  • And the missing 10% of NXD traffic data!
Eureka!
• Excerpt is from: Wired Magazine, “Accept Defeat: The Neuroscience of Screwing Up” by Jonah Lehrer, 12.21.09.
• http://www.wired.com/2009/12/fail_accept_defeat/
Takeaways
• Your Noise could be MY signal
• Reimagine and Reuse & Find reasons to Keep more of your data
• Find more Value & Throw more effectively
• Don’t let the organization stand in the way
© 2015 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of
VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.

More Related Content

Similar to Data Junk VTS Prez - 20150925-3

Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheap
Anjum Ahuja
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
EndgameInc
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSEC
Deploy360 Programme (Internet Society)
 
IoT Security: How Your TV and Thermostat are Attacking the Internet
IoT Security: How Your TV and Thermostat are Attacking the InternetIoT Security: How Your TV and Thermostat are Attacking the Internet
IoT Security: How Your TV and Thermostat are Attacking the Internet
Nathan Wallace, PhD, PE
 
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summerDEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
Felipe Prado
 
Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective Security
Lancope, Inc.
 
Internet of Things
Internet of ThingsInternet of Things
Internet of Things
Aniekan Akpaffiong
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Abhinav Biswas
 
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
EC-Council
 
IPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinIPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe Klein
Digicomp Academy AG
 
Hunt for the red DA
Hunt for the red DAHunt for the red DA
Hunt for the red DA
Neil Lines
 
Internet of Things (IoT) Affordable & Fast Semi-Custom ASIC Solutions
Internet of Things (IoT) Affordable & Fast Semi-Custom ASIC SolutionsInternet of Things (IoT) Affordable & Fast Semi-Custom ASIC Solutions
Internet of Things (IoT) Affordable & Fast Semi-Custom ASIC Solutions
Triad Semiconductor
 
MongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the Cloud
MongoDB
 
MongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud Security
MongoDB
 
Ride the Light
Ride the LightRide the Light
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
ShapeBlue
 
2012: The End of the World?
2012: The End of the World?2012: The End of the World?
2012: The End of the World?
Saumil Shah
 
Mining software vulns in SCCM / NIST's NVD
Mining software vulns in SCCM / NIST's NVDMining software vulns in SCCM / NIST's NVD
Mining software vulns in SCCM / NIST's NVD
Loren Gordon
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Andrew Morris
 
CCTV in the CLOUD
CCTV in the CLOUDCCTV in the CLOUD
CCTV in the CLOUD
Riccardo Mazzurco
 

Similar to Data Junk VTS Prez - 20150925-3 (20)

Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheap
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSEC
 
IoT Security: How Your TV and Thermostat are Attacking the Internet
IoT Security: How Your TV and Thermostat are Attacking the InternetIoT Security: How Your TV and Thermostat are Attacking the Internet
IoT Security: How Your TV and Thermostat are Attacking the Internet
 
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summerDEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
 
Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective Security
 
Internet of Things
Internet of ThingsInternet of Things
Internet of Things
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
 
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
 
IPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinIPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe Klein
 
Hunt for the red DA
Hunt for the red DAHunt for the red DA
Hunt for the red DA
 
Internet of Things (IoT) Affordable & Fast Semi-Custom ASIC Solutions
Internet of Things (IoT) Affordable & Fast Semi-Custom ASIC SolutionsInternet of Things (IoT) Affordable & Fast Semi-Custom ASIC Solutions
Internet of Things (IoT) Affordable & Fast Semi-Custom ASIC Solutions
 
MongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the Cloud
 
MongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud Security
 
Ride the Light
Ride the LightRide the Light
Ride the Light
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
2012: The End of the World?
2012: The End of the World?2012: The End of the World?
2012: The End of the World?
 
Mining software vulns in SCCM / NIST's NVD
Mining software vulns in SCCM / NIST's NVDMining software vulns in SCCM / NIST's NVD
Mining software vulns in SCCM / NIST's NVD
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
 
CCTV in the CLOUD
CCTV in the CLOUDCCTV in the CLOUD
CCTV in the CLOUD
 

Data Junk VTS Prez - 20150925-3

  • 1. Monetize the Noise: How Naming data junk became a security data treasure Paul Sitowitz & Scott King Walker September 28th, 2015
  • 2. Verisign Confidential and Proprietary Reduce, Reuse, Recycle 2 • Restore • Repurpose • Remake • Reinvent • Reimagine Image by Jakub Jankiewicz (jcubic / Kuba) (Open Clip Art Library, detail page) CC0, via Wikimedia Commons
  • 3. Verisign Confidential and Proprietary Noise, Noise, Noise, and Pigeon Droppings • Excerpt is from: Wired Magazine, “Accept Defeat: The Neuroscience of Screwing Up” by Jonah Lehrer, 12.21.09. • http://www.wired.com/2009/12/fail_accept_defeat/ 3
  • 4. Verisign Confidential and Proprietary Junk & Noise • These are the unwanted things that we usually discard or else try to block out • Junk • Trash • Unused items • Not needed items • Useless items • Not liked items • Noise • Loud sounds • Interference • Malicious signals • Harmful irritants • Bad smells 4
  • 5. Verisign Confidential and Proprietary Noise in our Data • "Photon-noise" by Mdf - Photon-noise.jpg. Licensed under CC BY-SA 3.0 via Wikimedia Commons - https://commons.wikimedia.org/wiki/File:Photon-noise.jpg#/media/File:Photon-noise.jpg 5
  • 6. Verisign Confidential and Proprietary Data Analyzer, and Signal from Noise • YXD • NXD • Resolution Success = Signal • Resolution Failure = Noise (or does it?) • The Data Analyzer product is based on finding signal in this noise. 6
  • 7. Verisign Confidential and Proprietary Looking at NXDs • When a Name Server can not resolve a domain, an NXD response is returned • This data is typically discarded as “junk” • Data Analyzer analyzes this data to identify domains • with sufficient traffic • requested during business hours • requested from specific locations around the world • … and many other desirable characteristics (like clickable traffic) • We rate and score these NXDs (from 1 to 10) and allow our customers to query them 7
  • 8. Verisign Confidential and Proprietary NXD Domains • Sample of NXDs with sufficient traffic (according to DA): • GENTLEMANMILLION.NET • CDSYHD.NET • SILVERHORSETRADER • A2VERISIGNDNS.COM • SARAH.COM • 3RDBILLION.NET • XN--JJEEP-3F5FW08B.COM • PAULHUNTHOMES.COM • CAT-HUSE • SCOTTSTORAGE2.COM • MANNYSGOLFWORLD.COM 8
  • 9. Verisign Confidential and Proprietary EDAS Record Format • The NXD DNS traffic data available to Verisign is stored in the EDAS record format • A single EDAS formatted record contains: • The Requesting IP (recursive name server) • The Requested Domain including TLD (up to 3rd level) • The time of day that the request was made • The Site name were they request was received • The DNS Record Type for the request (typically A and AAAA) 9
  • 10. Verisign Confidential and Proprietary Big Data • NXD request data is captured by the Traffic Monitoring team from our Edge sites for COM/NET/CC/TV • Comprises 90% of NXD traffic • The data is then ingested into the VSCC • an average of 300 Gigabytes each day • Data Analyzer allows customers to query up to 26 weeks of raw NXD data • That’s 42.2 Terabytes of data needed by a single customer query • If we factor in a 3X replication model used by the VSCC at both the BRN and ILG sites, that adds up to about 250 Terabytes of raw storage!!! 10
  • 11. Verisign Confidential and Proprietary Query Processing Time • A 26 week queryon raw NXD data can take more than 8 hours to complete • And that’s running across more than a hundred powerful data node machines in the VSCC • With this in mind, the Data Analyzer product also stores 60 days of aggregated data for our Complete Index in order to add more value with less time needed to produce results • Our indexes take a few hours every night to build • This index based data supports very flexible filter based queries 11
  • 12. Verisign Confidential and Proprietary Noisy Data • With so much data comes the potential for a lot of noise: • But what kinds of noise? • How much noise? • How can we find this noise? 12
  • 13. Verisign Confidential and Proprietary Finding Noise in the NXD Data - Sample 100K 13 0 10000 20000 30000 40000 50000 60000 70000 80000 1 2327 4653 6979 9305 11631 13957 16283 18609 20935 23261 25587 27913 30239 32565 34891 37217 39543 41869 44195 46521 48847 51173 53499 55825 58151 60477 62803 65129 67455 69781 72107 74433 76759 79085 81411 83737 86063 88389 90715 93041 95367 97693 Classic hockey stick pattern, very dramatic, but nothing to see here. Right?
  • 14. Verisign Confidential and Proprietary Top 1K NXD domains from 100K Sample 14 0 10000 20000 30000 40000 50000 60000 70000 80000 1 24 47 70 93 116 139 162 185 208 231 254 277 300 323 346 369 392 415 438 461 484 507 530 553 576 599 622 645 668 691 714 737 760 783 806 829 852 875 898 921 944 967 990 “Gap” – No domains with request frequencies between 9918 and 2820 in sample.
  • 15. Verisign Confidential and Proprietary The Spike • The large “spike” in the previous graphs show an unusually large number of NXD requests • Do we give these NXDs real high scores since they get lots of traffic? • Or is this just plain noise in our data that we should discard? • It also turns out that these large requests also exhibit similar request traffic patterns • We believe that these requests are from “Botnets” 15
  • 16. Verisign Confidential and Proprietary The Botnet Problem Traffic from Botnets is: • Automatic, behind the scenes Traffic • From infected computers • Algorithmically generated based on time/date Traffic from Botnets can be detected by: • High traffic levels from consistent sets of recursive name servers • Lack of traffic from other name servers 16 0 10000 20000 30000 40000 50000 60000 70000 80000 1 37 73 109 145 181 217 253 289 325 361 397 433 469 505 541 577 613 649 685 721 757 793 829 865 901 937 973
  • 17. Verisign Confidential and Proprietary What Are Botnets • Enable most sophisticated and popular types of cybercrime today • They allow hackers to take control of many computers at a time which operate as part of a powerful "botnet” • Many of these computers are infected without their owners knowledge • Bots often spread themselves across the Internet by infecting unprotected computers • Their goal is to stay hidden until they are instructed to carry out a task by a Command and Control server 17
  • 18. Verisign Confidential and Proprietary About Botnets • Botnets use an algorithm for generating domain names to make it difficult to identify. While many may be NXDs, some are not • These Botnet domains, if registered, would connect a Botnet to a Command and Control server that issues instructions to commit attacks • Botnets are just “zombie” machines without C&C servers to tell then what to do 18
  • 19. Verisign Confidential and Proprietary Botnet Detection • NXDs with very large amounts of traffic and that exhibit similar traffic patterns are most likely NOT requested by humans • These domains are classified by the Botnet Detection Service (BDS) as “suspicious” and the requests are considered to be from “botnets”: 19 CDSYHD.NET A2VERISIGNDNS.COM 3RDBILLION.NET PAULHUNTHOMES.COM SCOTTSTORAGE2.COM GENTLEMANMILLION.NET CDSYHD.NET SILVERHORSETRADER A2VERISIGNDNS.COM SARAH.COM 3RDBILLION.NET XN--JJEEP-3F5FW08B.COM PAULHUNTHOMES.COM CAT-HUSE SCOTTSTORAGE2.COM MANNYSGOLFWORLD.COM
  • 20. Verisign Confidential and Proprietary About BDS • Implemented using Hadoop streaming and the Mahout machine learning library • Identifies similar NXD traffic patterns across many different name servers • Runs once a day at 4:30pm EST • Analyzes 1 day of NXD data for COM/NET/CC/TV and produces a “suspicious” domains list • Collects the past 60 days of suspicious domains and publishes the unique collection to an HDFS folder in the VSCC • Exposed to other products via a DAG data retrieval API 20
  • 21. Verisign Confidential and Proprietary A Patented Technology • https://www.google.com/patents/US8745737 21
  • 22. Verisign Confidential and Proprietary DA Use Case of BDS • Prevent promotion of these suspicious domains to our customers • Provides two major benefits: • Customers benefit by not registering domains with high traffic that won’t see human traffic • System efficiency benefit of less domains to query from 22
  • 23. Verisign Confidential and Proprietary Monetize the Noise • Remember that “One engineer’s noise is another engineer’s signal.” • The effort to make use of the BDS data earlier this year started with a joke of an idea. It was something like: “If we know what domains the infected computers are looking for, we could register those domains, take over their botnets and use them for ourselves!”. • (Probably not really, because they tend to use encrypted instructions to prevent this, but maybe.) 23
  • 24. Verisign Confidential and Proprietary Monetize the Noise This silly starting point lead down a list of other options: • Prevent the registration of these domains to clean up .COM and .NET • Sell the data to a security company so they could pay to block traffic to these domains. • Use the data itself to target the companies that most desperately need the blocking service. 24
  • 25. Verisign Confidential and Proprietary How the connection happened • Eventually, we found a security company interested. You may have heard of them… Verisign. • Paul had a discussion about BDS with Jim Gould who asked him to present it at a PESAB meeting. That lead to an engineering to engineering discussion about the usefulness to the security side of the business. • Once the engineering feasibility was in place, we had their product people talk to our product people, and the security use of the data was quickly approved. • Takeaway is: “Don’t let the organizational structure stand in the way of a good use for your data.” 25
  • 26. Verisign Confidential and Proprietary Current Usage • Data Analyzer uses these domains as a “black list” to filter them out of our indexes to prevent us from ever returning to our customers in order to help prevent potential registration • Recursive DNS uses these to ensure that resolution requests for them are ignored to prevent potential “botnet” transmissions • How else might we use the suspicious Botnet domain list? 26
  • 27. Future work
    • BDS data from DA could be used in several ways within the company to improve security products. Blocking traffic within the Recursive service is just one use.
    • How about:
      • Selling the BDS data feed as a standalone or add-on security product.
      • Using traffic to BDS domains to prioritize Recursive sales leads.
      • Using BDS domains within a Recursive appliance to identify infected computers on a network. (Don’t just block, disinfect!)
  • 28. Going Further
    • Block the registration of these suspected domains in Core
    • Use the registration attempts to identify criminals
    • While our Botnet domain list only comprises COM/NET/CC/TV domains, we can use BDS for other TLDs
      • Maybe a service we could provide to other registries
  • 29. Botnet Domains And Request Information
  • 30. Digging Deeper
    Subnet        Total Requests   ASN        Country   Total Unique Recursives
    12.45.69      1350             AS8075     US        23
    243.10.19     2354             AS15169    US        12
    111.48.23     3487             AS20013    CH        56
    5.228.43      7812             AS13238    FR        5
    189.165.221   2834             AS30083    NL        134
    17.12.187     12128            AS15169    US        45
    (each row offers a “View Recursives” drill-down)
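The “Digging Deeper” view above, as an added example that is not part of the original deck: a Python script that takes a recursive-resolver query log, keeps only NXDOMAIN answers for BDS-flagged names, and aggregates per requesting /24 the total requests, unique recursives, ASN and country, skipping malformed source addresses (the deck’s own 5.298.43 row shows why that check matters). The suspicious domains, the log lines and the ASN/country table are all constructed for illustration.

```python
"""Aggregate BDS-flagged NXD requests per requesting-recursive /24.

Added example, not Verisign's code: rebuilds the "Digging Deeper" view
from a constructed log; the ASN/country table stands in for a routing DB.
"""
import ipaddress
from collections import defaultdict

# Constructed: domains BDS has flagged as suspicious (all currently NXDs).
SUSPICIOUS_DOMAINS = {"xk3jd9qlmz.com", "pq7wvn2tbd.net", "z9a1k2m3n4.com"}
# Constructed: /24 -> (ASN, country), standing in for a routing/geo lookup.
SUBNET_INFO = {
    "12.45.69.0/24": ("AS8075", "US"),
    "243.10.19.0/24": ("AS15169", "US"),
    "111.48.23.0/24": ("AS20013", "CH"),
}
# Constructed query log, one "<recursive-ip> <qname> <rcode>" per line.
# The 5.298.43.2 line is deliberately malformed (octet > 255).
SAMPLE_LOG = """\
12.45.69.10 xk3jd9qlmz.com NXDOMAIN
12.45.69.10 pq7wvn2tbd.net NXDOMAIN
12.45.69.77 xk3jd9qlmz.com NXDOMAIN
243.10.19.5 z9a1k2m3n4.com NXDOMAIN
243.10.19.5 example.com NOERROR
111.48.23.1 xk3jd9qlmz.com NXDOMAIN
17.12.187.200 pq7wvn2tbd.net NXDOMAIN
5.298.43.2 xk3jd9qlmz.com NXDOMAIN
"""

def subnet_of(ip_text):
    """Return the /24 containing ip_text as 'a.b.c.0/24', or None if malformed."""
    try:
        return str(ipaddress.IPv4Network(f"{ip_text}/24", strict=False))
    except ValueError:
        return None

def aggregate(log_text, suspicious=SUSPICIOUS_DOMAINS, info=SUBNET_INFO):
    """Return (rows sorted by total_requests desc, number of malformed lines).

    Only NXDOMAIN answers for BDS-flagged names count; each row carries the
    requesting /24, its request total, ASN, country and unique recursives.
    """
    totals = defaultdict(int)
    recursives = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, qname, rcode = line.split()
        if rcode != "NXDOMAIN" or qname.lower() not in suspicious:
            continue
        net = subnet_of(src)
        if net is None:  # bad address: count it rather than abort the job
            skipped += 1
            continue
        totals[net] += 1
        recursives[net].add(src)
    rows = []
    for net, count in totals.items():
        asn, country = info.get(net, ("unknown", "??"))
        rows.append({"subnet": net, "total_requests": count, "asn": asn,
                     "country": country, "unique_recursives": len(recursives[net])})
    rows.sort(key=lambda r: r["total_requests"], reverse=True)
    return rows, skipped
```

Calling aggregate(SAMPLE_LOG) puts 12.45.69.0/24 on top (3 requests from 2 distinct recursives), marks the 17.12.187.0/24 row as unknown ASN because it is absent from the lookup table, and reports one skipped malformed address.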
  • 31. Infection Detection
    • With help from a Recursive Server appliance that captures the IPs of the original requests
      • We can track back from the Recursive server to the actual “Bots!”
      • If we can find these Bots then we can help to shut them down
    • Another possibility might be to include the IP of the actual requesting machines inside the DNS messages using EDNS0 (Extension Mechanisms for DNS)
      • Allows for storing more information in DNS messages
      • Is currently used in about 10% of DNS messages to enable things like GEO location
  • 32. Information Gathering
    • So far, since the suspected domains have all been NXDs, the intended C&C servers have not yet been registered
    • We can use BDS to identify suspected domains based on YXD traffic data that point to real, live C&C servers
    • While the BDS algorithm would definitely work on YXD data, we might have some challenges:
      • TTL-based caching by resolvers
      • Frequent IP switching for C&C server domains to avoid detection
  • 33. Taking Down C&C servers
    • If we can identify the domains for suspected live C&C servers, perhaps we can:
      • Block DNS resolution on EDGE and Electra servers
      • Use “Core” to suspend the registration for these domains so they appear “out of zone”
      • Fine registrars
      • Go after domain owners
    • While a service to the entire internet, there most likely would be legal implications in any of the above
  • 34. Room For Improvement
    • While a great service, BDS does not help out with Botnet transmissions that are NOT DNS-based
    • Add support for IPv6 traffic
    • Add monitoring to track the rate of false positives
    • Use for analyzing traffic data for other TLDs
    • Use for analyzing YXD traffic data
    • Potentially look at additional data points in the Avro summary feed currently used by the Real-Time cluster (RTC) and soon to be used as a replacement for the existing Traffic Monitor feed (end Q2 next year)
      • Will also include traffic data from our Electra sites
      • And the missing 10% of NXD traffic data!
  • 35. Eureka!
    • Excerpt is from: Wired Magazine, “Accept Defeat: The Neuroscience of Screwing Up” by Jonah Lehrer, 12.21.09.
    • http://www.wired.com/2009/12/fail_accept_defeat/
  • 36. Takeaways
    • Your Noise could be MY signal
    • Reimagine and Reuse & Find reasons to Keep more of your data
    • Find more Value & Throw more effectively
    • Don’t let the organization stand in the way
  • 37. © 2015 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.

Editor's Notes

  1. Scott: You have heard the saying “One man’s junk is another man’s treasure”. Today, we are going to show you how “One engineer’s noise is another engineer’s signal”. You have heard of “Reduce, Reuse, Recycle”. For Keepers, or “Packrats” as some of the Throwers call us, it’s more like “Reduce, Reuse, Restore, Repurpose, Remake, Reinvent, Reimagine, Re-gift, Recycle”. I will Re-almost-anything, as long as I don’t need to just throw away something that might someday have some value.
  2. Scott: I am by nature a Keeper. I hate throwing anything out, if I think I can possibly find some value in it. Today’s presentation is about 3 different times when the “Keeper” was vindicated because value was found in data that was being thrown out.
  3. Scott reads: It all started with the sound of static. In May 1964, two astronomers at Bell Labs, Arno Penzias and Robert Wilson, were using a radio telescope in suburban New Jersey to search the far reaches of space. Their aim was to make a detailed survey of radiation in the Milky Way, which would allow them to map those vast tracts of the universe devoid of bright stars. This meant that Penzias and Wilson needed a receiver that was exquisitely sensitive, able to eavesdrop on all the emptiness. And so they had retrofitted an old radio telescope, installing amplifiers and a calibration system to make the signals coming from space just a little bit louder. But they made the scope too sensitive. Whenever Penzias and Wilson aimed their dish at the sky, they picked up a persistent background noise, a static that interfered with all of their observations. It was an incredibly annoying technical problem, like listening to a radio station that keeps cutting out. At first, they assumed the noise was man-made, an emanation from nearby New York City. But when they pointed their telescope straight at Manhattan, the static didn’t increase. Another possibility was that the sound was due to fallout from recent nuclear bomb tests in the upper atmosphere. But that didn’t make sense either, since the level of interference remained constant, even as the fallout dissipated. And then there were the pigeons: A pair of birds were roosting in the narrow part of the receiver, leaving a trail of what they later described as “white dielectric material.” The scientists evicted the pigeons and scrubbed away their mess, but the static remained, as loud as ever. For the next year, Penzias and Wilson tried to ignore the noise, concentrating on observations that didn’t require cosmic silence or perfect precision. They put aluminum tape over the metal joints, kept the receiver as clean as possible, and hoped that a shift in the weather might clear up the interference. 
They waited for the seasons to change, and then change again, but the noise always remained, making it impossible to find the faint radio echoes they were looking for. Their telescope was a failure.
  4. Paul speaking: Sitting in a crowded theatre at the much anticipated summer blockbuster and a baby in the next row is screaming and crying. That yucky stuff I scoop out of my cat Yoda’s litter box every morning for the past 18 years. Your wife’s favorite china that is now in pieces all over the kitchen floor. All those banana peels you’ve tossed out over the years. That horrible smell that caused you and your brother to cover your faces that summer when the family visited Yellowstone National Park. And let’s not forget that new 75’’ curved 4K ultra high def TV with the football size hole in the middle of the screen.
  5. Scott Speaking As Engineers and Scientists, noise in our data is a huge problem. We want our data to show us a clear picture like the bottom right. If we can’t get that, we at least want something in the middle row. Too often, our data looks like the top row. We are squinting at it to try to make any sense out of what it is.
  6. Scott: At Verisign, we wholesale domain names and provide resolution for them. On the resolution side, counts of successful resolutions are the signal. That’s “YXD” traffic, or “Yes eXistent Domain”. We also get a lot of “junk” traffic for “Non-eXistent Domains”, or NXDs. The Data Analyzer product is based on this first layer of junk. People are clicking on links, or typing names into browsers expecting that domains are going to exist. When they don’t, they get an error page in their browser, or their mail bounces, or they get some other form of error. If you are interested in buying domains to serve a few web ads to these people, these domains are gold. For Verisign, it is an opportunity to sell a domain that would otherwise remain unsold.
  7. Paul speaking: You type a misspelled site name into your least favorite browser (you know, the one that doesn’t run on a Mac) and you get back that unfriendly message “This webpage is not available”. What really happens behind the scenes is that a name server couldn’t resolve the misspelled domain name and, instead of returning an IP address, a Non-Existent-Domain-Name, or NXD, response is returned. To most of us, NXD responses are just plain “junk”, but to Data Analyzer, we tend to see very much more. We analyze this data to identify available domains with: existing traffic; requested during business hours; requested from specific locations from around the world; and many other desirable characteristics. We rate and score these NXDs from 1 to 10 with hopes of getting conversions due to registrations.
  8. Paul: Here are some sample NXDs with significant existing traffic. Some look like garbage while others look like you may want to register. Like the one that spells my youngest daughter’s name.
  9. PAUL
  10. PAUL ingested by a Data Architecture Group (DAG) process into the Verisign Compute Cluster (VSCC)
  11. PAUL: Partial Index - 1 day of aggregated NXD data. Complete index – 60 days of aggregated data from 60 Partial Indexes. Query by GEO code, score, time of day, etc.
  12. PAUL
  13. Scott: Data Analyzer is a fairly mature product. When it was first developed, there was a major problem with the data. The domain-investors (or “Domainers”) don’t actually care about NXD traffic. They want to know what domains they can register so that their ads are seen by the most people. They may also care about the ads being clicked on by real people. In the graph above, it turns out that many of the most frequent NXD domains are not being visited by people at all. There was something wrong here. Without removing the noise, DA customers would assume that they should buy the wrong domains. If DA made suggestions that consistently didn’t work out, people would give up on it, and wouldn’t buy as many of these domains. So, what was wrong? Botnets!
  14. Scott:
  15. Paul: It turns out that many (but not all) of the most requested domains are popular only because vast networks of infected computers are checking for Command and Control instructions. These domain names often look like nonsense that a human would never type. The point is that by identifying the pattern of traffic, we were able to more effectively filter it out of the DA data.
  16. Paul speaking: An army of infected computers that act like “zombies” and just sit there, hidden from their owners, waiting for instructions from a central C&C server that issues commands for these “bots” to work together and launch cybercriminal attacks: denial of service, send spam, spread viruses and other sophisticated and popular cybercrimes. Many of these “bots” are infected without their owners ever even knowing.
  17. Paul: Botnets either generate non-existent domain names based on an algorithm or else cycle through a list of unreadable domain names with the hope that at least one will get registered and connect these bots to a “bot master” or C&C server. To note: if these domains are never registered, then these botnets will just remain a bunch of “zombies”.
  18. Paul: Getting back to that huge traffic spike… These are most likely not requested from humans. These instead are classified by the Botnet Detection Service (BDS) as “suspicious” and considered to be from botnets.
  19. PAUL
  20. Paul: The Botnet Detection Service, or BDS, is one of the services offered with the Data Analyzer product and is based on real, patented technology both invented and owned by Verisign. Patent filed in 2011 and granted in 2014. Will the inventors please raise your hands?
  21. Paul: Prevent promotion of these suspicious domains to our customers. Customer benefit – not registering NXDs that won’t see human traffic. System benefit – fewer overall domains to have to query from.
  22. Scott
  23. Scott:
  24. Scott. Paul injects: I had a hallway conversation with Jim Gould about the new Star Wars movie coming out (we originally went to see the midnight showing of Episode 1 some many years ago) and I happened to mention some cool stuff regarding how we identify botnet domains and maybe using them to identify infected networks. Jim suggested that I present this at the next PESAB meeting. This led to engineering-to-engineering discussions about the usefulness to the security side of the business.
  25. PAUL: Currently, the suspicious domains list is being used by Data Analyzer as a blacklist to prevent promotion of these to our customers, and by Recursive DNS to ignore resolution requests for these and prevent potential botnet transmissions. How else might we use this data?
  26. Scott
  27. Paul: Block registrations in Core. Use registration attempts to identify and trap criminals (like a honey pot). Support other TLDs that we have traffic data for. Provide as a service for other registries.
  28. Paul: It could be useful to provide ways to identify important information about the botnet requests. A potential UI screen to deep dive into the data related to the botnet domains: total requesting ASNs, most requesting ASNs, most requesting countries, request timeline, total requests, total requesting recursives. Search through the data by ASN, country, IP address, subnet… and then dive down further.
  29. Paul: Look at subnets with many requests, identify the corresponding ASN and country, total overall requests and total unique name server requests.
  30. Paul: BDS limits us to the IP of the requesting recursive servers. But, with the use of a recursive server appliance that captures the IPs of the original requests, we can identify the bots themselves!
  31. Paul: So BDS gets us as far as the requesting recursives. A recursive server appliance may help to identify the actual bots. To be very effective, we would need to identify the C&C servers themselves so that we can cut the bots off from their master. We can definitely use BDS on YXD data. In addition to challenges due to resolver caching, the C&C servers often change their IP address to avoid detection.
  32. Paul: Block DNS resolution of these at the EDGE and Electra sites. Suspend registration so domains appear out of zone.
  33. PAUL
  34. Scott reads: For the radio astronomers, the breakthrough was the result of a casual conversation with an outsider. Penzias had been referred by a colleague to Robert Dicke, a Princeton scientist whose training had been not in astrophysics but nuclear physics. He was best known for his work on radar systems during World War II. Dicke had since become interested in applying his radar technology to astronomy; he was especially drawn to a then-strange theory called the big bang, which postulated that the cosmos had started with a primordial explosion. Such a blast would have been so massive, Dicke argued, that it would have littered the entire universe with cosmic shrapnel, the radioactive residue of genesis. (This proposal was first made in 1948 by physicists George Gamow, Ralph Alpher, and Robert Herman, although it had been largely forgotten by the astronomical community.) The problem for Dicke was that he couldn’t find this residue using standard telescopes, so he was planning to build his own dish less than an hour’s drive south of the Bell Labs one. Then, in early 1965, Penzias picked up the phone and called Dicke. He wanted to know if the renowned radar and radio telescope expert could help explain the persistent noise bedeviling them. Perhaps he knew where it was coming from? Dicke’s reaction was instantaneous: “Boys, we’ve been scooped!” he said. Someone else had found what he’d been searching for: the radiation left over from the beginning of the universe. It had been an incredibly frustrating process for Penzias and Wilson. They’d been consumed by the technical problem and had spent way too much time cleaning up pigeon shit — but they had finally found an explanation for the static. Their failure was the answer to a different question. And all that frustration paid off: In 1978, they received the Nobel Prize for physics.
  35. Scott: If you have data, we have shown you the value of looking at your data, particularly at the “noise” in your data, in a new way. If you are a “Keeper” at heart, we have given you encouragement for how to reimagine and reuse some of your data. If you are more inclined to throw things out, maybe, just maybe, you will take another look at what data you are throwing away and find some additional value within it. At the very least, you now know that by identifying what your “noise” means, you can more effectively throw it away. Take Questions on this slide.