©2016 CyberSyndicates
FINDING EVIL IN DNS TRAFFIC
WHO AM I?
Keelyn Roberts
BACKGROUND:
- 10 years in cybersecurity and IT security
RECENT PROJECTS:
- Created Mercenary-Linux (Daniel West, PM)
- Created the Mercenary Hunt Framework (MHF) (Daniel West, PM)
How to find me:
- @real_slacker007
- Github.com/slacker007
- HuntTools.org
- CyberSyndicates.com
AGENDA
Motivation
Brief DNS Overview
Types of Malware
Malware IOC’s
Detection Methods
Key Takeaways
Questions
WHY DNS?
OVERVIEW
Resolution of www.hunttools.org as drawn on the slide (User -> Local Recursive Server -> Root -> .org TLD -> Authoritative):
1. The user browses to www.hunttools.org.
2. The recursive server checks its cache, then reaches out to the root servers.
3. The root server tells the recursive server to ask the .org TLD server.
4. The .org TLD server tells the recursive server to ask the authoritative server for hunttools.org.
5. The authoritative server tells the recursive server the IP address for www.hunttools.org, and the recursive server provides the answer to the user.
Info provided by “DNS Security” 2016 Elsevier Inc.
DNS VULNERABILITIES
INFRASTRUCTURE / PROTOCOL
- Buffer Overflows
- Race Conditions
- Misconfigurations
- Zone Transfers
- Anycasting
- Recursion
- Caching
INFRASTRUCTURE
OS (Windows, Unix, BSD, Linux)
- DNS software (Microsoft DNS, BIND)
  - Buffer overflows (CVE-2015-6125, CVE-2008-0122)
  - Race conditions (CVE-2015-8461)
  - Misconfigured permissions
- Other nested services (FTP, SMB/CIFS)
“DNS Security” 2016 Elsevier Inc.
PROTOCOL VULNERABILITIES
“DNS Security” 2016 Elsevier Inc.
Attack class         Examples
DNS Cache Poisoning  Bolware, Dridex
DNS Spoofing         Win32.QHOST (modern variants), DNSChanger (old & new)
Data Exfil Channel   DNS Beacons
C & C                DNSTrojan, DNS Beacons
Staging              DNS Beacons
DDoS Attacks         Low Orbit Ion Cannon (LOIC)
CACHE POISONING
“DNS Security” 2016 Elsevier Inc.
Recursive Servers
- Delay Fast Packets (DFP)
  - Bailiwick rule
  - Birthday paradox
  - SPEED
  - QUANTITY
  - ANOMALY
Local DNS Cache
- OS-maintained local cache
- Web browser cache
  - Boleware (Brazil 2015)
  - Dridex (United Kingdom)
  - DNS-Changer (US 2016)
CACHE POISONING
“DNS Security” 2016 Elsevier Inc.
00:22:50.599361 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 317)
192.168.1.254.53 > 192.168.1.85 16020: [udp sum ok] 52318 q: A? csi.gstatic.com. 16/0/0
csi.gstatic.com. [3m26s] A 216.58.217.227, csi.gstatic.com. [3m26s] A 216.58.193.131,
csi.gstatic.com. [3m26s] A 216.58.212.227, csi.gstatic.com. [3m26s] A 216.58.218.3,
csi.gstatic.com. [3m26s] A 216.58.201.195, csi.gstatic.com. [3m26s] A 172.217.1.131,
csi.gstatic.com. [3m26s] A 216.58.209.99, csi.gstatic.com. [3m26s] A 216.58.212.131,
csi.gstatic.com. [3m26s] A 172.217.17.227, csi.gstatic.com. [3m26s] A 216.58.212.195,
csi.gstatic.com. [3m26s] A 172.217.18.131, csi.gstatic.com. [3m26s] A 216.58.212.163,
csi.gstatic.com. [3m26s] A 216.58.209.131, csi.gstatic.com. [3m26s] A 172.217.22.163 (289)
TRACKING DNS COMMUNICATIONS
Fields highlighted on the slide: IP SRC, PORT, TRANS ID
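The slide marks three fields in the tcpdump output: the IP source, the source port and the transaction ID. A resolver only accepts a response whose destination port and transaction ID match a query it has outstanding, so a poisoning attempt shows up as responses that match nothing, arriving fast and in quantity (the SPEED and QUANTITY indicators from the previous slide), usually from a sender that is not the expected resolver. The Python below is an added example, not code from the talk or from DNSHunter: it matches tcpdump-style lines to outstanding queries and reports unsolicited responses. The lines it parses are constructed; the resolver address 192.168.1.254 and the 10.9.9.9 sender are invented.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style DNS lines modelled on the slide's output (not real traffic).
# Lines with "A?" are queries from the client to its resolver 192.168.1.254; the rest
# are responses. The three responses from 10.9.9.9 carry transaction IDs that match no
# outstanding query, which is the forged-response pattern a poisoning attempt produces.
SAMPLE_LINES = """\
00:22:50.598001 IP 192.168.1.85.16020 > 192.168.1.254.53: 52318+ A? csi.gstatic.com. (33)
00:22:50.599361 IP 192.168.1.254.53 > 192.168.1.85.16020: 52318 1/0/0 A 216.58.217.227 (49)
00:22:51.100000 IP 192.168.1.85.40112 > 192.168.1.254.53: 17001+ A? www.hunttools.org. (35)
00:22:51.100200 IP 10.9.9.9.53 > 192.168.1.85.40112: 17000 1/0/0 A 203.0.113.5 (51)
00:22:51.100300 IP 10.9.9.9.53 > 192.168.1.85.40112: 17002 1/0/0 A 203.0.113.5 (51)
00:22:51.100400 IP 10.9.9.9.53 > 192.168.1.85.40112: 17003 1/0/0 A 203.0.113.5 (51)
00:22:51.101000 IP 192.168.1.254.53 > 192.168.1.85.40112: 17001 1/0/0 A 198.51.100.7 (51)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)\+? (?P<rest>.*)$"
)


def parse_line(line):
    """Return timestamp (seconds), addresses, ports, txid and a query flag, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    return {
        "t": int(h) * 3600 + int(mi) * 60 + float(s),
        "sip": m["sip"], "sport": int(m["sport"]),
        "dip": m["dip"], "dport": int(m["dport"]),
        "txid": int(m["txid"]),
        "is_query": "?" in m["rest"],   # "A? name." marks a question section
    }


def track_dns(lines, resolvers, burst_n=3, burst_window=1.0):
    """Match each response to an outstanding query by (client IP, client port, txid).

    A response that matches nothing is unsolicited. Several unsolicited responses
    hitting one client port inside a short window is the SPEED/QUANTITY anomaly;
    a sender outside the expected resolver set is the spoofed-source indicator.
    """
    outstanding = {}                   # (client ip, port, txid) -> query time
    unsolicited = defaultdict(list)    # (client ip, port) -> [(t, sender, txid)]
    matched = 0
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["is_query"]:
            outstanding[(p["sip"], p["sport"], p["txid"])] = p["t"]
            continue
        key = (p["dip"], p["dport"], p["txid"])
        if key in outstanding:
            outstanding.pop(key)
            matched += 1
        else:
            unsolicited[(p["dip"], p["dport"])].append((p["t"], p["sip"], p["txid"]))

    alerts = []
    for (cip, cport), hits in unsolicited.items():
        times = [t for t, _, _ in hits]
        senders = {s for _, s, _ in hits}
        burst = len(hits) >= burst_n and (times[-1] - times[0]) <= burst_window
        alerts.append({
            "client": f"{cip}:{cport}",
            "unsolicited": len(hits),
            "burst": burst,
            "unexpected_senders": sorted(senders - set(resolvers)),
        })
    return {"matched": matched, "alerts": alerts}


if __name__ == "__main__":
    print(track_dns(SAMPLE_LINES.splitlines(), resolvers={"192.168.1.254"}))
```

On the constructed input the two legitimate exchanges match, and the client port 40112 gets three unsolicited responses inside a millisecond from a sender that is not the configured resolver; in a real deployment the same bookkeeping is what the "birthday paradox" defence hinges on, since every unmatched response costs the attacker one guess at the 16-bit transaction ID.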
DNS AMPLIFICATION
- Spoofed source address
- Open DNS servers
- TTL
- ANY (*)
- Quantity
  - nodes
  - volume of queries
  - queries vs. responses
ip=77.92.48.67 ; domain=bryaiqfvenakbsr.www.hunttools.org; count=1 ; qtype=A ; ttl=234
ip=77.92.48.67 ; domain=izeuvqnkcooofqx.www.hunttools.org ; count=1 ; qtype=A ; ttl=247
INDICATORS
DNS AMPLIFICATION
05:45:38.621599 IP (tos 0x0, ttl 64, id 56784, offset 0, flags [none], proto UDP (17), length 64)
10.0.49.16.45522 > 84.200.69.80.53: 27427+ [1au] ANY? ietf.org. ar: . OPT UDPsize=4096 (36)
0x0000: 0004 0001 0006 000c 2917 04df 300f 0800 ........)...0...
0x0010: 4500 0040 ddd0 0000 4011 51bd 0a00 3110 E..@....@.Q...1.
0x0020: 0808 0808 b1d2 0035 002c 4b5d 6b23 0120 .......5.,K]k#..
0x0030: 0001 0000 0000 0001 0369 7363 036f 7267 .........ietf.org
0x0040: 0000 ff00 0100 0029 1000 0000 0000 0000 .......)........
QUERY
DNS AMPLIFICATION
global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5147 ;; flags: qr rd ra; QUERY: 1, ANSWER: 27, AUTHORITY: 4, ADDITIONAL: 5 ;; QUESTION SECTION: ;isc.org. IN ANY ;; ANSWER
SECTION: isc.org. 4084 IN SOA ns-int.isc.org. hostmaster.isc.org. 2012102700 7200 3600 24796800 3600 isc.org. 4084 IN A 149.20.64.42 isc.org. 4084 IN MX 10 mx.pao1.isc.org. isc.org. 4084 IN MX 10 mx.ams1.isc.org. isc.org. 4084 IN TXT
"v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all" isc.org. 4084 IN TXT "$Id: isc.org,v 1.1724 2012-10-23 00:36:09 bind Exp $" isc.org. 4084 IN AAAA 2001:4f8:0:2::d isc.org. 4084 IN NAPTR
20 0 "S" "SIP+D2U" "" _sip._udp.isc.org. isc.org. 484 IN NSEC _kerberos.isc.org. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY SPF isc.org. 4084 IN DNSKEY 256 3 5
BQEAAAAB2F1v2HWzCCE9vNsKfk0K8vd4EBwizNT9KO6WYXj0oxEL4eOJ aXbax/BzPFx+3qO8B8pu8E/JjkWH0oaYz4guUyTVmT5Eelg44Vb1kssy q8W27oQ+9qNiP8Jv6zdOj0uCB/N0fxfVL3371xbednFqoECfSFDZa6Hw jU1qzveSsW0=
isc.org. 4084 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+
u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL
KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd isc.org. 4084 IN SPF "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all" isc.org. 484 IN RRSIG NS 5
2 7200 20121125230752 20121026230752 4442 isc.org. oFeNy69Pn+/JnnltGPUZQnYzo1YGglMhS/SZKnlgyMbz+tT2r/2v+X1j AkUl9GRW9JAZU+x0oEj5oNAkRiQqK+D6DC+PGdM2/JHa0X41LnMIE2NX
UHDAKMmbqk529fUy3MvA/ZwR9FXurcfYQ5fnpEEaawNS0bKxomw48dcp Aco= isc.org. 484 IN RRSIG SOA 5 2 7200 20121125230752 20121026230752 4442 isc.org. S+DLHzE/8WQbnSl70geMYoKvGlIuKARVlxmssce+MX6DO/J1xdK9xGac
XCuAhRpTMKElKq2dIhKp8vnS2e+JTZLrGl4q/bnrrmhQ9eBS7IFmrQ6s 0cKEEyuijumOPlKCCN9QX7ds4siiTIrEOGhCaamEgRJqVxqCsg1dBUrR hKk= isc.org. 484 IN RRSIG MX 5 2 7200 20121125230752 20121026230752 4442 isc.org.
VFqFWRPyulIT8VsIdXKMpMRJTYpdggoGgOjKJzKJs/6ZrxmbJtmAxgEu /rkwD6Q9JwsUCepNC74EYxzXFvDaNnKp/Qdmt2139h/xoZsw0JVA4Z+b zNQ3kNiDjdV6zl6ELtCVDqj3SiWDZhYB/CR9pNno1FAF2joIjYSwiwbS Lcw= isc.org. 484 IN
RRSIG TXT 5 2 7200 20121125230752 20121026230752 4442 isc.org. Ojj8YCZf3jYL9eO8w4Tl9HjWKP3CKXQRFed8s9xeh5TR3KI3tQTKsSeI JRQaCXkADiRwHt0j7VaJ3xUHa5LCkzetcVgJNPmhovVa1w87Hz4DU6q9
k9bbshvbYtxOF8xny/FCiR5c6NVeLmvvu4xeOqSwIpoo2zvIEfFP9deR UhA= isc.org. 484 IN RRSIG AAAA 5 2 7200 20121125230752 20121026230752 4442 isc.org. hutAcro0NBMvKU/m+2lF8sgIYyIVWORTp/utIn8KsF1WOwwM2QMGa5C9
/rH/ZQBQgN46ZMmiEm4LxH6mtaKxMsBGZwgzUEdfsvVtr+fS5NUoA1rF wg92eBbInNdCvT0if8m1Sldx5/hSqKn8EAscKfg5BMQp5YDFsllsTauA 8Y4= isc.org. 484 IN RRSIG NAPTR 5 2 7200 20121125230752 20121026230752 4442 isc.org.
ZD14qEHR7jVXn5uJUn6XR9Lvt5Pa7YTEW94hNAn9Lm3Tlnkg11AeZiOU 3woQ1pg+esCQepKCiBlplPLcag3LHlQ19OdACrHGUzzM+rnHY50Rn/H4 XQTqUWHBF2Cs0CvfqRxLvAl5AY6P2bb/iUQ6hV8Go0OFvmMEkJOnxPPw 5i4= isc.org.
484 IN RRSIG NSEC 5 2 3600 20121125230752 20121026230752 4442 isc.org. rY1hqZAryM045vv3bMY0wgJhxHJQofkXLeRLk20LaU1mVTyu7uair7jb MwDVCVhxF7gfRdgu8x7LPSvJKUl6sn731Y80CnGwszXBp6tVpgw6oOcr
Pi0rsnzC6lIarXLwNBFmLZg2Aza6SSirzOPObnmK6PLQCdmaVAPrVJQs FHY= isc.org. 484 IN RRSIG DNSKEY 5 2 7200 20121125230126 20121026230126 4442 isc.org.
i0S2MFqvHB3wOhv2IPozE/IQABM/eDDCV2D7dJ3AuOwi1A3sbYQ29XUd BK82+mxxsET2U6hv64crpbGTNJP3OsMxNOAFA0QYphoMnt0jg3OYg+AC L2j92kx8ZdEhxKiE6pm+cFVBHLLLmXGKLDaVnffLv1GQIl5YrIyy4jiw h0A= isc.org.
484 IN RRSIG DNSKEY 5 2 7200 20121125230126 20121026230126 12892 isc.org. j1kgWw+wFFw01E2z2kXq+biTG1rrnG1XoP17pIOToZHElgpy7F6kEgyj fN6e2C+gvXxOAABQ+qr76o+P+ZUHrLUEI0ewtC3v4HziMEl0Z2/NE0MH
qAEdmEemezKn9O1EAOC7gZ4nU5psmuYlqxcCkUDbW0qhLd+u/8+d6L1S nlrD/vEi4R1SLl2bD5VBtaxczOz+2BEQLveUt/UusS1qhYcFjdCYbHqF JGQziTJv9ssbEDHT7COc05gG+A1Av5tNN5ag7QHWa0VE+Ux0nH7JUy0N
ch1kVecPbXJVHRF97CEH5wCDEgcFKAyyhaXXh02fqBGfON8R5mIcgO/F DRdXjA== isc.org. 484 IN RRSIG SPF 5 2 7200 20121125230752 20121026230752 4442 isc.org.
IB/bo9HPjr6aZqPRkzf9bXyK8TpBFj3HNQloqhrguMSBfcMfmJqHxKyD ZoLKZkQk9kPeztau6hj2YnyBoTd0zIVJ5fVSqJPuNqxwm2h9HMs140r3 9HmbnkO7Fe+Lu5AD0s6+E9qayi3wOOwunBgUkkFsC8BjiiGrRKcY8GhC kak= isc.org. 484 IN
RRSIG A 5 2 7200 20121125230752 20121026230752 4442 isc.org. ViS+qg95DibkkZ5kbL8vCBpRUqI2/M9UwthPVCXl8ciglLftiMC9WUzq Ul3FBbri5CKD/YNXqyvjxyvmZfkQLDUmffjDB+ZGqBxSpG8j1fDwK6n1
hWbKf7QSe4LuJZyEgXFEkP16CmVyZCTITUh2TNDmRgsoxrvrOqOePWhp 8+E= isc.org. 4084 IN NS ns.isc.afilias-nst.info. isc.org. 4084 IN NS ams.sns-pb.isc.org. isc.org. 4084 IN NS ord.sns-pb.isc.org. isc.org. 4084 IN NS sfba.sns-pb.isc.org. ;;
AUTHORITY SECTION: isc.org. 4084 IN NS ns.isc.afilias-nst.info. isc.org. 4084 IN NS ams.sns-pb.isc.org. isc.org. 4084 IN NS ord.sns-pb.isc.org. isc.org. 4084 IN NS sfba.sns-pb.isc.org. ;; ADDITIONAL SECTION: mx.ams1.isc.org. 484 IN A
199.6.1.65 mx.ams1.isc.org. 484 IN AAAA 2001:500:60::65 mx.pao1.isc.org. 484 IN A 149.20.64.53 mx.pao1.isc.org. 484 IN AAAA 2001:4f8:0:2::2b _sip._udp.isc.org. 4084 IN SRV 0 1 5060 asterisk.isc.org. ;; Query time: 176 msec ;;SERVER:
x.x.x.x#53(x.x.x.x) ;; WHEN: Tue Oct 30 01:14:32 2012 ;; MSG SIZE rcvd: 3223
RESPONSE
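The two slides above show the whole reflection pair: a 36-byte ANY query for a DNSSEC-signed zone, sent with EDNS UDPsize=4096, and the 3223-byte answer it draws, so one spoofed packet pulls roughly ninety times its own size toward the victim. The script below is an added example, not code from the talk or from DNSHunter, that scores query sources on the INDICATORS slide's criteria: ANY-heavy query mixes, response bytes per query byte (the amplification factor) and one-off pseudo-random subdomains like the hunttools.org lines. Its records are constructed in the slide's key=value style; the dir and bytes fields are assumptions that the slide's lines do not carry.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed records in the key=value style of the slide's log lines. The "dir"
# (q = query received, r = response sent) and "bytes" (DNS payload size) fields are
# assumptions added for this example; the slide's lines carry only ip, domain,
# count, qtype and ttl. The 36-byte ANY query and 3223-byte answer mirror the
# sizes on the QUERY and RESPONSE slides; all addresses are invented.
SAMPLE_LOG = """\
ip=77.92.48.67 ; domain=bryaiqfvenakbsr.www.hunttools.org ; count=1 ; qtype=A ; ttl=234 ; dir=q ; bytes=45
ip=77.92.48.67 ; domain=izeuvqnkcooofqx.www.hunttools.org ; count=1 ; qtype=A ; ttl=247 ; dir=q ; bytes=45
ip=77.92.48.67 ; domain=qmzpwlxkdhvytrb.www.hunttools.org ; count=1 ; qtype=A ; ttl=251 ; dir=q ; bytes=45
ip=77.92.48.67 ; domain=www.hunttools.org ; count=1 ; qtype=A ; ttl=247 ; dir=r ; bytes=61
ip=203.0.113.9 ; domain=isc.org ; count=1 ; qtype=ANY ; ttl=4084 ; dir=q ; bytes=36
ip=203.0.113.9 ; domain=isc.org ; count=1 ; qtype=ANY ; ttl=4084 ; dir=r ; bytes=3223
ip=203.0.113.9 ; domain=isc.org ; count=1 ; qtype=ANY ; ttl=4084 ; dir=q ; bytes=36
ip=203.0.113.9 ; domain=isc.org ; count=1 ; qtype=ANY ; ttl=4084 ; dir=r ; bytes=3223
ip=192.168.1.85 ; domain=csi.gstatic.com ; count=1 ; qtype=A ; ttl=206 ; dir=q ; bytes=33
ip=192.168.1.85 ; domain=csi.gstatic.com ; count=1 ; qtype=A ; ttl=206 ; dir=r ; bytes=289
"""

KV_RE = re.compile(r"(\w+)=([^;]+)")


def parse_record(line):
    """Split one 'key=value ; key=value' line into a dict of stripped values."""
    rec = {k: v.strip() for k, v in KV_RE.findall(line)}
    return rec if "ip" in rec and "domain" in rec and "qtype" in rec else None


def label_entropy(label):
    """Shannon entropy in bits per character; pseudo-random labels score high."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def amplification_indicators(lines, any_threshold=0.5, amp_threshold=10.0,
                             entropy_threshold=3.0, random_min=3):
    """Score each query source: ANY fraction, response bytes per query byte
    (amplification factor) and one-off pseudo-random labels under one parent."""
    per_src = defaultdict(lambda: {"queries": 0, "responses": 0, "any_queries": 0,
                                   "q_bytes": 0, "r_bytes": 0, "random_labels": set()})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        st = per_src[rec["ip"]]
        size = int(rec.get("bytes", 0))
        if rec.get("dir", "q") == "q":
            st["queries"] += 1
            st["q_bytes"] += size
            if rec["qtype"].upper() in ("ANY", "*"):
                st["any_queries"] += 1
            first, _, parent = rec["domain"].partition(".")
            if int(rec.get("count", 1)) == 1 and label_entropy(first) >= entropy_threshold:
                st["random_labels"].add((parent, first))
        else:
            st["responses"] += 1
            st["r_bytes"] += size

    report = {}
    for ip, st in per_src.items():
        amp = st["r_bytes"] / st["q_bytes"] if st["q_bytes"] else 0.0
        any_frac = st["any_queries"] / st["queries"] if st["queries"] else 0.0
        reasons = []
        if any_frac >= any_threshold:
            reasons.append("ANY-heavy")
        if amp >= amp_threshold:
            reasons.append("high amplification")
        if len(st["random_labels"]) >= random_min:
            reasons.append("pseudo-random subdomains")
        report[ip] = {"queries": st["queries"], "responses": st["responses"],
                      "any_fraction": round(any_frac, 2), "amplification": round(amp, 1),
                      "random_labels": len(st["random_labels"]), "reasons": reasons}
    return report


if __name__ == "__main__":
    for ip, summary in amplification_indicators(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The ordinary csi.gstatic.com lookup from the cache-poisoning slide (33-byte query, 289-byte answer) lands under the 10x threshold, the ANY source scores both the ANY and amplification reasons, and the hunttools.org source is flagged only for its run of single-use high-entropy labels, which is the pattern the "count=1" lines on the slide illustrate.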
DNS BEACONS
- DNS Beacon (Cobalt Strike)
- DNSTrojan
- RAT
- C2 || Exfil
- Staged vs. Inline
- Last Resort
- Stealthy
- Throttle / Jitter
- IOC’s
  - Incremental changes
  - Size of packet (UDP vs. TCP)
  - # of packets sent
  - # of queries vs. responses
  - Sequentially numbered subdomains
  - Key info
DNS BEACONS: KEY ATTRIBUTES
DNS BEACONS: WHERE & WHY
DNS BEACONS: LEGITIMATE
cfc7b9dff5ce62a12e31457d974e5618.malware.hash.cymru.com.
cfc7b9dff5ce62a12e31457d974e5618.malware.hash.cymru.com.
Security Onion (IDS)
4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com
4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com
McAfee (Global Threat Intelligence)
DNS BEACONS
8.8.8.8 TXT aaa.stage.4777649.dns.jeffjumpsinthelake.xyz
8.8.8.8 TXT aab.stage.4777649.dns.jeffjumpsinthelake.xyz
8.8.8.8 TXT aac.stage.4777649.dns.jeffjumpsinthelake.xyz
192.168.1.90 TXT 255 PPPPPPIJIFJEPNPPPPIJIFKIPNPPPPIJIFMMPNPPPPIJIFNAPNPPPPIJIFPAPNPPPPIJIFMIJAAAAIDINPAPJCEA
PNPPPPOJHEAJAAAAAPLOMCIDOICAHEEIIDOIADHEDECLMGHECEEIEIHEBEIDOIADAPIFFGAJAAAAA
JLFPAPNPPPPOJELAJAAAAIDINPAPNPPPPAEOJDPAJAAAAIDINPAPNPPPPABOJDDAJAAAAIBINPAPNPPP
PIAAAAAAAOJ
192.168.1.90 TXT 255 PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPDOPPPPPPDPDEDFDGD
HDIDJDKDLDMDNPPPPPPPOPPPPPPAAABACADAEAFAGAHAIAJAKALAMANAOAPBABBBCB
DBEBFBGBHBIBJPPPPPPPPPPPPBKBLBMBNBOBPCACBCCCDCECFCGCHCICJCKCLCMCNCOC
PDADBDCDDPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
Staging via DNS TXT (MALICIOUS)
DNS BEACONS
12645.dns.jeffjumpsinthelake.xyz
12645.dns.jeffjumpsinthelake.xyz
12645.dns.jeffjumpsinthelake.xyz 0.0.0.0
12645.dns.jeffjumpsinthelake.xyz 139.59.10.212
C2 via DNS TXT (MALICIOUS)
DNS BEACONS
C2 via DNS A (MALICIOUS)
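The previous slides show the beacon patterns DNSHunter is built to catch: sequentially numbered subdomains (aaa, aab, aac) pulling staging data down in TXT answers, one fixed name queried over and over for C2 over TXT, and an A-record channel whose answer flips between 0.0.0.0 and 139.59.10.212. The script below is an added example written for this page, not DNSHunter itself. It groups a resolver log by client and zone, scores each group on those indicators plus the throttle/jitter one (repeat intervals with a low coefficient of variation) and sets aside the hash-lookup services from the LEGITIMATE slide, whose high-entropy first labels would otherwise look like beacon traffic. The log layout, timestamps, client addresses and the answers on the legitimate lines are assumptions; the names, TXT fragments and the two A answers are copied from the slides.

```python
import statistics
from collections import defaultdict

# Constructed resolver log in an assumed "ts client resolver qtype qname answer" layout.
# Names, TXT fragments and the 0.0.0.0 / 139.59.10.212 answers follow the slides;
# timestamps, client addresses and the answers on the last three lines are invented.
SAMPLE_LOG = """\
1000 192.168.1.90 8.8.8.8 TXT aaa.stage.4777649.dns.jeffjumpsinthelake.xyz PPPPPPIJIFJEPNPPPPIJIFKIPNPPPPIJIFMMPNPPPPIJIFNAPNPPPP
1001 192.168.1.90 8.8.8.8 TXT aab.stage.4777649.dns.jeffjumpsinthelake.xyz PNPPPPOJHEAJAAAAAPLOMCIDOICAHEEIIDOIADHEDECLMGHECEEIEI
1002 192.168.1.90 8.8.8.8 TXT aac.stage.4777649.dns.jeffjumpsinthelake.xyz JLFPAPNPPPPOJELAJAAAAIDINPAPNPPPPAEOJDPAJAAAAIDINPAPNP
1060 192.168.1.90 8.8.8.8 A 12645.dns.jeffjumpsinthelake.xyz 0.0.0.0
1121 192.168.1.90 8.8.8.8 A 12645.dns.jeffjumpsinthelake.xyz 0.0.0.0
1179 192.168.1.90 8.8.8.8 A 12645.dns.jeffjumpsinthelake.xyz 139.59.10.212
1240 192.168.1.90 8.8.8.8 A 12645.dns.jeffjumpsinthelake.xyz 0.0.0.0
1005 192.168.1.20 192.168.1.254 A cfc7b9dff5ce62a12e31457d974e5618.malware.hash.cymru.com 127.0.0.2
1006 192.168.1.20 192.168.1.254 A 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com 127.0.0.1
1007 192.168.1.20 192.168.1.254 A www.hunttools.org 198.51.100.7
"""

# Lookup services from the LEGITIMATE slide: random-looking first labels are expected here.
KNOWN_LOOKUP_SUFFIXES = (".malware.hash.cymru.com", ".avqs.mcafee.com", ".avts.mcafee.com")


def label_value(label):
    """Integer for a label so that sequential labels differ by one (aaa, aab ... or 1, 2 ...)."""
    if label.isdigit():
        return int(label)
    if label.isalpha() and label.islower():
        value = 0
        for ch in label:
            value = value * 26 + (ord(ch) - ord("a"))
        return value
    return None


def longest_increment_run(labels):
    """Length of the longest run of consecutive labels whose values step up by exactly one."""
    best = run = 0
    prev = None
    for lab in labels:
        v = label_value(lab)
        run = run + 1 if (v is not None and prev is not None and v - prev == 1) else 0
        best = max(best, run)
        prev = v
    return best


def interval_cv(times):
    """Coefficient of variation of inter-arrival gaps; small means a regular, jittered beacon."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else None


def detect_beacons(lines, seq_min=2, txt_min_chars=100, cv_max=0.3):
    """Group queries by (client, zone) and list the beacon indicators each group shows."""
    groups = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _resolver, qtype, qname = parts[:5]
        answer = parts[5] if len(parts) > 5 else ""
        apex = ".".join(qname.split(".")[-2:])   # crude zone cut, no public-suffix list (assumption)
        groups[(client, apex)].append((int(ts), qtype, qname, answer))

    report = {}
    for (client, apex), recs in groups.items():
        recs.sort()
        key = f"{client} {apex}"
        if any(q.endswith(KNOWN_LOOKUP_SUFFIXES) for _, _, q, _ in recs):
            report[key] = {"queries": len(recs), "reasons": ["known lookup service"]}
            continue
        reasons = []
        labels = list(dict.fromkeys(q.split(".")[0] for _, _, q, _ in recs))  # first seen order
        if longest_increment_run(labels) >= seq_min:
            reasons.append("sequentially numbered subdomains")
        if sum(len(a) for _, t, _, a in recs if t == "TXT") >= txt_min_chars:
            reasons.append("bulky TXT answers (staging)")
        by_name = defaultdict(list)
        for ts, t, q, a in recs:
            by_name[q].append((ts, t, a))
        for hits in by_name.values():
            cv = interval_cv([h[0] for h in hits])
            if cv is not None and cv <= cv_max:
                reasons.append("regular repeat interval (beacon)")
            answers = {a for _, t, a in hits if t == "A"}
            if "0.0.0.0" in answers and len(answers) > 1:
                reasons.append("A answer flips between 0.0.0.0 and a routable address")
        report[key] = {"queries": len(recs), "reasons": reasons}
    return report


if __name__ == "__main__":
    for key, summary in detect_beacons(SAMPLE_LOG.splitlines()).items():
        print(key, summary)
```

The 192.168.1.90 group collects all four reasons, the two hash-lookup groups are reported as known services rather than scored, and the plain www.hunttools.org lookup is clean; the per-name interval check is deliberately tolerant of jitter (a coefficient of variation up to 0.3) because a beacon that sleeps 60 seconds plus or minus a few is still a beacon.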
DNS BEACONS: DETECTING BEACONS USING DNSHUNTER
DEMOS
- DNS A records with DNSHunter
- Visualizing DNS traffic with VDNS
- Analyzing DNS records with DNSHunter
MAJOR TAKEAWAYS
- Understand YOUR DNS traffic
- Perform ACTIVE monitoring of your DNS traffic
- Conduct regular penetration testing!!!!!
SOURCES
- https://www.isc.org/community/rfcs/dns/ (lists all DNS RFCs by title)
- “DNS Security”, Allan Liska & Geoffrey Stowe (Elsevier, 2016)
- http://secdev.org/projects/scapy/doc/usage/html (Scapy examples)
- http://www.dcwg.org/ (DNS-Changer)
- http://blog.trendmicro.com/trendlabs-security-intelligence/dns-changer-malware-sets-sights-on-home-routers/ (DNS-Changer)
- RFC 1034, RFC 1035 (DNS)
- RFC 3833 (DNS threat analysis)
- RFC 5358 (preventing use of recursive nameservers in reflector attacks)
- RFC 6672 (name redirectors)

More Related Content

What's hot

Metasploit framework in Network Security
Metasploit framework in Network SecurityMetasploit framework in Network Security
Metasploit framework in Network SecurityAshok Reddy Medikonda
 
More mastering the art of indexing
More mastering the art of indexingMore mastering the art of indexing
More mastering the art of indexingYoshinori Matsunobu
 
micro-ROS: bringing ROS 2 to MCUs
micro-ROS: bringing ROS 2 to MCUsmicro-ROS: bringing ROS 2 to MCUs
micro-ROS: bringing ROS 2 to MCUseProsima
 
Linux Kernel MMC Storage driver Overview
Linux Kernel MMC Storage driver OverviewLinux Kernel MMC Storage driver Overview
Linux Kernel MMC Storage driver OverviewRajKumar Rampelli
 
Advanced format for hard disk drives
Advanced format for hard disk drivesAdvanced format for hard disk drives
Advanced format for hard disk drivesIDEMA_USA
 
Minio Cloud Storage
Minio Cloud StorageMinio Cloud Storage
Minio Cloud StorageMinio
 
Linux Memory Management with CMA (Contiguous Memory Allocator)
Linux Memory Management with CMA (Contiguous Memory Allocator)Linux Memory Management with CMA (Contiguous Memory Allocator)
Linux Memory Management with CMA (Contiguous Memory Allocator)Pankaj Suryawanshi
 
2022 COSCUP - Let's speed up your PostgreSQL services!.pptx
2022 COSCUP - Let's speed up your PostgreSQL services!.pptx2022 COSCUP - Let's speed up your PostgreSQL services!.pptx
2022 COSCUP - Let's speed up your PostgreSQL services!.pptxJosé Lin
 
Floppy Disk Presentation
Floppy Disk PresentationFloppy Disk Presentation
Floppy Disk PresentationEbony Nelson
 
Q4.11: Using GCC Auto-Vectorizer
Q4.11: Using GCC Auto-VectorizerQ4.11: Using GCC Auto-Vectorizer
Q4.11: Using GCC Auto-VectorizerLinaro
 
Autovacuum, explained for engineers, new improved version PGConf.eu 2015 Vienna
Autovacuum, explained for engineers, new improved version PGConf.eu 2015 ViennaAutovacuum, explained for engineers, new improved version PGConf.eu 2015 Vienna
Autovacuum, explained for engineers, new improved version PGConf.eu 2015 ViennaPostgreSQL-Consulting
 
Innodb에서의 Purge 메커니즘 deep internal (by 이근오)
Innodb에서의 Purge 메커니즘 deep internal (by  이근오)Innodb에서의 Purge 메커니즘 deep internal (by  이근오)
Innodb에서의 Purge 메커니즘 deep internal (by 이근오)I Goo Lee.
 
YOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceYOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceBrendan Gregg
 
LISA2019 Linux Systems Performance
LISA2019 Linux Systems PerformanceLISA2019 Linux Systems Performance
LISA2019 Linux Systems PerformanceBrendan Gregg
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolveAngel Boy
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & InconsistencyGreenD0g
 

What's hot (20)

Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Metasploit framework in Network Security
Metasploit framework in Network SecurityMetasploit framework in Network Security
Metasploit framework in Network Security
 
More mastering the art of indexing
More mastering the art of indexingMore mastering the art of indexing
More mastering the art of indexing
 
micro-ROS: bringing ROS 2 to MCUs
micro-ROS: bringing ROS 2 to MCUsmicro-ROS: bringing ROS 2 to MCUs
micro-ROS: bringing ROS 2 to MCUs
 
Linux Kernel MMC Storage driver Overview
Linux Kernel MMC Storage driver OverviewLinux Kernel MMC Storage driver Overview
Linux Kernel MMC Storage driver Overview
 
Uefi and bios
Uefi and biosUefi and bios
Uefi and bios
 
Linux dma engine
Linux dma engineLinux dma engine
Linux dma engine
 
Advanced format for hard disk drives
Advanced format for hard disk drivesAdvanced format for hard disk drives
Advanced format for hard disk drives
 
Minio Cloud Storage
Minio Cloud StorageMinio Cloud Storage
Minio Cloud Storage
 
Linux Memory Management with CMA (Contiguous Memory Allocator)
Linux Memory Management with CMA (Contiguous Memory Allocator)Linux Memory Management with CMA (Contiguous Memory Allocator)
Linux Memory Management with CMA (Contiguous Memory Allocator)
 
2022 COSCUP - Let's speed up your PostgreSQL services!.pptx
2022 COSCUP - Let's speed up your PostgreSQL services!.pptx2022 COSCUP - Let's speed up your PostgreSQL services!.pptx
2022 COSCUP - Let's speed up your PostgreSQL services!.pptx
 
Floppy Disk Presentation
Floppy Disk PresentationFloppy Disk Presentation
Floppy Disk Presentation
 
Q4.11: Using GCC Auto-Vectorizer
Q4.11: Using GCC Auto-VectorizerQ4.11: Using GCC Auto-Vectorizer
Q4.11: Using GCC Auto-Vectorizer
 
Autovacuum, explained for engineers, new improved version PGConf.eu 2015 Vienna
Autovacuum, explained for engineers, new improved version PGConf.eu 2015 ViennaAutovacuum, explained for engineers, new improved version PGConf.eu 2015 Vienna
Autovacuum, explained for engineers, new improved version PGConf.eu 2015 Vienna
 
Innodb에서의 Purge 메커니즘 deep internal (by 이근오)
Innodb에서의 Purge 메커니즘 deep internal (by  이근오)Innodb에서의 Purge 메커니즘 deep internal (by  이근오)
Innodb에서의 Purge 메커니즘 deep internal (by 이근오)
 
YOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceYOW2020 Linux Systems Performance
YOW2020 Linux Systems Performance
 
LISA2019 Linux Systems Performance
LISA2019 Linux Systems PerformanceLISA2019 Linux Systems Performance
LISA2019 Linux Systems Performance
 
DNSTap Webinar
DNSTap WebinarDNSTap Webinar
DNSTap Webinar
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolve
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & Inconsistency
 

Similar to Finding Evil In DNS Traffic

Deploying DNSSEC at Scale
Deploying DNSSEC at ScaleDeploying DNSSEC at Scale
Deploying DNSSEC at ScaleCaitlin Magat
 
#NSD15 - Attaques DDoS Internet et comment les arrêter
#NSD15 - Attaques DDoS Internet et comment les arrêter#NSD15 - Attaques DDoS Internet et comment les arrêter
#NSD15 - Attaques DDoS Internet et comment les arrêterNetSecure Day
 
.NET Fest 2019. Łukasz Pyrzyk. Daily Performance Fuckups
.NET Fest 2019. Łukasz Pyrzyk. Daily Performance Fuckups.NET Fest 2019. Łukasz Pyrzyk. Daily Performance Fuckups
.NET Fest 2019. Łukasz Pyrzyk. Daily Performance FuckupsNETFest
 
Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015GregMefford
 
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみるK8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみるJUNICHI YOSHISE
 
Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...
Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...
Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...Ontico
 
An implementation of Jan Aerts' LocusTree
An implementation of Jan Aerts' LocusTreeAn implementation of Jan Aerts' LocusTree
An implementation of Jan Aerts' LocusTreePierre Lindenbaum
 
Доклад Антона Поварова "Go in Badoo" с Golang Meetup
Доклад Антона Поварова "Go in Badoo" с Golang MeetupДоклад Антона Поварова "Go in Badoo" с Golang Meetup
Доклад Антона Поварова "Go in Badoo" с Golang MeetupBadoo Development
 
Es werde Licht! Monitoring jenseits von tail und grep
Es werde Licht! Monitoring jenseits von tail und grepEs werde Licht! Monitoring jenseits von tail und grep
Es werde Licht! Monitoring jenseits von tail und grepOliver Fischer
 
Watching And Manipulating Your Network Traffic
Watching And Manipulating Your Network TrafficWatching And Manipulating Your Network Traffic
Watching And Manipulating Your Network TrafficJosiah Ritchie
 
[1C2]webrtc 개발, 현재와 미래
[1C2]webrtc 개발, 현재와 미래[1C2]webrtc 개발, 현재와 미래
[1C2]webrtc 개발, 현재와 미래NAVER D2
 
Code4Lib 2007: MyResearch Portal
Code4Lib 2007: MyResearch PortalCode4Lib 2007: MyResearch Portal
Code4Lib 2007: MyResearch Portaleby
 
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020
Troubleshooting Tips and Tricks for Database 19c   ILOUG Feb 2020Troubleshooting Tips and Tricks for Database 19c   ILOUG Feb 2020
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020Sandesh Rao
 
001 network toi_basics_v1
001 network toi_basics_v1001 network toi_basics_v1
001 network toi_basics_v1Hisao Tsujimura
 
Top-5-production-devconMunich-2023-v2.pptx
Top-5-production-devconMunich-2023-v2.pptxTop-5-production-devconMunich-2023-v2.pptx
Top-5-production-devconMunich-2023-v2.pptxTier1 app
 

Similar to Finding Evil In DNS Traffic (20)

Deploying DNSSEC at Scale
Deploying DNSSEC at ScaleDeploying DNSSEC at Scale
Deploying DNSSEC at Scale
 
#NSD15 - Attaques DDoS Internet et comment les arrêter
#NSD15 - Attaques DDoS Internet et comment les arrêter#NSD15 - Attaques DDoS Internet et comment les arrêter
#NSD15 - Attaques DDoS Internet et comment les arrêter
 
Unix Monitoring Tools
Unix Monitoring ToolsUnix Monitoring Tools
Unix Monitoring Tools
 
.NET Fest 2019. Łukasz Pyrzyk. Daily Performance Fuckups
.NET Fest 2019. Łukasz Pyrzyk. Daily Performance Fuckups.NET Fest 2019. Łukasz Pyrzyk. Daily Performance Fuckups
.NET Fest 2019. Łukasz Pyrzyk. Daily Performance Fuckups
 
Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015
 
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみるK8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
 
Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...
Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...
Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...
 
An implementation of Jan Aerts' LocusTree
An implementation of Jan Aerts' LocusTreeAn implementation of Jan Aerts' LocusTree
An implementation of Jan Aerts' LocusTree
 
Доклад Антона Поварова "Go in Badoo" с Golang Meetup
Доклад Антона Поварова "Go in Badoo" с Golang MeetupДоклад Антона Поварова "Go in Badoo" с Golang Meetup
Доклад Антона Поварова "Go in Badoo" с Golang Meetup
 
Es werde Licht! Monitoring jenseits von tail und grep
Es werde Licht! Monitoring jenseits von tail und grepEs werde Licht! Monitoring jenseits von tail und grep
Es werde Licht! Monitoring jenseits von tail und grep
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
 
Watching And Manipulating Your Network Traffic
Watching And Manipulating Your Network TrafficWatching And Manipulating Your Network Traffic
Watching And Manipulating Your Network Traffic
 
Restfs internals
Restfs internalsRestfs internals
Restfs internals
 
[1C2]webrtc 개발, 현재와 미래
[1C2]webrtc 개발, 현재와 미래[1C2]webrtc 개발, 현재와 미래
[1C2]webrtc 개발, 현재와 미래
 
Code4Lib 2007: MyResearch Portal
Code4Lib 2007: MyResearch PortalCode4Lib 2007: MyResearch Portal
Code4Lib 2007: MyResearch Portal
 
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020
Troubleshooting Tips and Tricks for Database 19c   ILOUG Feb 2020Troubleshooting Tips and Tricks for Database 19c   ILOUG Feb 2020
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020
 
No more dumb hex!
No more dumb hex!No more dumb hex!
No more dumb hex!
 
001 network toi_basics_v1
001 network toi_basics_v1001 network toi_basics_v1
001 network toi_basics_v1
 
Performance Risk Management
Performance Risk ManagementPerformance Risk Management
Performance Risk Management
 
Top-5-production-devconMunich-2023-v2.pptx
Top-5-production-devconMunich-2023-v2.pptxTop-5-production-devconMunich-2023-v2.pptx
Top-5-production-devconMunich-2023-v2.pptx
 

Recently uploaded

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 

Finding Evil In DNS Traffic

Slide 2. WHO AM I?
Keelyn Roberts
BACKGROUND:
- 10 years in cybersecurity and IT security
RECENT PROJECTS:
- Created Mercenary-Linux (Daniel West, PM)
- Created MercenaryHuntFramework (MHF) (Daniel West, PM)
How To Find Me:
- @real_slacker007
- Github.com/slacker007
- HuntTools.org
- CyberSyndicates.com

Slide 3. AGENDA
- Motivation
- Brief DNS Overview
- Types of Malware
- Malware IOCs
- Detection Methods
- Key Takeaways
- Questions

Slide 5. OVERVIEW
Resolution path: User -> Local Recursive Server -> Root -> .org TLD Root -> Authoritative
1. The user browses to www.hunttools.org.
2. The recursive server checks its cache, then reaches out to the root servers and, once it has the answer, provides it to the user.
3. The root server tells the recursive server to ask the .org TLD root.
4. The .org TLD root tells the recursive server to ask the authoritative server for hunttools.org.
5. The authoritative server tells the recursive server the IP address for www.hunttools.org.
Info provided by "DNS Security", 2016 Elsevier Inc.

Slide 6. DNS VULNERABILITIES
INFRASTRUCTURE / PROTOCOL
- Buffer Overflows
- Race Conditions
- Misconfigurations
- Zone Transfers
- Anycasting
- Recursion
- Caching

Slide 7. INFRASTRUCTURE
OS (Windows, Unix, BSD, Linux)
- DNS software (Microsoft DNS, BIND)
  - Buffer overflows (CVE-2015-6125, CVE-2008-0122)
  - Race conditions (CVE-2015-8461)
  - Misconfigured permissions
- Other nested services (FTP, SMB/CIFS)
"DNS Security", 2016 Elsevier Inc.

Slide 8. PROTOCOL VULNERABILITIES ("DNS Security", 2016 Elsevier Inc.)
- DNS Cache Poisoning: Bolware, Dridex
- DNS Spoofing: Win32.QHOST (modern variants), DNSChanger (old & new)
- Data Exfil Channel: DNS Beacons
- C & C: DNSTrojan, DNS Beacons
- Staging: DNS Beacons
- DDoS Attacks: Low Orbit Ion Cannon (LOIC)

Slide 9. CACHE POISONING ("DNS Security", 2016 Elsevier Inc.)

Slide 10. CACHE POISONING ("DNS Security", 2016 Elsevier Inc.)
Recursive Servers
- Delay Fast Packets (DFP)
  - Bailiwick rule
  - Birthday Paradox
  - SPEED
  - QUANTITY
  - ANOMALY
Local DNS Cache
- OS-maintained local cache
- Web browser cache
  - Bolware (Brazil 2015)
  - Dridex (United Kingdom)
  - DNS-Changer (US 2016)

Slide 11. CACHE POISONING ("DNS Security", 2016 Elsevier Inc.)
TRACKING DNS COMMUNICATIONS: IP, SRC PORT, TRANS ID
  00:22:50.599361 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 317)
      192.168.1.254.53 > 192.168.1.85.16020: [udp sum ok] 52318 q: A? csi.gstatic.com. 16/0/0
      csi.gstatic.com. [3m26s] A 216.58.217.227, csi.gstatic.com. [3m26s] A 216.58.193.131, csi.gstatic.com. [3m26s] A 216.58.212.227, csi.gstatic.com. [3m26s] A 216.58.218.3, csi.gstatic.com. [3m26s] A 216.58.201.195, csi.gstatic.com. [3m26s] A 172.217.1.131, csi.gstatic.com. [3m26s] A 216.58.209.99,
      csi.gstatic.com. [3m26s] A 216.58.212.131, csi.gstatic.com. [3m26s] A 172.217.17.227, csi.gstatic.com. [3m26s] A 216.58.212.195, csi.gstatic.com. [3m26s] A 172.217.18.131, csi.gstatic.com. [3m26s] A 216.58.212.163, csi.gstatic.com. [3m26s] A 216.58.209.131, csi.gstatic.com. [3m26s] A 172.217.22.163 (289)
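Slide 11 says to track the client IP, source port and transaction ID; the check that falls out of that is whether every response matches a query that is still outstanding. The following is an added example (not code from the talk); the tcpdump-style lines are constructed in the shape of the slide's capture, and the "unsolicited responses racing one query" rule is the SPEED/QUANTITY idea from slide 10.

```python
"""Match DNS responses to outstanding queries by client IP, source port and transaction
ID, the three fields slide 11 says to track. Added example, not code from the talk; the
tcpdump-style lines are constructed in the shape of the slide's capture."""
import re
from collections import Counter

# Constructed capture: the resolver's query, its genuine answer, then two answers for the
# same name whose IDs match no outstanding query (the shape of a blind-guess response spray).
CAPTURE = """\
00:22:50.5 IP 192.168.1.85.16020 > 192.168.1.254.53: 52318+ A? csi.gstatic.com. (32)
00:22:50.6 IP 192.168.1.254.53 > 192.168.1.85.16020: 52318 q: A? csi.gstatic.com. 16/0/0 (289)
00:22:50.6 IP 192.168.1.254.53 > 192.168.1.85.16020: 41077 q: A? csi.gstatic.com. 1/0/0 (60)
00:22:50.6 IP 192.168.1.254.53 > 192.168.1.85.16020: 41078 q: A? csi.gstatic.com. 1/0/0 (60)
"""

# src.port > dst.port: ID[+] [q:] QTYPE? name   ('+' = recursion desired, i.e. a query)
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)(\+?) (?:q: )?(\w+)\? (\S+)")

def unsolicited_responses(capture):
    """Responses whose (receiver, port, txid, qname) never appeared as an open query."""
    outstanding, unsolicited = set(), []
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, txid, rd, qtype, qname = m.groups()
        if rd == "+":                      # a query: remember who asked, from which port
            outstanding.add((src, sport, txid, qname))
        else:                              # a response: it must answer an open query
            key = (dst, dport, txid, qname)
            if key in outstanding:
                outstanding.discard(key)
            else:
                unsolicited.append({"from": src, "to": dst, "port": dport,
                                    "txid": txid, "qname": qname})
    return unsolicited

def spray_suspects(capture, threshold=2):
    """(receiver, port, qname) tuples that got >= threshold unsolicited answers: many
    responses racing one query (SPEED / QUANTITY on slide 10) point at ID guessing."""
    hits = Counter((r["to"], r["port"], r["qname"]) for r in unsolicited_responses(capture))
    return {k: n for k, n in hits.items() if n >= threshold}
```

To be meaningful this has to run on the resolver's upstream side, where the forged answers arrive; client-side captures only show the winner.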
Slide 13. DNS AMPLIFICATION: INDICATORS
- Spoofed source address
- Open DNS servers
  - TTL
  - ANY (*)
- Quantity
  - nodes
  - volume of queries
  - queries vs. responses
Example log entries:
  ip=77.92.48.67 ; domain=bryaiqfvenakbsr.www.hunttools.org ; count=1 ; qtype=A ; ttl=234
  ip=77.92.48.67 ; domain=izeuvqnkcooofqx.www.hunttools.org ; count=1 ; qtype=A ; ttl=247

Slide 15. DNS AMPLIFICATION: QUERY
  05:45:38.621599 IP (tos 0x0, ttl 64, id 56784, offset 0, flags [none], proto UDP (17), length 64)
      10.0.49.16.45522 > 84.200.69.80.53: 27427+ [1au] ANY? ietf.org. ar: . OPT UDPsize=4096 (36)
      0x0000:  0004 0001 0006 000c 2917 04df 300f 0800  ........)...0...
      0x0010:  4500 0040 ddd0 0000 4011 51bd 0a00 3110  E..@....@.Q...1.
      0x0020:  0808 0808 b1d2 0035 002c 4b5d 6b23 0120  .......5.,K]k#..
      0x0030:  0001 0000 0000 0001 0369 7363 036f 7267  .........ietf.org
      0x0040:  0000 ff00 0100 0029 1000 0000 0000 0000  .......)........

Slide 16. DNS AMPLIFICATION: RESPONSE
  global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5147
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 27, AUTHORITY: 4, ADDITIONAL: 5

  ;; QUESTION SECTION:
  ;isc.org.  IN  ANY

  ;; ANSWER SECTION:
  isc.org. 4084 IN SOA ns-int.isc.org. hostmaster.isc.org. 2012102700 7200 3600 24796800 3600
  isc.org. 4084 IN A 149.20.64.42
  isc.org. 4084 IN MX 10 mx.pao1.isc.org.
  isc.org. 4084 IN MX 10 mx.ams1.isc.org.
  isc.org. 4084 IN TXT "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
  isc.org. 4084 IN TXT "$Id: isc.org,v 1.1724 2012-10-23 00:36:09 bind Exp $"
  isc.org. 4084 IN AAAA 2001:4f8:0:2::d
  isc.org. 4084 IN NAPTR 20 0 "S" "SIP+D2U" "" _sip._udp.isc.org.
  isc.org. 484 IN NSEC _kerberos.isc.org. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY SPF
  isc.org. 4084 IN DNSKEY 256 3 5 BQEAAAAB2F1v2HWzCCE9vNsKfk0K8vd4EBwizNT9KO6WYXj0oxEL4eOJ aXbax/BzPFx+3qO8B8pu8E/JjkWH0oaYz4guUyTVmT5Eelg44Vb1kssy q8W27oQ+9qNiP8Jv6zdOj0uCB/N0fxfVL3371xbednFqoECfSFDZa6Hw jU1qzveSsW0=
  isc.org. 4084 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+ u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd
  isc.org. 4084 IN SPF "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
  isc.org. 484 IN RRSIG NS 5 2 7200 20121125230752 20121026230752 4442 isc.org. oFeNy69Pn+/JnnltGPUZQnYzo1YGglMhS/SZKnlgyMbz+tT2r/2v+X1j AkUl9GRW9JAZU+x0oEj5oNAkRiQqK+D6DC+PGdM2/JHa0X41LnMIE2NX UHDAKMmbqk529fUy3MvA/ZwR9FXurcfYQ5fnpEEaawNS0bKxomw48dcp Aco=
  isc.org. 484 IN RRSIG SOA 5 2 7200 20121125230752 20121026230752 4442 isc.org. S+DLHzE/8WQbnSl70geMYoKvGlIuKARVlxmssce+MX6DO/J1xdK9xGac XCuAhRpTMKElKq2dIhKp8vnS2e+JTZLrGl4q/bnrrmhQ9eBS7IFmrQ6s 0cKEEyuijumOPlKCCN9QX7ds4siiTIrEOGhCaamEgRJqVxqCsg1dBUrR hKk=
  isc.org. 484 IN RRSIG MX 5 2 7200 20121125230752 20121026230752 4442 isc.org. VFqFWRPyulIT8VsIdXKMpMRJTYpdggoGgOjKJzKJs/6ZrxmbJtmAxgEu /rkwD6Q9JwsUCepNC74EYxzXFvDaNnKp/Qdmt2139h/xoZsw0JVA4Z+b zNQ3kNiDjdV6zl6ELtCVDqj3SiWDZhYB/CR9pNno1FAF2joIjYSwiwbS Lcw=
  isc.org. 484 IN RRSIG TXT 5 2 7200 20121125230752 20121026230752 4442 isc.org. Ojj8YCZf3jYL9eO8w4Tl9HjWKP3CKXQRFed8s9xeh5TR3KI3tQTKsSeI JRQaCXkADiRwHt0j7VaJ3xUHa5LCkzetcVgJNPmhovVa1w87Hz4DU6q9 k9bbshvbYtxOF8xny/FCiR5c6NVeLmvvu4xeOqSwIpoo2zvIEfFP9deR UhA=
  isc.org. 484 IN RRSIG AAAA 5 2 7200 20121125230752 20121026230752 4442 isc.org. hutAcro0NBMvKU/m+2lF8sgIYyIVWORTp/utIn8KsF1WOwwM2QMGa5C9 /rH/ZQBQgN46ZMmiEm4LxH6mtaKxMsBGZwgzUEdfsvVtr+fS5NUoA1rF wg92eBbInNdCvT0if8m1Sldx5/hSqKn8EAscKfg5BMQp5YDFsllsTauA 8Y4=
  isc.org. 484 IN RRSIG NAPTR 5 2 7200 20121125230752 20121026230752 4442 isc.org. ZD14qEHR7jVXn5uJUn6XR9Lvt5Pa7YTEW94hNAn9Lm3Tlnkg11AeZiOU 3woQ1pg+esCQepKCiBlplPLcag3LHlQ19OdACrHGUzzM+rnHY50Rn/H4 XQTqUWHBF2Cs0CvfqRxLvAl5AY6P2bb/iUQ6hV8Go0OFvmMEkJOnxPPw 5i4=
  isc.org. 484 IN RRSIG NSEC 5 2 3600 20121125230752 20121026230752 4442 isc.org. rY1hqZAryM045vv3bMY0wgJhxHJQofkXLeRLk20LaU1mVTyu7uair7jb MwDVCVhxF7gfRdgu8x7LPSvJKUl6sn731Y80CnGwszXBp6tVpgw6oOcr Pi0rsnzC6lIarXLwNBFmLZg2Aza6SSirzOPObnmK6PLQCdmaVAPrVJQs FHY=
  isc.org. 484 IN RRSIG DNSKEY 5 2 7200 20121125230126 20121026230126 4442 isc.org. i0S2MFqvHB3wOhv2IPozE/IQABM/eDDCV2D7dJ3AuOwi1A3sbYQ29XUd BK82+mxxsET2U6hv64crpbGTNJP3OsMxNOAFA0QYphoMnt0jg3OYg+AC L2j92kx8ZdEhxKiE6pm+cFVBHLLLmXGKLDaVnffLv1GQIl5YrIyy4jiw h0A=
  isc.org. 484 IN RRSIG DNSKEY 5 2 7200 20121125230126 20121026230126 12892 isc.org. j1kgWw+wFFw01E2z2kXq+biTG1rrnG1XoP17pIOToZHElgpy7F6kEgyj fN6e2C+gvXxOAABQ+qr76o+P+ZUHrLUEI0ewtC3v4HziMEl0Z2/NE0MH qAEdmEemezKn9O1EAOC7gZ4nU5psmuYlqxcCkUDbW0qhLd+u/8+d6L1S nlrD/vEi4R1SLl2bD5VBtaxczOz+2BEQLveUt/UusS1qhYcFjdCYbHqF JGQziTJv9ssbEDHT7COc05gG+A1Av5tNN5ag7QHWa0VE+Ux0nH7JUy0N ch1kVecPbXJVHRF97CEH5wCDEgcFKAyyhaXXh02fqBGfON8R5mIcgO/F DRdXjA==
  isc.org. 484 IN RRSIG SPF 5 2 7200 20121125230752 20121026230752 4442 isc.org. IB/bo9HPjr6aZqPRkzf9bXyK8TpBFj3HNQloqhrguMSBfcMfmJqHxKyD ZoLKZkQk9kPeztau6hj2YnyBoTd0zIVJ5fVSqJPuNqxwm2h9HMs140r3 9HmbnkO7Fe+Lu5AD0s6+E9qayi3wOOwunBgUkkFsC8BjiiGrRKcY8GhC kak=
  isc.org. 484 IN RRSIG A 5 2 7200 20121125230752 20121026230752 4442 isc.org. ViS+qg95DibkkZ5kbL8vCBpRUqI2/M9UwthPVCXl8ciglLftiMC9WUzq Ul3FBbri5CKD/YNXqyvjxyvmZfkQLDUmffjDB+ZGqBxSpG8j1fDwK6n1 hWbKf7QSe4LuJZyEgXFEkP16CmVyZCTITUh2TNDmRgsoxrvrOqOePWhp 8+E=
  isc.org. 4084 IN NS ns.isc.afilias-nst.info.
  isc.org. 4084 IN NS ams.sns-pb.isc.org.
  isc.org. 4084 IN NS ord.sns-pb.isc.org.
  isc.org. 4084 IN NS sfba.sns-pb.isc.org.

  ;; AUTHORITY SECTION:
  isc.org. 4084 IN NS ns.isc.afilias-nst.info.
  isc.org. 4084 IN NS ams.sns-pb.isc.org.
  isc.org. 4084 IN NS ord.sns-pb.isc.org.
  isc.org. 4084 IN NS sfba.sns-pb.isc.org.

  ;; ADDITIONAL SECTION:
  mx.ams1.isc.org. 484 IN A 199.6.1.65
  mx.ams1.isc.org. 484 IN AAAA 2001:500:60::65
  mx.pao1.isc.org. 484 IN A 149.20.64.53
  mx.pao1.isc.org. 484 IN AAAA 2001:4f8:0:2::2b
  _sip._udp.isc.org. 4084 IN SRV 0 1 5060 asterisk.isc.org.

  ;; Query time: 176 msec
  ;; SERVER: x.x.x.x#53(x.x.x.x)
  ;; WHEN: Tue Oct 30 01:14:32 2012
  ;; MSG SIZE rcvd: 3223
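Two of the slide 13 indicators (ANY queries and query quantity per node) can be computed straight from the key=value log format shown there. This is an added example, not code from the talk; the log lines are constructed in that shape, and the `random_label_fanout` check is a generalisation of the bryaiqfvenakbsr.www.hunttools.org pattern on the slide.

```python
"""Amplification-side indicators from slide 13 (ANY queries, query volume per node,
random labels under one parent) over the slide's key=value log format. Added example,
not the talk's code; the log lines are constructed in that shape."""
import re
from collections import Counter, defaultdict

# Constructed log in the "ip=...; domain=...; count=...; qtype=...; ttl=..." shape of slide 13.
SAMPLE_LOG = """\
ip=77.92.48.67 ; domain=bryaiqfvenakbsr.www.hunttools.org ; count=1 ; qtype=A ; ttl=234
ip=77.92.48.67 ; domain=izeuvqnkcooofqx.www.hunttools.org ; count=1 ; qtype=A ; ttl=247
ip=77.92.48.67 ; domain=qwlmzpardhtyvbe.www.hunttools.org ; count=1 ; qtype=A ; ttl=251
ip=77.92.48.67 ; domain=isc.org ; count=1 ; qtype=ANY ; ttl=4084
ip=10.0.49.16 ; domain=ietf.org ; count=40 ; qtype=ANY ; ttl=3600
ip=192.168.1.85 ; domain=csi.gstatic.com ; count=3 ; qtype=A ; ttl=206
"""

FIELD = re.compile(r"(\w+)=([^;]+)")

def parse(log):
    """One dict per line; 'count' becomes an int so it can be summed."""
    records = []
    for line in log.splitlines():
        rec = {k: v.strip() for k, v in FIELD.findall(line)}
        rec["count"] = int(rec["count"])
        records.append(rec)
    return records

def any_volume_by_source(records):
    """ANY queries summed per source: the record type that maximises the reply
    (compare the 64-byte ANY query on slide 15 with the 3223-byte reply on slide 16)."""
    totals = Counter()
    for r in records:
        if r["qtype"] == "ANY":
            totals[r["ip"]] += r["count"]
    return dict(totals)

def random_label_fanout(records, parent, min_unique=3):
    """Sources querying many distinct single labels directly under `parent`:
    {source ip: number of distinct labels} for sources at or above min_unique."""
    labels = defaultdict(set)
    for r in records:
        name = r["domain"]
        if name.endswith("." + parent):
            left = name[: -len(parent) - 1]
            if left and "." not in left:
                labels[r["ip"]].add(left)
    return {ip: len(s) for ip, s in labels.items() if len(s) >= min_unique}
```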
Slide 18. DNS BEACONS
Key Info:
- DNS Beacon (Cobalt Strike)
- DNSTrojan
- RAT
- C2 || Exfil
- Staged vs. Inline
- Last Resort
- Stealthy
- Throttle / Jitter
IOCs:
- Incremental changes
- Size of packet (UDP vs. TCP)
- # of packets sent
- # of queries vs. responses
- Sequentially numbered subdomains

Slide 21. DNS BEACONS: LEGITIMATE
Security Onion (IDS):
  cfc7b9dff5ce62a12e31457d974e5618.malware.hash.cymru.com.
  cfc7b9dff5ce62a12e31457d974e5618.malware.hash.cymru.com.
McAfee (Global Threat Intelligence):
  4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com
  4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com

Slide 22. DNS BEACONS: MALICIOUS (staging via DNS TXT)
  8.8.8.8 TXT aaa.stage.4777649.dns.jeffjumpsinthelake.xyz
  8.8.8.8 TXT aab.stage.4777649.dns.jeffjumpsinthelake.xyz
  8.8.8.8 TXT aac.stage.4777649.dns.jeffjumpsinthelake.xyz
  192.168.1.90 TXT 255 PPPPPPIJIFJEPNPPPPIJIFKIPNPPPPIJIFMMPNPPPPIJIFNAPNPPPPIJIFPAPNPPPPIJIFMIJAAAAIDINPAPJCEAPNPPPPOJHEAJAAAAAPLOMCIDOICAHEEIIDOIADHEDECLMGHECEEIEIHEBEIDOIADAPIFFGAJAAAAAJLFPAPNPPPPOJELAJAAAAIDINPAPNPPPPAEOJDPAJAAAAIDINPAPNPPPPABOJDDAJAAAAIBINPAPNPPPPIAAAAAAAOJ
  192.168.1.90 TXT 255 PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPDOPPPPPPDPDEDFDGDHDIDJDKDLDMDNPPPPPPPOPPPPPPAAABACADAEAFAGAHAIAJAKALAMANAOAPBABBBCBDBEBFBGBHBIBJPPPPPPPPPPPPBKBLBMBNBOBPCACBCCCDCECFCGCHCICJCKCLCMCNCOCPDADBDCDDPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
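Two of the beacon IOCs above can be checked mechanically: the sequentially numbered subdomains from slide 18 (aaa, aab, aac on slide 22) and the long TXT answers that carry only letters A..P. This is an added example, not code from the talk; the records are constructed in the "client qtype value" shape of slide 22, with an SPF record added as the legitimate-TXT contrast.

```python
"""Two DNS-beacon IOCs from slides 18 and 22: sequentially numbered subdomains and long
encoded TXT payloads. Added example, not the talk's code; records are constructed."""
import string
from collections import defaultdict

# Constructed records in the slide's "client qtype value" shape: value is the queried name for
# lookups and the returned text for TXT answers. The encoded chunk repeats the A..P-only
# letters seen on slide 22; the SPF answer is a legitimate TXT record for contrast.
SAMPLE = [
    ("8.8.8.8", "TXT", "aaa.stage.4777649.dns.jeffjumpsinthelake.xyz"),
    ("8.8.8.8", "TXT", "aab.stage.4777649.dns.jeffjumpsinthelake.xyz"),
    ("8.8.8.8", "TXT", "aac.stage.4777649.dns.jeffjumpsinthelake.xyz"),
    ("192.168.1.90", "TXT", "PPPPPPIJIFJEPNPPPPIJIFKIPNPPPPIJIFMMPNPPPPIJIFNAPN" * 5),
    ("192.168.1.90", "TXT", "v=spf1 a mx ip4:204.152.184.0/21 ~all"),
    ("192.168.1.85", "A", "csi.gstatic.com"),
]

def label_index(label):
    """aaa -> 0, aab -> 1, ... (base 26 over a..z); None unless purely lowercase letters."""
    if not label or any(c not in string.ascii_lowercase for c in label):
        return None
    n = 0
    for c in label:
        n = n * 26 + ord(c) - ord("a")
    return n

def sequential_subdomains(records, min_run=3):
    """Parents whose leftmost labels form an unbroken counter: {parent: run length}."""
    seen = defaultdict(set)
    for _, _, value in records:
        first, _, parent = value.partition(".")
        idx = label_index(first)
        if idx is not None and parent:
            seen[parent].add(idx)
    hits = {}
    for parent, idxs in seen.items():
        run = sorted(idxs)
        if len(run) >= min_run and run == list(range(run[0], run[0] + len(run))):
            hits[parent] = len(run)
    return hits

def encoded_txt_payload(value, min_len=64, max_alphabet=16):
    """Long, space-free TXT text drawn from a small uppercase alphabet (A..P on slide 22);
    real SPF/DKIM/verification records carry '=', ':', '/' and spaces instead."""
    if len(value) < min_len or " " in value:
        return False
    letters = set(value)
    return letters <= set(string.ascii_uppercase) and len(letters) <= max_alphabet

def staging_sources(records):
    """Clients whose TXT answers look like encoded payload chunks."""
    return sorted({src for src, qt, v in records if qt == "TXT" and encoded_txt_payload(v)})
```

The counter check is deliberately strict (no gaps); a beacon that is throttled or jittered, as slide 18 notes, still increments in order, but lost packets will break the run, so lower min_run or tolerate a gap once the pattern is confirmed in your own traffic.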
Slide 27. DNS A RECORDS WITH DNSHUNTER

Slide 29. ANALYZING DNS RECORDS WITH DNSHUNTER

Slide 30. MAJOR TAKEAWAYS
- Understand YOUR DNS traffic
- Perform ACTIVE monitoring of your DNS traffic
- Conduct regular penetration testing!!!!!

Slide 31. SOURCES
- https://www.isc.org/community/rfcs/dns/ (list of all DNS RFCs by title)
- "DNS Security", Allan Liska & Geoffrey Stowe
- http://secdev.org/projects/scapy/doc/usage/html (Scapy examples)
- http://www.dcwg.org/ (DNS-Changer)
- http://blog.trendmicro.com/trendlabs-security-intelligence/dns-changer-malware-sets-sights-on-home-routers/ (DNS-Changer)
- RFC 1034, 1035 (DNS)
- RFC 3833 (DNS Threat Analysis)
- RFC 5358 (preventing recursive nameservers from being used in reflection attacks)
- RFC 6672 (name redirectors)
