Marauder or Scanning Your DNSDB for Fun and Profit - SOURCE Boston
OpenDNS
OpenDNS Senior Security Researcher Dhia Mahjoub's presentation from SOURCE Boston 2014.
1.
Marauder or Scanning your DNSDB for Fun and Profit
Dhia Mahjoub, OpenDNS, April 10th, 2014, Boston
2.
Short Bio
• Senior Security Researcher at OpenDNS
• Predictive threat detection based on DNS traffic and hosting infrastructure analysis
• CS PhD graduate from Southern Methodist University -------> Go Mustangs!
• Graph theory applied to Wireless Sensor Network problems (network lifetime, routing)
• Enjoyed writing sniffers and port scanners in C…
3.
Outline
• DNSDB
• Marauder
• Implementation
• ASN graph
• Use case 1: Suspicious sibling leaf ASNs
• Use case 2: ASN(s) abused or lax about content
• Use case 3: Rogue ASN de-peered or gone stealth
• Marauder: Platform, tools, libraries used
• Marauder in action
• Use case 4: Malicious sub-allocated ranges
• Use case 5: Predicting malicious domains' IP infrastructure
• Conclusion
4.
DNS data: querylogs, authlogs (diagram)
5.
OpenDNS' Network Map (figure)
6.
DNSDB
7.
Passive DNS
• Introduced by Florian Weimer in 2004
• Passive DNS builds zone replicas without cooperation from zone administrators
• Captures messages between DNS servers
• Messages are processed, de-duplicated, and DNS records are consolidated in an indexed database
-> Historical DNS database (DNSDB)
8.
Passive DNS (cont'd)
Various services:
1. http://www.bfk.de/bfk_dnslogger_en.html
2. DNSDB (Farsight Security) https://www.dnsdb.info/
3. Umbrella SGraph (re-dubbed Investigate) https://sgraph.opendns.com/main
4. VirusTotal DNSDB
• https://github.com/gamelinux/passivedns
• https://github.com/chrislee35/passivedns-client
9.
Why is DNSDB useful? (diagram: domains, IP addresses and name servers linked over time; legend: D = Domain, IP = IP address, NS = Name server, + TIME)
10.
Streaming Authoritative DNS
• Tap into the processed authoritative DNS stream before it's consolidated into a persistent DB
• Fields: asn, domain, 2LD, IP, NS_IP, timestamp, TTL, type
• Faster
• 100s – 1000s entries/sec (from a subset of resolvers)
• Need to implement your own filters, detection heuristics
11.
Marauder
12.
Marauder
• Maraud (def): To rove and raid in search of plunder
• Martin B-26 Marauder
• WW2 medium-range bomber
• Pacific, Mediterranean, Western Europe theaters
13.
Marauder
• Cruise the IP, DNS space in search of new attack domains, IP infrastructures
14.
Implementation
1. IP watchlist + domain filter(s) + more post-detection filter(s)
• IP watchlist <- blacklist feeds + other heuristics to build malicious/suspicious IP lists
2. Domain detection heuristics: name pattern, IP, NS, age, traffic volume
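The two stages above (IP watchlist first, then domain heuristics and a post-detection filter) as one runnable filter over a streaming authoritative DNS feed. This is an added example, not code from the deck or from OpenDNS: the record fields follow the list on the Streaming Authoritative DNS slide, but the pipe-separated layout, the watchlist CIDRs, the allowlist, the TTL and age thresholds and every sample record are assumptions constructed for illustration.

```python
"""Marauder front end: IP watchlist + domain heuristics over a streaming auth-DNS feed.

Added example, not the deck's code. Record layout (asn, domain, 2LD, IP, NS_IP,
timestamp, TTL, type) follows the slide; pipe separation, the watchlist ranges,
the allowlist, the thresholds and all sample records are constructed.
"""
import ipaddress
import math
import re
from collections import Counter, namedtuple

Record = namedtuple("Record", "asn domain sld ip ns_ip ts ttl rtype")

# IP watchlist as it would be built from blacklist feeds (constructed ranges)
WATCHLIST = [ipaddress.ip_network(c) for c in
             ("192.95.50.208/29", "31.41.221.128/28", "5.101.173.0/28")]
# Post-detection filter: 2LDs never to alert on (constructed)
ALLOW_2LD = {"google.com", "opendns.com"}
LOW_TTL = 300            # seconds
YOUNG_2LD_DAYS = 7

# Constructed stream excerpt. The watchlist hit on www.google.com is deliberate: it
# shows why a post-detection allowlist is needed when a listed range is shared.
SAMPLE_STREAM = """\
16276|a3f9k2.update-flash.pw|update-flash.pw|192.95.50.210|198.50.143.73|1392422403|60|A
15133|www.example.org|example.org|93.184.216.34|199.43.135.53|1392422404|3600|A
15169|www.google.com|google.com|192.95.50.211|216.239.32.10|1392422405|300|A
197695|x7qz1pl0.kino-hd.ru|kino-hd.ru|31.41.221.131|198.50.143.69|1392422406|120|A
16276|k9d2x8m1.cheap-pills.in.net|cheap-pills.in.net|203.0.113.7|203.0.113.2|1392422407|100|A
"""
# Constructed first-seen timestamps per 2LD; a 2LD absent here is treated as brand new
FIRST_SEEN = {"example.org": 1000000000, "google.com": 1000000000, "kino-hd.ru": 1392000000}
NOW = 1392422500


def parse_stream(text):
    for line in text.splitlines():
        f = line.split("|")
        if len(f) != 8:
            continue                       # malformed record: drop it, keep the stream alive
        yield Record(int(f[0]), f[1].lower().rstrip("."), f[2].lower(),
                     f[3], f[4], int(f[5]), int(f[6]), f[7])


def in_watchlist(ip, nets=WATCHLIST):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def label_entropy(label):
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_generated(domain, sld):
    """Name-pattern heuristic: a leftmost label of 6+ chars mixing letters and digits,
    with entropy near that of random text (the EK-style subdomains in the deck)."""
    host = domain[:-len(sld)].rstrip(".") if domain.endswith(sld) else domain
    if not host:
        return False
    label = host.split(".")[0]
    return (len(label) >= 6 and re.search(r"\d", label) is not None
            and re.search(r"[a-z]", label) is not None and label_entropy(label) >= 2.5)


def score(rec, first_seen=FIRST_SEEN, now=NOW):
    """Return the list of heuristics the record trips."""
    reasons = []
    if in_watchlist(rec.ip):
        reasons.append("watchlist-ip")
    if looks_generated(rec.domain, rec.sld):
        reasons.append("generated-label")
    if rec.ttl <= LOW_TTL:
        reasons.append("low-ttl")
    if now - first_seen.get(rec.sld, now) < YOUNG_2LD_DAYS * 86400:
        reasons.append("young-2ld")
    return reasons


def detect(text=SAMPLE_STREAM, first_seen=FIRST_SEEN, now=NOW):
    """(domain, ip, reasons) for records that hit the watchlist or two or more
    heuristics, minus whatever the allowlist post-filter removes."""
    hits = []
    for rec in parse_stream(text):
        reasons = score(rec, first_seen, now)
        if ("watchlist-ip" in reasons or len(reasons) >= 2) and rec.sld not in ALLOW_2LD:
            hits.append((rec.domain, rec.ip, reasons))
    return hits


if __name__ == "__main__":
    for domain, ip, reasons in detect():
        print(f"{domain:32} {ip:16} {','.join(reasons)}")
```

The watchlist alone is enough to flag a record; the name, TTL and age heuristics only fire together, which is what keeps a single low TTL on a CDN name from paging anyone. The allowlist runs after scoring so that a mis-listed or shared range still gets looked at for everything except the names you have explicitly vetted.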
15.
Building the IP watchlist
Motivation
• Assess malicious IP ranges in BGP prefixes, ASNs from a new perspective
• Look beyond the simple counting of the number of bad domains, bad IPs hosted on prefixes of an ASN
How?
• Look at the topology of the AS graph
• Look at a smaller granularity than the BGP prefix: sub-allocated ranges within BGP prefixes
16.
AS graph
• BGP routing tables
• Valuable data sources:
• Routeviews http://archive.routeviews.org/bgpdata/
• Cidr-report http://www.cidr-report.org/as2.0/
• Hurricane Electric database http://bgp.he.net/
• Your own routing tables if you operate your own worldwide BGP routers
• 500,000+ BGP prefixes
• 46,000+ ASNs
17.
AS graph
• Route Views http://archive.routeviews.org/bgpdata/ (screenshot)
18.
AS graph
• Cidr Report http://www.cidr-report.org/as2.0/ (screenshot)
19.
AS graph
• Hurricane Electric database http://bgp.he.net/ (screenshot)
20.
AS graph
• Show one line of the BGP routing table:
TABLE_DUMP2|1392422403|B|96.4.0.55|11686|67.215.94.0/24|11686 4436 2914 36692|IGP|96.4.0.55|0|0||NAG||
• The AS graph changes constantly:
• New prefixes (with their routes) are announced
• Old prefixes are dropped
• Intentional, human error, hardware faults, or malicious
21.
AS graph (figure)
22.
AS graph
• TABLE_DUMP2|1392422403|B|96.4.0.55|11686|67.215.94.0/24|11686 4436 2914 36692|IGP|96.4.0.55|0|0||NAG||
• We can extract two types of useful data:
1. Upstream and downstream ASNs of every ASN (from the AS path)
2. IP to ASN mapping (via prefix to ASN mapping)
• pyasn, Python IP to ASN lookup module https://code.google.com/p/pyasn/
• Team Cymru IP to ASN mapping
• GeoIPASNum.dat from MaxMind
• curl ipinfo.io/8.8.8.8/org
23.
AS graph
• Build the AS graph
• Directed graph: node = ASN, a directed edge from an ASN to an upstream ASN
• TABLE_DUMP2|1392422403|B|96.4.0.55|11686|67.215.94.0/24|11686 4436 2914 36692|IGP|96.4.0.55|0|0||NAG||
24.
AS graph
• Directed graph: node = ASN, a directed edge from an ASN to an upstream ASN
Interesting cases:
• Leaf ASNs that are siblings, i.e. they have common parents in the AS graph (share the same upstream AS)
• Cluster the leaves by country
• Find interesting patterns: certain siblings in certain countries are delivering similar suspicious campaigns
25.
Use Case 1: Suspicious sibling leaf ASNs
26.
Leaf ASNs and their upstreams
• January 8th topology snapshot, Ukraine, Russia
• 10 sibling leaf ASNs with 2 upstream ASNs
• /23 or /24 serving TrojWare.Win32.Kryptik.AXJX
• Trojan-Downloader.Win32.Ldmon.A
• http://telussecuritylabs.com/threats/show/TSL20130715-08
27.
Leaf ASNs and their upstreams (graph figure)
28.
Leaf ASNs and their upstreams
• February 21st topology snapshot, Ukraine, Russia
• AS31500 detached itself from the leaves (stopped announcing their prefixes)
• More leaves started hosting suspicious payload domains
• 3100+ malware domains on 1020+ IPs hosting malware
29.
Leaf ASNs and their upstreams
• Taking a sample of 160 live IPs
• Server setup is similar:
50 IPs with:
  22/tcp   open  ssh         OpenSSH 6.2_hpn13v11 (FreeBSD 20130515; protocol 2.0)
  8080/tcp open  http-proxy  3Proxy http proxy
  Service Info: OS: FreeBSD
108 IPs with:
  22/tcp   open  ssh         OpenSSH 5.3 (protocol 1.99)
  80/tcp   open  http?
30.
Leaf ASNs and their upstreams
• The payload URLs were live on the entire range of IPs before any domains were hosted on them
• So, the IP infrastructure is set up in bulk and in advance
• http://pastebin.com/X83gkPY4
31.
Use Case 2: ASN abused or lax about shady content
32.
33.
Example ASNs abused or lax
• Wordstream hosting fake merchandise, exploit kit domains, XXX-themed sites, etc.
• Resellers using IP space of larger providers
• e.g. Ixam-hosting uses Voxility
• Other abused ASNs like OVH, LeaseWeb, etc.
• Ranking of ASNs: sitevet.com
34.
Use Case 3: Rogue ASN de-peered or gone stealth
35.
Rogue ASN de-peered or gone stealth
• AS48031 XSERVER-IP-NETWORK-AS PE Ivanov Vitaliy Sergeevich 86400
• Serving browlock, porn, radical forums, spam, etc.
• Search: “PE Ivanov Vitaliy Sergeevich malware”
36.
Rogue ASN de-peered or gone stealth (news headline screenshot: "Romanian Man Commits Suicide and Kills His 4-Year-Old after Falling for Police Ransomware")
37.
Rogue ASN de-peered or gone stealth (figure)
38.
Rogue ASN de-peered or gone stealth
• AS48031 XSERVER-IP-NETWORK-AS PE Ivanov Vitaliy Sergeevich 86400
• Prefixes originated by AS48031 (prefix, ASN):
176.103.48.0/20 48031
193.169.86.0/23 48031
193.203.48.0/22 48031
193.30.244.0/22 48031
194.15.112.0/22 48031
196.47.100.0/24 48031
91.207.60.0/23 48031
91.213.8.0/24 48031
91.217.90.0/23 48031
91.226.212.0/23 48031
91.228.68.0/22 48031
93.170.48.0/22 48031
94.154.112.0/20 48031
39.
Rogue ASN de-peered or stealth (figure)
40.
Rogue ASN de-peered or stealth (figure)
41.
Marauder: Platform, tools, libraries used
42.
Platform and tools used
- Hadoop cluster
- Raw logs on HDFS
- Indexed DNSDB in HBase
- Python, shell, GNU Parallel
- Streaming, zmq
43.
Python libraries
• Happybase: developer-friendly Python library to interact with Apache HBase
http://happybase.readthedocs.org/en/latest/
Column -> value
Single row: domain, time, type, IP -> TTL
• Search DNSDB by IP, name
• Forward lookup for a domain to get its history of IPs, TTL
• Inverse lookup for an IP to get the domain(s) mapped to it over time
44.
Python libraries
• Happybase:
import happybase

# protect in a try/except: the Thrift connection to HBase can fail
connection = happybase.Connection('server.com', compat='0.90')
table = connection.table('authlogs')
_domain = "google.com"
# row key is "domain:time:type:ip"; the trailing ":" keeps the prefix scan from
# also returning keys for other names that merely start with "google.com"
for key, data in table.scan(row_prefix=_domain + ":"):
    domain, ts, rtype, ip = key.split(":")    # ts/rtype: don't shadow the time/type builtins
    ip_ttl = ip + " " + data['name2rr:v']      # if you need the TTL
45.
Python libraries
• IPy: Python class and tools for handling of IPv4 and IPv6 addresses and networks
https://github.com/haypo/python-ipy/wiki
Use it to flatten a CIDR into a list of IPs:
from IPy import IP

cidr = IP('127.0.0.0/30')
for ip in cidr:        # iterates every address in the block, network and broadcast included
    print(ip)
46.
Python libraries
• PySubnetTree: Python data structure SubnetTree which maps subnets given in CIDR notation to Python objects.
• Lookups are performed by longest-prefix matching.
http://www.bro.org/download/README.pysubnettree.html
Use it to map an IP to its BGP prefix and/or ASN
• A row in the prefix to ASN database (file):
1.22.232.0/24 45528
47.
Python libraries
• PySubnetTree:
Load the pref_asn db, then do lookups on IPs:
import SubnetTree

pref_asn_db = SubnetTree.SubnetTree()
f_pref_asn = open("pref-asn", 'r')
for line in f_pref_asn:                         # one "prefix asn" row per line
    prefix = line.split()[0]
    pref_asn_db[prefix] = line.strip()          # e.g. pref_asn_db["1.22.232.0/24"] = "1.22.232.0/24 45528"
f_pref_asn.close()
ip = "1.22.232.7"
if ip in pref_asn_db:                           # lookup is longest-prefix match; a miss raises KeyError
    cidr = pref_asn_db[ip].split()[0]           # -> "1.22.232.0/24"
48.
Python libraries
• PyASN: Python extension module (written in C) that allows performing very fast IP to ASN lookups https://code.google.com/p/pyasn/
• pygeoip: map IP to country code https://pypi.python.org/pypi/pygeoip
• networkx: Python package to manipulate graphs http://networkx.github.io/
49.
Marauder in action
50.
Marauder in action
• Input: IP, BGP prefix, or ASN
• Use DNSDB (HBase)
• Use auth DNS stream
HBase:
1) IP: direct lookup
2) BGP prefix -> flatten prefix -> fork processes (GNU parallel processes or threads) to query HBase for every IP
3) ASN -> get list of prefixes from pref_asn_db -> process every prefix like in 2)
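The three HBase paths above as one runnable fan-out, as an added example rather than the deck's code: Python's ipaddress module does the longest-prefix match the deck does with PySubnetTree, a thread pool replaces GNU parallel, and an in-memory dict stands in for the HBase inverse index. The prefix-to-ASN rows and the DNSDB rows are constructed; the /28 announced by AS64496 inside AS16276's /27 is there to show that a sub-allocated range can be scanned on its own or swept up as part of the larger ASN.

```python
"""Marauder in action: IP, BGP prefix or ASN in; per-IP DNSDB lookups out, in parallel.

Added example, not the deck's code. ipaddress stands in for PySubnetTree, a thread
pool for GNU parallel, and a dict for the HBase inverse index (IP -> domains).
All prefix-to-ASN rows and DNSDB rows are constructed.
"""
import ipaddress
from concurrent.futures import ThreadPoolExecutor

# Constructed 'prefix asn' rows, same layout as the deck's pref_asn_db file
PREF_ASN = """\
1.22.232.0/24 45528
198.50.143.64/27 16276
198.50.143.64/28 64496
192.95.50.0/24 16276
"""

# Constructed DNSDB inverse index: ip -> [(domain, first_seen, last_seen)]
DNSDB = {
    "198.50.143.65": [("ns1.update-flash.pw", "2013-11-24", "2014-02-23")],
    "198.50.143.66": [("ns2.update-flash.pw", "2013-11-25", "2014-02-23")],
    "198.50.143.81": [("ns1.kino-hd.ru", "2013-11-25", "2014-02-24")],
    "192.95.50.210": [("a3f9k2.update-flash.pw", "2014-01-20", "2014-01-21")],
}


class PrefixDB:
    """Longest-prefix-match table built from 'prefix asn' rows."""

    def __init__(self, rows):
        self.entries = []
        for line in rows.splitlines():
            if line.strip():
                prefix, asn = line.split()
                self.entries.append((ipaddress.ip_network(prefix), int(asn)))
        self.entries.sort(key=lambda e: e[0].prefixlen, reverse=True)   # most specific first

    def lookup(self, ip):
        """(network, asn) covering ip, or None when no prefix matches."""
        addr = ipaddress.ip_address(ip)
        for net, asn in self.entries:
            if addr in net:
                return net, asn
        return None

    def prefixes_of(self, asn):
        return [net for net, a in self.entries if a == asn]


def expand(target, pref_db):
    """'AS<n>' -> every address of every prefix n originates; 'a.b.c.d/len' -> every
    address in it; a bare IP -> itself. Mirrors steps 1-3 on the slide."""
    if target.upper().startswith("AS"):
        nets = pref_db.prefixes_of(int(target[2:]))
    elif "/" in target:
        nets = [ipaddress.ip_network(target, strict=False)]
    else:
        return [target]
    return [str(ip) for net in nets for ip in net]


def query_dnsdb(ip, db=DNSDB):
    """Stand-in for one HBase inverse-index scan on ip."""
    return ip, db.get(ip, [])


def marauder(target, pref_db, db=DNSDB, workers=8):
    """Fan the per-IP lookups out over a thread pool (the deck uses GNU parallel or
    threads) and keep only the IPs that have ever hosted something."""
    ips = expand(target, pref_db)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda ip: query_dnsdb(ip, db), ips))
    hosted = {ip: rows for ip, rows in results if rows}
    return {"target": target, "ips_scanned": len(ips), "hosted": hosted}


if __name__ == "__main__":
    pdb = PrefixDB(PREF_ASN)
    for target in ("198.50.143.81", "192.95.50.208/29", "AS64496", "AS16276"):
        r = marauder(target, pdb)
        print(target, r["ips_scanned"], "IPs scanned,", sorted(r["hosted"]))
```

Scanning AS16276 still visits the 16 addresses of the /28 that AS64496 originates, because prefix expansion goes by the announcement the ASN owns, not by who wins the longest-prefix match for each address. That is the right behaviour when hunting sub-allocated ranges, but it means the per-IP ASN attribution in a report must come from lookup(), not from the target you started with.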
51.
Use Case 4: Malicious sub-allocated ranges
52.
Malicious sub-allocated ranges
• Case of OVH
• Sub-allocated ranges reserved by the same suspicious customers, serving Nuclear Exploit Kit domains
• Users are led to the exploit landing sites through malvertising campaigns, then malware is dropped on victims' machines (e.g. zbot)
• Monitoring patterns for 5 months: Oct 2013-Feb 2014
53.
Malicious sub-allocated ranges
• For several months, OVH ranges were abused
• Notable fact: IPs were exclusively used for hosting Nuclear Exploit subdomains, no other sites hosted
54.
Malicious sub-allocated ranges (figure)
55.
Malicious sub-allocated ranges
• Some OVH sub-allocated ranges used in Jan-Feb 2014:
192.95.50.208 - 192.95.50.215
198.50.183.68 - 198.50.183.71
192.95.42.112 - 192.95.42.127
192.95.6.112 - 192.95.6.127
192.95.10.208 - 192.95.10.223
192.95.7.224 -  192.95.7.239
192.95.43.160 - 192.95.43.175
192.95.43.176 - 192.95.43.191
198.50.131.0 - 198.50.131.15
56.
Malicious sub-allocated ranges
• Feb 7th, bad actors moved to a Ukrainian hosting provider http://www.besthosting.ua/
• IP, first seen, last seen, days active:
31.41.221.143 2014-02-14 2014-02-14 0
31.41.221.142 2014-02-12 2014-02-14 2
31.41.221.130 2014-02-12 2014-02-14 2
31.41.221.140 2014-02-12 2014-02-12 0
31.41.221.139 2014-02-12 2014-02-12 0
31.41.221.138 2014-02-11 2014-02-12 1
31.41.221.137 2014-02-10 2014-02-11 1
31.41.221.136 2014-02-10 2014-02-11 1
31.41.221.135 2014-02-10 2014-02-10 0
31.41.221.134 2014-02-09 2014-02-19 10
31.41.221.132 2014-02-08 2014-02-09 1
31.41.221.131 2014-02-07 2014-02-08 1
57.
Malicious sub-allocated ranges
• Feb 14th, bad actors moved to a Russian hosting provider http://pinspb.ru/
• IP, first seen, last seen, days active:
5.101.173.10 2014-02-21 2014-02-22 1
5.101.173.9 2014-02-19 2014-02-21 2
5.101.173.8 2014-02-19 2014-02-19 0
5.101.173.7 2014-02-18 2014-02-19 1
5.101.173.6 2014-02-18 2014-02-18 0
5.101.173.5 2014-02-17 2014-02-18 1
5.101.173.4 2014-02-17 2014-02-17 0
5.101.173.3 2014-02-16 2014-02-17 1
5.101.173.2 2014-02-15 2014-02-16 1
5.101.173.1 2014-02-14 2014-02-15 1
58.
Malicious sub-allocated ranges
• Feb 22nd, bad actors moved back to OVH
• Notable fact: they changed their MO; these IPs had been allocated and used in the past for other content -> evasion technique or resource recycling
• But during all this time, the bad actors still kept the name server infrastructure on OVH, on ranges reserved by the same customers
59.
Malicious sub-allocated ranges
• Name server IPs on OVH (IP, first seen, last seen, days active; the first six, still active on Feb 23-24, are highlighted on the slide):
198.50.143.73 2013-11-25 2014-02-24 91
198.50.143.69 2013-11-25 2014-02-24 91
198.50.143.68 2013-11-25 2014-02-24 91
198.50.143.67 2013-11-26 2014-02-24 90
198.50.143.65 2013-11-24 2014-02-23 91
198.50.143.66 2013-11-25 2014-02-23 90
198.50.143.64 2013-11-24 2014-01-25 62
198.50.143.75 2013-12-03 2013-12-10 7
198.50.143.79 2013-11-25 2013-12-10 15
198.50.143.78 2013-11-25 2013-12-10 15
198.50.143.74 2013-11-25 2013-12-10 15
198.50.143.72 2013-11-25 2013-12-10 15
198.50.143.71 2013-11-25 2013-12-10 15
198.50.143.76 2013-11-25 2013-12-09 14
198.50.143.70 2013-11-26 2013-12-09 13
198.50.143.77 2013-11-26 2013-12-05 9
60.
Malicious sub-allocated ranges
• http://labs.umbrella.com/2014/02/14/when-ips-go-nuclear/
• http://pastebin.com/SX5R69vY
• http://pastebin.com/KuxpNJwV
61.
Abused TLDs
• Nuclear has been abusing various TLDs, ccTLDs (Feb 2014)
• .pw for a while
• Take-down campaign with MalwareMustDie
• Moved to .ru and .in.net
• Then back to .pw
62.
Use Case 5: Predicting malicious domains' IP infrastructure
63.
Malicious sub-allocated ranges (Feb 2014)
• For Nuclear, in addition to the sub-allocated ranges reserved by the same actors (in the OVH case)
• The live IPs all have the same server setup (fingerprint):
• 31.41.221.131 to 31.41.221.143
  22/tcp  open  ssh      OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
  80/tcp  open  http     nginx web server 0.7.67
  111/tcp open  rpcbind
• 5.101.173.1 to 5.101.173.10
  22/tcp  open  ssh      OpenSSH 6.0p1 Debian 4 (protocol 2.0)
  80/tcp  open  http     nginx web server 1.2.1
  111/tcp open  rpcbind
64.
Malicious sub-allocated ranges (Feb 2014)
• 198.50.143.64 to 198.50.143.79
  22/tcp  open      ssh           OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
  80/tcp  open      http          nginx web server 0.7.67
  445/tcp filtered  microsoft-ds
• In some cases, IPs are brought online in small chunks
• The name server IPs also have the same fingerprint
• The combination of these different indicators has made predictions 100% accurate for the past months. Bad actors change their MO, but this approach works on other attacks
• -> We block/monitor IPs before they start hosting domains
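An added example, not the deck's code, that turns the indicators on the last few slides into a prediction: IPs whose entire DNSDB history is campaign domains are grouped into contiguous sub-allocated ranges, and each range is extended over neighbouring IPs that show the same service fingerprint but have no DNSDB history yet; those neighbours are the IPs to block or monitor before they host anything. The history rows, the fingerprints (nmap banners like the ones on the slides, collapsed into one string per IP), the campaign name pattern and all IP values are constructed.

```python
"""Predict exploit-kit hosting IPs from sub-allocated ranges plus a shared fingerprint.

Added example, not the deck's code. Input: the slides' 'IP first_seen last_seen' view
of DNSDB history and one fingerprint string per IP from active probing. Step 1 keeps
IPs whose whole history is campaign domains and groups them into contiguous ranges;
step 2 walks outward from each range over neighbours with the same fingerprint and
no history yet. Every IP, date, domain, fingerprint and the pattern is constructed.
"""
import ipaddress
import re
from collections import Counter
from datetime import date

# Constructed DNSDB history: ip -> (first_seen, last_seen, domains seen on that IP)
HISTORY = {
    "5.101.173.1": ("2014-02-14", "2014-02-15", ["k2j9x1.kino-hd.ru"]),
    "5.101.173.2": ("2014-02-15", "2014-02-16", ["p0qz7m.kino-hd.ru"]),
    "5.101.173.3": ("2014-02-16", "2014-02-17", ["a8d3ll.kino-hd.ru", "h5n2vv.kino-hd.ru"]),
    "5.101.173.4": ("2014-02-17", "2014-02-17", ["zz91kq.kino-hd.ru"]),
    "5.101.173.40": ("2013-06-01", "2014-02-20", ["shop.example.net", "mail.example.net"]),
    "31.41.221.131": ("2014-02-07", "2014-02-08", ["b7c2xd.kino-hd.ru"]),
    "31.41.221.132": ("2014-02-08", "2014-02-09", ["m4k8pp.kino-hd.ru"]),
    "31.41.221.133": ("2014-02-09", "2014-02-09", ["r5t6y7.kino-hd.ru"]),
    "31.41.221.134": ("2014-02-09", "2014-02-19", ["q1w2e3.kino-hd.ru"]),
}
# Constructed active-probe fingerprints, banners collapsed to "port/service" tokens
FP_SQUEEZE = "22/OpenSSH 5.5p1 Debian 6+squeeze4;80/nginx 0.7.67;111/rpcbind"
FP_WHEEZY = "22/OpenSSH 6.0p1 Debian 4;80/nginx 1.2.1;111/rpcbind"
FP_OTHER = "22/OpenSSH 5.3;80/Apache httpd 2.2.15"
FINGERPRINT = {f"5.101.173.{i}": FP_WHEEZY for i in range(1, 13)}
FINGERPRINT.update({"5.101.173.13": FP_OTHER, "5.101.173.40": FP_OTHER})
FINGERPRINT.update({f"31.41.221.{i}": FP_SQUEEZE for i in range(130, 136)})
FINGERPRINT["31.41.221.136"] = FP_OTHER
# Constructed Nuclear-style name pattern: six random chars under one 2LD
CAMPAIGN = re.compile(r"^[a-z0-9]{6}\.kino-hd\.ru$")


def days_active(first_seen, last_seen):
    """The 'days' column on the slides: last_seen minus first_seen."""
    return (date.fromisoformat(last_seen) - date.fromisoformat(first_seen)).days


def campaign_ips(history, pattern):
    """IPs whose entire DNSDB history matches the campaign pattern (exclusive use)."""
    ips = [ip for ip, (_, _, doms) in history.items()
           if doms and all(pattern.match(d) for d in doms)]
    return sorted(ips, key=lambda ip: int(ipaddress.ip_address(ip)))


def contiguous_ranges(ips):
    """Group numerically adjacent IPv4 addresses (already sorted) into (first, last) runs."""
    runs = []
    for ip in ips:
        n = int(ipaddress.ip_address(ip))
        if runs and n == runs[-1][1] + 1:
            runs[-1][1] = n
        else:
            runs.append([n, n])
    return [(str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b))) for a, b in runs]


def _span(first, last):
    a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(n)) for n in range(a, b + 1)]


def range_fingerprint(first, last, fingerprints):
    """Majority fingerprint over the range, or None if nothing in it was probed."""
    seen = Counter(fingerprints[ip] for ip in _span(first, last) if ip in fingerprints)
    return seen.most_common(1)[0][0] if seen else None


def predict_neighbours(first, last, fingerprints, history):
    """Walk outward from both ends of a campaign range while the neighbour shows the
    same fingerprint and has no DNSDB history: predicted, not yet observed, hosts."""
    fp = range_fingerprint(first, last, fingerprints)
    if fp is None:
        return []
    predicted = []
    for start, step in ((int(ipaddress.ip_address(first)) - 1, -1),
                        (int(ipaddress.ip_address(last)) + 1, 1)):
        n = start
        while 0 <= n <= 0xFFFFFFFF:
            ip = str(ipaddress.ip_address(n))
            if fingerprints.get(ip) != fp or ip in history:
                break
            predicted.append(ip)
            n += step
    return sorted(predicted, key=lambda ip: int(ipaddress.ip_address(ip)))


def predict(history=HISTORY, fingerprints=FINGERPRINT, pattern=CAMPAIGN):
    report = []
    for first, last in contiguous_ranges(campaign_ips(history, pattern)):
        report.append({
            "range": (first, last),
            "fingerprint": range_fingerprint(first, last, fingerprints),
            "longest_days": max(days_active(*history[ip][:2]) for ip in _span(first, last)),
            "predicted": predict_neighbours(first, last, fingerprints, history),
        })
    return report


if __name__ == "__main__":
    for r in predict():
        print(r["range"], r["longest_days"], "days;", "predicted:", r["predicted"])
```

The fingerprint is only as discriminating as the banners in it: a stock Debian image with nginx on port 80 matches far more hosts than one campaign, so the walk stops at the first neighbour whose banner differs and never jumps gaps. That is why the fingerprint is combined with the sub-allocated range and reseller signals rather than used alone, which is the same combination of indicators the slide above relies on.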
65.
Conclusion
• Predictive threat detection based on:
• Monitoring of DNS traffic (recursive and authoritative) and hosting infrastructure
• Shut down the bad actors' infrastructure at the hosting provider, reseller level or lowest common upstream ancestor (with bad reputation and repeated offenses)
66.
References
• Discovering Fast Flux domains using Machine Learning, presented at BSides New Orleans 2013
• Real time monitoring of Kelihos Fast Flux botnet, presented at APWG eCrime 2013
• Fast detection of malicious domains using DNS, presented at BSides Raleigh 2013
• The power of the team work – Management of Dissecting Kelihos Fast Flux Botnet "Unleashed", presented at BotConf 2013
67.
Contact Info
• Contact me at dhia@opendns.com if you are interested in:
• Asking questions
• Collaborating
• Twitter @DhiaLite
• Blogs http://labs.umbrella.com/author/dhia/
68.
Thank you (Q & A)