The document discusses how cybercriminals increasingly rely on DNS for botnet command and control, as DNS traffic can be used to covertly tunnel botnet communications and evade detection. It notes that botnets use techniques like dynamic DNS services and fluxing domain names to make their command and control architectures more robust and difficult to take down. The whitepaper argues that organizations must monitor and analyze DNS logs to detect if infected devices on their network are participating in botnet command and control activities over DNS.
In this issue we have Network Security in Tool Gyan, which sheds light on how to set up a secured network; Who Wants to be a Millionaire in Tool Gyan, check it out yourself to see what exactly it's all about ;) and TOR in Mom's Guide, for all those who thought 'It sounds very complicated to use, I'm not a hacker! I can't use it!', by our author Federico from Italy.
A Havoc Proof for Secure and Robust Audio Watermarking (CSCJournals)
Audio watermarking involves the concealment of data within a discrete audio file. Audio watermarking technology affords an opportunity to generate copies of a recording which are perceived by listeners as identical to the original but which may differ from one another on the basis of the embedded information. A highly confidential audio watermarking scheme using multiple scrambling is presented. Superior to other audio watermarking techniques, the proposed scheme is self-secured by integrating multiple scrambling operations into the embedding stage. To ensure that unauthorized detection without the correct secret keys is nearly impossible, the watermark is encrypted by a coded image; certain frames are randomly selected from the total frames of the audio signal for embedding, and their order of coding is further randomized. Adaptive synchronization improves the robustness against hazardous synchronization attacks, such as random sample cropping/inserting and pitch-invariant time stretching. The efficient watermarking scheme remains undetectable and robust even though the watermarking algorithm is open to the public.
Most any library can be a target, so join Blake Carver, the Owner of LISHost.org, and get some ideas on how to make your library and your home more secure. Carver covers privacy, as it is closely related to security, and should be taken seriously. He shares many ways to stay safe online, how to secure your browser, PC, and other devices you and your patrons use every day. He also tackles some common security myths, talks about secure passwords and network security, as well as hardware and PC security. Carver discusses security issues that you’ll find in your library as well as tricks sysadmins can do with servers to make things safer for you, and that you’ll never see as an end user.
NCompass Live - June 6, 2012.
A Secure Intrusion Detection System against DDOS Attack in Wireless Ad-Hoc Ne... (IJERA Editor)
MANET (Wireless Mobile Ad-hoc Network) is a technology used in society in daily life and in activities such as traffic surveillance and building construction; it is also applied on the battlefield. In a MANET there is no control of any node and no centralized controller, which is why each node has its own routing capability. Each node acts as a device and changes its connections to other devices.
The main problem of today's MANETs is security, because there is no centralized controller. Our main aim is to protect them from DDoS attacks in terms of flooding through messages, packet drop, end-to-end delay, energy dropping, etc. For that we are applying many techniques for saving the energy of nodes and identifying malicious nodes and types of DDoS attack, and in this paper we discuss these techniques.
Nowadays DNS is used to load balance, fail over, and geographically redirect connections. DNS has become so pervasive that it is hard to identify a modern TCP/IP connection that does not use DNS in some way. Unfortunately, due to the reliability built into the fundamental RFC-based design of DNS, most IT professionals don't spend much time worrying about it. If DNS is maliciously attacked — whether by altering the addresses it gives out or by taking it offline — the damage will be enormous. Whether conducted for political motives, financial gain, or just the notoriety of the attacker, the damage from a DNS attack can be devastating for the target.
In this research we will review different advanced DNS attacks and analyze them. We will survey some of the most common DNS vulnerabilities and ways of protecting against DNS attacks.
Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.
TechWiseTV Workshop: OpenDNS and AnyConnect (Robb Boyd)
Join this in-depth look and detailed demonstration of the OpenDNS Umbrella integration with AnyConnect and how it really can stop most threats before they become serious problems, protecting users anywhere they go, even when the VPN is off.
Watch the workshop replay: http://bit.ly/2bPT1ax
Watch the Video: http://bit.ly/2c60obv
We browse the Internet. We host our applications on a server or a cloud that is hooked up with a nice domain name. That’s all there is to know about DNS, right? This talk is a refresher about how DNS works. How we can use it and how it can affect availability of our applications. How we can use it as a means of configuring our application components. How this old geezer protocol is a resilient, distributed system that is used by every Internet user in the world. How we can use it for things that it wasn’t built for. Come join me on this journey through the innards of the web!
Primer on DNS tunneling used as a vector for data theft via malware and insider threats with mitigation techniques and pointers on improving outbound DNS security architecture.
BSidesLondon 20Th April 2011 - Arron "finux" Finnon
---------------------------------------------------------------------
The presentation's aim is to talk about how simple it is to deploy DNS tunnelling infrastructure at little or no cost. It also shows how to establish an SSH connection from target to attacker, and acts as a taster for people's further research.
----- for more about @F1nux go to www.finux.co.uk
New DNS Traffic Analysis Techniques to Identify Global Internet Threats (OpenDNS)
Leveraging DNS data to detect new Internet threats has been gaining in popularity in the past few years. However, most industry and academic work examines DNS solely from the authoritative layer through the use of passive DNS. This presentation covers three novel methods that can be used to detect network threats at an Internet scale by analyzing DNS traffic below and above the recursive layer, monitoring malware hosting IP infrastructures, and applying graph analytics on DNS lookup patterns.
23 June 2016, TokyoJS Revival
The source code sample I used in the presentation is here: https://gist.github.com/hachibeeDI/b765a9e99c0450a9d0900928aed3087b
CNIT 40: 1: The Importance of DNS Security (Sam Bowne)
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Website: https://samsclass.info/40/40_F16.shtml
Updated 8-21-17
DNS is critical network infrastructure and securing it against attacks like DDoS, NXDOMAIN, hijacking and Malware/APT is very important to protecting any business.
Solving the Visibility Gap for Effective Security (Lancope, Inc.)
Network visibility is a vital component of an effective security strategy, but many organizations lack the ability to identify threat activity in their environment. At Cisco, we have assessed the networks of thousands of organizations, and in nearly every instance, we discovered undocumented hosts, risky user behavior, or malicious activity.
Whether it is rogue servers, unauthorized connections, or ongoing data breaches, we’ve harnessed the power of network visibility to identify a variety of suspicious and malicious activity. Now let us share our knowledge with you.
Join Jeff Moncrief, Systems Engineering Manager at Cisco, to learn:
- The reality of how vulnerable enterprise networks are from endpoint to edge
- The security benefits of end-to-end network visibility
- Common problems solved with network visibility
- Stories of real-life threats hidden on networks we’ve assessed
- How to turn your network into a security sensor to gain critical visibility and threat detection capabilities
Botnets gained wide visibility in the last few years, becoming one of the most observed and dangerous threats in the malware landscape. This is mainly due to the fact that botnets represent a very valuable and flexible asset in the arsenal of hackers and APTs. We've seen botnets becoming real cyber-weapons, capable of targeting nations and the business of famous companies. For this reason, it is crucial to design techniques able to detect bot-infected hosts at different levels (enterprise, ISP, etc.). Different kinds of techniques have been studied and researched in recent years, in a never-ending race between attackers and defenders. In this work a representative set of the entire literature is analyzed, highlighting the different kinds of state-of-the-art approaches that researchers have followed with the ultimate goal of designing effective botnet detection solutions. The objective is to produce a taxonomy of botnet detection techniques, showing possible research directions in designing new techniques to mitigate the risks associated with botnet-based attacks.
BalCcon 2015 - DTS Solution - Attacking the Unknown by Mohamed Bedewi (Shah Sheikh)
Anonymization techniques are a double-edged sword: they can be used by journalists to communicate more safely with whistleblowers, or by malicious users to commit cyber-crimes without getting caught, but the problem is that neither party is anonymous nor safe from being exposed. In the presentation Mohamed discussed a tool he developed, "dynamicDetect", to de-anonymize TOR clients and browsers and extract the user's original IP address and fingerprint. The tool then uses this information as a launchpad to perform defensive and offensive actions against that TOR user.
This is a presentation about DNS Cache Poisoning which was presented to the Grey H@t club at Georgia Tech. It covers the basics of DNS, how DNS is vulnerable, the effect of exploiting DNS, and the Kaminsky attack.
Watchtowers of the Internet - Source Boston 2012 (Stephan Chenette)
Watchtowers of the Internet: Analysis of Outbound Malware Communication, Stephan Chenette, Principal Security Researcher, (@StephanChenette) & Armin Buescher, Security Researcher
With advanced malware, targeted attacks, and advanced persistent threats, it's not IF but WHEN a persistent attacker will penetrate your network and install malware on your company's servers and desktop computers. To get the full picture of the threat landscape created by malware, our malware sandbox lab runs over 30,000 malware samples a day. Network traffic is subsequently analyzed using heuristics and machine learning techniques to statistically score any outbound communication and identify command & control, back-channel, worm-like and other types of traffic used by malware.
Our talk will focus on the setup of the lab, major malware families as well as outlier malware, and the statistics we have generated to give our audience an exposure like never before into the details of malicious outbound communication. We will provide several tips, based on our analysis to help you create a safer and more secure network.
Stephan Chenette is a principal security researcher at Websense Security Labs, specializing in research tools and next generation emerging threats. In this role, he identifies and implements exploit and malcode detection techniques.
Armin Buescher is a Security Researcher and Software Engineer experienced in strategic development of detection/prevention technologies and analysis tools. Graduated as Dipl.-Inf. (MSc) with thesis on Client Honeypot systems. Interested in academic research work and published author of security research papers.
Network security monitoring elastic webinar - 16 June 2021 (Mouaz Alnouri)
The difference between successfully defending against an attack and falling victim to a compromise is your ability to understand what's happening in your network better than your adversary does. Choosing the right network security monitoring (NSM) toolset is crucial to effectively monitor, detect, and respond to any potential threats in an organisation's network.
In this webinar, we’ll uncover the best practices, trends, and challenges in network security monitoring (NSM) and how Elastic is being used as a core component to network security monitoring.
Highlights:
- What is network security monitoring (NSM)?
- Types of network data
- Common toolset
- Overcoming challenges with network security monitoring
- Using Machine Learning for network security monitoring
- Demo
Creating HAGRAT, a Remote Access Tool (RAT) and the related Command and Control (C2) infrastructure for penetration testing exercises that simulate persistent, targeted attacks.
18 September 2017 - ION Malta
DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So what needs to be done for DNSSEC to be deployed on a large scale? We'll discuss the reasons for deploying DNSSEC, examine some of the challenges operators have faced, and look at how to address those challenges and move deployment forward.
JMeter webinar - integration with InfluxDB and Grafana (RTTS)
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality (Inflectra)
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Generating a custom Ruby SDK for your web service or Rails API using Smithy (g2nightmarescribd)
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
UiPath Test Automation using UiPath Test Suite series, part 3 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GraphRAG is All You need? LLM & Knowledge Graph (Guy Korland)
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Essentials of Automations: Optimizing FME Workflows with Parameters (Safe Software)
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Connector Corner: Automate dynamic content and events by pushing a button (DianaGray10)
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 (Albert Hoitingh)
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
OpenDNS Whitepaper: DNS's Role in Botnet C&C
SECURITY WHITEPAPER
The Role of DNS in Botnet Command and Control (C&C)
DNS is powerful, ubiquitous and yet ignored by most organizations. Today, cybercriminals rely on DNS
for rallying infected devices to join a botnet and to mitigate takedowns by authorities. In 2011,
cybercriminals started covertly tunneling botnet communications over DNS traffic to mitigate
detection by security solutions, despite security researchers widely publishing this threat in 2004!
QUESTION: What do you know about 101.cnc.com?
• Are any devices outside your network trying to resolve such domain hostnames through your network?
• Are any devices within your network trying to resolve hostnames to that domain?
ANSWER: Analyze logs... Stored on:
• DNS servers, proxies or Web servers, or
• Firewalls.
RESULT: Post-damage forensics
• Locates infected devices delegated to be name servers for botnet C&C.
• Locates infected devices attempting to tunnel botnet C&C communications over DNS.
If you cannot answer the above questions, either because you don’t keep these logs, they’re not readily available, or you wouldn’t know how to analyze them, you’re likely blind to infected devices that have compromised your network by performing these botnet command and control (C&C) activities.
A botnet’s principal single point of failure, and its beacon to security researchers, is its Internet-wide C&C architecture. From 2007-8, cybercriminals began building distributed or hybrid C&C topologies leveraging more advanced DNS-based C&C rallying mechanisms, such as third-party dynamic DNS or their own distributed DNS services, to enable C&C communications to be redirected through their own distributed proxy service. Infected devices within insecure home or business networks host these services. DNS is used to add robustness and mobility, to remove single points of failure within the architecture and to provide anonymity for the cybercriminals running botnet C&C servers (see page 2). Fluxing the domain names and/or the IP addresses in the DNS records used by botnets makes them more difficult for the security community to take down or take over.
Today, most botnets rely on a mix of P2P-, HTTP- or IRC-based protocols to communicate between bots and/or C&C servers. However, in late 2011, security researchers began publishing papers and blogs on botnets, such as “Morto”, “Feederbot” and “Katusha/Timestamper”, using a covert C&C communication method known as DNS tunneling to add stealth.1 DNS tunneling is not new; it has existed since 1998, and the first implementation was published on Slashdot in 2000. In 2004, Dan Kaminsky widely presented his implementation to tunnel arbitrary data over DNS to the security community, but it lost the community’s short-term attention as other exploited DNS vulnerabilities, such as DNS cache poisoning, became more prevalent.2 Today, many popular DNS tunnels exist that are readily available for cybercriminals to build botnets that bypass firewall filters or Web proxies.3 Ethical hackers have constructed a reverse shellcode exploit that could provide cybercriminals VPN and remote access into an insecure network using valid DNS syntax to avoid detection.4 Furthermore, with the future adoption of DKIM, IPv6 and other extensions to the basic DNS protocol, big and complex packets within DNS traffic will become more common, helping DNS-based botnet C&C communications blend in more easily and efficiently, since they will appear normal in DNS query streams (see page 2).
In the arms race between cybercriminal organizations and the security community, C&C techniques have become so robust, stealthy and mobile that botnets are ubiquitous in both home and business networks, despite so-called “next generation” security solutions’ best attempts to prevent all malware. The “defense-in-depth” strategy needs to migrate from adding prevention layers to adding containment layers. DNS traffic is often examined after security incidents; for example, Google discovered the advanced and persistent “Aurora” botnet that breached its network by analyzing DNS logs after the damage had occurred. The most costly damage is no longer the lost time for IT to remediate infected devices, but the stolen data enclosing sensitive company or personal information for legal and regulatory bodies to resolve.
[Figure: “Defense-in-depth” strategy migration. Detect malware (infected device / insecure network) → Prevent malware (uninfected device / secure network) → Contain botnets (infected device / secure network).]
1 http://bit.ly/Symantec_Morto, http://bit.ly/Dietrich_Feederbot, http://bit.ly/CHMag_Katusha
2 http://bit.ly/Kaminsky_DNStunneling
3 http://bit.ly/NSTX_DNS, http://bit.ly/OzymanDNS, http://bit.ly/TCP-over-DNS, http://bit.ly/Iodine_DNS, http://bit.ly/Dns2tcp, http://bit.ly/DNScat, http://bit.ly/DeNiSe
4 http://bit.ly/Shellcode
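The two log questions above, worked as an added example that is not part of the OpenDNS whitepaper: a small Python triage over constructed resolver log lines of the form "client_ip qname qtype". The internal address ranges and the placeholder domain cnc.example are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example: the organization's internal ranges and a
# placeholder C&C domain standing in for one named in a threat report.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
SUSPECT_DOMAIN = "cnc.example"

# Constructed resolver log lines (not from the whitepaper): "client_ip qname qtype".
SAMPLE_LOG = """\
10.1.4.22 www.example.org A
10.1.4.22 mail.example.org MX
10.1.9.7 101.cnc.example A
10.1.9.7 flux.cnc.example A
198.51.100.14 ns1.cnc.example A
198.51.100.14 8f3a.cnc.example TXT
192.168.3.5 cdn.example.net A
203.0.113.9 update.cnc.example A
not-an-ip bad.cnc.example A
"""


def is_internal(ip_text):
    """True for addresses inside our ranges; raises ValueError on junk input."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETS)


def in_domain(qname, domain):
    """Case-insensitive match of qname against the domain or any name below it."""
    q = qname.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


def triage(log_text, domain=SUSPECT_DOMAIN):
    """Answer the whitepaper's two questions for one domain.

    external_clients: outside addresses resolving the domain through our
        resolver. Either the resolver is open to the Internet, or a host of
        ours has been delegated as a name server for the botnet.
    internal_clients: inside addresses resolving hostnames under the domain,
        i.e. the likely infected devices. Each client maps to the sorted
        (qname, qtype) pairs it asked for, so uncommon types stand out.
    """
    external, internal = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, qname, qtype = parts
        if not in_domain(qname, domain):
            continue
        try:
            bucket = internal if is_internal(client) else external
        except ValueError:
            continue  # unparsable client address; worth logging in real use
        bucket[client].add((qname.lower(), qtype.upper()))
    return {"external_clients": {c: sorted(v) for c, v in external.items()},
            "internal_clients": {c: sorted(v) for c, v in internal.items()}}


if __name__ == "__main__":
    for group, clients in triage(SAMPLE_LOG).items():
        print(group, clients)
```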
2.
[Figure: Evolution of Botnet C&C. Timeline from 1983 to 2012 and the future, with rows for P2P-, HTTP-, IRC- and DNS-based C&C. Milestones: first benign IRC bot; first malicious IRC bot; first IRC-based botnets; DNS tunneling; first HTTP-based botnets; first Web site/service-based botnets; DNS tunneling developed for cybercrime; first prototype fully P2P-based botnet; IP flux (single); IP flux (double); first successful P2P-based botnets; first hybrid P2P/HTTP-based botnets; bots change host DNS settings; domain flux; Web services seed domain flux crypto; first fully DNS-based botnets (future). Phases: malware (virus, worms, trojans, etc.) infecting devices are isolated; infected devices are connected to form robot networks (aka. botnets); botnets are ubiquitous.]
[Figure: Centralized, distributed and hybrid (one example) C&C topologies. DNS-based rallying mechanisms (dynamic and distributed DNS services) help cybercriminals stop takedowns by removing single points of failure; DNS traffic and HTTP traffic can be redirected through the same bot (labels: ns1.cnc.tld, ns2.cnc.tld, flux.cnc.tld, cnc.tld, distributed proxy services, HTTP GET to C&C on port 80/443).]
[Figure: DNS tunneling for covert C&C communications. DNS-based C&C communication helps avoid detection by blending in on a network that only allows basic port 53 resolvers and has no sinkhole, no proxy and no filter: leaked data is carried in queries of the form “where is <data>.cnc.tld?” and commands are returned in responses of the form “cnc.tld is at <data>”, so data is stolen and control is maintained over DNS alone.]
3.
The Past, Present and Future of Significant Botnet C&C Techniques

| C&C Attributes | Past | Present | Future |
| --- | --- | --- | --- |
| RALLYING MECHANISMS | Centralized topology using static IP lists | Distributed or hybrid topology using domain flux and/or IP flux (via DNS records) | |
| > Static Lists | IP addresses | Domain names and/or IP addresses | |
| > Domain Flux > Seeding | Predictable timestamp | Dynamic content hidden on popular websites (e.g. Twitter trends) that can be customized in do-it-yourself kits | |
| > Domain Flux > Crypto | Static | Frequently changing | |
| > Domain Flux > Names | Random characters | Dictionary word combinations | |
| > Domain Flux > Volume | Hundreds of domains | Tens of thousands of domains | |
| > IP Flux > Records | Single flux networks changing A resource records (first seen in the Storm/Peacomm botnets in 2007) | Double flux networks changing both A and NS resource records (first seen in the Asprox botnet in 2008) | |
| > IP Flux > Service | Existing dynamic DNS services or “personalized” third-level domain (3LD) services. Alternatively, custom DNS servers on bulletproof hosts, which allow a cybercriminal to bypass the laws or contractual terms of service regulating Internet content and service use in their country of operation and are unlikely to cooperate with authorities. | As dynamic DNS services are taking a more aggressive stance against botnet abuse, and governments are cooperating more quickly with the security community, cybercriminals are building their own distributed DNS services using multiple compromised hosts. Often these are initially bootstrapped via custom DNS servers on bulletproof hosts. | |
| COMMUNICATION | Centralized topology using IRC- or HTTP-based protocols | Distributed or hybrid topology using P2P- and/or HTTP-based protocols | Hybrid topology with protocol tunneling such as DNS traffic |
| > IRC > Client | Common IRC client | Cybercriminal’s custom IRC client | |
| > HTTP > DIY Kits | Paid do-it-yourself malware exploit kits (e.g. Mpack, ICEPack, Fiesta) | Paid or open-source do-it-yourself botnet kits (e.g. Zeus, SpyEye, TDSS) | |
| > HTTP > Protocol | Unencrypted | Encrypted | |
| > HTTP > Hosts | Privately owned Web servers | Public Web 2.0 services (e.g. Amazon Elastic Compute Cloud, Google App Engine) and social network sites (e.g. Twitter, Facebook, Google Groups) | |
| > P2P > Port | Non-standard port numbers used by P2P protocols | Standard port numbers used by common encrypted protocols (e.g. SSH, HTTPS) | |
| > P2P > Protocol | Unauthenticated | Authenticated | |
| > P2P > Discovery | Centralized in cache servers | Distributed hash tables across the network | |
| > DNS | Not used | Phone home, data exfiltration and/or bot instructions | Trickled, non-consecutive DNS queries over long time periods to further mitigate detection |
4.
C&C RALLYING MECHANISM DESCRIPTIONS
The rallying mechanism enables new bots to locate their peers or the C&C servers and join the botnet. While rallying can also be related to botnet recruitment and propagation, the following mechanisms are only for the purposes of networking the bots.
If the security community is 100% successful in shutting down or hijacking the rallying mechanisms, the botnet falls apart into a benign collection of discrete, unorganized infections. However, if even a few C&C servers remain alive, the botnet can adapt and reconfigure itself to remain undetected or protected behind the virtual walls of international jurisdiction. Several movie analogies come to mind, such as Terminator’s shape-shifting T-1000 series cyborg or Star Trek’s Borg collective; both these entities are very resilient unless the entire control mechanism is eliminated. Today, botnets use a hybrid of up to all three of the following techniques, where one may initiate the rallying, one maintains the rallying, and another backs up the rallying if the other one or two are disrupted.
Static Lists
Early botnets primarily used hardcoded static lists of IP addresses or domain names. However, many firewalls can add an optional feed of known bad IP addresses to help mitigate this legacy technique, and it is often not agile enough for today’s large botnet operations. While some compromised hosts will initially rely on static IPs to bootstrap communications with the botnet, they then switch to one of the following, more robust methods. For added mobility, cybercriminals used domain names with round-robin/multi-homing techniques to associate multiple IP addresses with a single DNS record, or dynamic DNS services, but without abusing them via IP flux, which is described next.
Domain Flux
The botnet uses domain names cryptographically generated by a Domain Generation Algorithm (DGA), which makes it more difficult for static reputation systems to maintain an accurate list of all possible C&C domains, or for the security community to attempt to hijack the domain. Many cybercriminals register only a few of the possible generated domains at a time using dynamic DNS services. In limited recent cases such as the “Android bot”, URL Flux has been used, which is similar to domain flux in that the bot uses a list of usernames generated by a Username Generation Algorithm (UGA) from which it selects a username to visit on a Web 2.0 site.
IP Flux
Modern botnets primarily use one or more hard-coded domain names for DNS servers to resolve to many different IP addresses over a short span of time. This technique is also widely known as “Fast Flux” Service Networks (FFSN), as it is also associated with spam and phishing attacks. However, the term “IP Flux” best describes the result of rapidly changing the location (i.e. IP address) to which the domain name of an Internet host (A) or authoritative name server (NS) resolves, caused by rapid and repeated changes to DNS records using very low time-to-live (TTL) cache settings. Relative to using IP lists, taking down malicious DNS records is often more difficult than taking down compromised IP addresses, because many records can be established for the same or many IP addresses.
These locations are actually a network of compromised hosts that act as front-end nodes to proxy DNS and C&C communication protocols to a group of backend C&C servers, commonly referred to as a “fast flux mothership” (see page 2). This second layer of abstraction further increases the anonymity, security, high availability and load balancing of the botnet. It makes it nearly impossible to filter only by IP address, ASN or geo-location, and adds resiliency to takedown attempts as it shifts the centralizing agent of control from the C&C servers to the distributed DNS architecture. In many ways the idea is comparable to Content Delivery Networks (CDN). It has evolved and advanced since The Honeynet Project Research Alliance first discovered its use.
The evolution for cybercriminals to use their own authoritative name servers has added greater robustness and mobility to IP Flux, and makes successful takedown more difficult for the security community. Alternatively, if the compromised devices are redirected to the cybercriminals’ own recursive DNS servers, bots are able to resolve domain names to different IP addresses relative to the rest of the Internet, so, for example, if a security researcher or other network device tries to access the domain, it may appear not to exist. It also allows the bot to resolve well-known domain names (e.g. google.com) to C&C servers.
5.
C&C COMMUNICATION DESCRIPTIONS
Once the bots have joined the botnet, they regularly maintain communications to receive new commands, send data back to the C&C servers, such as sensitive company or personal information, or learn how to adapt in response to the security community’s efforts to disrupt or take down the botnet’s operations. There are advantages and disadvantages, as the following table explains.

| Evolution | Past | Present |
| --- | --- | --- |
| Topology | Centralized | Distributed or hybrid, yet many are still centralized |
| Protocols | IRC or HTTP | P2P |
| Setup | Easy | Hard |
| Detection | Easy | Hard |
| Communication | Small delays | Small to medium delays |
| Resiliency | Bad | Good |
| Anonymity | Bad | Good |

Based on the communication topology, different push and pull control mechanisms will be used together with the communication protocol. Also, command authentication, such as passwords or encryption certificates, can be added to the communication protocol to help mitigate outsiders taking command of the botnet from the cybercriminals, especially with P2P-based protocols.

| Direction / Topology | Centralized | Distributed |
| --- | --- | --- |
| Push | IRC-based protocols | DDoS & spam attacks |
| Pull | HTTP-based protocols, IP Flux rallying mechanisms | P2P-based protocols |

Centralized Topologies
All early botnets, and still the majority of botnets today, use centralized topologies via HTTP-based, IRC-based or other protocols because they are easier to set up and ensure that new commands are disseminated to large botnet populations quickly. However, centralized C&C servers are easier to detect and become a single point of failure for the botnet (see page 2).
Centralized Communications via IRC-based Protocols
Only one year after the IRC protocol was invented in 1988, programmers created the first bots to enable chat room (aka. channel) operators to log in, ensure the channel remained open, and to give them non-malicious control. At the turn of the century, many first-generation cybercriminals were very familiar with IRC as a simple, synchronized and scalable means to chat between thousands of hosts, so it was a natural evolution to utilize it for the first C&C communications in 1999. Despite the advent of instant-messaging (IM) protocols such as ICQ, AIM, and MSN Messenger that gained popularity over IRC for the masses, many “old school” networking and security professionals still use IRC. In fact, the original C&C functionality of three evolved IRC-based bot families – Agobot, SDBot, and GTBot – still constitutes a large percentage of today’s botnet infections, especially since some of the source code was published by its author, with occasional infections by variants of the DSNX, Q8, kaiten, and Perlbot IRC-based families. While almost the same in principle as IRC, there have been only a few botnets based on IM protocols, due to the difficulty of creating individual IM accounts for each bot.
Centralized Communications via HTTP-based Protocols
However, as the security community adapted to use network firewalls to block seldom used or unnecessary ports at the Internet gateway, cybercriminals realized that a more ubiquitous C&C protocol was needed to blend in with normal user traffic. Ports 80 and 443, used for unencrypted and encrypted Web traffic over HTTP/S, are almost universally allowed through firewalls, and a few GET and POST requests used for C&C can easily be lost amongst the exponentially growing volume of legitimate Web traffic. HTTP-based botnets greatly accelerated with advances in do-it-yourself kits, developed mainly by professional Russian cybercriminals for aspiring amateur cybercriminals, and in mid-2011 several botnet kits were leaked. Recently, public or social Web services have been gaining popularity as C&C hosts via obfuscated commands, due to their added anonymity, openness and scalability. However, the security research community can also leverage this openness to quickly shut such botnets down. IDS/IPS solutions can often detect suspicious URI strings or nonstandard HTTP headers (e.g. Entity-Info, Magic-Number) used by botnets (e.g. Bredolab).
Centralized Communications via Other Protocols
FTP isn‘t commonly seen in the wild; however, several phishing or banking Trojan horses regularly drop off stolen data to FTP servers. Some botnets use custom UDP-only protocols, which, while easily blocked by business networks, are often able to bypass misconfigured firewalls.
6.
Distributed Topologies (via P2P-based protocols)
Peer-to-peer (P2P) communications were created to distribute file sharing (e.g. MP3s) amongst large populations. From 1999 to 2003, P2P topologies and protocols quickly evolved to add robustness, stealth and mobility against the recording industry’s and ISPs’ attempts to disrupt communications and/or prosecute guilty individuals; exactly what cybercriminals also seek for their botnet C&C communications. Using structured P2P communications as a C&C topology was first envisioned as early as 2000, but the first botnets to use it appeared in 2003, the security research community began to publish its use in 2005, and it wasn’t until 2006 that they achieved some limited success. The bots are able to loosely communicate amongst their peers using the same or similar non-RFC TCP, UDP (used to bypass NAT situations) or encrypted ICMP protocols as many file sharing clients (see page 2). This topology offers the botnet better anonymity and resiliency without any single points of failure, at the expense of higher setup overhead and communication latency. However, since the knowledge about participating peers is distributed throughout the botnet itself, which gives the security research community equal access to this information, cybercriminals evolved the standard P2P protocols to include proprietary authentication.
A future evolution for P2P-based botnet C&C would be to blend in with common encrypted P2P protocol traffic found ubiquitously within business networks. Fortunately, only one such protocol really exists today: Skype. Despite known malware instances using Skype plugins and its API, to the best of the security community’s knowledge, Skype-based botnets are still exclusively theoretical. In 2005, researchers presented an extremely distributed C&C topology using random, unstructured P2P communications broadcast to any other available peers. While one of the very first experimental P2P botnets in 2003 had used such a method, it was not successful, and no other botnets have since been reported to use this topology.
Hybrid Topologies
Advanced hybrid, hierarchical C&C architectures combine the stealth of a few centralized C&C servers and the robustness of distributed peers to prevent takedown. For example, one group of bots act as servants, since they behave as both clients and servers; these have static, non-private IP addresses and are accessible from the global Internet. The second group of bots only act as clients, since they don’t accept incoming connections. The second group contains the remaining bots, including: (1) bots with dynamic IP addresses; (2) bots with private IP addresses; or (3) bots behind firewalls such that they cannot be connected to from the global Internet. Only servant bots are candidates in peer lists. Another example is the Hierarchical Kademlia bot, which extends the base Kademlia bot. Each level in the hierarchy consists of a set of clusters or islands of bots. These clusters use Kademlia for intra-cluster communication. Each cluster has a super peer that is responsible for communicating with other super peers in the next level up in the hierarchy. The super peers thus facilitate inter-cluster communication (see page 2).
Overall, despite the advancements that cybercriminals have developed, some of the oldest botnet C&C communication techniques are still being used today due to their availability via open or leaked source code, or do-it-yourself kits. The table below provides a few data points published by the security community over the past few years.

| C&C Communications | Apr 2008 (Arbor Networks) | 2008 (Symantec) | 2009 (Symantec) | Q2 2010 (Microsoft) | 2011 (govcert.nl) |
| --- | --- | --- | --- | --- | --- |
| Centralized / IRC | 90% | 44% | 31% | 38.2% | 30% |
| Centralized / HTTP | 4% | 57% | 69% | 29.1% | |
| Distributed / P2P | 5% | n/a | n/a | 2.3% | 70% |
| Other | 1% | n/a | n/a | 30.5% | |
7.
DNS-based Communications within Any Topology
Essentially, DNS records are abused to traffic data in and out of a network. Every type of record (NULL, TXT, SRV, MX, CNAME or A) can be used, but the speed of the connection differs by the amount of data that can be stored in a single record (see page 2).
The outbound phase starts with the bot on the compromised device requesting a response from the local host or network DNS server for a DNS query to [data].cnc-domain.tld. The data (base32-encoded) is split and placed in the third- and lower-level domain name labels of multiple queries. Since there will be no cached response on either local DNS server, the requests are forwarded to the ISP’s recursive DNS servers, which in turn will get responses from the cybercriminal’s authoritative name server.
For the inbound phase, TXT records can store the most data (base64-encoded), as typically suggested in DNS tunnel implementations, up to 110 kbps, but they may not be ideal for botnets that want to avoid detection by network devices, since these are not common records. Unfortunately, simply blocking TXT records as a defense method is insufficient, because it will break other protocols (e.g. SPF, DKIM), and alternative DNS records such as CNAME are common and, used in series, can still transmit detailed instructions for the compromised host to act on.
Alternatively, if two-way communication is not necessary, either the queries or the responses can exclude the encoded outbound or inbound data, respectively. This would make the transfer more inconspicuous, to avoid anomaly detection systems.
At present, there are not many countermeasures cited by the security community that are “silver bullets” to detect DNS-based botnet C&C communications. While some larger, security-aware organizations could use techniques such as “split horizon” DNS to force internal hosts to send their DNS requests only through the network DNS server, and then use statistical anomaly detection (aka. signatures) on this DNS traffic, there are unfortunately little to no readily-available signatures that are well tested to both guarantee protection and cause no false positives.
Notable Quote from Ed Skoudis, Founder of Counter Hack Challenges and SANS Fellow (Feb 2012)
“Number of malware threats that receive instructions from attackers through DNS is expected to increase, and most companies are not currently scanning for such activity on their networks, security experts said at the RSA Conference 2012 on Tuesday. While most malware-generated traffic passing through most channels used for communicating with botnets (such as TCP, IRC, HTTP or Twitter feeds and Facebook walls) can be detected and blocked, it's not the case for DNS (Domain Name System) and attackers are taking advantage of that.”
http://www.circleid.com/posts/malware_increasingly_uses_dns_as_command_and_control_channel/
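The statistical anomaly detection mentioned above, worked as an added example that is not part of the OpenDNS whitepaper: a Python scorer run over constructed resolver log lines ("epoch client qname qtype") that looks for the outbound-phase traits the paper describes, i.e. never-cached unique names carrying long, high-entropy lower-level labels from the base32 alphabet, and repeated use of uncommon record types. The thresholds, the two-label approximation of the registered domain and the sample names are assumptions for the example.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (not from the whitepaper): "epoch client qname qtype".
# The data-carrying labels are arbitrary base32-looking strings made up for this example.
SAMPLE_LOG = """\
1330000000 10.1.9.7 www.example.org A
1330000001 10.1.9.7 mail.example.org MX
1330000002 10.1.9.7 nbswy3dpeb3w64tmmq.cnc-domain.tld A
1330000003 10.1.9.7 krsxg5a.cnc-domain.tld TXT
1330000004 10.1.9.7 onswg4tfor3w64tmmq.cnc-domain.tld TXT
1330000005 10.1.9.7 mfrgg2lefzsxe.cnc-domain.tld CNAME
1330000006 10.1.9.7 gezdgnbvgy3tqojq.cnc-domain.tld A
1330000007 10.1.4.22 static.example.net A
1330000008 10.1.4.22 img.example.net A
1330000009 10.1.4.22 api.example.net A
"""

BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")  # RFC 4648 base32, lower-cased
UNCOMMON_TYPES = {"TXT", "NULL"}  # rarely queried by ordinary client hosts
# Thresholds are assumptions for this example, not figures from the whitepaper.
MIN_QUERIES, MIN_UNIQUE_RATIO, MIN_MEAN_SUB_LEN, MIN_MEAN_ENTROPY = 3, 0.8, 12, 3.0


def shannon_entropy(s):
    """Bits per character; encoded payloads score far above ordinary host names."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def split_name(qname):
    """Return (lower-level labels, registered domain). Simplification: the registered
    domain is the last two labels; a public-suffix list is needed for e.g. example.co.uk."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def domain_features(log_text):
    """Per registered domain: query count, share of unique names (tunnels never repeat a
    name, so nothing is cached), mean length and entropy of the concatenated lower labels,
    share of base32-alphabet characters, and number of uncommon record types."""
    raw = defaultdict(lambda: {"n": 0, "names": set(), "lens": [], "ents": [],
                               "b32": 0, "chars": 0, "uncommon": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, _client, qname, qtype = parts
        sub, domain = split_name(qname)
        body = sub.replace(".", "")  # the data labels, concatenated
        s = raw[domain]
        s["n"] += 1
        s["names"].add(qname.lower())
        s["lens"].append(len(body))
        s["ents"].append(shannon_entropy(body))
        s["chars"] += len(body)
        s["b32"] += sum(ch in BASE32_ALPHABET for ch in body)
        s["uncommon"] += qtype.upper() in UNCOMMON_TYPES
    return {d: {"queries": s["n"],
                "unique_ratio": len(s["names"]) / s["n"],
                "mean_sub_len": sum(s["lens"]) / s["n"],
                "mean_entropy": sum(s["ents"]) / s["n"],
                "base32_fraction": s["b32"] / s["chars"] if s["chars"] else 0.0,
                "uncommon_types": s["uncommon"]}
            for d, s in raw.items()}


def suspected_tunnels(log_text):
    """Domains whose queries look like encoded outbound data, or that lean on record
    types ordinary clients rarely ask for. Returns {domain: features}."""
    flagged = {}
    for domain, f in domain_features(log_text).items():
        if f["queries"] < MIN_QUERIES:
            continue  # too little traffic to judge
        looks_encoded = (f["unique_ratio"] >= MIN_UNIQUE_RATIO
                         and f["mean_sub_len"] >= MIN_MEAN_SUB_LEN
                         and f["mean_entropy"] >= MIN_MEAN_ENTROPY)
        if looks_encoded or f["uncommon_types"] >= 2:
            flagged[domain] = f
    return flagged
```

Trickled queries spread over long periods, as the table on page 3 anticipates, defeat a single short window, so in practice the same features should be accumulated per domain over days rather than minutes.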