SlideShare a Scribd company logo

Passive DNS Collection – Henry Stern, Cisco

Henry Stern
Henry Stern
1 of 11
Download to read offline
Cisco Confidential 1© 2010 Cisco and/or its affiliates. All rights reserved. Cisco CSIRT’s Passive DNS Collection and Searching System Henry Stern
Cisco Confidential 2© 2010 Cisco and/or its affiliates. All rights reserved.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3 •  Complex data: Time, source, destination, question, answer, additional records. •  What did a name resolve to and when? •  What else resolved to this IP? •  What else is served by this name server? •  Solution: Passive DNS Replication •  https://dnsdb.isc.org/ •  http://www.bfk.de/bfk_dnslogger.html •  http://www.enyo.de/fw/software/dnslogger/
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4 •  Simple data: Source IP. Destination IP. Question – qname and qtype. •  Great for forensics. •  Who looked up this name? •  Who is a member of this botnet? •  What did this host look up?
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6 •  130k active Windows hosts at any given time. •  90k active Linux hosts at any given time. •  10 billion Netflows captured at zone boundaries. •  IDS sensors at all zone boundaries. •  1 Tb of security event log data. •  13 data centres, DMZs covered with PDNS. •  4 billion DNS and NetBIOS packets captured per day. •  300gb of traffic captured per day.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7 •  Data captured with ncaptool. •  Search engine written in Python+Pyrex. •  Uses libbind/Strangle, pyncap, IPy, pySubnetTree, list2re, pybloomfilter. •  Files are indexed with a Bloom filter. Quickly determines whether a file contains entries that match a query. Pre-computation by cron job. •  Distributed search client/server. JSON-based protocol. Use SSL certs for authentication. Future: Switch to HTTPS+SRP.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8 usage: pdns-search [-h] [--src-ip [SRC_IP [SRC_IP ...]]] [--dst-ip [DST_IP [DST_IP ...]]] [--qname [QNAME [QNAME ...]]] [--qtype [QTYPE [QTYPE ...]]] [--nbname [NBNAME [NBNAME ...]]] [--nbtype [NBTYPE [NBTYPE ...]]] [--nbsuffix [NBSUFFIX [NBSUFFIX ...]]] [--max-results MAX_RESULTS] [--start START] [--end END] [--no-extract] [--no-expand] [--no-progress] [--print-server] [--print-protocol]
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9 $ pdns-search --qname bfisback.no-ip.org --max-results 4! ! ! ! ! ! ! ! ! ! ! Search: 100% |################| Time: 0:00:03 Files: 780/780! Timestamp Source Destination QName QType 2012-08-21 12:26:28 ELIDED 64.102.255.44 bfisback.no-ip.org A 2012-08-21 12:26:28 64.102.255.43 69.65.40.108 bfisback.no-ip.org A 2012-08-21 13:03:19 ELIDED 64.102.255.44 bfisback.no-ip.org A 2012-08-21 13:03:19 64.102.255.43 69.72.255.8 bfisback.no-ip.org A
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10 •  Fill in gaps in Netflow coverage. •  Alert on queries for dangerous domain names. •  Look for patterns in queries to discover C2 servers. •  Monitor queries about high-value targets. •  Watch for new names hosted on dangerous networks. •  Discover new dangerous networks.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11 •  Tell us when DNS responses have changed. •  Automatically feed the data to other systems. •  Integrate our searches with external systems. Logs (Splunk) Flows (Lancope) SenderBase Network Participation

Recommended

Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...APNIC
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNIJisc
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootMen and Mice
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
7 technical-dns-workshop-day3
7 technical-dns-workshop-day37 technical-dns-workshop-day3
7 technical-dns-workshop-day3DNS Entrepreneurship Center
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksMen and Mice
 

Recommended

Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...APNIC
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNIJisc
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootMen and Mice
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
7 technical-dns-workshop-day3
7 technical-dns-workshop-day37 technical-dns-workshop-day3
7 technical-dns-workshop-day3DNS Entrepreneurship Center
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksMen and Mice
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4DNS Entrepreneurship Center
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsMen and Mice
 
DNS-SD Extentions
DNS-SD ExtentionsDNS-SD Extentions
DNS-SD ExtentionsNina Buchina
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1DNS Entrepreneurship Center
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
 
Rate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusRate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusNGINX, Inc.
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureSam Bowne
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
Thoughts about DNS for DDoS
Thoughts about DNS for DDoSThoughts about DNS for DDoS
Thoughts about DNS for DDoSAPNIC
 
6 technical-dns-workshop-day3
6 technical-dns-workshop-day36 technical-dns-workshop-day3
6 technical-dns-workshop-day3DNS Entrepreneurship Center
 
CNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecurityCNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecuritySam Bowne
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
 
Kea DHCP – the new open source DHCP server from ISC
Kea DHCP – the new open source DHCP server from ISCKea DHCP – the new open source DHCP server from ISC
Kea DHCP – the new open source DHCP server from ISCMen and Mice
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsMen and Mice
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
4 technical-dns-workshop-day2
4 technical-dns-workshop-day24 technical-dns-workshop-day2
4 technical-dns-workshop-day2DNS Entrepreneurship Center
 
DNS-SD
DNS-SDDNS-SD
DNS-SDnetvis
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?Men and Mice
 
BRKSEC-3144.pdf
BRKSEC-3144.pdfBRKSEC-3144.pdf
BRKSEC-3144.pdfHaitamSouissi1
 
"Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk"
"Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk""Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk"
"Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk"Rinaldi Rampen
 

More Related Content

What's hot

The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsMen and Mice
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
 
Rate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusRate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusNGINX, Inc.
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureSam Bowne
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
Thoughts about DNS for DDoS
Thoughts about DNS for DDoSThoughts about DNS for DDoS
Thoughts about DNS for DDoSAPNIC
 
CNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecurityCNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecuritySam Bowne
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
 
Kea DHCP – the new open source DHCP server from ISC
Kea DHCP – the new open source DHCP server from ISCKea DHCP – the new open source DHCP server from ISC
Kea DHCP – the new open source DHCP server from ISCMen and Mice
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsMen and Mice
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
DNS-SD
DNS-SDDNS-SD
DNS-SDnetvis
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?Men and Mice
 

What's hot (20)

8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rolls
 
DNS-SD Extentions
DNS-SD ExtentionsDNS-SD Extentions
DNS-SD Extentions
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
 
Rate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusRate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX Plus
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and Architecture
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
 
Thoughts about DNS for DDoS
Thoughts about DNS for DDoSThoughts about DNS for DDoS
Thoughts about DNS for DDoS
 
6 technical-dns-workshop-day3
6 technical-dns-workshop-day36 technical-dns-workshop-day3
6 technical-dns-workshop-day3
 
CNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecurityCNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS Security
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breaches
 
Kea DHCP – the new open source DHCP server from ISC
Kea DHCP – the new open source DHCP server from ISCKea DHCP – the new open source DHCP server from ISC
Kea DHCP – the new open source DHCP server from ISC
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
4 technical-dns-workshop-day2
4 technical-dns-workshop-day24 technical-dns-workshop-day2
4 technical-dns-workshop-day2
 
DNS-SD
DNS-SDDNS-SD
DNS-SD
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?
 

Similar to Passive DNS Collection – Henry Stern, Cisco

"Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk"
"Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk""Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk"
"Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk"Rinaldi Rampen
 
Honeypots and Security
Honeypots and SecurityHoneypots and Security
Honeypots and SecurityAPNIC
 
Devicemgmt
DevicemgmtDevicemgmt
Devicemgmtxyxz
 
Blue Teaming On A Budget
Blue Teaming On A BudgetBlue Teaming On A Budget
Blue Teaming On A BudgetKevinRiley83
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People SPC Adriatics
 
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...Positive Hack Days
 
Sqrrl February Webinar: Breaking Down Data Silos
Sqrrl February Webinar: Breaking Down Data SilosSqrrl February Webinar: Breaking Down Data Silos
Sqrrl February Webinar: Breaking Down Data SilosSqrrl
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?APNIC
 
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderHSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderSplend
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)Martin Schütte
 
Host Intrusion Detection like a Boss
Host Intrusion Detection like a BossHost Intrusion Detection like a Boss
Host Intrusion Detection like a BossAndré Lima
 
Splunking configfiles 20211208_daniel_wilson
Splunking configfiles 20211208_daniel_wilsonSplunking configfiles 20211208_daniel_wilson
Splunking configfiles 20211208_daniel_wilsonBecky Burwell
 
Why favour Icinga over Nagios - Rootconf 2015
Why favour Icinga over Nagios - Rootconf 2015Why favour Icinga over Nagios - Rootconf 2015
Why favour Icinga over Nagios - Rootconf 2015Icinga
 
Update on IPv6 activity in CERNET2
Update on IPv6 activity in CERNET2Update on IPv6 activity in CERNET2
Update on IPv6 activity in CERNET2APNIC
 
Analyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-timeAnalyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-timeDataWorks Summit
 
Building a Linux IPv6 DNS Server Project review PPT v3.0 First review
Building a Linux IPv6 DNS Server Project review PPT v3.0 First reviewBuilding a Linux IPv6 DNS Server Project review PPT v3.0 First review
Building a Linux IPv6 DNS Server Project review PPT v3.0 First reviewHari
 

Similar to Passive DNS Collection – Henry Stern, Cisco (20)

BRKSEC-3144.pdf
BRKSEC-3144.pdfBRKSEC-3144.pdf
BRKSEC-3144.pdf
 
"Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk"
"Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk""Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk"
"Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk"
 
Honeypots and Security
Honeypots and SecurityHoneypots and Security
Honeypots and Security
 
Security myth of i pv6 and dns64
Security myth of i pv6 and dns64Security myth of i pv6 and dns64
Security myth of i pv6 and dns64
 
Devicemgmt
DevicemgmtDevicemgmt
Devicemgmt
 
Blue Teaming On A Budget
Blue Teaming On A BudgetBlue Teaming On A Budget
Blue Teaming On A Budget
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People
 
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
 
Sqrrl February Webinar: Breaking Down Data Silos
Sqrrl February Webinar: Breaking Down Data SilosSqrrl February Webinar: Breaking Down Data Silos
Sqrrl February Webinar: Breaking Down Data Silos
 
Ipv6
Ipv6Ipv6
Ipv6
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
 
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderHSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
 
Security Onion
Security OnionSecurity Onion
Security Onion
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)
 
Host Intrusion Detection like a Boss
Host Intrusion Detection like a BossHost Intrusion Detection like a Boss
Host Intrusion Detection like a Boss
 
Splunking configfiles 20211208_daniel_wilson
Splunking configfiles 20211208_daniel_wilsonSplunking configfiles 20211208_daniel_wilson
Splunking configfiles 20211208_daniel_wilson
 
Why favour Icinga over Nagios - Rootconf 2015
Why favour Icinga over Nagios - Rootconf 2015Why favour Icinga over Nagios - Rootconf 2015
Why favour Icinga over Nagios - Rootconf 2015
 
Update on IPv6 activity in CERNET2
Update on IPv6 activity in CERNET2Update on IPv6 activity in CERNET2
Update on IPv6 activity in CERNET2
 
Analyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-timeAnalyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-time
 
Building a Linux IPv6 DNS Server Project review PPT v3.0 First review
Building a Linux IPv6 DNS Server Project review PPT v3.0 First reviewBuilding a Linux IPv6 DNS Server Project review PPT v3.0 First review
Building a Linux IPv6 DNS Server Project review PPT v3.0 First review
 

Passive DNS Collection – Henry Stern, Cisco

  • 1. Cisco Confidential 1© 2010 Cisco and/or its affiliates. All rights reserved. Cisco CSIRT’s Passive DNS Collection and Searching System Henry Stern
  • 2. Cisco Confidential 2© 2010 Cisco and/or its affiliates. All rights reserved.
  • 3. © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3 •  Complex data: Time, source, destination, question, answer, additional records. •  What did a name resolve to and when? •  What else resolved to this IP? •  What else is served by this name server? •  Solution: Passive DNS Replication •  https://dnsdb.isc.org/ •  http://www.bfk.de/bfk_dnslogger.html •  http://www.enyo.de/fw/software/dnslogger/
  • 4. © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4 •  Simple data: Source IP. Destination IP. Question – qname and qtype. •  Great for forensics. •  Who looked up this name? •  Who is a member of this botnet? •  What did this host look up?
  • 5. © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5
  • 6. © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6 •  130k active Windows hosts at any given time. •  90k active Linux hosts at any given time. •  10 billion Netflows captured at zone boundaries. •  IDS sensors at all zone boundaries. •  1 Tb of security event log data. •  13 data centres, DMZs covered with PDNS. •  4 billion DNS and NetBIOS packets captured per day. •  300gb of traffic captured per day.
  • 7. © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7 •  Data captured with ncaptool. •  Search engine written in Python+Pyrex. •  Uses libbind/Strangle, pyncap, IPy, pySubnetTree, list2re, pybloomfilter. •  Files are indexed with a Bloom filter. Quickly determines whether a file contains entries that match a query. Pre-computation by cron job. •  Distributed search client/server. JSON-based protocol. Use SSL certs for authentication. Future: Switch to HTTPS+SRP.
  • 8. © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8 usage: pdns-search [-h] [--src-ip [SRC_IP [SRC_IP ...]]] [--dst-ip [DST_IP [DST_IP ...]]] [--qname [QNAME [QNAME ...]]] [--qtype [QTYPE [QTYPE ...]]] [--nbname [NBNAME [NBNAME ...]]] [--nbtype [NBTYPE [NBTYPE ...]]] [--nbsuffix [NBSUFFIX [NBSUFFIX ...]]] [--max-results MAX_RESULTS] [--start START] [--end END] [--no-extract] [--no-expand] [--no-progress] [--print-server] [--print-protocol]
  • 9. © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9 $ pdns-search --qname bfisback.no-ip.org --max-results 4! ! ! ! ! ! ! ! ! ! ! Search: 100% |################| Time: 0:00:03 Files: 780/780! Timestamp Source Destination QName QType 2012-08-21 12:26:28 ELIDED 64.102.255.44 bfisback.no-ip.org A 2012-08-21 12:26:28 64.102.255.43 69.65.40.108 bfisback.no-ip.org A 2012-08-21 13:03:19 ELIDED 64.102.255.44 bfisback.no-ip.org A 2012-08-21 13:03:19 64.102.255.43 69.72.255.8 bfisback.no-ip.org A
  • 10. © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10 •  Fill in gaps in Netflow coverage. •  Alert on queries for dangerous domain names. •  Look for patterns in queries to discover C2 servers. •  Monitor queries about high-value targets. •  Watch for new names hosted on dangerous networks. •  Discover new dangerous networks.
  • 11. © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11 •  Tell us when DNS responses have changed. •  Automatically feed the data to other systems. •  Integrate our searches with external systems. Logs (Splunk) Flows (Lancope) SenderBase Network Participation