Multivariate Solutions to Passive DNS Challenges
Merike Kaeo
CTO, Farsight Security
merike@fsi.io
Agenda
- Typical Passive DNS Use
- Passive DNS Challenges
- Multivariate Solutions
- Understanding WHOIS and Geolocation
- Malicious Campaigns during Public Events
TYPICAL PASSIVE DNS USES
How Passive DNS Normally Works
- Start with a known/observed bad data point
  - Domain name
  - Name server
  - IP address/CIDR
  - ASN
- Use Passive DNS to find other IPs or domain names that share the same resources
- Leverage reputation locality, but carefully review what you've found
UNIvariate Approaches
- Use a single point of commonality as a way to identify related domains
  - SAME exact IP?
  - SAME exact name server?
  - SAME exact domain name used over time (if you are interested in the set of IPs that a name has been using)
- Each relies on a single attribute, exactly matched
Simple pDNS Works Well When...
- Many related domains coexist on a single IP (or small CIDR block), with no innocent 3rd party domains
- Many related domains use the same set of dedicated name servers, with no innocent 3rd party domains
- The malicious user is apparently stubbornly fond of a favorite domain
PASSIVE DNS CHALLENGES
When Simple pDNS Does NOT Work
- ZERO interrelated data points, e.g. "lone wolf" domain names, IP addresses, name servers, etc.
- Too many related resources
- Malicious resources are commingled with innocent 3rd party resources
Lone Wolf Scenario
The cybercriminal reuses NOTHING across sites
- Every IP address used to send SPAM or host content is totally unrelated to any other IPs the criminal uses
- Every domain name is registered using:
  - A diverse assortment of registrars, one or two at a time
  - Unique name servers (installed and operated on unique IPs)
  - Unique/fictitious (or concealed) POC details
  - Unique (or anonymous) payment details
Poorly Documented Resource Assignments
- Example #1: Provider fails to document IP reassignments/reallocations in IP WHOIS or rWHOIS, and an abuser repeatedly moves (or is moved) around a single large network block, or among multiple smaller blocks.
- Example #2: WHOIS POC details are concealed by a WHOIS proxy/privacy service
Overcoming Obfuscation
- Look for other characteristics that may not be obfuscated, or seek to strip away anonymity
- Examples
  - If name servers service a large number of domains, and thus are not a useful attribute to try to follow, look at the IP address(es) the bad domain is hosted on, instead.
  - If a domain is demonstrably engaged in phishing or other clearly illegal behavior, some privacy/proxy protection services have terms of service which allow the provider to unilaterally strip privacy protections.
Overcoming Reverse Proxies
- With reverse proxies, everything seems to "live on the reverse proxy's IP addresses"
- Carefully scrutinize non-A/non-AAAA DNS records that may be present (e.g. MX, TXT, etc.)
- Reverse proxy operators are also potentially a terrific target for law enforcement
Performance Marketing URLs
- Encoded URLs, unique to each specific recipient
- Because each URL is unique to each recipient, visiting the URL (typically to investigate the site being spamvertised) means:
  - Confirming you've opened the message and clicked through (establishing a potential argument that you've "opted in")
  - May result in you "using up" a URL coded for one-time use (try the same URL a 2nd or 3rd time? It may go nowhere)
- Forwarding "sanitized" spamples in complaints may yield URLs that simply don't work, or which work "misleadingly."
- Forwarding "raw" spamples in complaints "outs" your spam collection infrastructure and may result in "listwashing."
MULTIVARIATE SOLUTIONS
Points in an n-Dimensional Space
- In a multivariate approach we look at more than one measurement at the same time
- This allows "interactions" to be accounted for
  - x by itself? okay
  - y by itself? okay
  - x and y combined together? Does NOT work!
- NOT combining multiple attributes into a single score, compared against a threshold (SpamAssassin style)
- NOT just successive application of independent univariate filters, either
A Simple Two-D Normal Distribution
[Figure: sample from a bivariate normal distribution, /wiki/File:Multivariate_normal_sample.svg]
The Data We Have
- Currently passive DNS captures data about three main types of DNS-related entities:
  - Names
  - IPs
  - Name Servers
- None of that is beautiful continuous data
- If you attempt to visualize it, it will NOT look like the pretty graph on the preceding page
Statistical options for nominal data are limited: you can do crosstabs, but (a) that's not very statistically "sexy," and (b) interpretation becomes hard as the table size increases
Augmenting Classic pDNS
- Combine passive DNS data with other non-DNS data to go "multivariate"
- Non-DNS data could be pre-existing data such as domain WHOIS or IP WHOIS data
- Collect new data to augment the passive DNS data set (where active scanning is allowed by law and by your network terms of service)
  - For example, fingerprint/scan hosts with NMAP or a similar scanning tool to see what patterns of ports (if any) are open on a range of IP addresses
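The two slides above (univariate pivots versus joint attributes, and crosstabs over nominal pDNS data augmented with WHOIS) can be made concrete with a small worked example. The code below is added here and is not part of the deck or any Farsight tool; the records, the registrar names and the domains are constructed, and the record schema (domain, ip, nameserver, registrar) is an assumption. It shows that pivoting on any single attribute either over-collects (shared name server, shared IP) or under-collects, while the joint (nameserver, registrar) key isolates the cluster, and it computes a crosstab "lift" (observed cell count over the count expected if the two attributes were independent) as one way to surface the interaction the slide describes.

```python
from collections import Counter, defaultdict

FIELDS = ("domain", "ip", "nameserver", "registrar")

# Constructed passive-DNS records augmented with the domain WHOIS registrar.
# All names, addresses and registrars are invented for this example.
RECORDS = [dict(zip(FIELDS, r)) for r in [
    ("bad-one.example",   "203.0.113.10",  "ns1.shared-host.example", "RegistrarA"),
    ("bad-two.example",   "203.0.113.10",  "ns1.shared-host.example", "RegistrarA"),
    ("bad-three.example", "203.0.113.11",  "ns1.shared-host.example", "RegistrarA"),
    ("shop.example",      "203.0.113.10",  "ns1.shared-host.example", "RegistrarB"),
    ("blog.example",      "203.0.113.12",  "ns1.shared-host.example", "RegistrarC"),
    ("news.example",      "203.0.113.13",  "ns1.shared-host.example", "RegistrarD"),
    ("club.example",      "198.51.100.20", "ns2.other.example",       "RegistrarB"),
    ("forum.example",     "198.51.100.21", "ns2.other.example",       "RegistrarB"),
    ("wiki.example",      "198.51.100.22", "ns2.other.example",       "RegistrarC"),
    ("mail.example",      "192.0.2.30",    "ns3.another.example",     "RegistrarB"),
    ("store.example",     "192.0.2.31",    "ns3.another.example",     "RegistrarC"),
    ("photo.example",     "192.0.2.32",    "ns3.another.example",     "RegistrarD"),
]]


def univariate_groups(records, attr):
    """Classic pDNS pivot: domains grouped by one attribute, exactly matched."""
    groups = defaultdict(set)
    for r in records:
        groups[r[attr]].add(r["domain"])
    return dict(groups)


def joint_groups(records, attrs):
    """Multivariate pivot: domains grouped by the tuple of several attributes."""
    groups = defaultdict(set)
    for r in records:
        groups[tuple(r[a] for a in attrs)].add(r["domain"])
    return dict(groups)


def crosstab(records, x, y):
    """Cross-tabulate two nominal attributes: (x_value, y_value) -> count."""
    return Counter((r[x], r[y]) for r in records)


def interaction_lift(records, x, y):
    """Observed cell count divided by the count expected if x and y were
    independent (row_total * col_total / N). A lift well above 1 means the
    combination occurs far more often than either attribute alone predicts:
    'x okay, y okay, x and y together does NOT work'."""
    table = crosstab(records, x, y)
    rows = Counter(r[x] for r in records)
    cols = Counter(r[y] for r in records)
    n = len(records)
    return {cell: count / (rows[cell[0]] * cols[cell[1]] / n)
            for cell, count in table.items()}


if __name__ == "__main__":
    print("by nameserver:", univariate_groups(RECORDS, "nameserver"))
    print("by ip:        ", univariate_groups(RECORDS, "ip"))
    print("by registrar: ", univariate_groups(RECORDS, "registrar"))
    print("joint (ns, registrar):", joint_groups(RECORDS, ("nameserver", "registrar")))
    for cell, lift in sorted(interaction_lift(RECORDS, "nameserver", "registrar").items(),
                             key=lambda kv: -kv[1]):
        print(f"lift {lift:.2f}  {cell}")
```

The lift is only a heuristic for spotting which cell of the crosstab deserves a closer look; as the slide warns, the table grows with each attribute added, so in practice you pick a small number of attributes that a lone-wolf operator is least likely to vary.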
UNDERSTANDING WHOIS and GEOLOCATION
Registering a Domain Name - WHOIS
- Create a new domain name
  - Specify the domain you want to register
  - Provide (supposedly accurate) point of contact (POC) details
  - Decide if you want to have those POC details "unlisted" through use of a privacy/proxy registration service
  - Define the authoritative name servers that know how to map your domains to the IP address(es) of your server
  - Pay an annual fee to the registrar
- POC information and related details about most domains get added to an online database - WHOIS
WHOIS and Real World Identities
- Clues to registrant "real world" identity in WHOIS
  - Their name (but the claimed name may be bogus, or someone else's name used without authorization)
  - A street address (can be a 3rd party mail drop, incomplete, fictitious, etc.)
  - A phone number (may be a prepaid "burner" phone)
  - An email address (may be throwaway and only used once)
- If you have the ability to get a court order
  - Their credit card number (may be stolen or prepaid, or paid using Bitcoin)
  - An IP address from which they placed their order, etc.
Proxy/Privacy Services
- Proxy/privacy protection may be free (bundled with a domain's registration), or offered as an extra cost service
- Proxy/privacy services allow registrants to conceal their contact details from public display
- Even if used, LEOs can still seek a court order to strip a domain's proxy/privacy status or to directly obtain underlying details (but this can be a pain and underlying details may still be bogus or require additional deobfuscation) [/2015/07/how-to-register-a-gtld-domain-name-without-disclosing-personal-data.html]
- Some proxy/privacy service providers may have TOS which allow them to unilaterally remove protections for a domain (if a domain is obviously being misused, e.g. for phishing or SPAM)
Geo-Location Services
- IP addresses may have an associated geolocation (from IP WHOIS)
- IP addresses may ALSO have an associated geolocation from a GeoIP database
- Domains may have an associated geolocation (from domain WHOIS)
- IP addresses may have an associated geolocation due to use of a country code TLD
Inconsistencies may be innocent or a sign of something worth scrutiny
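The four geolocation signals listed above can be compared mechanically, so that only domains whose signals disagree are pulled out for human review. The following code is an added example, not from the deck: the ccTLD-to-country table is a deliberately small constructed subset (a real check would use the full IANA list), and the country values passed in are assumed to come from whatever IP WHOIS, GeoIP and domain WHOIS lookups you already have. Missing signals (a gTLD has no ccTLD country; a ccTLD registry may publish no WHOIS) are skipped rather than counted as disagreements.

```python
from itertools import combinations

# Constructed ccTLD -> ISO country table covering the TLDs that appear in this
# deck's domain lists. A production check would load the full IANA ccTLD list.
CCTLD_COUNTRY = {"ru": "RU", "de": "DE", "nl": "NL", "hu": "HU", "za": "ZA", "cn": "CN"}


def cctld_country(domain):
    """Country implied by a ccTLD, or None for gTLDs such as .com/.net/.org."""
    tld = domain.rstrip(".").rsplit(".", 1)[-1].lower()
    return CCTLD_COUNTRY.get(tld)


def geo_report(domain, ip_whois_country=None, geoip_country=None, domain_whois_country=None):
    """Collect the geolocation signals from the slide and compare them pairwise.
    Each argument is an ISO country code (or None when that source has nothing).
    Returns the signals that were present, the distinct countries they name,
    the pairs of sources that disagree, and a consistency flag."""
    signals = {
        "ip_whois": ip_whois_country,
        "geoip": geoip_country,
        "domain_whois": domain_whois_country,
        "cctld": cctld_country(domain),
    }
    present = {name: code.upper() for name, code in signals.items() if code}
    disagreements = [(a, b) for a, b in combinations(sorted(present), 2)
                     if present[a] != present[b]]
    return {
        "domain": domain,
        "signals": present,
        "countries": set(present.values()),
        "disagreements": disagreements,
        "consistent": not disagreements,
    }


if __name__ == "__main__":
    # Constructed inputs: a .ru domain whose hosting IP resolves to the US.
    print(geo_report("club-olymp.ru", ip_whois_country="US",
                     geoip_country="US", domain_whois_country="RU"))
    print(geo_report("nbcolympics.com", ip_whois_country="US",
                     geoip_country="US", domain_whois_country="US"))
```

A report with `consistent` False is a prompt for scrutiny, not a verdict: a .ru domain hosted on a US CDN is common and innocent, which is exactly the caveat the slide makes.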
ccTLDs
- ICANN administers global top level domains (gTLDs) such as .com, .net, .org, .biz, .info, etc. ICANN requires WHOIS service (although they permit privacy/proxy registrations)
- Country code TLDs (ccTLDs) are run according to their own rules. Some of them have policies which limit public access to the WHOIS data for any/all of their domains [*IF* the WHOIS information actually exists]
  - WHOIS information may only be available and usable by registered users
  - Some WHOIS information may be displayed in graphical format to hinder automated "scraping"/cut-n-pasting of WHOIS data
  - WHOIS access may be strictly rate limited, with access slowed or blocked altogether after just a handful of domains are checked from the same IP address
MALICIOUS CAMPAIGNS DURING PUBLIC EVENTS
Getting 'Simple' pDNS Data

$ nmsgtool -C ch208 -c 5000000 | grep rrname | awk '{print $2}' | sed 's/.$//' | grep "olym" | grep -v "polymer" > olymp.txt
$ reverse-domain-names < olymp.txt | sort | uniq -c | sort -nr > temp-olym.txt

com.rio-2016-olympics-live.www
com.nbcolympics
ru.club-olymp
ernet-olympiade
com.olympicbiofeedback
com.olympianeagleathletics
za.co.olympicpaints
.top-olympia
ru.winterolympics2014
ru.winterolympic-2014
ru.cityolympic
hu.olympingaruhaz
edu.tjhsst.olympus
de.mathematik-olympiaden
net.freakolympics.www
com.olympusrugby
com.olympusdl
com.olymposgozleme
com.franceolympique.cotedor
com.dealsaver.olympia
com.catsummerolympics
.olympicssports
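The same transformation as the two shell commands above (keep the rrname field, drop the trailing dot, keep names containing "olym" but not "polymer", reverse the labels, count and rank) written in Python, so the steps can be run and checked without SIE access. This is an added example, not from the deck; the input lines are constructed, and the "rrname: name." line layout is an assumption about what the `grep rrname | awk '{print $2}'` stage sees.

```python
from collections import Counter

# Constructed sample of presentation-format lines (layout assumed: "rrname: <name>.").
# The real pipeline reads millions of these from nmsgtool; here a handful suffice.
SAMPLE = """\
rrname: www.rio-2016-olympics-live.com.
rrname: nbcolympics.com.
rrname: polymer-science.example.
rrname: club-olymp.ru.
rrname: nbcolympics.com.
rrname: olympicpaints.co.za.
rrname: www.rio-2016-olympics-live.com.
rrname: nbcolympics.com.
rrname: blog.example.
"""


def extract_names(text, keyword="olym", exclude="polymer"):
    """grep rrname | awk '{print $2}' | sed 's/.$//' | grep keyword | grep -v exclude"""
    names = []
    for line in text.splitlines():
        if "rrname" not in line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        name = fields[1][:-1]          # sed 's/.$//': strip the FQDN's trailing dot
        if keyword in name and exclude not in name:
            names.append(name)
    return names


def reverse_domain_name(name):
    """The reverse-domain-names step: 'www.example.com' -> 'com.example.www',
    so that a plain sort groups names by TLD and then by registered domain."""
    return ".".join(reversed(name.split(".")))


def count_reversed(names):
    """sort | uniq -c | sort -nr: (reversed name, count), most frequent first."""
    counts = Counter(reverse_domain_name(n) for n in names)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for reversed_name, count in count_reversed(extract_names(SAMPLE)):
        print(f"{count:7d} {reversed_name}")
```

Reversing the labels before sorting is what makes the deck's output list readable: every name under the same TLD and registered domain lands next to each other, so a campaign that registered many "rio-...-olympics" names under one TLD stands out as a block rather than being scattered through the list.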
Newly Observed Domain Names (NOD)
- Most new domains (<24 hours) are nefarious
  - 60% of SPAM studied used a header or envelope domain <24 hours old
- Most new domains don't yet have a reputation
- NOD as Streams (newly active vs newly observed)
- NOD as Feeds (RPZ – DNS Firewall; RHSBL – SpamAssassin)
- Various intervals available (5m, 10m, 30m, 1hr, 6hr, 12hr, 24hr)
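To show how a NOD feed becomes a "DNS firewall" entry, the following added example (not from the deck and not Farsight's feed format) selects domains first seen within a chosen interval and renders them as RPZ policy records. The first-seen observations, domain names and the `NOW` reference time are constructed; the RPZ action `CNAME .` (rewrite the answer to NXDOMAIN) and the wildcard owner for subdomains follow the RPZ zone convention.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time and first-seen observations (domain, first seen, UTC).
# Names and timestamps are invented for this example.
NOW = datetime(2016, 8, 11, 12, 0, tzinfo=timezone.utc)
OBSERVATIONS = [
    ("rio-tickets-2016.example", datetime(2016, 8, 11, 3, 0, tzinfo=timezone.utc)),
    ("watch-games-live.example", datetime(2016, 8, 10, 20, 0, tzinfo=timezone.utc)),
    ("old-sports-blog.example",  datetime(2016, 8, 9, 12, 0, tzinfo=timezone.utc)),
    ("medal-count-now.example",  datetime(2016, 8, 11, 11, 30, tzinfo=timezone.utc)),
]


def newly_observed(observations, now, window):
    """Domains first seen within `window` before `now`, oldest first.
    `window` plays the role of the feed intervals on the slide (5m ... 24hr)."""
    cutoff = now - window
    recent = [(d, seen) for d, seen in observations if cutoff <= seen <= now]
    return [d for d, _ in sorted(recent, key=lambda o: o[1])]


def nod_domains(hours=24, now=NOW, observations=OBSERVATIONS):
    """Convenience wrapper: the NOD list for an interval given in hours."""
    return newly_observed(observations, now, timedelta(hours=hours))


def rpz_records(domains, action="CNAME ."):
    """Render RPZ policy lines for each domain and its subdomains.
    'CNAME .' rewrites the answer to NXDOMAIN; 'CNAME *.' would give NODATA."""
    lines = []
    for d in domains:
        d = d.rstrip(".")
        lines.append(f"{d} {action}")
        lines.append(f"*.{d} {action}")
    return lines


def rpz_zone(origin, domains, serial):
    """Minimal RPZ zone: SOA and NS at the apex, then the policy records.
    Owners are relative to $ORIGIN, which is how RPZ triggers are expressed."""
    header = [
        "$TTL 300",
        f"$ORIGIN {origin}.",
        f"@ IN SOA localhost. hostmaster.{origin}. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    return "\n".join(header + rpz_records(domains)) + "\n"


if __name__ == "__main__":
    print(rpz_zone("nod.rpz.example", nod_domains(hours=24), int(NOW.timestamp())))
```

The interval is the only tuning knob: a 24-hour window catches the most campaign domains but also the most innocent new registrations, which is why the slide lists intervals from 5 minutes up and why a NOD block should expire automatically rather than accumulate.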
NOD (Aug 10-11, 2016)
- 1363288-irish-executive-arrested-in-rio-olympics-ticket-raid[dot]page
- derelict-and-deserted-the-ghost-of-former-olympic-sites[dot]page
- helen-skelton-strictly-come-dancing-olympics-bbc[dot]page
- olympic-council-of-ireland-employee-arrested-in-ticket-raid[dot]page
- olympic-diving-pool-turns-green-and-baffles-competitors[dot]page
- olympic-rio-gang-steal-dog-pet[dot]page
- Olympicsgames[dot]club
- rio-2016-diving-pool-green-olympics-tom-daley[dot]page
- rio-olympics-gymnast-breaks-leg-video[dot]page
- Rio2016olympics[dot]today
- rio-olympics2016[dot]online
- Rioolympics2016[dot]today
- Rioolympicsgame[dot]club
- Rioolympics[dot]solutions
- Rioolympics[dot]space
- Rioolympics[dot]tech
- Riosportsolympics[dot]online
- Olympicsrio2016[dot]online
- Olympicsrio2016[dot]today
- Watchbrazilolympics[dot]online
- watch-olympics16-livesnow[dot]ga
- Watchtheolympics[dot]online
- Winterolympics2018[dot]xyz
- Winterolympics[dot]press
NOD (Aug 10-11, 2016)
- Dolympic[dot]de
- Esportolympics[dot]nl
- Esportsolympics[dot]nl
- Jordan72016olympic[dot]cc
- Olympicamsterdam[dot]nl
- Olympicbikes[dot]nl
- Olympiccasino[dot]nl
- Olympicconsultants[dot]nl
- Olympiccrowdfunding[dot]de
- Olympiccrowdfunding[dot]nl
- Olympicentertainment[dot]nl
- Olympicgamesnews[dot]de
- Olympichub[dot]nl
- Olympicit[dot]nl
- olympic-klasse[dot]de
- olympic-land[dot]de
- olympic-land[dot]nl
- Olympicland[dot]nl
- Olympicnews[dot]io
- Olympicoffers[dot]de
- olympic-parc[dot]de
- olympic-parc[dot]nl
- Olympicpetfood[dot]nl
- olympic-travel[dot]de
- Olympicycles[dot]nl
- Radiolympic[dot]nl
- Radiolympics[dot]nl
- Sociolympic[dot]nl
- Sociolympics[dot]nl
- Specialolympics2017[dot]nl
- Theolympic[dot]nl
- Theolympicstandard[dot]biz
- Usolympicsnews[dot]com
- Vrolympics[dot]cn
- Winterolympic2018[dot]net
Example 1: WHOIS and GeoIP
Queries from:
Example 2: WHOIS and GeoIP
merike@pDNS:~$ domain