Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority
Reporter: Jing Chiu
Adviser: Yuh-Jye Lee
Data Mining & Machine Learning Lab, 2015/4/13

Reference
Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority
Authors: David Dagon, Niels Provos, Christopher P. Lee, and Wenke Lee.
Conference: Network and Distributed Security Symposium (NDSS) 2008.

Outline
- Introduction
- Methodology
- Analysis
- Conclusion

Introduction
- DNS resolution path corruption
- Rogue DNS service

Methodology
- Organize IPv4 into a series of classful address ranges
  - Use the bogons list published by Team Cymru
  - Exclude U.S. Military and U.S. government address space
- Design the query pattern: Blowfish(IP).parentzone.example.com
- Select 600,000 resolvers:
  - 200,000 uniformly at random from all resolvers
  - 200,000 from resolvers that overlap with those contacting Google
  - 200,000 from IP addresses known to be infected by the Storm bot
- Ask these resolvers to resolve 84 different domains over 4 days

Methodology (cont.)

Analysis
Open resolvers found:
- 10.4 million – late August 2007
- 10.5 million – early September 2007
- Union of the two sets: 17,365,759
- 634,941 – January 2006

Analysis (cont.)

Conclusion
- DNSSEC
- Blocking DNS with authority
- Blocking the remote DNS traffic
- Recovery: after blocking or taking down the rogue DNS?

Thanks for attention. Questions?
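The per-resolver query pattern and answer check from the Methodology slide, as an added example that is not code from the slides or from the paper's authors: each probed open resolver is asked for a unique name whose label encodes that resolver's IP under a secret key, so the authoritative server's query log shows which resolvers really forwarded the query, and the prober can then compare the answer each resolver returned with the answer the legitimate authority serves. It assumes a constructed probing key and, in place of the paper's Blowfish block, uses an HMAC-SHA256 keystream XOR as a stand-in keyed, reversible label encoding so it runs on the standard library alone; `classify_resolver`, `audit` and the verdict names are this example's own.

```python
import hashlib
import hmac
import ipaddress
import os
from typing import Optional

# Constructed secret held by the authority for parentzone.example.com; without it
# resolver operators can neither read nor forge probe labels.
PROBE_KEY = b"constructed-demo-key-do-not-reuse"
PARENT_ZONE = "parentzone.example.com"


def _keystream(nonce: bytes) -> bytes:
    # Stand-in for the paper's Blowfish block: a keyed stream derived from a
    # per-probe nonce, XORed with the packed IPv4 address (reversible with the key).
    return hmac.new(PROBE_KEY, nonce, hashlib.sha256).digest()


def encode_probe_name(resolver_ip: str, nonce: Optional[bytes] = None) -> str:
    """Unique name this resolver is asked to resolve: <enc(IP)>.parentzone.example.com."""
    nonce = nonce if nonce is not None else os.urandom(4)
    packed = ipaddress.IPv4Address(resolver_ip).packed
    ct = bytes(a ^ b for a, b in zip(packed, _keystream(nonce)))
    return f"{(nonce + ct).hex()}.{PARENT_ZONE}"


def decode_probe_name(qname: str) -> str:
    """Recover, from a name logged at the authority, which resolver was probed."""
    raw = bytes.fromhex(qname.split(".", 1)[0])
    nonce, ct = raw[:4], raw[4:]
    packed = bytes(a ^ b for a, b in zip(ct, _keystream(nonce)))
    return str(ipaddress.IPv4Address(packed))


def classify_resolver(answer: Optional[str], expected: str,
                      seen_at_authority: bool) -> str:
    """Verdict for one probed resolver: answer it returned, answer the real
    authority serves, and whether its unique name reached the authority's log."""
    if answer is None:
        return "no-answer"
    if not seen_at_authority:
        # Answered without ever consulting the real authority: the resolution
        # path behind this resolver is corrupted (served by some other source).
        return "corrupted-path"
    if answer != expected:
        return "incorrect-answer"
    return "correct"


def audit(probes: dict, authority_log: list) -> dict:
    """Join prober results {ip: (answer, expected)} with the authority's query log."""
    reached = {decode_probe_name(q) for q in authority_log}
    return {ip: classify_resolver(ans, exp, ip in reached)
            for ip, (ans, exp) in probes.items()}
```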