Corrupted DNS Resolution Paths:
The Rise of a Malicious Resolution Authority
Reporter: Jing Chiu
Adviser: Yuh-Jye Lee
Data Mining & Machine Learning Lab
2015/4/13
Reference
Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority



Authors:
David Dagon, Niels Provos, Christopher P. Lee, and Wenke Lee.
Conference:
Network and Distributed Security Symposium (NDSS) 2008.
Outline
Introduction
Methodology
Analysis
Conclusion




Introduction
DNS resolution path corruption
Rogue DNS service


Methodology
Organizing IPv4 into a series of classful addresses
  Using the bogons list published by Team Cymru
  Exclude U.S. Military and U.S. government
Design Query Pattern
  Blowfish(IP).parentzone.example.com
Select 600,000 resolvers
  200,000 uniformly randomly from all resolvers
  200,000 from resolvers overlapped with contacting Google
  200,000 from IP addresses known to be infected by the Storm bot
Ask these resolvers to resolve 84 different domains during 4 days
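
The query pattern above ties each probe name to the address it was sent to, so a query arriving at the parent zone's authoritative server identifies which probed host recursed. As an added example (not code from the slides or the paper), the sketch below builds such names and decodes them from a constructed authority-side query log. Blowfish is replaced by an HMAC-SHA256 Feistel permutation because the Python standard library has no Blowfish; the key, log entries and function names are assumptions.

```python
import hashlib
import hmac
import ipaddress

ZONE = "parentzone.example.com"  # parent zone as written on the slide
KEY = b"constructed-demo-key"    # assumption: secret held by the measurement team

def _f(key, rnd, half):
    """16-bit keyed round function (stand-in for Blowfish, see lead-in)."""
    mac = hmac.new(key, bytes([rnd]) + half.to_bytes(2, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest()[:2], "big")

def encode_label(ip, key=KEY):
    """Reversibly map an IPv4 address to an 8-hex-digit DNS label."""
    n = int(ipaddress.IPv4Address(ip))
    left, right = n >> 16, n & 0xFFFF
    for rnd in range(4):
        left, right = right, left ^ _f(key, rnd, right)
    return f"{(left << 16) | right:08x}"

def decode_label(label, key=KEY):
    """Invert encode_label; raises ValueError on a malformed label."""
    if len(label) != 8:
        raise ValueError("label must be 8 hex digits")
    n = int(label, 16)
    left, right = n >> 16, n & 0xFFFF
    for rnd in reversed(range(4)):
        left, right = right ^ _f(key, rnd, left), left
    return str(ipaddress.IPv4Address((left << 16) | right))

def probe_name(ip):
    return f"{encode_label(ip)}.{ZONE}"

def recursing_targets(authority_log):
    """Map each probed IP to the source addresses that recursed for it."""
    seen = {}
    for src, qname in authority_log:
        label, _, zone = qname.lower().rstrip(".").partition(".")
        if zone != ZONE:
            continue
        try:
            seen.setdefault(decode_label(label), set()).add(src)
        except ValueError:
            continue  # not one of our probe names
    return seen

# Constructed authority-side log: (source of the recursive query, QNAME)
LOG = [("192.0.2.53", probe_name("192.0.2.53") + "."),
       ("203.0.113.9", probe_name("198.51.100.7").upper()),  # forwarded upstream
       ("203.0.113.20", "www." + ZONE)]
```

In the constructed log, the second entry shows a probed host whose recursive query reached the authority from a different source address, and the third is an unrelated query that is ignored.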

Methodology (cont.)
Analysis
Open resolvers found
  10.4 million – late August 2007
  10.5 million – early September 2007
  Union of two sets: 17,365,759
  634,941 – January 2006
Analysis (cont.)
Analysis (cont.)
Analysis
Conclusion

DNSSEC
  DNS with authority
Blocking
  Block the remote DNS traffic
Recovery
  After blocking or taking down the Rogue DNS?
Thanks for your attention

Questions?