Fast flux problem

RU-CENTER, domain registration centre
«FAST-FLUX problem & domain registrars»
Pavel Khramtsov (paul@nic.ru)
Slovenia, 2009
DNS: the most popular topics (threads)
- Spoofing: substitution of a DNS server's answer (solution: DNSSEC).
- Conficker: botnet creator (solution: preventive bulk registration).
- Fast-flux: dynamic change of the address resource record, i.e. of the name/address link (solution: UNKNOWN!!!).
RU-CENTER - www.nic.ru
Fast-Flux: term definition
- “Fast flux” refers to rapid and repeated changes to an Internet host (A) and/or name server (NS) resource record in a DNS zone, which have the effect of rapidly changing the location (IP address) to which the domain name of an A or NS resolves.
- Fast flux attack networks are robust, resource-obfuscating service delivery infrastructures. Such infrastructures make it difficult for system administrators and law enforcement agents to shut down active scams and identify the criminals operating them.
DNS & Web
(Diagram: User, DNS server, HTTP server 194.32.33.1.)
1. User -> DNS server: site.ru A ?
2. DNS server -> User: site.ru A 194.32.33.1
3. User -> HTTP server (194.32.33.1): GET http://site.ru HTTP/1.1, Host: site.ru
4. HTTP server -> User: 200 OK…
DNS & Web in detail
(Diagram: User, caching DNS server, ROOT, ns2.ripn.net for .ru, ns1.site.ru, HTTP server 194.32.33.1.)
1. User -> caching DNS server: site.ru A ?
2. Caching DNS server -> ROOT: site.ru A ?
3. ROOT -> caching DNS server: .ru NS ns2.ripn.net
4. Caching DNS server -> ns2.ripn.net: site.ru A ?
5. ns2.ripn.net -> caching DNS server: site.ru NS ns1.site.ru
6. Caching DNS server -> ns1.site.ru: site.ru A ?
7. ns1.site.ru -> caching DNS server: site.ru A 194.32.33.1 with TTL (the answer is cached for TTL seconds)
8. Caching DNS server -> User: site.ru A 194.32.33.1
9. User -> HTTP server (194.32.33.1): GET http://site.ru HTTP/1.1, Host: site.ru
10. HTTP server -> User: 200 OK…
Reverse proxy using a DNS server
(Diagram: User, DNS server, HTTP reverse proxy servers 194.32.33.1, 194.32.33.2, 194.32.33.3, …, source server behind them.)
1. User -> DNS server: site.ru A ?
2. DNS server -> User: site.ru A 194.32.33.x (one of the reverse proxy addresses)
3. User -> HTTP reverse proxy server (194.32.33.x): GET http://site.ru HTTP/1.1, Host: site.ru; the reverse proxy fetches the content from the source server
4. Reverse proxy server -> User: 200 OK…
Reverse proxy using botnets
(Diagram: Users, caching DNS server, botnet of HTTP reverse proxy servers 194.32.33.x, 120.33.10.y, 140.120.12.z, …, hidden content server behind them.)
It is a small TTL that permits fast changing of the A records.
1. Users -> caching DNS server: site.ru A ?
2. Caching DNS server -> Users: site.ru A 194.32.33.x, 120.33.10.y, 140.120.12.z, … (a set of hosts routed through varied ASes)
3. Users -> botnet HTTP reverse proxy server (194.32.33.x, 120.33.10.y, 140.120.12.z, …): GET http://site.ru HTTP/1.1, Host: site.ru; the bot proxies the request to the hidden content server
4. Reverse proxy server -> Users: 200 OK…
Fast-flux “fingerprints”
- multiple IPs per NS spanning multiple ASNs,
- frequent NS changes,
- in-addr.arpa names or IPs lying within consumer broadband allocation blocks,
- domain name age,
- poor quality WHOIS,
- determination that the nginx proxy is running on the addressed machine: nginx is commonly used to hide/proxy illegal web servers,
- the domain name is one of possibly many domain names under the name of a registrant whose domain administration account has been compromised, and the attacker has altered domain name information without authorization.
Our research: method
- Select all distinct domain names from the log of the DNS server. It'd be better to take the log of an authoritative server of the zone.
- Test this list against DNS to obtain the TTL and IP address for each domain name several times (100 times, for example).
- Focus on the names with TTL < 1000 and multiple IPs.
- Take Google, Yandex, … away from the list.
Then…
Our research: method
- We received the geographic and AS distribution for each domain from the list.
- We received the intersection with the providers' access pools for each domain.
There is a high probability that a “fast-flux” domain has geographic and AS distribution of its IP set and belongs to a provider's access pool.
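The screening procedure of the two method slides and the fingerprint list, as an added example written for this page (not the presentation's own code): it runs offline over a constructed log of repeated A lookups; the prefix-to-AS map, the private-use ASNs, the access-pool flags and the whitelist are assumptions standing in for real BGP/RIR data.

```python
import ipaddress
from collections import defaultdict

# Constructed log of repeated A lookups: (domain, ttl, ip). In the study these
# come from querying each name taken from the DNS server log many times.
SAMPLES = [
    ("site.ru", 3600, "194.32.33.1"), ("site.ru", 3600, "194.32.33.1"),
    ("cdn.ru", 60, "194.32.33.1"), ("cdn.ru", 60, "194.32.33.2"),
    ("cdn.ru", 60, "194.32.33.3"),
    ("shop.ru", 120, "194.32.33.5"), ("shop.ru", 120, "120.33.10.7"),
    ("shop.ru", 120, "140.120.12.9"), ("shop.ru", 120, "120.33.10.8"),
    ("yandex.ru", 300, "198.51.100.1"), ("yandex.ru", 300, "198.51.100.2"),
]
# Constructed prefix -> (ASN, is_end_user_access_pool); ASNs are private-use placeholders.
PREFIX_AS = {
    "194.32.33.0/24": (64500, False),  # hosting block
    "120.33.10.0/24": (64501, True),   # consumer broadband block
    "140.120.12.0/24": (64502, True),  # consumer broadband block
}
WHITELIST = {"google.com", "yandex.ru"}  # large legitimate users of small TTLs

def lookup_as(ip):
    """Return (asn, is_access_pool) for an IP, or (None, False) if unmapped."""
    addr = ipaddress.ip_address(ip)
    for prefix, info in PREFIX_AS.items():
        if addr in ipaddress.ip_network(prefix):
            return info
    return (None, False)

def screen(samples, ttl_max=1000, whitelist=WHITELIST):
    """Crude filter (TTL < ttl_max and >1 IP), whitelist, then AS/pool scoring."""
    ttls, ips = defaultdict(set), defaultdict(set)
    for name, ttl, ip in samples:
        ttls[name].add(ttl)
        ips[name].add(ip)
    result = {}
    for name in ips:
        if name in whitelist or min(ttls[name]) >= ttl_max or len(ips[name]) < 2:
            continue
        asns = {lookup_as(ip)[0] for ip in ips[name]}
        pool_hits = sum(lookup_as(ip)[1] for ip in ips[name])
        result[name] = {
            "min_ttl": min(ttls[name]), "ips": len(ips[name]),
            "asns": len(asns), "access_pool_ips": pool_hits,
            # refined rule: IP set spread over several ASes and into access pools
            "suspect": len(asns) > 1 and pool_hits > 0,
        }
    return result
```

In this constructed data cdn.ru passes the crude TTL/multiple-IP filter but stays within one hosting AS, while shop.ru spreads over three ASes and consumer broadband blocks and is flagged.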
Our research: results
Summary results:

Description                                                             Value
Number of domains with TTL < 1000 & multiple IPs                         1633
Number of second level domains with TTL < 1000 & multiple IPs             522
Number of nnn.ru domains with TTL < 1000 & multiple IPs                   312
Number of domain names pointing to end user access pools, including:     1287
  - geographic distribution                                               398
  - AS distribution                                                       743
Our research: results
Top-5 domains:

Domain                          Queries
ns6.b6f.ru                      2352598
Ns1.ut9.ru (Zimbra server)       246873
ns2.Ew0.ru (Zimbra server)       244035
NS3.wAntdrOOl.ru                 117990
Ns1.wEbshopmAG.ru                 96833

Another typical name: wnacsspa1j4i.odnoklassniki.x8m.ru.
Our research: results
Top-5 countries:

Country        Domains
Germany            350
France             349
Poland              40
Netherlands         34
Taiwan              32
Our research: results
Russian AS names & end user access pools:

AS name            Domains
AGAVA                  347
Unknown                  1
INAR-VOLOGDA-AS          1
RINET-AS                 1
Our research: results
Registrars & end user access pools:

Russian registrar (different regions)   Domains
NAUNET-REG-RIPN                              98
REGRU-REG-RIPN                              102
REGTIME-REG-RIPN                            183
RIPN-REG-RIPN                                 1
Conclusions
1. TTL & multiple IPs are enough for a crude estimation.
2. The intersection of a domain name's IPs with end user access pools gives us more precise detection.
3. Geographic & AS distribution improve detection.
Questions?