
«FAST-FLUX problem & domains registrars» Pavel Khramtsov (paul@nic.ru) Slovenia-2009



Presentation Transcript


  1. The centre of registration of domains «FAST-FLUX problem & domains registrars» Pavel Khramtsov (paul@nic.ru) Slovenia-2009

  2. DNS – the most popular topics (threats)
  • Spoofing – substitution of the DNS server's answer (solution – DNSSEC).
  • Conficker – botnet creator (solution – preventive bulk registration).
  • Fast-flux – dynamic change of the address resource record, i.e. of the name/address link (solution – UNKNOWN!!!).

  3. Fast-Flux: term definition
  • “Fast flux” refers to rapid and repeated changes to an Internet host (A) and/or name server (NS) resource record in a DNS zone, which have the effect of rapidly changing the location (IP address) to which the domain name of an A or NS resolves.
  • Fast flux attack networks are robust, resource obfuscating service delivery infrastructures. Such infrastructures make it difficult for system administrators and law enforcement agents to shut down active scams and identify the criminals operating them.

  4. DNS & Web (diagram: User, DNS server, HTTP server 194.32.33.1)
  1. User → DNS server: site.ru A ?
  2. DNS server → User: site.ru A 194.32.33.1
  3. User → HTTP server (194.32.33.1): GET http://site.ru HTTP/1.1, Host: site.ru
  4. HTTP server → User: 200 OK…

  5. DNS & Web in detail (diagram: User, cache DNS server, ROOT, ns2.ripn.net, ns1.site.ru, HTTP server 194.32.33.1)
  1. User → cache DNS server: site.ru A ?
  2. Cache DNS server → ROOT: site.ru A ?
  3. ROOT → cache DNS server: .ru NS ns2.ripn.net
  4. Cache DNS server → ns2.ripn.net: site.ru A ?
  5. ns2.ripn.net → cache DNS server: site.ru NS ns1.site.ru
  6. Cache DNS server → ns1.site.ru: site.ru A ?
  7. ns1.site.ru → cache DNS server: site.ru TTL A 194.32.33.1
  8. Cache DNS server → User: site.ru A 194.32.33.1
  9. User → HTTP server (194.32.33.1): GET http://site.ru HTTP/1.1, Host: site.ru
  10. HTTP server → User: 200 OK…

  6. Using a reverse proxy (diagram: User, DNS server, HTTP reverse-proxy servers 194.32.33.1, 194.32.33.2, 194.32.33.3 …, source server behind the proxies)
  1. User → DNS server: site.ru A ?
  2. DNS server → User: site.ru A 194.32.33.x
  3. User → HTTP reverse proxy (194.32.33.x): GET http://site.ru HTTP/1.1, Host: site.ru
  4. HTTP reverse proxy → User: 200 OK…

  7. Using a reverse proxy & botnets (diagram: Users, cache DNS server, HTTP reverse-proxy servers 194.32.33.x, 120.33.10.y, 140.120.12.z … – a botnet, a set of hosts routed through varied ASes – and a hidden content server behind them)
  1. Users → cache DNS server: site.ru A ?
  2. Cache DNS server → Users: site.ru A 194.32.33.x, 120.33.10.y, 140.120.12.z …
  3. Users → HTTP reverse proxy: GET http://site.ru HTTP/1.1, Host: site.ru
  4. HTTP reverse proxy → Users: 200 OK…
  It is a small TTL that permits fast A record changing.

  8. Fast-flux “fingerprints”
  • multiple IPs per NS spanning multiple ASNs,
  • frequent NS changes,
  • in-addr.arpa names or IPs lying within consumer broadband allocation blocks,
  • domain name age,
  • poor quality WHOIS,
  • determination that the nginx proxy is running on the addressed machine: nginx is commonly used to hide/proxy illegal web servers,
  • the domain name is one of possibly many domain names under the name of a registrant whose domain administration account has been compromised, and the attacker has altered domain name information without authorization.

  9. Our research: method
  • Select all distinct domain names from the log of the DNS server. It'd be better to take the log of an authoritative server of the zone.
  • Test this list against DNS a few times (100 times, for example) to obtain the TTL & IP address for each domain name.
  • Focus on the names with TTL < 1000 & multiple IPs.
  • Take away from the list Google, Yandex, … Then…

  10. Our research: method
  • We obtained the geographic and AS distribution for each domain from the list.
  • We obtained the intersection with the providers' access pools for each domain. There is a high probability that a “fast-flux” domain has its IP set spread geographically and across ASes and that those IPs belong to a provider's access pool.
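The crude TTL + multiple-IP filter from slide 9, refined by AS and country spread as on slide 10, as an added example that is not part of the presentation. The observations, the IP→(ASN, country) map and the example.test names are constructed stand-ins for the authoritative-server log and a GeoIP/whois lookup.

```python
# Added example (not the presentation's code): a crude fast-flux classifier over
# repeated A-record observations: low TTL + several distinct IPs, then AS/country spread.
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: (name, ttl, ip) from repeated lookups of the same names.
OBSERVATIONS = [
    ("shop.example.test", 300, "203.0.113.10"),
    ("shop.example.test", 300, "198.51.100.7"),
    ("shop.example.test", 300, "192.0.2.44"),
    ("shop.example.test", 300, "203.0.113.11"),
    ("cdn.example.test", 60, "198.51.100.20"),     # low TTL but a single IP
    ("cdn.example.test", 60, "198.51.100.20"),
    ("static.example.test", 86400, "192.0.2.9"),   # two IPs but a long TTL
    ("static.example.test", 86400, "192.0.2.10"),
]

# Constructed IP -> (ASN, country) map standing in for a GeoIP / whois lookup.
ASN_DB = {
    "203.0.113.10": ("AS64500", "RU"), "203.0.113.11": ("AS64500", "RU"),
    "198.51.100.7": ("AS64501", "DE"), "198.51.100.20": ("AS64501", "DE"),
    "192.0.2.44": ("AS64502", "US"), "192.0.2.9": ("AS64502", "US"),
    "192.0.2.10": ("AS64502", "US"),
}


def classify(observations, asn_db, ttl_limit=1000, min_ips=2, allowlist=frozenset()):
    """Return {name: {ttl, ips, asns, countries, crude, suspect}} per domain name.

    crude   = slide 9 rule: minimum TTL below ttl_limit and at least min_ips distinct IPs
    suspect = crude rule plus the slide 10 refinement: IPs spread over more than one AS
    allowlist = names to drop first (the 'take away Google, Yandex, ...' step)
    """
    ttls, ips = defaultdict(list), defaultdict(set)
    for name, ttl, ip in observations:
        ttls[name].append(ttl)
        ips[name].add(str(ip_address(ip)))  # ip_address() rejects malformed addresses
    report = {}
    for name in ips:
        if name in allowlist:
            continue
        asns = {asn_db[ip][0] for ip in ips[name] if ip in asn_db}
        countries = {asn_db[ip][1] for ip in ips[name] if ip in asn_db}
        min_ttl = min(ttls[name])
        crude = min_ttl < ttl_limit and len(ips[name]) >= min_ips
        report[name] = {"ttl": min_ttl, "ips": sorted(ips[name]), "asns": sorted(asns),
                        "countries": sorted(countries), "crude": crude,
                        "suspect": crude and len(asns) > 1}
    return report
```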

  11. Our research: results Summary results:

  12. Our research: results Top-5 domains: Another typical name: wnacsspa1j4i.odnoklassniki.x8m.ru.

  13. Our research: results Top-5 Countries:

  14. Our research: results Russian AS names & end user access pools:

  15. Our research: results Registrars & end user access pools:

  16. Conclusions
  • TTL & multiple IPs are enough for a crude estimation.
  • The intersection of a domain name's IPs & end user access pools gives us more precise detection.
  • Geographic & AS distribution improve detection.

  17. Questions?
