Posted on 11-Jan-2016
«FAST-FLUX problem & domain registrars»
Pavel Khramtsov (paul@nic.ru)
Slovenia, 2009
The centre of registration of domains: RU-CENTER - www.nic.ru
DNS – the most popular themes (threats)
- Spoofing – substitution of a DNS server's answer (solution – DNSSEC).
- Conficker – botnet creator (solution – preventive bulk registration).
- Fast-flux – dynamic change of the address resource record, i.e. of the name/address link (solution – UNKNOWN!!!).
Fast-Flux: term definition
“Fast flux” refers to rapid and repeated changes to an Internet host (A) and/or name server (NS) resource record in a DNS zone, which have the effect of rapidly changing the location (IP address) to which the domain name of an A or NS resolves.
Fast flux attack networks are robust, resource obfuscating service delivery infrastructures. Such infrastructures make it difficult for system administrators and law enforcement agents to shut down active scams and identify the criminals operating them.
DNS & Web
1. User -> DNS server: Site.ru A ?
2. DNS server -> User: Site.ru A 194.32.33.1
3. User -> HTTP server (194.32.33.1): GET http://site.ru HTTP/1.1, Host: site.ru
4. HTTP server -> User: 200 Ok…
DNS & Web in detail
1. User -> cache DNS server: Site.ru A ?
2. Cache DNS server -> ROOT: Site.ru A ?
3. ROOT -> cache DNS server: .ru NS ns2.ripn.net
4. Cache DNS server -> ns2.ripn.net: Site.ru A ?
5. ns2.ripn.net -> cache DNS server: site.ru NS ns1.site.ru
6. Cache DNS server -> ns1.site.ru: Site.ru A ?
7. ns1.site.ru -> cache DNS server: Site.ru TTL A 194.32.33.1
8. Cache DNS server -> User: Site.ru A 194.32.33.1
9. User -> HTTP server (194.32.33.1): GET http://site.ru HTTP/1.1, Host: site.ru
10. HTTP server -> User: 200 Ok…
Reverse proxy using
1. User -> DNS server: Site.ru A ?
2. DNS server -> User: Site.ru A 194.32.33.x
3. User -> HTTP reverse-proxy server (194.32.33.1, 194.32.33.2, 194.32.33.3, …): GET http://site.ru HTTP/1.1, Host: site.ru
4. Reverse proxy -> User: 200 Ok… (the content is fetched from the source server behind the proxies)
Reverse proxy using & botnets
1. Users -> cache DNS server: Site.ru A ?
2. Cache DNS server -> Users: Site.ru A 194.32.33.x, 120.33.10.y, 140.120.12.z, …
3. Users -> HTTP reverse-proxy servers on botnet hosts (194.32.33.x, 120.33.10.y, 140.120.12.z, …): GET http://site.ru HTTP/1.1, Host: site.ru
4. Reverse proxy -> Users: 200 Ok… (the content is served from the hidden content server)
A small TTL is what permits fast changing of the A records.
The set of hosts is routed through varied ASes.
Fast-flux “fingerprints”
- multiple IPs per NS spanning multiple ASNs;
- frequent NS changes;
- in-addr.arpa or IPs lying within consumer broadband allocation blocks;
- domain name age;
- poor-quality WHOIS;
- determination that the nginx proxy is running on the addressed machine: nginx is commonly used to hide/proxy illegal web servers;
- the domain name is one of possibly many domain names under the name of a registrant whose domain administration account has been compromised, and the attacker has altered domain name information without authorization.
Our research: method
1. Select all distinct domain names from the log of the DNS server. It would be better to take the log of an authoritative server of the zone.
2. Test this list against DNS several times (100 times, for example) to obtain the TTL and IP addresses for each domain name.
3. Focus on the names with TTL < 1000 and multiple IPs.
4. Remove Google, Yandex, … from the list.
Then…
Our research: method (continued)
- We obtained the geographic and AS distribution for each domain on the list.
- We computed the intersection with the providers' end-user access pools for each domain.
There is a high probability that a “fast-flux” domain has its IP set distributed geographically and across ASes and that it belongs to a provider's access pool.
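As an added example (not the authors' code or data), the crude check from the first method slide and the access-pool, geographic and AS refinement from the second, applied to constructed lookup samples; the domain names, addresses, AS numbers, access-pool prefixes and the whitelist are all made up.

```python
import ipaddress
from collections import defaultdict

# Constructed lookup samples (domain, ttl, ip, asn, country), as if each
# name had been resolved repeatedly; all values are illustrative.
SAMPLES = [
    ("shop.example.ru", 300, "10.1.2.3", "AS64500", "DE"),
    ("shop.example.ru", 300, "10.1.9.7", "AS64500", "DE"),
    ("shop.example.ru", 300, "192.0.2.44", "AS64501", "FR"),
    ("shop.example.ru", 300, "198.51.100.9", "AS64502", "PL"),
    ("cdn.example.net", 60, "203.0.113.5", "AS64510", "US"),
    ("cdn.example.net", 60, "203.0.113.6", "AS64510", "US"),
    ("static.example.org", 86400, "203.0.113.80", "AS64520", "NL"),
]
# Constructed end-user (consumer broadband) access pools of the providers.
ACCESS_POOLS = [ipaddress.ip_network("10.1.0.0/16"),
                ipaddress.ip_network("198.51.100.0/24")]
WHITELIST = {"cdn.example.net"}   # stands in for Google, Yandex, ...
TTL_LIMIT = 1000                  # the slides' "TTL < 1000" threshold

def profile(samples):
    """Aggregate repeated lookups into one record per domain name."""
    prof = defaultdict(lambda: {"ttl": None, "ips": set(),
                                "asns": set(), "countries": set()})
    for name, ttl, ip, asn, cc in samples:
        p = prof[name.lower()]
        p["ttl"] = ttl if p["ttl"] is None else min(p["ttl"], ttl)
        p["ips"].add(ip)
        p["asns"].add(asn)
        p["countries"].add(cc)
    return prof

def in_access_pool(ip):
    """True if the address lies inside a known end-user access pool."""
    return any(ipaddress.ip_address(ip) in net for net in ACCESS_POOLS)

def classify(samples):
    """Map each suspicious domain to 'crude' or 'likely' per the method."""
    verdicts = {}
    for name, p in profile(samples).items():
        if name in WHITELIST:
            continue
        # Crude estimate: small TTL and more than one IP address.
        if not (p["ttl"] < TTL_LIMIT and len(p["ips"]) > 1):
            continue
        # Refinement: IPs in an access pool, spread over countries and ASes.
        pooled = any(in_access_pool(ip) for ip in p["ips"])
        spread = len(p["asns"]) > 1 and len(p["countries"]) > 1
        verdicts[name] = "likely" if pooled and spread else "crude"
    return verdicts
```

With the constructed samples only shop.example.ru survives both stages; the static name fails the TTL test and the whitelisted CDN is skipped.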
Our research: results
Summary results:
Number of the domains with TTL < 1000 & multiple IPs: 1633
Number of the second level domains with TTL < 1000 & multiple IPs: 522
Number of the nnn.ru domains with TTL < 1000 & multiple IPs: 312
Number of the domain names pointing to the end user access pools: 1287, including:
- Geographic distribution: 398
- AS distribution: 743
Our research: results
Top-5 domains (queries):
ns6.b6f.ru: 2352598
Ns1.ut9.ru (Zimbra server): 246873
ns2.Ew0.ru (Zimbra server): 244035
NS3.wAntdrOOl.ru: 117990
Ns1.wEbshopmAG.ru: 96833
Another typical name: wnacsspa1j4i.odnoklassniki.x8m.ru.
Our research: results
Top-5 countries (domains):
Germany: 350
France: 349
Poland: 40
Netherlands: 34
Taiwan: 32
Our research: results
Russian AS names & end user access pools (domains):
AGAVA: 347
Unknown: 1
INAR-VOLOGDA-AS: 1
RINET-AS: 1
Our research: results
Registrars & end user access pools (domains per Russian registrar, different regions):
NAUNET-REG-RIPN: 98
REGRU-REG-RIPN: 102
REGTIME-REG-RIPN: 183
RIPN-REG-RIPN: 1
Conclusions
1. TTL & multiple IPs are enough for a crude estimation.
2. The intersection of the domain names' IPs with the end user access pools gives more precise detection.
3. Geographic & AS distribution improve detection.
Questions?