OpenDNS Security Talk
The Role of DNS in Botnet Command & Control (C&C)

Please Watch the Recording via the Link Posted in
the Comment Section Below for Context!
Topics: DNS REFRESHER.
Domain Name System Refresher
How It Works?
[Diagram: STUB CLIENTS query RECURSIVE NAME SERVERS, which in turn query the AUTHORITATIVE NAME SERVERS: root, tld, domain.tld.]
So It’s a Protocol? Or a Database? No, It’s Both!
[Diagram, two halves:]
REQUEST PROTOCOL: any device, any application sends a QUERY (e.g. a domain name) and receives a RESPONSE (e.g. an IP address).
DISTRIBUTED DATABASE: recursive & authoritative name servers hold RESOURCE RECORDS (e.g. domain name = IP address).
Role of DNS in Internet Threats (including Botnet C&C)
DATA THEFT
[Diagram: C&C channels are IRC, P2P and 100s more.]
•  Infected device “phones home”.
•  Without user interaction, confidential data is leaked to p2p.botnet.cn.
•  Hacker collects data via botnet controller or bot peers.
Hackers Add Threat Mobility via DNS to Thwart Reactive Defenses

IP FLUX via DNS RECORDS (SAME QUERY, DIFFERENT RESPONSES):
  paypalz.com = 1.1.1.1    ad.malware.cn = 2.2.2.2    p2p.botnet.com = 3.3.3.3
  paypalz.com = 1.1.1.2    ad.malware.cn = 2.2.2.3    p2p.botnet.com = 3.3.3.4
  paypalz.com = 1.1.1.3    ad.malware.cn = 2.2.2.4    p2p.botnet.com = 3.3.3.5

DOMAIN FLUX via DGA (DIFFERENT QUERIES, SAME RESPONSE):
  paypalz.com = 1.1.1.1    maltesefalcon.cn = 2.2.2.2    kjasdfsdfsaa.com = 3.3.3.3
  paypals.com = 1.1.1.1    visitmalta.cn = 2.2.2.2       kjasdfaasdf.com = 3.3.3.3
  paypall.com = 1.1.1.1    maltwhisky.cn = 2.2.2.2       ijiewfsfsjst.com = 3.3.3.3

DOUBLE IP FLUX via DNS RECORDS (SAME NAME SERVER, DIFFERENT RESPONSES):
  ns.botnet.com = 4.4.4.4    ns.botnet.com = 4.4.4.5    ns.botnet.com = 4.4.4.6

Must Shutdown or Block All…
•  Content Servers.
•  Name Servers.
… via DNS Records.
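Defender-side detection of the three flux patterns in the slide above, added here as an example and not code from the OpenDNS deck; the observation format, the thresholds and the sample records (which reproduce the slide's table) are assumptions and constructed data.

```python
"""Flag the three flux patterns from the slide in passive-DNS observations.

IP flux     : same query, different responses (one name, many A answers)
Domain flux : different queries, same response (many names, one A answer)
Double flux : the zone's own name-server host has fluxing A answers
"""
from collections import defaultdict
from typing import Dict, NamedTuple, Sequence, Set


class Observation(NamedTuple):
    qname: str   # name that was queried
    rtype: str   # "A" (content host) or "NS" (the zone's name server)
    rdata: str   # the answer: an IPv4 address for A, a host name for NS


def norm(name: str) -> str:
    return name.lower().rstrip(".")


def ip_flux(obs: Sequence[Observation], min_ips: int = 3) -> Dict[str, Set[str]]:
    """Names whose A answers differed across observations (same query, different responses)."""
    answers: Dict[str, Set[str]] = defaultdict(set)
    for o in obs:
        if o.rtype == "A":
            answers[norm(o.qname)].add(o.rdata)
    return {n: ips for n, ips in answers.items() if len(ips) >= min_ips}


def domain_flux(obs: Sequence[Observation], min_names: int = 3) -> Dict[str, Set[str]]:
    """Addresses that many distinct names resolved to (different queries, same response)."""
    names: Dict[str, Set[str]] = defaultdict(set)
    for o in obs:
        if o.rtype == "A":
            names[o.rdata].add(norm(o.qname))
    return {ip: ns for ip, ns in names.items() if len(ns) >= min_names}


def double_flux(obs: Sequence[Observation], min_ips: int = 3) -> Dict[str, Set[str]]:
    """Name-server hosts (taken from NS answers) whose own A record is fluxing."""
    ns_hosts = {norm(o.rdata) for o in obs if o.rtype == "NS"}
    return {h: ips for h, ips in ip_flux(obs, min_ips).items() if h in ns_hosts}


def block_list(obs: Sequence[Observation]) -> Dict[str, Set[str]]:
    """The slide's 'block all' point: every content IP, name-server IP and name involved."""
    content_ips = {ip for ips in ip_flux(obs).values() for ip in ips}
    ns_ips = {ip for ips in double_flux(obs).values() for ip in ips}
    names = set(ip_flux(obs)) | {n for ns in domain_flux(obs).values() for n in ns}
    return {"content_ips": content_ips - ns_ips, "ns_ips": ns_ips, "names": names}


# Constructed observations reproducing the slide's example table; not real data.
SAMPLE = [Observation(q, t, r) for q, t, r in [
    # IP flux column: same query, different responses over time
    ("paypalz.com", "A", "1.1.1.1"), ("paypalz.com", "A", "1.1.1.2"), ("paypalz.com", "A", "1.1.1.3"),
    ("ad.malware.cn", "A", "2.2.2.2"), ("ad.malware.cn", "A", "2.2.2.3"), ("ad.malware.cn", "A", "2.2.2.4"),
    ("p2p.botnet.com", "A", "3.3.3.3"), ("p2p.botnet.com", "A", "3.3.3.4"), ("p2p.botnet.com", "A", "3.3.3.5"),
    # Domain flux column: different (DGA-style) queries, same response
    ("paypals.com", "A", "1.1.1.1"), ("paypall.com", "A", "1.1.1.1"),
    ("maltesefalcon.cn", "A", "2.2.2.2"), ("visitmalta.cn", "A", "2.2.2.2"), ("maltwhisky.cn", "A", "2.2.2.2"),
    ("kjasdfsdfsaa.com", "A", "3.3.3.3"), ("kjasdfaasdf.com", "A", "3.3.3.3"), ("ijiewfsfsjst.com", "A", "3.3.3.3"),
    # Double flux: the zone's name server host fluxes as well
    ("botnet.com", "NS", "ns.botnet.com"),
    ("ns.botnet.com", "A", "4.4.4.4"), ("ns.botnet.com", "A", "4.4.4.5"), ("ns.botnet.com", "A", "4.4.4.6"),
    # Benign baseline: a stable answer that must not be flagged
    ("www.example.org", "A", "5.5.5.5"), ("www.example.org", "A", "5.5.5.5"),
]]

if __name__ == "__main__":
    for kind, hits in (("IP flux", ip_flux(SAMPLE)), ("Domain flux", domain_flux(SAMPLE)),
                       ("Double flux", double_flux(SAMPLE))):
        print(kind, {k: sorted(v) for k, v in hits.items()})
    print("Block list:", {k: sorted(v) for k, v in block_list(SAMPLE).items()})
```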
Hackers Distribute Botnet’s Architecture via DNS to Thwart Takedown
Hackers Distribute Botnet’s Architecture via DNS to Thwart Takedown (continued…)
Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies
[Diagram, built up over five slides: An Infected Device within On-Premises Network is Just One Vector. The device sits behind a FIREWALL and a PROXY, with a second PROXY at the ISP. Its queries “where is 11010.cnc.tld?”, “where is 00110.cnc.tld?”, “where is 01010.cnc.tld?” pass out through all three, and the answers “cnc.tld is at 01110”, “cnc.tld is at 11100”, “cnc.tld is at 11011” come back the same way, so data moves in both directions inside ordinary DNS traffic.]

DNS TUNNELING
•  Bi-directional ~110kbps using TXT records.
•  1998 -- Concept published.
•  2004 -- Security community created exploit.
•  2008 -- Security community discussed.
•  2011 -- 1st documented botnet to exploit it.
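Defender-side scoring for the tunneling pattern in the slides above, added here as an example and not code from the OpenDNS deck; the query-log format, the indicator thresholds and the two-label registered-domain rule are assumptions, and the cnc.tld labels are constructed sample data rather than a real tunnel.

```python
"""Score per-domain DNS query behaviour for tunneling indicators.

A tunnel has to carry its data in the query names (and pull data back in
answers, often TXT), so the parent domain collects many unique, long,
high-entropy first labels and an unusual share of TXT lookups.
"""
import math
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

# Constructed sample log, one query per line as "<client> <qtype> <qname>".
# The cnc.tld labels are made-up base32-style strings, not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.5 AAAA www.example.com
10.0.0.7 TXT mfrggzdfmztwq2lknnwg23tpobyxe43uor4hg.cnc.tld
10.0.0.7 TXT nbswy3dpfqqhe3lfnfxgkzdf6ykqlwkrkqlfk.cnc.tld
10.0.0.7 TXT orsxg5bamzxxe3de5mxgk3tfnzsgc3tuo.cnc.tld
10.0.0.7 TXT mfwgs3tpnfqxgzlsebtgc3tfnrsa.cnc.tld
10.0.0.7 TXT gezdgnbvgy3tqojqgezdgnbvgy3tqojq.cnc.tld
10.0.0.7 A ovsxe4tjebsw4zlsmfqwyzjamrxw4a.cnc.tld
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Assumption: the registrable part is the last two labels.
    A real deployment should use the public suffix list (co.uk, com.cn, ...)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(log: str) -> Iterator[Tuple[str, str, str]]:
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].upper(), parts[2].lower().rstrip(".")


def profile(log: str) -> Dict[str, Dict[str, float]]:
    """Per registered domain: query count, unique-name ratio, TXT share,
    mean first-label length and mean first-label entropy."""
    acc = defaultdict(lambda: {"queries": 0, "txt": 0, "names": set(),
                               "label_len": 0, "entropy": 0.0})
    for _client, qtype, qname in parse_log(log):
        dom = registered_domain(qname)
        first = "" if qname == dom else qname.split(".")[0]
        a = acc[dom]
        a["queries"] += 1
        if qtype == "TXT":
            a["txt"] += 1
        a["names"].add(qname)
        a["label_len"] += len(first)
        a["entropy"] += shannon_entropy(first)
    out: Dict[str, Dict[str, float]] = {}
    for dom, a in acc.items():
        q = a["queries"]
        out[dom] = {"queries": q,
                    "unique_ratio": len(a["names"]) / q,
                    "txt_ratio": a["txt"] / q,
                    "avg_label_len": a["label_len"] / q,
                    "avg_entropy": a["entropy"] / q}
    return out


def tunnel_score(m: Dict[str, float]) -> int:
    """Number of tunneling indicators present (0..4). Thresholds are assumptions
    to be tuned against a site's own baseline before alerting on them."""
    return sum([
        m["queries"] >= 5 and m["unique_ratio"] >= 0.8,  # nearly every query is a new name
        m["avg_label_len"] >= 20,                        # labels long enough to carry payload
        m["avg_entropy"] >= 3.5,                         # encoded data, not dictionary words
        m["txt_ratio"] >= 0.5,                           # answers pulled back via TXT
    ])


def suspects(log: str, threshold: int = 3) -> List[str]:
    """Registered domains whose indicator count reaches the threshold."""
    return sorted(d for d, m in profile(log).items() if tunnel_score(m) >= threshold)


if __name__ == "__main__":
    for dom, m in profile(SAMPLE_LOG).items():
        print(f"{dom}: score={tunnel_score(m)} {m}")
    print("suspects:", suspects(SAMPLE_LOG))
```

Feed it a day of resolver query logs and the domains with a high count are the candidates for blocking or for a closer look at the answering TXT records.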
If Hackers Have Evolved, So Should Your Defense-in-Depth Strategy!

PAST: Hackers seek fame & glory.
PRESENT & FUTURE: Cybercriminals seek fortune & politics.

PAST: Malware disrupts your business.
PRESENT & FUTURE: Botnets penetrate your networks. And roaming & mobile devices enter your networks.

PAST: Your highest costs are lost productivity & IT remediation time.
PRESENT & FUTURE: Your highest costs are leaked data & legal audit fees.

PAST: After detection, you attempt to prevent 100%. There are a lot of vectors, so a lot of solutions.
PRESENT & FUTURE: After preventing as much as reasonable, since 100% is no longer realizable, you contain the rest.
Role of DNS in Internet-Wide Security
Visualize Threats & Characterize Patterns in Big Data
[Image: Visualizing One Day’s Worth of Blocked Malware, Botnet, or Phishing Domain Requests.]
What’s Next for DNS-based Security?
•  More domain names to track.
   »  Internet still exponentially growing.
   »  ICANN received 2000+ applications for new TLDs (Top-Level Domains).
•  Bigger and more complex DNS packets.
   »  DNS tunneling by botnets.
   »  DKIM (DomainKeys Identified Mail).
   »  AAAA records for IPv6 addresses.
•  More DNS traffic.
   »  More persistent threats due to DIY (do-it-yourself) kits for cybercriminals.
   »  Browsers predictively pre-caching DNS requests.
Thank You for Attending!
Continue the discussion:
Email: david@opendns.com
Twitter: @davidu
More Related Content

Viewers also liked

Scripting and automation with the Men & Mice Suite
Scripting and automation with the Men & Mice SuiteScripting and automation with the Men & Mice Suite
Scripting and automation with the Men & Mice SuiteMen and Mice
 
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...CiNPA Security SIG
 
Social Networks And Phishing
Social Networks And PhishingSocial Networks And Phishing
Social Networks And Phishingecarrow
 
Symantec (ISTR) Internet Security Threat Report Volume 22
Symantec (ISTR) Internet Security Threat Report Volume 22Symantec (ISTR) Internet Security Threat Report Volume 22
Symantec (ISTR) Internet Security Threat Report Volume 22CheapSSLsecurity
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsMen and Mice
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 WebinarMen and Mice
 
Umbrella Webcast: Redefining Security for the Nomadic Worker
Umbrella Webcast: Redefining Security for the Nomadic WorkerUmbrella Webcast: Redefining Security for the Nomadic Worker
Umbrella Webcast: Redefining Security for the Nomadic WorkerOpenDNS
 
Microsoft Cyber Security IT-Camp
Microsoft Cyber Security IT-CampMicrosoft Cyber Security IT-Camp
Microsoft Cyber Security IT-CampAlexander Benoit
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
 
Dns Hardening Linux Os
Dns Hardening   Linux OsDns Hardening   Linux Os
Dns Hardening Linux Osecarrow
 
OISF: Regular Expressions (Regex) Overview
OISF: Regular Expressions (Regex) OverviewOISF: Regular Expressions (Regex) Overview
OISF: Regular Expressions (Regex) OverviewCiNPA Security SIG
 
Cisco Connect Toronto 2017 - Accelerating Incident Response in Organizations...
Cisco Connect Toronto  2017 - Accelerating Incident Response in Organizations...Cisco Connect Toronto  2017 - Accelerating Incident Response in Organizations...
Cisco Connect Toronto 2017 - Accelerating Incident Response in Organizations...Cisco Canada
 
Phishing Scams: 8 Helpful Tips to Keep You Safe
Phishing Scams: 8 Helpful Tips to Keep You SafePhishing Scams: 8 Helpful Tips to Keep You Safe
Phishing Scams: 8 Helpful Tips to Keep You SafeCheapSSLsecurity
 
Cyber crime & security
Cyber crime & securityCyber crime & security
Cyber crime & securityAvani Patel
 
DerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
DerbyCon 7.0 Legacy: Regular Expressions (Regex) OverviewDerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
DerbyCon 7.0 Legacy: Regular Expressions (Regex) OverviewCiNPA Security SIG
 
Comodo Multi Domain SSL Certificate: Key Features by CheapSSLsecurity
Comodo Multi Domain SSL Certificate: Key Features by CheapSSLsecurityComodo Multi Domain SSL Certificate: Key Features by CheapSSLsecurity
Comodo Multi Domain SSL Certificate: Key Features by CheapSSLsecurityCheapSSLsecurity
 
Cisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attackCisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attackCisco Canada
 
Cisco umbrella overview
Cisco umbrella overviewCisco umbrella overview
Cisco umbrella overviewCisco Canada
 

Viewers also liked (20)

Tcp udp
Tcp udpTcp udp
Tcp udp
 
Scripting and automation with the Men & Mice Suite
Scripting and automation with the Men & Mice SuiteScripting and automation with the Men & Mice Suite
Scripting and automation with the Men & Mice Suite
 
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
 
Social Networks And Phishing
Social Networks And PhishingSocial Networks And Phishing
Social Networks And Phishing
 
Symantec (ISTR) Internet Security Threat Report Volume 22
Symantec (ISTR) Internet Security Threat Report Volume 22Symantec (ISTR) Internet Security Threat Report Volume 22
Symantec (ISTR) Internet Security Threat Report Volume 22
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
 
Umbrella Webcast: Redefining Security for the Nomadic Worker
Umbrella Webcast: Redefining Security for the Nomadic WorkerUmbrella Webcast: Redefining Security for the Nomadic Worker
Umbrella Webcast: Redefining Security for the Nomadic Worker
 
Microsoft Cyber Security IT-Camp
Microsoft Cyber Security IT-CampMicrosoft Cyber Security IT-Camp
Microsoft Cyber Security IT-Camp
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
 
Dns Hardening Linux Os
Dns Hardening   Linux OsDns Hardening   Linux Os
Dns Hardening Linux Os
 
OISF: Regular Expressions (Regex) Overview
OISF: Regular Expressions (Regex) OverviewOISF: Regular Expressions (Regex) Overview
OISF: Regular Expressions (Regex) Overview
 
Cisco Connect Toronto 2017 - Accelerating Incident Response in Organizations...
Cisco Connect Toronto  2017 - Accelerating Incident Response in Organizations...Cisco Connect Toronto  2017 - Accelerating Incident Response in Organizations...
Cisco Connect Toronto 2017 - Accelerating Incident Response in Organizations...
 
Phishing Scams: 8 Helpful Tips to Keep You Safe
Phishing Scams: 8 Helpful Tips to Keep You SafePhishing Scams: 8 Helpful Tips to Keep You Safe
Phishing Scams: 8 Helpful Tips to Keep You Safe
 
Cyber Security # Lec 2
Cyber Security # Lec 2Cyber Security # Lec 2
Cyber Security # Lec 2
 
Cyber crime & security
Cyber crime & securityCyber crime & security
Cyber crime & security
 
DerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
DerbyCon 7.0 Legacy: Regular Expressions (Regex) OverviewDerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
DerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
 
Comodo Multi Domain SSL Certificate: Key Features by CheapSSLsecurity
Comodo Multi Domain SSL Certificate: Key Features by CheapSSLsecurityComodo Multi Domain SSL Certificate: Key Features by CheapSSLsecurity
Comodo Multi Domain SSL Certificate: Key Features by CheapSSLsecurity
 
Cisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attackCisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attack
 
Cisco umbrella overview
Cisco umbrella overviewCisco umbrella overview
Cisco umbrella overview
 

Similar to Role of DNS in Botnet Command and Control

Ubuntu server wireless access point (eng)
Ubuntu server wireless access point (eng)Ubuntu server wireless access point (eng)
Ubuntu server wireless access point (eng)Anatoliy Okhotnikov
 
Hack.lu 2006 - All your Bluetooth is belong to us
Hack.lu 2006 - All your Bluetooth is belong to usHack.lu 2006 - All your Bluetooth is belong to us
Hack.lu 2006 - All your Bluetooth is belong to usThierry Zoller
 
All your Bluetooth is belong to us - the rest too.
All your Bluetooth is belong to us - the rest too.All your Bluetooth is belong to us - the rest too.
All your Bluetooth is belong to us - the rest too.Thierry Zoller
 
PLNOG15-DNS is the root of all evil in the network. How to become a superhero...
PLNOG15-DNS is the root of all evil in the network. How to become a superhero...PLNOG15-DNS is the root of all evil in the network. How to become a superhero...
PLNOG15-DNS is the root of all evil in the network. How to become a superhero...PROIDEA
 
Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)Andreas Taudte
 
Denial of services : limiting the threat
Denial of services : limiting the threatDenial of services : limiting the threat
Denial of services : limiting the threatSensePost
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallGlenn McKnight
 
PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei. Analityka w służbie jej DN...
PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei.Analityka w służbie jej DN...PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei.Analityka w służbie jej DN...
PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei. Analityka w służbie jej DN...PROIDEA
 
Setiri : Advances in trojan technology
Setiri : Advances in trojan technologySetiri : Advances in trojan technology
Setiri : Advances in trojan technologySensePost
 
AWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSAWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSJames Bromberger
 
Cloud TV playout for disaster recovery
Cloud TV playout for disaster recoveryCloud TV playout for disaster recovery
Cloud TV playout for disaster recoveryVeset
 
How IoT Is Breaking The Internet
How IoT Is Breaking The InternetHow IoT Is Breaking The Internet
How IoT Is Breaking The InternetCarl J. Levine
 
DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)Fatima Qayyum
 
Checkpoint Portfolio.pptx
Checkpoint Portfolio.pptxCheckpoint Portfolio.pptx
Checkpoint Portfolio.pptxMarioCruz664886
 
Day 2 Dns Cert 4c Malicious Use
Day 2   Dns Cert 4c Malicious UseDay 2   Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Usevngundi
 

Similar to Role of DNS in Botnet Command and Control (20)

Ubuntu server wireless access point (eng)
Ubuntu server wireless access point (eng)Ubuntu server wireless access point (eng)
Ubuntu server wireless access point (eng)
 
Bo2004
Bo2004Bo2004
Bo2004
 
Hack.lu 2006 - All your Bluetooth is belong to us
Hack.lu 2006 - All your Bluetooth is belong to usHack.lu 2006 - All your Bluetooth is belong to us
Hack.lu 2006 - All your Bluetooth is belong to us
 
All your Bluetooth is belong to us - the rest too.
All your Bluetooth is belong to us - the rest too.All your Bluetooth is belong to us - the rest too.
All your Bluetooth is belong to us - the rest too.
 
PLNOG15-DNS is the root of all evil in the network. How to become a superhero...
PLNOG15-DNS is the root of all evil in the network. How to become a superhero...PLNOG15-DNS is the root of all evil in the network. How to become a superhero...
PLNOG15-DNS is the root of all evil in the network. How to become a superhero...
 
Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)
 
Denial of services : limiting the threat
Denial of services : limiting the threatDenial of services : limiting the threat
Denial of services : limiting the threat
 
Applied VoIP Security
Applied VoIP Security Applied VoIP Security
Applied VoIP Security
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael Casadevall
 
PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei. Analityka w służbie jej DN...
PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei.Analityka w służbie jej DN...PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei.Analityka w służbie jej DN...
PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei. Analityka w służbie jej DN...
 
Setiri : Advances in trojan technology
Setiri : Advances in trojan technologySetiri : Advances in trojan technology
Setiri : Advances in trojan technology
 
AWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSAWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNS
 
Network and DNS Vulnerabilities
Network and DNS VulnerabilitiesNetwork and DNS Vulnerabilities
Network and DNS Vulnerabilities
 
DDOS (1).ppt
DDOS (1).pptDDOS (1).ppt
DDOS (1).ppt
 
Cloud TV playout for disaster recovery
Cloud TV playout for disaster recoveryCloud TV playout for disaster recovery
Cloud TV playout for disaster recovery
 
How IoT Is Breaking The Internet
How IoT Is Breaking The InternetHow IoT Is Breaking The Internet
How IoT Is Breaking The Internet
 
DoS/DDoS
DoS/DDoSDoS/DDoS
DoS/DDoS
 
DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)
 
Checkpoint Portfolio.pptx
Checkpoint Portfolio.pptxCheckpoint Portfolio.pptx
Checkpoint Portfolio.pptx
 
Day 2 Dns Cert 4c Malicious Use
Day 2   Dns Cert 4c Malicious UseDay 2   Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Use
 

Recently uploaded

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 

Recently uploaded (20)

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 

Role of DNS in Botnet Command and Control

  • 1. OpenDNS Security Talk The Role of DNS in Botnet Command & Control (C&C) Please Watch the Recording via the Link Posted in the Comment Section Below for Context!
  • 2. Topics DNS REFRESHER.
  • 3. Domain Name System Refresher
  • 4. How It Works? STUB RECURSIVE AUTHORITATIVE CLIENTS NAME SERVERS NAME SERVERS root tld domain.tld
  • 5. So It’s a Protocol? Or a Database? No, It’s Both! REQUEST DISTRIBUTED PROTOCOL DATABASE QUERY RESOURCE domain name RECORDS RESPONSE e.g. domain name = IP address e.g. IP address ANY DEVICE RECURSIVE & AUTHORIATIVE ANY APPLICATION NAME SERVERS
  • 7. Role of DNS in Internet Threats (including Botnet C&C)
  • 8. DATA THEFT (IRC, P2P and 100s more). Infected device “phones home”. Without user interaction, confidential data leaked to p2p.botnet.cn. Hacker collects data via botnet controller or bot peers.
  • 9. Hackers Add Threat Mobility via DNS to Thwart Reactive Defenses
      IP FLUX via DNS RECORDS (same query, different responses):
        paypalz.com    = 1.1.1.1, 1.1.1.2, 1.1.1.3
        ad.malware.cn  = 2.2.2.2, 2.2.2.3, 2.2.2.4
        p2p.botnet.com = 3.3.3.3, 3.3.3.4, 3.3.3.5
      DOMAIN FLUX via DGA (different queries, same response):
        paypalz.com, paypals.com, paypall.com             = 1.1.1.1
        maltesefalcon.cn, visitmalta.cn, maltwhisky.cn    = 2.2.2.2
        kjasdfsdfsaa.com, kjasdfaasdf.com, ijiewfsfsjst.com = 3.3.3.3
      DOUBLE IP FLUX via DNS RECORDS (same name server, different responses):
        ns.botnet.com = 4.4.4.4, 4.4.4.5, 4.4.4.6
      Must Shutdown or Block All…
        •  Content Servers.
        •  Name Servers.
        … via DNS Records.
  • 10. Hackers Distribute Botnet’s Architecture via DNS to Thwart Takedown
  • 11. Hackers Distribute Botnet’s Architecture via DNS to Thwart Takedown (continued…)
  • 12. Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies (build 1). An Infected Device within On-Premises Network is Just One Vector. Diagram labels: ISP, PROXY, PROXY, FIREWALL.
  • 13. Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies (build 2). An Infected Device within On-Premises Network is Just One Vector. The infected device sends DNS queries whose hostname labels carry encoded data: “where is 11010.cnc.tld?”, “where is 00110.cnc.tld?”, “where is 01010.cnc.tld?” Diagram labels: ISP, PROXY, PROXY, FIREWALL.
  • 14. Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies (build 3). An Infected Device within On-Premises Network is Just One Vector. The same queries (“where is 11010.cnc.tld?”, “where is 00110.cnc.tld?”, “where is 01010.cnc.tld?”) travel past the PROXY and FIREWALL to the ISP as ordinary DNS lookups.
  • 15. Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies (build 4). An Infected Device within On-Premises Network is Just One Vector. The answers carry encoded data back: “11010.cnc.tld is at 01110”, “11010.cnc.tld is at 11100”, “11010.cnc.tld is at 11011”. Diagram labels: ISP, PROXY, PROXY, FIREWALL.
  • 16. Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies (build 5). DNS TUNNELING:
      •  Bi-directional ~110kbps using TXT records.
      •  1998 -- Concept published.
      •  2004 -- Security community discussed.
      •  2008 -- Security community created exploit.
      •  2011 -- 1st documented botnet to exploit it.
      (Diagram: the same “11010.cnc.tld is at 01110 / 11100 / 11011” answers passing ISP, PROXY, PROXY, FIREWALL.)
  • 17. If Hackers Have Evolved, So Should Your Defense-in-Depth Strategy!
      PAST:
        Hackers seek fame & glory.
        Malware disrupts your business.
        Your highest costs are lost productivity & IT remediation time.
        After detection, you attempt to prevent 100%.
      PRESENT & FUTURE:
        Cybercriminals seek fortune & politics.
        Botnets penetrate your networks. And roaming & mobile devices enter your networks.
        Your highest costs are leaked data & legal audit fees.
        After preventing as much as reasonable since 100% is no longer realizable, you contain the rest. There’s a lot of vectors, so a lot of solutions.
  • 18. Role of DNS in Internet-Wide Security
  • 20. Visualize Threats & Characterize Patterns in Big Data
  • 23. What’s Next for DNS-based Security?
      •  More domain names to track.
        »  Internet still exponentially growing.
        »  ICANN received 2000+ applications for new TLDs (Top-Level Domains).
      •  Bigger and more complex DNS packets.
        »  DNS tunneling by botnets.
        »  DKIM (DomainKeys Identified Mail).
        »  AAAA records for IPv6 addresses.
      •  More DNS traffic.
        »  More persistent threats due to DIY (do-it-yourself) kits for cybercriminals.
        »  Browsers predictively pre-caching DNS requests.
  • 24. Thank You for Attending! Continue the discussion: Email: david@opendns.com Twitter: @davidu
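The three DNS abuse patterns the deck walks through (slide 9: IP flux, domain flux, double flux; slides 12-16: data carried in query labels and TXT answers) each leave a distinct shape in a recursive resolver's query log, and that shape is what a defender hunts for. The Python below is an added example, not code from the OpenDNS talk, that turns each pattern into a detection heuristic and runs it over a constructed resolver log. The log format, the thresholds, the function names (`ip_flux`, `domain_flux`, `tunneling_suspects`) and the 192.0.2.10 address for the benign host are all assumptions made for this illustration; the 1.1.1.x, 3.3.3.x, 4.4.4.x values and the `*.cnc.tld` names mirror the placeholders on the slides.

```python
"""Triage a constructed recursive-resolver log for the DNS patterns in the deck:
IP flux (one name, many answers), domain flux (many names, one answer) and
DNS tunneling (outbound data in churning subdomain labels, inbound data in
TXT answers). Added example; not code from the OpenDNS talk. Log format,
thresholds and helper names are assumptions made for this illustration."""
from collections import defaultdict

# Constructed log lines (assumed format): timestamp client qtype qname answer.
# Addresses are placeholders in the deck's 1.1.1.x / 3.3.3.x / 4.4.4.x style,
# plus a TEST-NET address (192.0.2.10) for a benign site.
SAMPLE_LOG = """\
2012-05-01T10:00:01Z 10.0.0.5 A www.example.com 192.0.2.10
2012-05-01T10:00:02Z 10.0.0.7 A www.example.com 192.0.2.10
2012-05-01T10:00:03Z 10.0.0.5 A paypalz.com 1.1.1.1
2012-05-01T10:00:04Z 10.0.0.5 A paypalz.com 1.1.1.2
2012-05-01T10:00:05Z 10.0.0.5 A paypalz.com 1.1.1.3
2012-05-01T10:00:06Z 10.0.0.9 A paypals.com 1.1.1.1
2012-05-01T10:00:07Z 10.0.0.9 A paypall.com 1.1.1.1
2012-05-01T10:00:08Z 10.0.0.9 A kjasdfsdfsaa.com 3.3.3.3
2012-05-01T10:00:09Z 10.0.0.9 A kjasdfaasdf.com 3.3.3.3
2012-05-01T10:00:10Z 10.0.0.9 A ijiewfsfsjst.com 3.3.3.3
2012-05-01T10:00:11Z 10.0.0.5 A ns.botnet.com 4.4.4.4
2012-05-01T10:00:12Z 10.0.0.5 A ns.botnet.com 4.4.4.5
2012-05-01T10:00:13Z 10.0.0.5 A ns.botnet.com 4.4.4.6
2012-05-01T10:00:14Z 10.0.0.5 TXT 11010.cnc.tld "01110"
2012-05-01T10:00:15Z 10.0.0.5 TXT 00110.cnc.tld "11100"
2012-05-01T10:00:16Z 10.0.0.5 TXT 01010.cnc.tld "11011"
2012-05-01T10:00:17Z 10.0.0.5 TXT 10011.cnc.tld "00101"
"""


def parse_log(text):
    """One dict per non-blank line; qnames are normalised to lowercase, no trailing dot."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname, answer = line.split(None, 4)
        records.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname.lower().rstrip("."), "answer": answer})
    return records


def ip_flux(records, min_answers=3):
    """IP flux (slide 9, left column): the same name resolves to many addresses.
    Returns {qname: sorted IPs} for A queries with >= min_answers distinct answers.
    Caveat: CDNs and round-robin load balancers look identical in this view, so a
    production detector also weighs TTL and the spread of ASNs behind the answers."""
    seen = defaultdict(set)
    for r in records:
        if r["qtype"] == "A":
            seen[r["qname"]].add(r["answer"])
    return {q: sorted(ips) for q, ips in seen.items() if len(ips) >= min_answers}


def domain_flux(records, min_names=3):
    """Domain flux (slide 9, middle column): many names, often DGA output or
    look-alikes, resolve to one address. Returns {ip: sorted qnames}."""
    seen = defaultdict(set)
    for r in records:
        if r["qtype"] == "A":
            seen[r["answer"]].add(r["qname"])
    return {ip: sorted(names) for ip, names in seen.items() if len(names) >= min_names}


def parent_zone(qname):
    """Naive registered-domain guess: the last two labels (no public-suffix list here)."""
    return ".".join(qname.split(".")[-2:])


def tunneling_suspects(records, min_unique=3, min_churn=0.8, min_txt_share=0.5):
    """DNS tunneling (slides 12-16): each outbound message is a fresh subdomain
    label, each inbound message rides in the answer, so a zone shows a high
    ratio of unique qnames to queries and a TXT-heavy query mix.
    Returns {zone: {"unique_labels": n, "txt_share": fraction}}."""
    by_zone = defaultdict(list)
    for r in records:
        by_zone[parent_zone(r["qname"])].append(r)
    flagged = {}
    for zone, rs in by_zone.items():
        unique = {r["qname"] for r in rs}
        churn = len(unique) / len(rs)
        txt_share = sum(r["qtype"] == "TXT" for r in rs) / len(rs)
        if len(unique) >= min_unique and churn >= min_churn and txt_share >= min_txt_share:
            flagged[zone] = {"unique_labels": len(unique), "txt_share": round(txt_share, 2)}
    return flagged


def triage(text):
    """Run all three heuristics over a log and return one report dict."""
    recs = parse_log(text)
    return {"ip_flux": ip_flux(recs), "domain_flux": domain_flux(recs),
            "tunneling": tunneling_suspects(recs)}


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LOG).items():
        print(section, hits)
```

Each heuristic is deliberately blunt so that the shape of the signal is visible: the benign `www.example.com` traffic trips none of them, while the flux names and the `*.cnc.tld` zone are the only hits. On a real log the thresholds need tuning against the environment's own baseline, and TTL values (absent from this constructed format) are the strongest additional signal for the flux cases.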