Role of DNS in Botnet Command and Control
1. OpenDNS Security Talk
The Role of DNS in Botnet Command & Control (C&C)
4. How It Works?
[Diagram: STUB CLIENTS send queries to RECURSIVE NAME SERVERS, which walk the AUTHORITATIVE NAME SERVERS in order: root, then tld, then domain.tld.]
5. So It’s a Protocol? Or a Database? No, It’s Both!
[Diagram, two halves: REQUEST PROTOCOL on the left, DISTRIBUTED DATABASE on the right. Any device and any application sends a QUERY (e.g. a domain name) and receives a RESPONSE (e.g. an IP address); recursive & authoritative name servers hold the RESOURCE RECORDS (e.g. domain name = IP address).]
7. Role of DNS in Internet Threats (including Botnet C&C)
8. IRC, P2P and 100s more
[Diagram, DATA THEFT: an infected device “phones home”. Without user interaction, confidential data is leaked to p2p.botnet.cn. The hacker collects the data via the botnet controller or via bot peers.]
9. Hackers Add Threat Mobility via DNS to Thwart Reactive Defenses
[Diagram: three successive rounds of DNS answers, shown side by side.]

IP FLUX via DNS RECORDS (same query, different responses):
  paypalz.com    = 1.1.1.1, then 1.1.1.2, then 1.1.1.3
  ad.malware.cn  = 2.2.2.2, then 2.2.2.3, then 2.2.2.4
  p2p.botnet.com = 3.3.3.3, then 3.3.3.4, then 3.3.3.5

DOMAIN FLUX via DGA (different queries, same response):
  paypalz.com, paypals.com, paypall.com               = 1.1.1.1
  maltesefalcon.cn, visitmalta.cn, maltwhisky.cn      = 2.2.2.2
  kjasdfsdfsaa.com, kjasdfaasdf.com, ijiewfsfsjst.com = 3.3.3.3

DOUBLE IP FLUX via DNS RECORDS (same name server, different responses):
  ns.botnet.com = 4.4.4.4, then 4.4.4.5, then 4.4.4.6

Must Shutdown or Block All…
• Content Servers.
• Name Servers.
… via DNS Records.
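The three flux patterns on this slide each leave a distinct footprint in passive-DNS data, and that footprint is what a resolver-side defense can key on. The script below is an added example, not code from the talk or from OpenDNS: it replays constructed resolver observations that mirror the slide's layout (the names and addresses are invented, as are the thresholds MIN_DISTINCT and SHORT_TTL) and reports which names show IP flux, which address sits behind a burst of generated-looking names, and which zone's name server is itself fluxing.

```python
"""Flux detection over passive-DNS observations (added example, not from the talk).

Assumes a sensor has logged resolver answers as (time, qname, rtype, rdata, ttl)
tuples; names, addresses and thresholds below are constructed for illustration.
"""
from collections import defaultdict

RECORDS = [
    # IP flux: same query, different responses across three observation rounds.
    (0,   "paypalz.com",    "A", "1.1.1.1", 60),
    (0,   "ad.malware.cn",  "A", "2.2.2.2", 60),
    (0,   "p2p.botnet.com", "A", "3.3.3.3", 60),
    (300, "paypalz.com",    "A", "1.1.1.2", 60),
    (300, "ad.malware.cn",  "A", "2.2.2.3", 60),
    (300, "p2p.botnet.com", "A", "3.3.3.4", 60),
    (600, "paypalz.com",    "A", "1.1.1.3", 60),
    (600, "ad.malware.cn",  "A", "2.2.2.4", 60),
    (600, "p2p.botnet.com", "A", "3.3.3.5", 60),
    # Domain flux: different (generated-looking) queries, same response.
    (0,   "kjasdfsdfsaa.com", "A", "5.5.5.5", 60),
    (300, "kjasdfaasdf.com",  "A", "5.5.5.5", 60),
    (600, "ijiewfsfsjst.com", "A", "5.5.5.5", 60),
    # Double flux: the zone's own name-server host changes address as well.
    (0,   "botnet.com",    "NS", "ns.botnet.com.", 60),
    (0,   "ns.botnet.com", "A",  "4.4.4.4", 60),
    (300, "ns.botnet.com", "A",  "4.4.4.5", 60),
    (600, "ns.botnet.com", "A",  "4.4.4.6", 60),
    # Ordinary traffic (constructed): one stable address, long TTL.
    (0,   "example.com",     "NS", "ns1.example.com.", 86400),
    (0,   "ns1.example.com", "A",  "7.7.7.8", 86400),
    (0,   "www.example.com", "A",  "7.7.7.7", 3600),
    (600, "www.example.com", "A",  "7.7.7.7", 3600),
]

MIN_DISTINCT = 3   # assumption: distinct addresses/names seen before calling it flux
SHORT_TTL = 300    # assumption: flux operators keep TTLs low so changes take effect fast


def a_records(records):
    """Map each name to the set of addresses it answered with, and its largest TTL."""
    addrs, max_ttl = defaultdict(set), defaultdict(int)
    for _t, qname, rtype, rdata, ttl in records:
        if rtype == "A":
            addrs[qname].add(rdata)
            max_ttl[qname] = max(max_ttl[qname], ttl)
    return addrs, max_ttl


def ip_flux(records, min_distinct=MIN_DISTINCT, short_ttl=SHORT_TTL):
    """Same query, different responses: a name that churns through many addresses
    while keeping a short TTL, so blocking any one content server achieves little."""
    addrs, max_ttl = a_records(records)
    return sorted(n for n, a in addrs.items()
                  if len(a) >= min_distinct and max_ttl[n] <= short_ttl)


def domain_flux(records, min_names=MIN_DISTINCT):
    """Different queries, same response: many distinct names converge on one address,
    the footprint of a domain-generation algorithm, so blocking one name achieves little."""
    names = defaultdict(set)
    for _t, qname, rtype, rdata, _ttl in records:
        if rtype == "A":
            names[rdata].add(qname)
    return {ip: sorted(n) for ip, n in names.items() if len(n) >= min_names}


def double_flux(records, min_distinct=MIN_DISTINCT):
    """Same name server, different responses: zones whose NS host is itself
    IP-fluxing, so content servers AND name servers would both have to be blocked."""
    addrs, _ = a_records(records)
    fluxing_hosts = {n for n, a in addrs.items() if len(a) >= min_distinct}
    zones = defaultdict(set)
    for _t, qname, rtype, rdata, _ttl in records:
        if rtype == "NS":
            zones[qname].add(rdata.rstrip("."))
    return sorted(z for z, hosts in zones.items() if hosts & fluxing_hosts)


if __name__ == "__main__":
    print("IP flux:", ip_flux(RECORDS))
    print("Domain flux:", domain_flux(RECORDS))
    print("Double flux:", double_flux(RECORDS))
```

The TTL gate in ip_flux matters in practice: large CDNs also answer one name with many addresses, but they do so with round-robin pools, not a steady march through new addresses under a one-minute TTL. A real deployment would also widen the observation window and compare against a history of known-good zones before acting on any of these lists.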
12-16. Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies (builds 1-5)
[Diagram, built up over five slides: an infected device within the on-premises network is just one vector. Its DNS queries pass through the PROXY and FIREWALL to the ISP resolver and carry data outbound inside the query name (“where is 11010.cnc.tld?”, “where is 00110.cnc.tld?”, “where is 01010.cnc.tld?”); the answers carry data back inbound (“cnc.tld is at 01110”, “cnc.tld is at 11100”, “cnc.tld is at 11011”).]

DNS TUNNELING
• Bi-directional ~110kbps using TXT records.
• 1998 -- Concept published.
• 2004 -- Security community discussed.
• 2008 -- Security community created exploit.
• 2011 -- 1st documented botnet to exploit it.
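Because a tunnel must smuggle its payload through the query name, the queries themselves look different from ordinary lookups: each one carries a never-seen-before subdomain, the leftmost label is long and high-entropy, and the record type is often TXT so the reply can carry data back. The script below is an added example, not code from the talk or from OpenDNS: it parses a constructed query log in which six queries copy the slide's “where is <data>.cnc.tld?” pattern, profiles each registrable domain on those features, and flags the tunnel. The log format, the two-label notion of “registrable domain”, and the thresholds are all assumptions.

```python
"""DNS-tunnel heuristics over constructed query-log lines (added example, not from the talk)."""
import math
import re
from collections import defaultdict

# Constructed sample log: timestamp, client, query type, query name.
# The first six lines mimic the slide's "where is <data>.cnc.tld?" pattern, with a
# 32-character hex chunk of data as the leftmost label and TXT as the query type so
# the reply can carry data back. The remaining lines are ordinary traffic.
SAMPLE_LOG = """\
2011-03-01T10:00:00 10.0.0.5 TXT 3a9f1c77e2b04d5a6f8e19c0b7d2a4e1.cnc.tld
2011-03-01T10:00:01 10.0.0.5 TXT 9c0e4b2d7f6a1358e2c4d9b0a7f1e6c3.cnc.tld
2011-03-01T10:00:02 10.0.0.5 TXT 5d1b8e3f0a27c69e4b8d1f3a6c2e9b07.cnc.tld
2011-03-01T10:00:03 10.0.0.5 TXT e7c2a95d3b1f08e64a9c7d2b5f0e3a18.cnc.tld
2011-03-01T10:00:04 10.0.0.5 TXT 0b6f3d9a2e1c7b84f5a0d3e9c2b7a641.cnc.tld
2011-03-01T10:00:05 10.0.0.5 TXT a4e18c3f7b2d0956c1e8f3a7d2b4c0e5.cnc.tld
2011-03-01T10:00:06 10.0.0.7 A   www.example.com
2011-03-01T10:00:07 10.0.0.7 A   www.example.com
2011-03-01T10:00:08 10.0.0.7 A   mail.example.com
2011-03-01T10:00:09 10.0.0.7 MX  example.com
2011-03-01T10:00:10 10.0.0.9 A   cdn.example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

MIN_QUERIES = 4     # assumption: see a few queries before judging a domain
LONG_LABEL = 30     # assumption: ordinary hostnames rarely carry labels this long
HIGH_ENTROPY = 3.5  # assumption: bits per character; hex/base32 payloads sit near the top
NOVELTY = 0.9       # assumption: almost every query uses a subdomain never seen before


def parse_log(text):
    """Turn the constructed log lines into dicts; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            out.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname.lower().rstrip(".")})
    return out


def base_domain(qname):
    # Assumption: registrable domain = last two labels. A real deployment would use
    # the Public Suffix List so that co.uk-style suffixes are handled correctly.
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits per character of the string; 0.0 for a single repeated character."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile(records):
    """Per registrable domain: query count, distinct subdomains, longest label,
    mean entropy of the subdomain part, and the share of TXT queries."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "max_label": 0,
                                 "entropy_sum": 0.0, "txt": 0})
    for r in records:
        base = base_domain(r["qname"])
        sub = r["qname"][: -len(base)].rstrip(".")
        st = stats[base]
        st["queries"] += 1
        st["subdomains"].add(sub)
        st["max_label"] = max(st["max_label"], *(len(label) for label in sub.split(".")))
        st["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        st["txt"] += r["qtype"] == "TXT"
    return {base: {"queries": st["queries"],
                   "distinct_subdomains": len(st["subdomains"]),
                   "max_label": st["max_label"],
                   "mean_entropy": st["entropy_sum"] / st["queries"],
                   "txt_fraction": st["txt"] / st["queries"]}
            for base, st in stats.items()}


def suspicious_domains(text):
    """Flag domains where nearly every query carries fresh, payload-like data."""
    flagged = []
    for base, p in profile(parse_log(text)).items():
        if p["queries"] < MIN_QUERIES:
            continue
        novel = p["distinct_subdomains"] / p["queries"] >= NOVELTY
        payload_like = p["max_label"] >= LONG_LABEL or p["mean_entropy"] >= HIGH_ENTROPY
        if novel and payload_like:
            flagged.append(base)
    return sorted(flagged)


if __name__ == "__main__":
    for base, p in profile(parse_log(SAMPLE_LOG)).items():
        print(base, p)
    print("suspicious:", suspicious_domains(SAMPLE_LOG))
```

The label-length and entropy gate is what keeps legitimate TXT-heavy traffic out of the result: DKIM selector lookups (mentioned on the slide about bigger DNS packets) are TXT queries to many distinct names, but their labels are short and readable. Conversely, a tunnel that throttles itself to a few queries per hour will slip under MIN_QUERIES unless the profile is accumulated over a longer window, which is the trade-off a resolver-side detector has to tune.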
17. If Hackers Have Evolved, So Should Your Defense-in-Depth Strategy!

PAST:
• Hackers seek fame & glory.
• Malware disrupts your business.
• Your highest costs are lost productivity & IT remediation time.
• After detection, you attempt to prevent 100%. There’s a lot of vectors, so a lot of solutions.

PRESENT & FUTURE:
• Cybercriminals seek fortune & politics.
• Botnets penetrate your networks. And roaming & mobile devices enter your networks.
• Your highest costs are leaked data & legal audit fees.
• After preventing as much as reasonable, since 100% is no longer realizable, you contain the rest.
23. What’s Next for DNS-based Security?
• More domain names to track.
» Internet still exponentially growing.
» ICANN received 2000+ applications for new TLDs (Top-Level Domains).
• Bigger and more complex DNS packets.
» DNS tunneling by botnets.
» DKIM (DomainKeys Identified Mail).
» AAAA records for IPv6 addresses.
• More DNS traffic.
» More persistent threats due to DIY (do-it-yourself) kits for cybercriminals.
» Browsers predictively pre-caching DNS requests.
24. Thank You for Attending!
Continue the discussion:
Email: david@opendns.com
Twitter: @davidu