«FAST-FLUX problem & domain registrars». Pavel Khramtsov, Slovenia 2009. The centre of registration of domains.


1  «FAST-FLUX problem & domain registrars»
Pavel Khramtsov (paul@nic.ru)
Slovenia, 2009
The centre of registration of domains

2  DNS: the most popular themes (threats)
RU-CENTER - www.nic.ru
- Spoofing: substitution of a DNS server's answer (solution: DNSSEC).
- Conficker: botnet creator (solution: preventive bulk registration of the domain names it would use).
- Fast-flux: dynamic change of the address resource record, i.e. of the name/address link (solution: UNKNOWN!!!).

3  Fast-Flux: term definition
- "Fast flux" refers to rapid and repeated changes to an Internet host (A) and/or name server (NS) resource record in a DNS zone, which have the effect of rapidly changing the location (IP address) to which the domain name of an A or NS resolves.
- Fast flux attack networks are robust, resource-obfuscating service delivery infrastructures. Such infrastructures make it difficult for system administrators and law enforcement agents to shut down active scams and identify the criminals operating them.

4  DNS & Web
Participants: User, DNS server, HTTP server (194.32.33.1).
1. User -> DNS server: site.ru A ?
2. DNS server -> User: site.ru A 194.32.33.1
3. User -> HTTP server (194.32.33.1): GET http://site.ru HTTP/1.1, Host: site.ru
4. HTTP server -> User: 200 OK ...

5  DNS & Web in detail
Participants: User, caching DNS server, ROOT, ns2.ripn.net (authoritative for .ru), ns1.site.ru (authoritative for site.ru), HTTP server (194.32.33.1).
1. User -> caching DNS server: site.ru A ?
2. Caching server -> ROOT: site.ru A ?
3. ROOT -> caching server: .ru NS ns2.ripn.net
4. Caching server -> ns2.ripn.net: site.ru A ?
5. ns2.ripn.net -> caching server: site.ru NS ns1.site.ru
6. Caching server -> ns1.site.ru: site.ru A ?
7. ns1.site.ru -> caching server: site.ru TTL A 194.32.33.1 (the answer is cached for TTL seconds)
8. Caching server -> User: site.ru A 194.32.33.1
9. User -> HTTP server (194.32.33.1): GET http://site.ru HTTP/1.1, Host: site.ru
10. HTTP server -> User: 200 OK ...

6  Reverse proxy usage
Participants: User, DNS server, HTTP reverse-proxy servers (194.32.33.1, 194.32.33.2, 194.32.33.3, ...), source (origin) server behind them.
1. User -> DNS server: site.ru A ?
2. DNS server -> User: site.ru A 194.32.33.x (one of the proxy addresses)
3. User -> reverse proxy 194.32.33.x: GET http://site.ru HTTP/1.1, Host: site.ru
4. Reverse proxy (after fetching the content from the source server) -> User: 200 OK ...

7  Reverse proxy usage & botnets
Participants: Users, caching DNS server, botnet hosts acting as HTTP reverse-proxy servers (194.32.33.x, 120.33.10.y, 140.120.12.z, ...), hidden content server behind them.
1. Users -> caching DNS server: site.ru A ?
2. Caching server -> Users: site.ru A 194.32.33.x, 120.33.10.y, 140.120.12.z, ...
3. Users -> one of the bots: GET http://site.ru HTTP/1.1, Host: site.ru
4. Bot (proxying the request to the hidden content server) -> Users: 200 OK ...
It is the small TTL that permits rapid changes of the A records. The set of hosts is routed through varied ASes, so no single network or provider can take the service down.

8  Fast-flux "fingerprints"
- multiple IPs per NS spanning multiple ASNs,
- frequent NS changes,
- in-addr.arpa names or IPs lying within consumer broadband allocation blocks,
- domain name age,
- poor-quality WHOIS,
- determination that an nginx proxy is running on the addressed machine: nginx is commonly used to hide/proxy illegal web servers,
- the domain name is one of possibly many domain names under the name of a registrant whose domain administration account has been compromised, and the attacker has altered the domain name information without authorization.

9  Top-10 botnet countries (http://dnsbl.abuse.ch/statistic/fastflux.php, 19/04/2009)
Rank  Country             # of bots  % of total
1     Russian Federation  27567      20%
2     United States       25641      18%
3     Germany             12726       9%
4     Israel               7608       5%
5     Korea                4665       3%
6     Spain                4330       3%
7     United Kingdom       3689       3%
8     Italy                3396       2%
9     France               3122       2%
10    Romania              2830       2%
-     other               43224      31%

10  Russian ASes & bots (http://dnsbl.abuse.ch/statistic/fastflux.php, 19/04/2009)
Rank  AS number  AS name                                                      # of bots
1     8402       CORBINA-AS Corbina Telecom                                   10,204
2     8997       ASN-SPBNIT OJSC North-West Telecom Autonomous System          3,832
3     8615       CNT-AS CNT Autonomous System                                  3,429
4     12695      DINET-AS Digital Network JSC                                    936
5     42011      TRCODINTSOVO-AS TRC Odintsovo                                   909
6     12714      TI-AS NetByNet Holding                                          765
7     30784      ISKRATELECOM-AS Iskratelecom Autonomous System                  622
8     25405      NMTS-AS OJSC VolgaTelecom, Nizhny Novgorod                      525
9     6828       USI Uralsviazinform                                             390
10    42754      AROMA-LESK-AS Aroma Lesk Ltd.                                   352

11  ccTLDs & bots
Rank  Zone  Fast-flux domains  Domains in zone  Fast-flux domains per 10,000
1     .SU       52                  68,891        7.55
2     .CN     6393              12,364,615        5.17
3     .BZ       14                  43,500        3.22
4     .COM   16818              78,191,881        2.15
5     .RU      155               1,535,153        1.01
(ICANN WG report 06.08.2009, Source: Arbor, 2008)

12  Our research: method
- Select all distinct domain names from the log of the DNS server. It is better to take the log of an authoritative server of the zone.
- Test this list against DNS to obtain the TTL and IP address for each domain name several times (100 times, for example).
- Focus on the names with TTL < 1000 and multiple IPs.
- Take Google, Yandex, ... out of the list (legitimate services whose short TTLs and many addresses would otherwise match).
Then...

13  Our research: method
- We obtained the geographic and AS distribution of the IP set for each domain from the list.
- We obtained the intersection with the providers' end-user access pools for each domain.
There is a high probability that a "fast-flux" domain has a geographically and AS-wise distributed IP set whose addresses belong to the providers' end-user access pools.
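The two-stage procedure of slides 12 and 13, together with the "multiple ASNs" and "consumer broadband blocks" fingerprints of slide 8, is sketched below as an added example. It is not code from the presentation or from RU-CENTER: the DNS observations, the prefix-to-AS/country/access-pool table, the whitelist and the domain names are all constructed for the illustration (RFC 5737 addresses and example domains), and the table stands in for whatever BGP/WHOIS source a real run would consult.

```python
"""Fast-flux triage over constructed DNS observations (hypothetical code).

Stage 1 (slide 12): TTL < 1000 and more than one distinct A record,
minus known legitimate short-TTL names. Stage 2 (slide 13): spread of
the IP set across ASes and countries, and its overlap with end-user
access pools. Everything below is constructed sample data.
"""
import ipaddress

# Constructed observations: repeated A answers per name as (ttl, ip).
# A real run would query each name many times (the slides suggest ~100).
OBSERVATIONS = {
    # ordinary site: long TTL, single address
    "static.example.org": [(86400, "203.0.113.5")] * 4,
    # legitimate CDN: short TTL, several addresses in one hosting block
    "cdn.example.net": [(300, "203.0.113.10"), (300, "203.0.113.11"),
                        (300, "203.0.113.12"), (300, "203.0.113.10")],
    # fast-flux candidate: short TTL, addresses spread over consumer pools
    "shop.example": [(180, "192.0.2.17"), (180, "198.51.100.44"),
                     (180, "203.0.113.201"), (180, "192.0.2.99")],
}

# Constructed prefix table: (prefix, ASN, country, is_end_user_access_pool).
# Stand-in for a BGP/WHOIS lookup; ASNs are from the private range.
PREFIX_TABLE = [
    ("192.0.2.0/24",     64496, "RU", True),
    ("198.51.100.0/24",  64497, "DE", True),
    ("203.0.113.0/25",   64498, "US", False),   # hosting block
    ("203.0.113.128/25", 64499, "FR", True),
]

# Slide 12: take the big legitimate short-TTL names out of the list.
WHITELIST = {"cdn.example.net"}


def lookup(ip):
    """Return (asn, country, is_pool) for an address, or (None, None, False)."""
    addr = ipaddress.ip_address(ip)
    for prefix, asn, country, pool in PREFIX_TABLE:
        if addr in ipaddress.ip_network(prefix):
            return asn, country, pool
    return None, None, False


def crude_candidates(observations, ttl_limit=1000, whitelist=WHITELIST):
    """Stage 1: names with every observed TTL < ttl_limit and >1 distinct IP."""
    result = {}
    for name, samples in observations.items():
        if name in whitelist:
            continue
        ips = sorted({ip for _, ip in samples})
        if len(ips) > 1 and max(ttl for ttl, _ in samples) < ttl_limit:
            result[name] = ips
    return result


def refine(ips):
    """Stage 2: AS and country spread plus the share of IPs in access pools."""
    asns, countries, pool_hits = set(), set(), 0
    for ip in ips:
        asn, country, pool = lookup(ip)
        asns.add(asn)
        countries.add(country)
        pool_hits += int(pool)
    return {"asns": len(asns), "countries": len(countries),
            "pool_share": pool_hits / len(ips)}


def triage(observations, min_asns=2, min_pool_share=0.5):
    """Return {name: features} for names passing both stages."""
    flagged = {}
    for name, ips in crude_candidates(observations).items():
        feats = refine(ips)
        if feats["asns"] >= min_asns and feats["pool_share"] >= min_pool_share:
            flagged[name] = feats
    return flagged


if __name__ == "__main__":
    for name, feats in triage(OBSERVATIONS).items():
        print(name, feats)
```

The CDN name is excluded only by the whitelist; without it, stage 1 would flag it, but stage 2 would still drop it because all of its addresses sit in one hosting AS outside any access pool. That is the point of slide 13: the access-pool intersection separates botnet-hosted fast-flux from legitimate load balancing far better than TTL and address count alone.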

14  Our research: results
Summary results:
Description                                                          Value
Number of domains with TTL < 1000 & multiple IPs                      1633
Number of second-level domains with TTL < 1000 & multiple IPs          522
Number of nnn.ru domains with TTL < 1000 & multiple IPs                312
Number of domain names pointing to end-user access pools              1287
  including: with geographic distribution                              398
             with AS distribution                                      743

15  Our research: results
Top-5 domains:
Domain                         Queries
ns6.b6f.ru                     2352598
Ns1.ut9.ru (Zimbra server)      246873
ns2.Ew0.ru (Zimbra server)      244035
NS3.wAntdrOOl.ru                117990
Ns1.wEbshopmAG.ru                96833
Another typical name: wnacsspa1j4i.odnoklassniki.x8m.ru.

16  Our research: results
Top-5 countries:
Country      Domains
Germany      350
France       349
Poland        40
Netherlands   34
Taiwan        32

17  Our research: results
Russian AS names & end-user access pools:
AS name            Domains
AGAVA              347
Unknown              1
INAR-VOLOGDA-AS      1
RINET-AS             1

18  Our research: results
Registrars & end-user access pools:
Russian registrar (different regions)  Domains
NAUNET-REG-RIPN                         98
REGRU-REG-RIPN                         102
REGTIME-REG-RIPN                       183
RIPN-REG-RIPN                            1

19  Conclusions
1. TTL and multiple IPs are enough for a crude estimate.
2. The intersection of a domain name's IPs with end-user access pools gives more precise detection.
3. Geographic and AS distribution improve detection further.

20  Questions?
