SlideShare a Scribd company logo
1 of 31
Download to read offline
©2016 CyberSyndicates
FINDING
EVIL IN DNS
TRAFFIC
©2016 CyberSyndicates
WHO AM I?
Keelyn Roberts
BACKGROUND:
 (10 Years) CyberSecurity & IT Security
RECENT PROJECTS:
 Created Mercenary-Linux(Daniel West (PM))
 Created (MHF) MercenaryHuntFramework (Daniel West(PM))
How To Find Me:
 @real_slacker007
 Github.com/slacker007
 HuntTools.org
 CyberSyndicates.com
©2016 CyberSyndicates
AGENDA
Motivation
Brief DNS Overview
Types of Malware
Malware IOC’s
Detection Methods
Key Takeaways
Questions
©2016 CyberSyndicates
WHY DNS?
©2016 CyberSyndicates
OVERVIEW
User
Local Recursive Server
User browses to www.hunttools.org
Recursive server checks
its cache, then reaches
out to root servers and
provides the answer Root
.orgTLD Root
Authoritative
The authoritative server tells the recursive server
the IP address for www.hunttools.org
The .orgTLD root tells the recursive server to
ask the authoritative server for hunttools.org
Root server tells the recursive server to ask
the .orgTLD root
Info provided by “DNS Security” 2016 Elsevier Inc.
©2016 CyberSyndicates
DNS VULNERABILITIES
INFRASTRUCTURE PROTOCOL
Buffer Overflows
Race Conditions
Misconfigurations
Zone Transfers
Anycasting
Recursion
Caching
©2016 CyberSyndicates
INFRASTRUCTURE
OS (Windows, Unix, BSD, Linux)
 DNS Software ( Microsoft DNS, BIND)
oBuffer Overflows (CVE-2015-6125, CVE-2008-0122)
o Race Conditions (CVE-2015-8461)
o Misconfigured Permissions
 Other nested services (FTP, SMB/CIFS)
“DNS Security” 2016 Elsevier Inc.
©2016 CyberSyndicates
PROTOCOL
“DNS Security” 2016 Elsevier Inc.
DNS Cache Poisoning
Bolware
Dridex
DNS Spoofing
Win32.QHOST
(modern variants)
DNSChanger (old &
new)
Data Exfil Channel
DNS Beacons
C & C
DNSTrojan
DNS Beacons
Staging
DNS Beacons
DDoS Attacks
Low Orbit Ion Cannon
(LOIC)
VULNERABILITIES
©2016 CyberSyndicates
CACHE POISONING
“DNS Security” 2016 Elsevier Inc.
©2016 CyberSyndicates
CACHE POISONING
“DNS Security” 2016 Elsevier Inc.
Recursive Servers
 Delay Fast Packets (DFP)
o Bailiwick rule
o Birthday Paradox
o SPEED
o QUANTITY
o ANOMOLY
Local DNS Cache
 OS maintained local cache
 Web browser cache
o Boleware (Brazil 2015)
o Dridex (United Kingdom)
o DNS-Changer (US 2016)
©2016 CyberSyndicates
CACHE POISONING
“DNS Security” 2016 Elsevier Inc.
00:22:50.599361 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 317)
192.168.1.254.53 > 192.168.1.85 16020: [udp sum ok] 52318 q: A? csi.gstatic.com. 16/0/0
csi.gstatic.com. [3m26s] A 216.58.217.227, csi.gstatic.com. [3m26s] A 216.58.193.131,
csi.gstatic.com. [3m26s] A 216.58.212.227, csi.gstatic.com. [3m26s] A 216.58.218.3,
csi.gstatic.com. [3m26s] A 216.58.201.195, csi.gstatic.com. [3m26s] A 172.217.1.131,
csi.gstatic.com. [3m26s] A 216.58.209.99, csi.gstatic.com. [3m26s] A 216.58.212.131,
csi.gstatic.com. [3m26s] A 172.217.17.227, csi.gstatic.com. [3m26s] A 216.58.212.195,
csi.gstatic.com. [3m26s] A 172.217.18.131, csi.gstatic.com. [3m26s] A 216.58.212.163,
csi.gstatic.com. [3m26s] A 216.58.209.131, csi.gstatic.com. [3m26s] A 172.217.22.163 (289)
IP SRC PORT TRANS ID
TRACKING DNS COMMUNICATIONS
©2016 CyberSyndicates
DNS AMPLIFICATION
©2016 CyberSyndicates
DNS AMPLIFICATION
Spoofed Source address
Open DNS Servers
 TTL
ANY (*)
Quantity
o nodes
o volume of queries
o queries vs. responses
ip=77.92.48.67 ; domain=bryaiqfvenakbsr.www.hunttools.org; count=1 ; qtype=A ; ttl=234
ip=77.92.48.67 ; domain=izeuvqnkcooofqx.www.hunttools.org ; count=1 ; qtype=A ; ttl=247
INDICATORS
©2016 CyberSyndicates
DNS AMPLIFICATION
©2016 CyberSyndicates
DNS AMPLIFICATION
05:45:38.621599 IP (tos 0x0, ttl 64, id 56784, offset 0, flags [none], proto UDP (17), length 64)
10.0.49.16.45522 > 84.200.69.80.53: 27427+ [1au] ANY? ietf.org. ar: . OPT UDPsize=4096 (36)
0x0000: 0004 0001 0006 000c 2917 04df 300f 0800 ........)...0...
0x0010: 4500 0040 ddd0 0000 4011 51bd 0a00 3110 E..@....@.Q...1.
0x0020: 0808 0808 b1d2 0035 002c 4b5d 6b23 0120 .......5.,K]k#..
0x0030: 0001 0000 0000 0001 0369 7363 036f 7267 .........ietf.org
0x0040: 0000 ff00 0100 0029 1000 0000 0000 0000 .......)........
QUERY
©2016 CyberSyndicates
DNS AMPLIFICATION
global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5147 ;; flags: qr rd ra; QUERY: 1, ANSWER: 27, AUTHORITY: 4, ADDITIONAL: 5 ;; QUESTION SECTION: ;isc.org. IN ANY ;; ANSWER
SECTION: isc.org. 4084 IN SOA ns-int.isc.org. hostmaster.isc.org. 2012102700 7200 3600 24796800 3600 isc.org. 4084 IN A 149.20.64.42 isc.org. 4084 IN MX 10 mx.pao1.isc.org. isc.org. 4084 IN MX 10 mx.ams1.isc.org. isc.org. 4084 IN TXT
"v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all" isc.org. 4084 IN TXT "$Id: isc.org,v 1.1724 2012-10-23 00:36:09 bind Exp $" isc.org. 4084 IN AAAA 2001:4f8:0:2::d isc.org. 4084 IN NAPTR
20 0 "S" "SIP+D2U" "" _sip._udp.isc.org. isc.org. 484 IN NSEC _kerberos.isc.org. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY SPF isc.org. 4084 IN DNSKEY 256 3 5
BQEAAAAB2F1v2HWzCCE9vNsKfk0K8vd4EBwizNT9KO6WYXj0oxEL4eOJ aXbax/BzPFx+3qO8B8pu8E/JjkWH0oaYz4guUyTVmT5Eelg44Vb1kssy q8W27oQ+9qNiP8Jv6zdOj0uCB/N0fxfVL3371xbednFqoECfSFDZa6Hw jU1qzveSsW0=
isc.org. 4084 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+
u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL
KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd isc.org. 4084 IN SPF "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all" isc.org. 484 IN RRSIG NS 5
2 7200 20121125230752 20121026230752 4442 isc.org. oFeNy69Pn+/JnnltGPUZQnYzo1YGglMhS/SZKnlgyMbz+tT2r/2v+X1j AkUl9GRW9JAZU+x0oEj5oNAkRiQqK+D6DC+PGdM2/JHa0X41LnMIE2NX
UHDAKMmbqk529fUy3MvA/ZwR9FXurcfYQ5fnpEEaawNS0bKxomw48dcp Aco= isc.org. 484 IN RRSIG SOA 5 2 7200 20121125230752 20121026230752 4442 isc.org. S+DLHzE/8WQbnSl70geMYoKvGlIuKARVlxmssce+MX6DO/J1xdK9xGac
XCuAhRpTMKElKq2dIhKp8vnS2e+JTZLrGl4q/bnrrmhQ9eBS7IFmrQ6s 0cKEEyuijumOPlKCCN9QX7ds4siiTIrEOGhCaamEgRJqVxqCsg1dBUrR hKk= isc.org. 484 IN RRSIG MX 5 2 7200 20121125230752 20121026230752 4442 isc.org.
VFqFWRPyulIT8VsIdXKMpMRJTYpdggoGgOjKJzKJs/6ZrxmbJtmAxgEu /rkwD6Q9JwsUCepNC74EYxzXFvDaNnKp/Qdmt2139h/xoZsw0JVA4Z+b zNQ3kNiDjdV6zl6ELtCVDqj3SiWDZhYB/CR9pNno1FAF2joIjYSwiwbS Lcw= isc.org. 484 IN
RRSIG TXT 5 2 7200 20121125230752 20121026230752 4442 isc.org. Ojj8YCZf3jYL9eO8w4Tl9HjWKP3CKXQRFed8s9xeh5TR3KI3tQTKsSeI JRQaCXkADiRwHt0j7VaJ3xUHa5LCkzetcVgJNPmhovVa1w87Hz4DU6q9
k9bbshvbYtxOF8xny/FCiR5c6NVeLmvvu4xeOqSwIpoo2zvIEfFP9deR UhA= isc.org. 484 IN RRSIG AAAA 5 2 7200 20121125230752 20121026230752 4442 isc.org. hutAcro0NBMvKU/m+2lF8sgIYyIVWORTp/utIn8KsF1WOwwM2QMGa5C9
/rH/ZQBQgN46ZMmiEm4LxH6mtaKxMsBGZwgzUEdfsvVtr+fS5NUoA1rF wg92eBbInNdCvT0if8m1Sldx5/hSqKn8EAscKfg5BMQp5YDFsllsTauA 8Y4= isc.org. 484 IN RRSIG NAPTR 5 2 7200 20121125230752 20121026230752 4442 isc.org.
ZD14qEHR7jVXn5uJUn6XR9Lvt5Pa7YTEW94hNAn9Lm3Tlnkg11AeZiOU 3woQ1pg+esCQepKCiBlplPLcag3LHlQ19OdACrHGUzzM+rnHY50Rn/H4 XQTqUWHBF2Cs0CvfqRxLvAl5AY6P2bb/iUQ6hV8Go0OFvmMEkJOnxPPw 5i4= isc.org.
484 IN RRSIG NSEC 5 2 3600 20121125230752 20121026230752 4442 isc.org. rY1hqZAryM045vv3bMY0wgJhxHJQofkXLeRLk20LaU1mVTyu7uair7jb MwDVCVhxF7gfRdgu8x7LPSvJKUl6sn731Y80CnGwszXBp6tVpgw6oOcr
Pi0rsnzC6lIarXLwNBFmLZg2Aza6SSirzOPObnmK6PLQCdmaVAPrVJQs FHY= isc.org. 484 IN RRSIG DNSKEY 5 2 7200 20121125230126 20121026230126 4442 isc.org.
i0S2MFqvHB3wOhv2IPozE/IQABM/eDDCV2D7dJ3AuOwi1A3sbYQ29XUd BK82+mxxsET2U6hv64crpbGTNJP3OsMxNOAFA0QYphoMnt0jg3OYg+AC L2j92kx8ZdEhxKiE6pm+cFVBHLLLmXGKLDaVnffLv1GQIl5YrIyy4jiw h0A= isc.org.
484 IN RRSIG DNSKEY 5 2 7200 20121125230126 20121026230126 12892 isc.org. j1kgWw+wFFw01E2z2kXq+biTG1rrnG1XoP17pIOToZHElgpy7F6kEgyj fN6e2C+gvXxOAABQ+qr76o+P+ZUHrLUEI0ewtC3v4HziMEl0Z2/NE0MH
qAEdmEemezKn9O1EAOC7gZ4nU5psmuYlqxcCkUDbW0qhLd+u/8+d6L1S nlrD/vEi4R1SLl2bD5VBtaxczOz+2BEQLveUt/UusS1qhYcFjdCYbHqF JGQziTJv9ssbEDHT7COc05gG+A1Av5tNN5ag7QHWa0VE+Ux0nH7JUy0N
ch1kVecPbXJVHRF97CEH5wCDEgcFKAyyhaXXh02fqBGfON8R5mIcgO/F DRdXjA== isc.org. 484 IN RRSIG SPF 5 2 7200 20121125230752 20121026230752 4442 isc.org.
IB/bo9HPjr6aZqPRkzf9bXyK8TpBFj3HNQloqhrguMSBfcMfmJqHxKyD ZoLKZkQk9kPeztau6hj2YnyBoTd0zIVJ5fVSqJPuNqxwm2h9HMs140r3 9HmbnkO7Fe+Lu5AD0s6+E9qayi3wOOwunBgUkkFsC8BjiiGrRKcY8GhC kak= isc.org. 484 IN
RRSIG A 5 2 7200 20121125230752 20121026230752 4442 isc.org. ViS+qg95DibkkZ5kbL8vCBpRUqI2/M9UwthPVCXl8ciglLftiMC9WUzq Ul3FBbri5CKD/YNXqyvjxyvmZfkQLDUmffjDB+ZGqBxSpG8j1fDwK6n1
hWbKf7QSe4LuJZyEgXFEkP16CmVyZCTITUh2TNDmRgsoxrvrOqOePWhp 8+E= isc.org. 4084 IN NS ns.isc.afilias-nst.info. isc.org. 4084 IN NS ams.sns-pb.isc.org. isc.org. 4084 IN NS ord.sns-pb.isc.org. isc.org. 4084 IN NS sfba.sns-pb.isc.org. ;;
AUTHORITY SECTION: isc.org. 4084 IN NS ns.isc.afilias-nst.info. isc.org. 4084 IN NS ams.sns-pb.isc.org. isc.org. 4084 IN NS ord.sns-pb.isc.org. isc.org. 4084 IN NS sfba.sns-pb.isc.org. ;; ADDITIONAL SECTION: mx.ams1.isc.org. 484 IN A
199.6.1.65 mx.ams1.isc.org. 484 IN AAAA 2001:500:60::65 mx.pao1.isc.org. 484 IN A 149.20.64.53 mx.pao1.isc.org. 484 IN AAAA 2001:4f8:0:2::2b _sip._udp.isc.org. 4084 IN SRV 0 1 5060 asterisk.isc.org. ;; Query time: 176 msec ;;SERVER:
x.x.x.x#53(x.x.x.x) ;; WHEN: Tue Oct 30 01:14:32 2012 ;; MSG SIZE rcvd: 3223
RESPONSE
©2016 CyberSyndicates
DNS BEACONS
©2016 CyberSyndicates
DNS BEACONS
 DNS Beacon (Cobalt Strike)
 DNSTrojan
 RAT
 C2 || Exfil
 Staged vs. Inline
 Last Resort
 Stealthy
 Throttle / Jitter
 IOC’s
 Incremental Changes
Size of packet (udp vs. tcp)
 # of packets sent
 # of queries vs. responses
 sequentially numbered subdomains
 Key Info
©2016 CyberSyndicates
DNS BEACONS
KEY ATTRIBUTES
©2016 CyberSyndicates
DNS BEACONS
WHERE & WHY
©2016 CyberSyndicates
DNS BEACONS
cfc7b9dff5ce62a12e31457d974e5618.malware.hash.cymru.com.
cfc7b9dff5ce62a12e31457d974e5618.malware.hash.cymru.com.
Security Onion (IDS)
4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com
4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com
McAfee (Global Threat Intelligence)
LEGITIMATE
©2016 CyberSyndicates
DNS BEACONS
8.8.8.8 TXT aaa.stage.4777649.dns.jeffjumpsinthelake.xyz
8.8.8.8 TXT aab.stage.4777649.dns.jeffjumpsinthelake.xyz
8.8.8.8 TXT aac.stage.4777649.dns.jeffjumpsinthelake.xyz
192.168.1.90 TXT 255 PPPPPPIJIFJEPNPPPPIJIFKIPNPPPPIJIFMMPNPPPPIJIFNAPNPPPPIJIFPAPNPPPPIJIFMIJAAAAIDINPAPJCEA
PNPPPPOJHEAJAAAAAPLOMCIDOICAHEEIIDOIADHEDECLMGHECEEIEIHEBEIDOIADAPIFFGAJAAAAA
JLFPAPNPPPPOJELAJAAAAIDINPAPNPPPPAEOJDPAJAAAAIDINPAPNPPPPABOJDDAJAAAAIBINPAPNPPP
PIAAAAAAAOJ
192.168.1.90 TXT 255 PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPDOPPPPPPDPDEDFDGD
HDIDJDKDLDMDNPPPPPPPOPPPPPPAAABACADAEAFAGAHAIAJAKALAMANAOAPBABBBCB
DBEBFBGBHBIBJPPPPPPPPPPPPBKBLBMBNBOBPCACBCCCDCECFCGCHCICJCKCLCMCNCOC
PDADBDCDDPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
Staging Via DNS TXT
MALICIOUS
©2016 CyberSyndicates
DNS BEACONS
12645.dns.jeffjumpsinthelake.xyz
12645.dns.jeffjumpsinthelake.xyz
12645.dns.jeffjumpsinthelake.xyz 0.0.0.0
12645.dns.jeffjumpsinthelake.xyz 139.59.10.212
C2 Via DNS TXT
MALICIOUS
©2016 CyberSyndicates
DNS BEACONS
MALICIOUS
C2 Via DNS A
©2016 CyberSyndicates
DNS BEACONS
DETECTING BEACONS USING DNSHUNTER
©2016 CyberSyndicates
DEMOS
©2016 CyberSyndicates
DNS A RECORDS WITH
DNSHUNTER
©2016 CyberSyndicates
VISUALIZING DNS
TRAFFIC WITH VDNS
©2016 CyberSyndicates
ANALYZING DNS RECORDS
WITH DNSHUNTER
©2016 CyberSyndicates
MAJOR TAKEAWAYS
Understand YOUR DNS traffic
Perform ACTIVE Monitoring of your DNS Traffic
Conduct Regular Penetration Testing!!!!!
©2016 CyberSyndicates
SOURCES
https://www.isc.org/community/rfcs/dns/ (list all RFC’s by Title)
“DNS Security”, (Allan Liska & Geoffrey Stowe)
http://secdev.org/projects/scapy/doc/usage/html (Scapy examples)
http://www.dcwg.org/ (DNS-Changer)
http://blog.trendmicro.com/trendlabs-security-intelligence/dns-changer-malware-sets-sights-on-home-routers/ (DNS-Changer)
RFC 1034, 1035 (DNS)
RFC 3833(DNS Threat Analysis)
RFC 5358(prevent recursive NS in reflection attacks)
RFC 6672(name redirectors)

More Related Content

What's hot

Debug dpdk process bottleneck & painpoints
Debug dpdk process bottleneck & painpointsDebug dpdk process bottleneck & painpoints
Debug dpdk process bottleneck & painpointsVipin Varghese
 
Launch the First Process in Linux System
Launch the First Process in Linux SystemLaunch the First Process in Linux System
Launch the First Process in Linux SystemJian-Hong Pan
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
A Journey to Boot Linux on Raspberry Pi
A Journey to Boot Linux on Raspberry PiA Journey to Boot Linux on Raspberry Pi
A Journey to Boot Linux on Raspberry PiJian-Hong Pan
 
LSFMM 2019 BPF Observability
LSFMM 2019 BPF ObservabilityLSFMM 2019 BPF Observability
LSFMM 2019 BPF ObservabilityBrendan Gregg
 
LISA17 Container Performance Analysis
LISA17 Container Performance AnalysisLISA17 Container Performance Analysis
LISA17 Container Performance AnalysisBrendan Gregg
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)Brendan Gregg
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 
Linux Linux Traffic Control
Linux Linux Traffic ControlLinux Linux Traffic Control
Linux Linux Traffic ControlSUSE Labs Taipei
 
Make ARM Shellcode Great Again
Make ARM Shellcode Great AgainMake ARM Shellcode Great Again
Make ARM Shellcode Great AgainSaumil Shah
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDPDaniel T. Lee
 
Protecting Apps from Hacks in Kubernetes with NGINX
Protecting Apps from Hacks in Kubernetes with NGINXProtecting Apps from Hacks in Kubernetes with NGINX
Protecting Apps from Hacks in Kubernetes with NGINXNGINX, Inc.
 
containerd summit - Deep Dive into containerd
containerd summit - Deep Dive into containerdcontainerd summit - Deep Dive into containerd
containerd summit - Deep Dive into containerdDocker, Inc.
 
Prometheus on NKS
Prometheus on NKSPrometheus on NKS
Prometheus on NKSJo Hoon
 
OVS Hardware Offload with TC Flower
OVS Hardware Offload with TC FlowerOVS Hardware Offload with TC Flower
OVS Hardware Offload with TC FlowerNetronome
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machineAlexei Starovoitov
 
Configuring wifi in open embedded builds
Configuring wifi in open embedded buildsConfiguring wifi in open embedded builds
Configuring wifi in open embedded buildsMender.io
 
DNSSEC Validation Tutorial
DNSSEC Validation TutorialDNSSEC Validation Tutorial
DNSSEC Validation TutorialAPNIC
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine  by Igor SkochinskySecret of Intel Management Engine  by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
 

What's hot (20)

Debug dpdk process bottleneck & painpoints
Debug dpdk process bottleneck & painpointsDebug dpdk process bottleneck & painpoints
Debug dpdk process bottleneck & painpoints
 
Launch the First Process in Linux System
Launch the First Process in Linux SystemLaunch the First Process in Linux System
Launch the First Process in Linux System
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
 
A Journey to Boot Linux on Raspberry Pi
A Journey to Boot Linux on Raspberry PiA Journey to Boot Linux on Raspberry Pi
A Journey to Boot Linux on Raspberry Pi
 
LSFMM 2019 BPF Observability
LSFMM 2019 BPF ObservabilityLSFMM 2019 BPF Observability
LSFMM 2019 BPF Observability
 
LISA17 Container Performance Analysis
LISA17 Container Performance AnalysisLISA17 Container Performance Analysis
LISA17 Container Performance Analysis
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application Hacking
 
Linux Linux Traffic Control
Linux Linux Traffic ControlLinux Linux Traffic Control
Linux Linux Traffic Control
 
Make ARM Shellcode Great Again
Make ARM Shellcode Great AgainMake ARM Shellcode Great Again
Make ARM Shellcode Great Again
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
 
Protecting Apps from Hacks in Kubernetes with NGINX
Protecting Apps from Hacks in Kubernetes with NGINXProtecting Apps from Hacks in Kubernetes with NGINX
Protecting Apps from Hacks in Kubernetes with NGINX
 
containerd summit - Deep Dive into containerd
containerd summit - Deep Dive into containerdcontainerd summit - Deep Dive into containerd
containerd summit - Deep Dive into containerd
 
Prometheus on NKS
Prometheus on NKSPrometheus on NKS
Prometheus on NKS
 
OVS Hardware Offload with TC Flower
OVS Hardware Offload with TC FlowerOVS Hardware Offload with TC Flower
OVS Hardware Offload with TC Flower
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machine
 
Configuring wifi in open embedded builds
Configuring wifi in open embedded buildsConfiguring wifi in open embedded builds
Configuring wifi in open embedded builds
 
DNSSEC Validation Tutorial
DNSSEC Validation TutorialDNSSEC Validation Tutorial
DNSSEC Validation Tutorial
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine  by Igor SkochinskySecret of Intel Management Engine  by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
 
Suricata
SuricataSuricata
Suricata
 

Similar to Finding Evil In DNS Traffic

Deploying DNSSEC at Scale
Deploying DNSSEC at ScaleDeploying DNSSEC at Scale
Deploying DNSSEC at ScaleCaitlin Magat
 
#NSD15 - Attaques DDoS Internet et comment les arrêter
#NSD15 - Attaques DDoS Internet et comment les arrêter#NSD15 - Attaques DDoS Internet et comment les arrêter
#NSD15 - Attaques DDoS Internet et comment les arrêterNetSecure Day
 
.NET Fest 2019. Łukasz Pyrzyk. Daily Performance Fuckups
.NET Fest 2019. Łukasz Pyrzyk. Daily Performance Fuckups.NET Fest 2019. Łukasz Pyrzyk. Daily Performance Fuckups
.NET Fest 2019. Łukasz Pyrzyk. Daily Performance FuckupsNETFest
 
Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015GregMefford
 
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみるK8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみるJUNICHI YOSHISE
 
Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...
Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...
Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...Ontico
 
An implementation of Jan Aerts' LocusTree
An implementation of Jan Aerts' LocusTreeAn implementation of Jan Aerts' LocusTree
An implementation of Jan Aerts' LocusTreePierre Lindenbaum
 
Доклад Антона Поварова "Go in Badoo" с Golang Meetup
Доклад Антона Поварова "Go in Badoo" с Golang MeetupДоклад Антона Поварова "Go in Badoo" с Golang Meetup
Доклад Антона Поварова "Go in Badoo" с Golang MeetupBadoo Development
 
Es werde Licht! Monitoring jenseits von tail und grep
Es werde Licht! Monitoring jenseits von tail und grepEs werde Licht! Monitoring jenseits von tail und grep
Es werde Licht! Monitoring jenseits von tail und grepOliver Fischer
 
Watching And Manipulating Your Network Traffic
Watching And Manipulating Your Network TrafficWatching And Manipulating Your Network Traffic
Watching And Manipulating Your Network TrafficJosiah Ritchie
 
[1C2]webrtc 개발, 현재와 미래
[1C2]webrtc 개발, 현재와 미래[1C2]webrtc 개발, 현재와 미래
[1C2]webrtc 개발, 현재와 미래NAVER D2
 
Code4Lib 2007: MyResearch Portal
Code4Lib 2007: MyResearch PortalCode4Lib 2007: MyResearch Portal
Code4Lib 2007: MyResearch Portaleby
 
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020
Troubleshooting Tips and Tricks for Database 19c   ILOUG Feb 2020Troubleshooting Tips and Tricks for Database 19c   ILOUG Feb 2020
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020Sandesh Rao
 
001 network toi_basics_v1
001 network toi_basics_v1001 network toi_basics_v1
001 network toi_basics_v1Hisao Tsujimura
 
Performance Wins with BPF: Getting Started
Performance Wins with BPF: Getting StartedPerformance Wins with BPF: Getting Started
Performance Wins with BPF: Getting StartedBrendan Gregg
 

Similar to Finding Evil In DNS Traffic (20)

Deploying DNSSEC at Scale
Deploying DNSSEC at ScaleDeploying DNSSEC at Scale
Deploying DNSSEC at Scale
 
#NSD15 - Attaques DDoS Internet et comment les arrêter
#NSD15 - Attaques DDoS Internet et comment les arrêter#NSD15 - Attaques DDoS Internet et comment les arrêter
#NSD15 - Attaques DDoS Internet et comment les arrêter
 
Unix Monitoring Tools
Unix Monitoring ToolsUnix Monitoring Tools
Unix Monitoring Tools
 
.NET Fest 2019. Łukasz Pyrzyk. Daily Performance Fuckups
.NET Fest 2019. Łukasz Pyrzyk. Daily Performance Fuckups.NET Fest 2019. Łukasz Pyrzyk. Daily Performance Fuckups
.NET Fest 2019. Łukasz Pyrzyk. Daily Performance Fuckups
 
Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015
 
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみるK8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
K8s上の containerized cloud foundryとcontainerized open stackをprometheusで監視してみる
 
Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...
Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...
Как понять, что происходит на сервере? / Александр Крижановский (NatSys Lab.,...
 
An implementation of Jan Aerts' LocusTree
An implementation of Jan Aerts' LocusTreeAn implementation of Jan Aerts' LocusTree
An implementation of Jan Aerts' LocusTree
 
Доклад Антона Поварова "Go in Badoo" с Golang Meetup
Доклад Антона Поварова "Go in Badoo" с Golang MeetupДоклад Антона Поварова "Go in Badoo" с Golang Meetup
Доклад Антона Поварова "Go in Badoo" с Golang Meetup
 
Es werde Licht! Monitoring jenseits von tail und grep
Es werde Licht! Monitoring jenseits von tail und grepEs werde Licht! Monitoring jenseits von tail und grep
Es werde Licht! Monitoring jenseits von tail und grep
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
 
Watching And Manipulating Your Network Traffic
Watching And Manipulating Your Network TrafficWatching And Manipulating Your Network Traffic
Watching And Manipulating Your Network Traffic
 
Restfs internals
Restfs internalsRestfs internals
Restfs internals
 
[1C2]webrtc 개발, 현재와 미래
[1C2]webrtc 개발, 현재와 미래[1C2]webrtc 개발, 현재와 미래
[1C2]webrtc 개발, 현재와 미래
 
Code4Lib 2007: MyResearch Portal
Code4Lib 2007: MyResearch PortalCode4Lib 2007: MyResearch Portal
Code4Lib 2007: MyResearch Portal
 
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020
Troubleshooting Tips and Tricks for Database 19c   ILOUG Feb 2020Troubleshooting Tips and Tricks for Database 19c   ILOUG Feb 2020
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020
 
No more dumb hex!
No more dumb hex!No more dumb hex!
No more dumb hex!
 
001 network toi_basics_v1
001 network toi_basics_v1001 network toi_basics_v1
001 network toi_basics_v1
 
Performance Risk Management
Performance Risk ManagementPerformance Risk Management
Performance Risk Management
 
Performance Wins with BPF: Getting Started
Performance Wins with BPF: Getting StartedPerformance Wins with BPF: Getting Started
Performance Wins with BPF: Getting Started
 

Recently uploaded

The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncObject Automation
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.francesco barbera
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 

Recently uploaded (20)

The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation Inc
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 

Finding Evil In DNS Traffic

  • 2. ©2016 CyberSyndicates WHO AM I? Keelyn Roberts BACKGROUND:  (10 Years) CyberSecurity & IT Security RECENT PROJECTS:  Created Mercenary-Linux(Daniel West (PM))  Created (MHF) MercenaryHuntFramework (Daniel West(PM)) How To Find Me:  @real_slacker007  Github.com/slacker007  HuntTools.org  CyberSyndicates.com
  • 3. ©2016 CyberSyndicates AGENDA Motivation Brief DNS Overview Types of Malware Malware IOC’s Detection Methods Key Takeaways Questions
  • 5. ©2016 CyberSyndicates OVERVIEW User Local Recursive Server User browses to www.hunttools.org Recursive server checks its cache, then reaches out to root servers and provides the answer Root .orgTLD Root Authoritative The authoritative server tells the recursive server the IP address for www.hunttools.org The .orgTLD root tells the recursive server to ask the authoritative server for hunttools.org Root server tells the recursive server to ask the .orgTLD root Info provided by “DNS Security” 2016 Elsevier Inc.
  • 6. ©2016 CyberSyndicates DNS VULNERABILITIES INFRASTRUCTURE PROTOCOL Buffer Overflows Race Conditions Misconfigurations Zone Transfers Anycasting Recursion Caching
  • 7. ©2016 CyberSyndicates INFRASTRUCTURE OS (Windows, Unix, BSD, Linux)  DNS Software ( Microsoft DNS, BIND) oBuffer Overflows (CVE-2015-6125, CVE-2008-0122) o Race Conditions (CVE-2015-8461) o Misconfigured Permissions  Other nested services (FTP, SMB/CIFS) “DNS Security” 2016 Elsevier Inc.
  • 8. ©2016 CyberSyndicates PROTOCOL “DNS Security” 2016 Elsevier Inc. DNS Cache Poisoning Bolware Dridex DNS Spoofing Win32.QHOST (modern variants) DNSChanger (old & new) Data Exfil Channel DNS Beacons C & C DNSTrojan DNS Beacons Staging DNS Beacons DDoS Attacks Low Orbit Ion Cannon (LOIC) VULNERABILITIES
  • 9. ©2016 CyberSyndicates CACHE POISONING “DNS Security” 2016 Elsevier Inc.
  • 10. ©2016 CyberSyndicates CACHE POISONING “DNS Security” 2016 Elsevier Inc. Recursive Servers  Delay Fast Packets (DFP) o Bailiwick rule o Birthday Paradox o SPEED o QUANTITY o ANOMOLY Local DNS Cache  OS maintained local cache  Web browser cache o Boleware (Brazil 2015) o Dridex (United Kingdom) o DNS-Changer (US 2016)
  • 11. ©2016 CyberSyndicates CACHE POISONING “DNS Security” 2016 Elsevier Inc. 00:22:50.599361 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 317) 192.168.1.254.53 > 192.168.1.85 16020: [udp sum ok] 52318 q: A? csi.gstatic.com. 16/0/0 csi.gstatic.com. [3m26s] A 216.58.217.227, csi.gstatic.com. [3m26s] A 216.58.193.131, csi.gstatic.com. [3m26s] A 216.58.212.227, csi.gstatic.com. [3m26s] A 216.58.218.3, csi.gstatic.com. [3m26s] A 216.58.201.195, csi.gstatic.com. [3m26s] A 172.217.1.131, csi.gstatic.com. [3m26s] A 216.58.209.99, csi.gstatic.com. [3m26s] A 216.58.212.131, csi.gstatic.com. [3m26s] A 172.217.17.227, csi.gstatic.com. [3m26s] A 216.58.212.195, csi.gstatic.com. [3m26s] A 172.217.18.131, csi.gstatic.com. [3m26s] A 216.58.212.163, csi.gstatic.com. [3m26s] A 216.58.209.131, csi.gstatic.com. [3m26s] A 172.217.22.163 (289) IP SRC PORT TRANS ID TRACKING DNS COMMUNICATIONS
  • 13. ©2016 CyberSyndicates DNS AMPLIFICATION Spoofed Source address Open DNS Servers  TTL ANY (*) Quantity o nodes o volume of queries o queries vs. responses ip=77.92.48.67 ; domain=bryaiqfvenakbsr.www.hunttools.org; count=1 ; qtype=A ; ttl=234 ip=77.92.48.67 ; domain=izeuvqnkcooofqx.www.hunttools.org ; count=1 ; qtype=A ; ttl=247 INDICATORS
  • 15. ©2016 CyberSyndicates DNS AMPLIFICATION 05:45:38.621599 IP (tos 0x0, ttl 64, id 56784, offset 0, flags [none], proto UDP (17), length 64) 10.0.49.16.45522 > 84.200.69.80.53: 27427+ [1au] ANY? ietf.org. ar: . OPT UDPsize=4096 (36) 0x0000: 0004 0001 0006 000c 2917 04df 300f 0800 ........)...0... 0x0010: 4500 0040 ddd0 0000 4011 51bd 0a00 3110 E..@....@.Q...1. 0x0020: 0808 0808 b1d2 0035 002c 4b5d 6b23 0120 .......5.,K]k#.. 0x0030: 0001 0000 0000 0001 0369 7363 036f 7267 .........ietf.org 0x0040: 0000 ff00 0100 0029 1000 0000 0000 0000 .......)........ QUERY
  • 16. ©2016 CyberSyndicates DNS AMPLIFICATION global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5147 ;; flags: qr rd ra; QUERY: 1, ANSWER: 27, AUTHORITY: 4, ADDITIONAL: 5 ;; QUESTION SECTION: ;isc.org. IN ANY ;; ANSWER SECTION: isc.org. 4084 IN SOA ns-int.isc.org. hostmaster.isc.org. 2012102700 7200 3600 24796800 3600 isc.org. 4084 IN A 149.20.64.42 isc.org. 4084 IN MX 10 mx.pao1.isc.org. isc.org. 4084 IN MX 10 mx.ams1.isc.org. isc.org. 4084 IN TXT "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all" isc.org. 4084 IN TXT "$Id: isc.org,v 1.1724 2012-10-23 00:36:09 bind Exp $" isc.org. 4084 IN AAAA 2001:4f8:0:2::d isc.org. 4084 IN NAPTR 20 0 "S" "SIP+D2U" "" _sip._udp.isc.org. isc.org. 484 IN NSEC _kerberos.isc.org. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY SPF isc.org. 4084 IN DNSKEY 256 3 5 BQEAAAAB2F1v2HWzCCE9vNsKfk0K8vd4EBwizNT9KO6WYXj0oxEL4eOJ aXbax/BzPFx+3qO8B8pu8E/JjkWH0oaYz4guUyTVmT5Eelg44Vb1kssy q8W27oQ+9qNiP8Jv6zdOj0uCB/N0fxfVL3371xbednFqoECfSFDZa6Hw jU1qzveSsW0= isc.org. 4084 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+ u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd isc.org. 4084 IN SPF "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all" isc.org. 484 IN RRSIG NS 5 2 7200 20121125230752 20121026230752 4442 isc.org. oFeNy69Pn+/JnnltGPUZQnYzo1YGglMhS/SZKnlgyMbz+tT2r/2v+X1j AkUl9GRW9JAZU+x0oEj5oNAkRiQqK+D6DC+PGdM2/JHa0X41LnMIE2NX UHDAKMmbqk529fUy3MvA/ZwR9FXurcfYQ5fnpEEaawNS0bKxomw48dcp Aco= isc.org. 484 IN RRSIG SOA 5 2 7200 20121125230752 20121026230752 4442 isc.org. S+DLHzE/8WQbnSl70geMYoKvGlIuKARVlxmssce+MX6DO/J1xdK9xGac XCuAhRpTMKElKq2dIhKp8vnS2e+JTZLrGl4q/bnrrmhQ9eBS7IFmrQ6s 0cKEEyuijumOPlKCCN9QX7ds4siiTIrEOGhCaamEgRJqVxqCsg1dBUrR hKk= isc.org. 484 IN RRSIG MX 5 2 7200 20121125230752 20121026230752 4442 isc.org. VFqFWRPyulIT8VsIdXKMpMRJTYpdggoGgOjKJzKJs/6ZrxmbJtmAxgEu /rkwD6Q9JwsUCepNC74EYxzXFvDaNnKp/Qdmt2139h/xoZsw0JVA4Z+b zNQ3kNiDjdV6zl6ELtCVDqj3SiWDZhYB/CR9pNno1FAF2joIjYSwiwbS Lcw= isc.org. 484 IN RRSIG TXT 5 2 7200 20121125230752 20121026230752 4442 isc.org. Ojj8YCZf3jYL9eO8w4Tl9HjWKP3CKXQRFed8s9xeh5TR3KI3tQTKsSeI JRQaCXkADiRwHt0j7VaJ3xUHa5LCkzetcVgJNPmhovVa1w87Hz4DU6q9 k9bbshvbYtxOF8xny/FCiR5c6NVeLmvvu4xeOqSwIpoo2zvIEfFP9deR UhA= isc.org. 484 IN RRSIG AAAA 5 2 7200 20121125230752 20121026230752 4442 isc.org. hutAcro0NBMvKU/m+2lF8sgIYyIVWORTp/utIn8KsF1WOwwM2QMGa5C9 /rH/ZQBQgN46ZMmiEm4LxH6mtaKxMsBGZwgzUEdfsvVtr+fS5NUoA1rF wg92eBbInNdCvT0if8m1Sldx5/hSqKn8EAscKfg5BMQp5YDFsllsTauA 8Y4= isc.org. 484 IN RRSIG NAPTR 5 2 7200 20121125230752 20121026230752 4442 isc.org. ZD14qEHR7jVXn5uJUn6XR9Lvt5Pa7YTEW94hNAn9Lm3Tlnkg11AeZiOU 3woQ1pg+esCQepKCiBlplPLcag3LHlQ19OdACrHGUzzM+rnHY50Rn/H4 XQTqUWHBF2Cs0CvfqRxLvAl5AY6P2bb/iUQ6hV8Go0OFvmMEkJOnxPPw 5i4= isc.org. 484 IN RRSIG NSEC 5 2 3600 20121125230752 20121026230752 4442 isc.org. rY1hqZAryM045vv3bMY0wgJhxHJQofkXLeRLk20LaU1mVTyu7uair7jb MwDVCVhxF7gfRdgu8x7LPSvJKUl6sn731Y80CnGwszXBp6tVpgw6oOcr Pi0rsnzC6lIarXLwNBFmLZg2Aza6SSirzOPObnmK6PLQCdmaVAPrVJQs FHY= isc.org. 484 IN RRSIG DNSKEY 5 2 7200 20121125230126 20121026230126 4442 isc.org. i0S2MFqvHB3wOhv2IPozE/IQABM/eDDCV2D7dJ3AuOwi1A3sbYQ29XUd BK82+mxxsET2U6hv64crpbGTNJP3OsMxNOAFA0QYphoMnt0jg3OYg+AC L2j92kx8ZdEhxKiE6pm+cFVBHLLLmXGKLDaVnffLv1GQIl5YrIyy4jiw h0A= isc.org. 484 IN RRSIG DNSKEY 5 2 7200 20121125230126 20121026230126 12892 isc.org. j1kgWw+wFFw01E2z2kXq+biTG1rrnG1XoP17pIOToZHElgpy7F6kEgyj fN6e2C+gvXxOAABQ+qr76o+P+ZUHrLUEI0ewtC3v4HziMEl0Z2/NE0MH qAEdmEemezKn9O1EAOC7gZ4nU5psmuYlqxcCkUDbW0qhLd+u/8+d6L1S nlrD/vEi4R1SLl2bD5VBtaxczOz+2BEQLveUt/UusS1qhYcFjdCYbHqF JGQziTJv9ssbEDHT7COc05gG+A1Av5tNN5ag7QHWa0VE+Ux0nH7JUy0N ch1kVecPbXJVHRF97CEH5wCDEgcFKAyyhaXXh02fqBGfON8R5mIcgO/F DRdXjA== isc.org. 484 IN RRSIG SPF 5 2 7200 20121125230752 20121026230752 4442 isc.org. IB/bo9HPjr6aZqPRkzf9bXyK8TpBFj3HNQloqhrguMSBfcMfmJqHxKyD ZoLKZkQk9kPeztau6hj2YnyBoTd0zIVJ5fVSqJPuNqxwm2h9HMs140r3 9HmbnkO7Fe+Lu5AD0s6+E9qayi3wOOwunBgUkkFsC8BjiiGrRKcY8GhC kak= isc.org. 484 IN RRSIG A 5 2 7200 20121125230752 20121026230752 4442 isc.org. ViS+qg95DibkkZ5kbL8vCBpRUqI2/M9UwthPVCXl8ciglLftiMC9WUzq Ul3FBbri5CKD/YNXqyvjxyvmZfkQLDUmffjDB+ZGqBxSpG8j1fDwK6n1 hWbKf7QSe4LuJZyEgXFEkP16CmVyZCTITUh2TNDmRgsoxrvrOqOePWhp 8+E= isc.org. 4084 IN NS ns.isc.afilias-nst.info. isc.org. 4084 IN NS ams.sns-pb.isc.org. isc.org. 4084 IN NS ord.sns-pb.isc.org. isc.org. 4084 IN NS sfba.sns-pb.isc.org. ;; AUTHORITY SECTION: isc.org. 4084 IN NS ns.isc.afilias-nst.info. isc.org. 4084 IN NS ams.sns-pb.isc.org. isc.org. 4084 IN NS ord.sns-pb.isc.org. isc.org. 4084 IN NS sfba.sns-pb.isc.org. ;; ADDITIONAL SECTION: mx.ams1.isc.org. 484 IN A 199.6.1.65 mx.ams1.isc.org. 484 IN AAAA 2001:500:60::65 mx.pao1.isc.org. 484 IN A 149.20.64.53 mx.pao1.isc.org. 484 IN AAAA 2001:4f8:0:2::2b _sip._udp.isc.org. 4084 IN SRV 0 1 5060 asterisk.isc.org. ;; Query time: 176 msec ;;SERVER: x.x.x.x#53(x.x.x.x) ;; WHEN: Tue Oct 30 01:14:32 2012 ;; MSG SIZE rcvd: 3223 RESPONSE
  • 18. ©2016 CyberSyndicates DNS BEACONS  DNS Beacon (Cobalt Strike)  DNSTrojan  RAT  C2 || Exfil  Staged vs. Inline  Last Resort  Stealthy  Throttle / Jitter  IOC’s  Incremental Changes Size of packet (udp vs. tcp)  # of packets sent  # of queries vs. responses  sequentially numbered subdomains  Key Info
  • 21. ©2016 CyberSyndicates DNS BEACONS cfc7b9dff5ce62a12e31457d974e5618.malware.hash.cymru.com. cfc7b9dff5ce62a12e31457d974e5618.malware.hash.cymru.com. Security Onion (IDS) 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com 4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com McAfee (Global Threat Intelligence) LEGITIMATE
  • 22. ©2016 CyberSyndicates DNS BEACONS 8.8.8.8 TXT aaa.stage.4777649.dns.jeffjumpsinthelake.xyz 8.8.8.8 TXT aab.stage.4777649.dns.jeffjumpsinthelake.xyz 8.8.8.8 TXT aac.stage.4777649.dns.jeffjumpsinthelake.xyz 192.168.1.90 TXT 255 PPPPPPIJIFJEPNPPPPIJIFKIPNPPPPIJIFMMPNPPPPIJIFNAPNPPPPIJIFPAPNPPPPIJIFMIJAAAAIDINPAPJCEA PNPPPPOJHEAJAAAAAPLOMCIDOICAHEEIIDOIADHEDECLMGHECEEIEIHEBEIDOIADAPIFFGAJAAAAA JLFPAPNPPPPOJELAJAAAAIDINPAPNPPPPAEOJDPAJAAAAIDINPAPNPPPPABOJDDAJAAAAIBINPAPNPPP PIAAAAAAAOJ 192.168.1.90 TXT 255 PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPDOPPPPPPDPDEDFDGD HDIDJDKDLDMDNPPPPPPPOPPPPPPAAABACADAEAFAGAHAIAJAKALAMANAOAPBABBBCB DBEBFBGBHBIBJPPPPPPPPPPPPBKBLBMBNBOBPCACBCCCDCECFCGCHCICJCKCLCMCNCOC PDADBDCDDPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP Staging Via DNS TXT MALICIOUS
  • 27. ©2016 CyberSyndicates DNS A RECORDS WITH DNSHUNTER
  • 29. ©2016 CyberSyndicates ANALYZING DNS RECORDS WITH DNSHUNTER
  • 30. ©2016 CyberSyndicates MAJOR TAKEAWAYS Understand YOUR DNS traffic Perform ACTIVE Monitoring of your DNS Traffic Conduct Regular Penetration Testing!!!!!
  • 31. ©2016 CyberSyndicates SOURCES https://www.isc.org/community/rfcs/dns/ (list all RFC’s by Title) “DNS Security”, (Allan Liska & Geoffrey Stowe) http://secdev.org/projects/scapy/doc/usage/html (Scapy examples) http://www.dcwg.org/ (DNS-Changer) http://blog.trendmicro.com/trendlabs-security-intelligence/dns-changer-malware-sets-sights-on-home-routers/ (DNS-Changer) RFC 1034, 1035 (DNS) RFC 3833(DNS Threat Analysis) RFC 5358(prevent recursive NS in reflection attacks) RFC 6672(name redirectors)

Editor's Notes

  1. ljsddfljsljdfljslkdjfsdlaf