Marauder or Scanning Your DNSDB for Fun and Profit - SOURCE Boston
OpenDNS
OpenDNS Senior Security Researcher Dhia Mahjoub's presentation from SOURCE Boston 2014.
1.
Marauder or Scanning your DNSDB for Fun and Profit
Dhia Mahjoub, OpenDNS
April 10th, 2014, Boston
2.
Short Bio
• Senior Security Researcher at OpenDNS
• Predictive threat detection based on DNS traffic and hosting infrastructure analysis
• CS PhD graduate from Southern Methodist University -------> Go Mustangs!
• Graph Theory applied on Wireless Sensor Networks problems (network lifetime, routing)
• Enjoyed writing sniffers, port scanners in C…
3.
Outline
• DNSDB
• Marauder
• Implementation
• ASN graph
• Use case 1: Suspicious Sibling Leaf ASNs
• Use Case 2: Rogue ASN de-peered or gone stealth
• Use Case 3: ASN(s) abused or lax about content
• Marauder: Platform, tools, libraries used
• Marauder in action
• Use case 4: Malicious sub-allocated ranges
• Use case 5: Predicting Malicious domains IP infrastructure
• Conclusion
4.
DNS data (figure): querylogs, authlogs
5.
OpenDNS' Network Map (figure)
6.
DNSDB
7.
Passive DNS
• Introduced by Florian Weimer in 2004
• Passive DNS builds zone replicas without cooperation from zone administrators
• Captures messages between DNS servers
• Messages are processed, de-duplicated, and DNS records are consolidated in an indexed database
-> Historical DNS database (DNSDB)
8.
Passive DNS (cont'd)
Various Services
1. BFK DNS logger http://www.bfk.de/bfk_dnslogger_en.html
2. DNSDB (Farsight Security) https://www.dnsdb.info/
3. Umbrella SGraph (re-dubbed Investigate) https://sgraph.opendns.com/main
4. VirusTotal DNSDB
• https://github.com/gamelinux/passivedns
• https://github.com/chrislee35/passivedns-client
9.
Why is DNSDB useful? (diagram: domains, IP addresses and name servers linked to each other, + TIME; legend: Domain, IP address, Name server)
10.
Streaming Authoritative DNS
• Tap into processed authoritative DNS stream before it's consolidated into a persistent DB
• asn, domain, 2LD, IP, NS_IP, timestamp, TTL, type
• Faster
• 100s – 1000s entries/sec (from subset of resolvers)
• Need to implement your own filters, detection heuristics
11.
Marauder
12.
Marauder
• Maraud (def): To rove and raid in search for plunder
• Martin B-26 Marauder
• WW2 medium-range bomber
• Pacific, Mediterranean, Western Europe theaters
13.
Marauder
• Cruise the IP, DNS space in search for new attack domains, IP infrastructures
14.
Implementation
1. IP watchlist + domain filter(s) + more post detection filter(s)
• IP watchlist <- blacklist feeds + other heuristics to build malicious/suspicious IP lists
2. Domain detection heuristics: name pattern, IP, NS, age, traffic volume
15.
Building the IP watchlist
Motivation
• Assess malicious IP ranges in BGP prefixes, ASNs from a new perspective
• Look beyond the simple counting of number of bad domains, bad IPs hosted on prefixes of an ASN
How?
• Look at topology of AS graph
• Look at smaller granularity than BGP prefix: sub-allocated ranges within BGP prefixes
16.
AS graph
• BGP routing tables
• Valuable data sources
• Routeviews http://archive.routeviews.org/bgpdata/
• Cidr-report http://www.cidr-report.org/as2.0/
• Hurricane Electric database http://bgp.he.net/
• Your own routing tables if you operate your own worldwide BGP routers
• 500,000+ BGP prefixes
• 46,000+ ASNs
17.
AS graph
• Route Views http://archive.routeviews.org/bgpdata/ (screenshot)
18.
AS graph
• Cidr Report http://www.cidr-report.org/as2.0/ (screenshot)
19.
AS graph
• Hurricane Electric database http://bgp.he.net/ (screenshot)
20.
AS graph
• Show one line of the BGP routing table
• TABLE_DUMP2|1392422403|B|96.4.0.55|11686|67.215.94.0/24|11686 4436 2914 36692|IGP|96.4.0.55|0|0||NAG||
• The AS graph changes constantly:
• New prefixes (with their routes) are announced
• Old prefixes are dropped
• Intentional, human error, hardware faults, or malicious
21.
AS graph (figure)
22.
AS graph
• TABLE_DUMP2|1392422403|B|96.4.0.55|11686|67.215.94.0/24|11686 4436 2914 36692|IGP|96.4.0.55|0|0||NAG||
• We can extract two types of useful data:
1. Upstream and downstream ASNs of every ASN
2. IP to ASN mapping (via prefix to ASN mapping)
• pyasn, Python IP to ASN lookup module https://code.google.com/p/pyasn/
• Team Cymru IP to ASN mapping
• GeoIPASNum.dat from maxmind
• curl ipinfo.io/8.8.8.8/org
23.
AS graph
• Build AS graph
• Directed graph: node=ASN, a directed edge from an ASN to an upstream ASN
• TABLE_DUMP2|1392422403|B|96.4.0.55|11686|67.215.94.0/24|11686 4436 2914 36692|IGP|96.4.0.55|0|0||NAG||
24.
AS graph
• Directed graph: node=ASN, a directed edge from an ASN to an upstream ASN
Interesting cases:
• Leaf ASNs that are siblings, i.e. they have common parents in the AS graph (share same upstream AS)
• Cluster the leaves by country
• Find interesting patterns: certain siblings in certain countries are delivering similar suspicious campaigns
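An added example (not part of the slides or of the Marauder code) that builds the AS graph the way slides 20-24 describe it from TABLE_DUMP2 lines, groups the leaf ASNs into siblings by their shared upstreams, does the prefix-to-ASN lookup of slide 22 and diffs two snapshots to spot an upstream that stopped announcing a leaf's prefixes (slide 28). Only the first RIB line is from the slides; the other lines, the ASNs 64496-64503 and the documentation prefixes are constructed, and plain dicts replace networkx/pyasn so it runs stand-alone.

```python
import ipaddress
from collections import defaultdict

# Constructed Route Views TABLE_DUMP2 export. Only the first line is the one shown on
# the slides; the rest use documentation prefixes and reserved ASNs (64496-64503), so
# they describe no real network.
SAMPLE_RIB = """\
TABLE_DUMP2|1392422403|B|96.4.0.55|11686|67.215.94.0/24|11686 4436 2914 36692|IGP|96.4.0.55|0|0||NAG||
TABLE_DUMP2|1392422403|B|96.4.0.55|11686|192.0.2.0/24|11686 64496 64497 64500|IGP|96.4.0.55|0|0||NAG||
TABLE_DUMP2|1392422403|B|96.4.0.55|11686|192.0.2.0/25|11686 64496 64497 64500 64500|IGP|96.4.0.55|0|0||NAG||
TABLE_DUMP2|1392422403|B|96.4.0.55|11686|198.51.100.0/24|11686 64496 64497 64501|IGP|96.4.0.55|0|0||NAG||
TABLE_DUMP2|1392422403|B|96.4.0.55|11686|198.51.100.0/24|11686 64496 64498 64501|IGP|96.4.0.55|0|0||NAG||
TABLE_DUMP2|1392422403|B|96.4.0.55|11686|203.0.113.0/24|11686 64496 64497 64502|IGP|96.4.0.55|0|0||NAG||
TABLE_DUMP2|1392422403|B|96.4.0.55|11686|203.0.113.128/25|11686 64496 64499 64503|IGP|96.4.0.55|0|0||NAG||
"""
# A constructed later snapshot in which AS64498 no longer announces AS64501's prefix.
SAMPLE_RIB_LATER = "\n".join(l for l in SAMPLE_RIB.splitlines() if "64498" not in l)


def parse_table_dump2(line):
    """Return (prefix, as_path) from one TABLE_DUMP2 line, or None if it is not one.

    Field 5 is the prefix, field 6 the AS path; prepending is collapsed and the path is
    cut at an AS set ({a,b}) because an aggregate gives no clean upstream relation.
    """
    fields = line.strip().split("|")
    if len(fields) < 7 or fields[0] != "TABLE_DUMP2":
        return None
    prefix = ipaddress.ip_network(fields[5], strict=False)
    path = []
    for hop in fields[6].split():
        if hop.startswith("{"):
            break
        asn = int(hop)
        if not path or path[-1] != asn:
            path.append(asn)
    return prefix, path


def build_as_graph(rib_text):
    """Directed AS graph (slide 23): an edge from each ASN to the upstream that carried
    its route, plus the prefix -> origin ASN map used for IP to ASN lookups (slide 22)."""
    upstreams = defaultdict(set)    # asn -> ASNs it is routed through
    downstreams = defaultdict(set)  # asn -> ASNs routed through it
    prefix_to_asn = {}
    for line in rib_text.splitlines():
        parsed = parse_table_dump2(line)
        if not parsed or not parsed[1]:
            continue
        prefix, path = parsed
        prefix_to_asn[prefix] = path[-1]  # the origin AS is the last hop of the path
        for nearer, farther in zip(path, path[1:]):
            upstreams[farther].add(nearer)
            downstreams[nearer].add(farther)
            upstreams.setdefault(nearer, set())  # keep the collector's peer as a node too
    return upstreams, downstreams, prefix_to_asn


def leaf_asns(upstreams, downstreams):
    """Leaf ASNs: routed through at least one upstream, but nobody is routed through them."""
    return sorted(a for a, ups in upstreams.items() if ups and not downstreams.get(a))


def sibling_leaf_groups(upstreams, downstreams):
    """Group the leaves by their exact upstream set: leaves in the same group are
    siblings in the sense of slides 24-26 (common parents in the AS graph)."""
    groups = defaultdict(list)
    for asn in leaf_asns(upstreams, downstreams):
        groups[tuple(sorted(upstreams[asn]))].append(asn)
    return dict(groups)


def lookup_asn(prefix_to_asn, ip):
    """(prefix, origin ASN) for an IP by longest-prefix match, as pyasn/PySubnetTree do;
    None when no announced prefix covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in prefix_to_asn.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, asn)
    return (str(best[0]), best[1]) if best else None


def lost_upstreams(old_upstreams, new_upstreams):
    """ASNs whose upstream set shrank between two snapshots, i.e. an upstream stopped
    announcing their prefixes, which is what AS31500 did to its leaves (slide 28)."""
    lost = {}
    for asn, ups in old_upstreams.items():
        gone = ups - new_upstreams.get(asn, set())
        if gone:
            lost[asn] = gone
    return lost


if __name__ == "__main__":
    ups, downs, p2a = build_as_graph(SAMPLE_RIB)
    for parents, leaves in sorted(sibling_leaf_groups(ups, downs).items()):
        print("upstream(s)", parents, "-> sibling leaves", leaves)
    print("192.0.2.10 ->", lookup_asn(p2a, "192.0.2.10"))
    later_ups, _, _ = build_as_graph(SAMPLE_RIB_LATER)
    print("de-peered:", lost_upstreams(ups, later_ups))
```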
25.
Use Case 1: Suspicious Sibling leaf ASNs
26.
Leaf ASNs and their upstreams
• January 8th topology snapshot, Ukraine, Russia
• 10 sibling leaf ASNs with 2 upstream ASNs
• /23 or /24 serving TrojWare.Win32.Kryptik.AXJX
• Trojan-Downloader.Win32.Ldmon.A
• http://telussecuritylabs.com/threats/show/TSL20130715-08
27.
Leaf ASNs and their upstreams (figure)
28.
Leaf ASNs and their upstreams
• February 21st topology snapshot, Ukraine, Russia
• AS31500 detached itself from the leaves (stopped announcing their prefixes)
• More leaves started hosting suspicious payload domains
• 3100+ malware domains on 1020+ IPs hosting malware
29.
Leaf ASNs and their upstreams
• Taking a sample of 160 live IPs
• Server setup is similar:
50 IPs with:
22/tcp   open  ssh        OpenSSH 6.2_hpn13v11 (FreeBSD 20130515; protocol 2.0)
8080/tcp open  http-proxy 3Proxy http proxy
Service Info: OS: FreeBSD

108 IPs with:
22/tcp open  ssh     OpenSSH 5.3 (protocol 1.99)
80/tcp open  http?
30.
Leaf ASNs and their upstreams
• The payload URLs were live on the entire range of IPs before any domains were hosted on them
• So, the IP infrastructure is set up in bulk and in advance
• http://pastebin.com/X83gkPY4
31.
Use Case 2: ASN abused or lax about shady content
32.
(figure)
33.
Example ASNs abused or lax
• Wordstream hosting fake merchandise, Exploit kit domains, XXX themed sites, etc
• Resellers using IP space of larger providers
• e.g. Ixam-hosting uses Voxility
• Other abused ASNs like OVH, LeaseWeb, etc
• Ranking of ASNs: sitevet.com
34.
Use Case 3: Rogue ASN de-peered or gone stealth
35.
Rogue ASN de-peered or gone stealth
• AS48031 XSERVER-IP-NETWORK-AS PE Ivanov Vitaliy Sergeevich 86400
• Serving browlock, porn, radical forums, spam, etc
• "PE Ivanov Vitaliy Sergeevich malware"
36.
Rogue ASN de-peered or gone stealth
News headline: Romanian Man Commits Suicide and Kills His 4-Year-Old after Falling for Police Ransomware
37.
Rogue ASN de-peered or gone stealth (figure)
38.
Rogue ASN de-peered or gone stealth
• AS48031 XSERVER-IP-NETWORK-AS PE Ivanov Vitaliy Sergeevich 86400
• 176.103.48.0/20 48031
39.
Rogue ASN de-peered or stealth (figure)
40.
Rogue ASN de-peered or stealth (figure)
41.
Marauder: Platform, tools, libraries used
42.
Platform and tools used
- Hadoop cluster
- Raw logs on HDFS
- Indexed DNSDB in HBase
- Python, shell, Gnu Parallel
- Streaming, zmq
43.
Python libraries
• Happybase: developer-friendly Python library to interact with Apache HBase
http://happybase.readthedocs.org/en/latest/
Column -> value
Single row: domain, time, type, IP -> TTL
• Search DNSDB by IP, name
• Forward lookup for domain to get history of IPs, TTL
• Inverse lookup for IP to get mapping domain(s) over time
44.
Python libraries
• Happybase:

    import happybase

    # protect in a try/except: the Thrift connection can fail or time out
    connection = happybase.Connection('server.com', compat='0.90')
    try:
        table = connection.table('authlogs')
        _domain = "google.com"
        # row keys are "domain:time:type:ip" (slide 43); the trailing ":" keeps the
        # prefix scan from also matching rows of other domains starting with "google.com"
        for key, data in table.scan(row_prefix=(_domain + ":").encode()):
            domain, time, rtype, ip = key.decode().split(":")  # happybase returns bytes
            ip_ttl = ip + " " + data[b'name2rr:v'].decode()  # if you need the TTL
    except Exception as err:
        print("DNSDB scan failed:", err)
    finally:
        connection.close()
45.
Python libraries
• IPy: Python class and tools for handling of IPv4 and IPv6 addresses and networks
https://github.com/haypo/python-ipy/wiki
Use it to flatten a CIDR into a list of IPs

    from IPy import IP

    cidr = IP('127.0.0.0/30')
    for ip in cidr:      # yields 127.0.0.0 .. 127.0.0.3
        print(ip)
46.
Python libraries
• PySubnetTree: Python data structure SubnetTree which maps subnets given in CIDR notation to Python objects.
• Lookups are performed by longest-prefix matching.
http://www.bro.org/download/README.pysubnettree.html
Use it to map IP to BGP prefix and/or ASN
• A row in the prefix to ASN database (file):
1.22.232.0/24 45528
47.
Python libraries
• PySubnetTree:
Load pref_asn db then do lookups on IPs

    import SubnetTree

    pref_asn_db = SubnetTree.SubnetTree()
    # each line of the file is "<prefix> <asn>", e.g. "1.22.232.0/24 45528"
    with open("pref-asn", 'r') as f_pref_asn:
        for line in f_pref_asn:
            line = line.strip()
            if line:
                # e.g. pref_asn_db["1.22.232.0/24"] = "1.22.232.0/24 45528"
                pref_asn_db[line.split()[0]] = line
    ip = "1.22.232.7"
    cidr = pref_asn_db[ip].split()[0]   # longest-prefix match -> "1.22.232.0/24"
48.
Python libraries
• PyASN: Python extension module (written in C) that allows to perform very fast IP to ASN lookups
https://code.google.com/p/pyasn/
• pygeoip: Map IP to country code https://pypi.python.org/pypi/pygeoip
• networkx: Python package to manipulate graphs http://networkx.github.io/
49.
Marauder in action
50.
Marauder in action
• Input: IP, BGP prefix, or ASN
• Use DNSDB (HBase)
• Use auth DNS stream
HBase:
1) IP: direct lookup
2) BGP prefix -> flatten prefix -> fork processes (GNU parallel processes or threads) to query HBase for every IP
3) ASN -> get list of prefixes from pref_asn_db -> process every prefix like in 2)
51.
Use Case 4: Malicious sub-allocated ranges
52.
Malicious sub-allocated ranges
• Case of OVH
• Sub-allocated ranges reserved by same suspicious customers, serving Nuclear Exploit kit domains
• Users are led to the Exploit landing sites through malvertising campaigns, then malware is dropped on victims' machines (e.g. zbot)
• Monitoring patterns for 5 months: Oct 2013-Feb 2014
53.
Malicious sub-allocated ranges
• For several months, OVH ranges were abused
• Notable fact: IPs were exclusively used for hosting Nuclear Exploit subdomains, no other sites hosted
54.
Malicious sub-allocated ranges (figure)
55.
Malicious sub-allocated ranges
• Some OVH sub-allocated ranges used in Jan-Feb 2014
192.95.50.208 - 192.95.50.215
198.50.183.68 - 198.50.183.71
192.95.42.112 - 192.95.42.127
192.95.6.112 - 192.95.6.127
192.95.10.208 - 192.95.10.223
192.95.7.224 - 192.95.7.239
192.95.43.160 - 192.95.43.175
192.95.43.176 - 192.95.43.191
198.50.131.0 - 198.50.131.15
56.
Malicious sub-allocated ranges
• Feb 7th, bad actors moved to a Ukrainian hosting provider http://www.besthosting.ua/
IP            first seen  last seen   days
31.41.221.143 2014-02-14  2014-02-14  0
31.41.221.142 2014-02-12  2014-02-14  2
31.41.221.130 2014-02-12  2014-02-14  2
31.41.221.140 2014-02-12  2014-02-12  0
31.41.221.139 2014-02-12  2014-02-12  0
31.41.221.138 2014-02-11  2014-02-12  1
31.41.221.137 2014-02-10  2014-02-11  1
31.41.221.136 2014-02-10  2014-02-11  1
31.41.221.135 2014-02-10  2014-02-10  0
31.41.221.134 2014-02-09  2014-02-19  10
31.41.221.132 2014-02-08  2014-02-09  1
31.41.221.131 2014-02-07  2014-02-08  1
57.
Malicious sub-allocated ranges
• Feb 14th, bad actors moved to a Russian hosting provider http://pinspb.ru/
IP           first seen  last seen   days
5.101.173.10 2014-02-21  2014-02-22  1
5.101.173.9  2014-02-19  2014-02-21  2
5.101.173.8  2014-02-19  2014-02-19  0
5.101.173.7  2014-02-18  2014-02-19  1
5.101.173.6  2014-02-18  2014-02-18  0
5.101.173.5  2014-02-17  2014-02-18  1
5.101.173.4  2014-02-17  2014-02-17  0
5.101.173.3  2014-02-16  2014-02-17  1
5.101.173.2  2014-02-15  2014-02-16  1
5.101.173.1  2014-02-14  2014-02-15  1
58.
Malicious sub-allocated ranges
• Feb 22nd, bad actors moved back to OVH
• Notable fact: They change MO, IPs have been allocated and used in the past for other content -> evasion technique or resource recycling
• But during all this time, bad actors still kept the name server infrastructure on OVH on ranges reserved by same customers
59.
Malicious sub-allocated ranges
IP            first seen  last seen   days
198.50.143.73 2013-11-25  2014-02-24  91  (highlighted on the slide)
198.50.143.69 2013-11-25  2014-02-24  91  (highlighted on the slide)
198.50.143.68 2013-11-25  2014-02-24  91  (highlighted on the slide)
198.50.143.67 2013-11-26  2014-02-24  90  (highlighted on the slide)
198.50.143.65 2013-11-24  2014-02-23  91  (highlighted on the slide)
198.50.143.66 2013-11-25  2014-02-23  90  (highlighted on the slide)
198.50.143.64 2013-11-24  2014-01-25  62
198.50.143.75 2013-12-03  2013-12-10  7
198.50.143.79 2013-11-25  2013-12-10  15
198.50.143.78 2013-11-25  2013-12-10  15
198.50.143.74 2013-11-25  2013-12-10  15
198.50.143.72 2013-11-25  2013-12-10  15
198.50.143.71 2013-11-25  2013-12-10  15
198.50.143.76 2013-11-25  2013-12-09  14
198.50.143.70 2013-11-26  2013-12-09  13
198.50.143.77 2013-11-26  2013-12-05  9
60.
Malicious sub-allocated ranges
• http://labs.umbrella.com/2014/02/14/when-ips-go-nuclear/
• http://pastebin.com/SX5R69vY
• http://pastebin.com/KuxpNJwV
61.
Abused TLDs
• Nuclear has been abusing various TLDs, ccTLDs (Feb 2014)
• .pw for a while
• Take down campaign with MalwareMustDie
• Moved to .ru and .in.net
• Then back to .pw
62.
Use Case 5: Predicting malicious domains IP infrastructure
63.
Malicious sub-allocated ranges (Feb 2014)
• For Nuclear, in addition to sub-allocated ranges reserved by same actors (for OVH case)
• The live IPs all have same server setup (fingerprint):
• 31.41.221.131 to 31.41.221.143
22/tcp  open  ssh     OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
80/tcp  open  http    nginx web server 0.7.67
111/tcp open  rpcbind
• 5.101.173.1 to 5.101.173.10
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4 (protocol 2.0)
80/tcp  open  http    nginx web server 1.2.1
111/tcp open  rpcbind
64.
Malicious sub-allocated ranges (Feb 2014)
• 198.50.143.64 to 198.50.143.79
22/tcp  open     ssh          OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
80/tcp  open     http         nginx web server 0.7.67
445/tcp filtered microsoft-ds
• In some cases, IPs are brought online in small chunks
• The name server IPs also have the same fingerprint
• Combination of these different indicators has made predictions 100% accurate for the past months. Bad actors change their MO, but this approach works on other attacks
• -> We block/monitor IPs before they start hosting domains
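An added example (not the Marauder code) of the slide 50 procedure and of the use case 5 prediction: flatten a prefix, build the per-IP first-seen/last-seen timeline of slides 56-59 from DNSDB-style row keys, separate the long-lived name server IPs from the daily-rotated hosting IPs, derive the server fingerprint shared by IPs that already host a known-bad domain, and list the IPs of the range that carry that fingerprint but host nothing yet. All rows, scan results and the 203.0.113.0/24 ranges are constructed; the banner strings are the ones quoted on slides 29 and 63.

```python
import ipaddress
from datetime import date

# Constructed DNSDB rows in the "domain:time:type:ip" key layout of the authlogs table
# (slides 43-44). 203.0.113.0/24 is a documentation range standing in for the real
# hosting and name server ranges; the dates mirror the dwell times seen on slides 56-59.
SAMPLE_ROWS = [
    "a1.landing.example:2014-02-10:A:203.0.113.17",
    "a2.landing.example:2014-02-11:A:203.0.113.18",
    "a3.landing.example:2014-02-12:A:203.0.113.18",
    "a4.landing.example:2014-02-12:A:203.0.113.19",
    "a5.landing.example:2014-02-14:A:203.0.113.19",
    "ns1.landing.example:2013-11-25:A:203.0.113.65",
    "ns1.landing.example:2014-02-24:A:203.0.113.65",
    "ns2.landing.example:2013-11-25:A:203.0.113.66",
    "ns2.landing.example:2014-02-24:A:203.0.113.66",
    "shop.example:2013-06-01:A:203.0.113.30",
]
# Constructed scan summaries keyed by IP; the banner strings are those quoted on
# slides 29 and 63, here assigned to the documentation IPs above.
NUCLEAR_FP = ("22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)",
              "80/tcp open http nginx web server 0.7.67",
              "111/tcp open rpcbind")
OTHER_FP = ("22/tcp open ssh OpenSSH 6.2_hpn13v11 (FreeBSD 20130515; protocol 2.0)",
            "8080/tcp open http-proxy 3Proxy http proxy")
SAMPLE_SCANS = {"203.0.113.%d" % n: NUCLEAR_FP for n in range(17, 26)}
SAMPLE_SCANS.update({"203.0.113.30": OTHER_FP,
                     "203.0.113.65": NUCLEAR_FP, "203.0.113.66": NUCLEAR_FP})


def flatten_prefix(cidr):
    """Every address of a CIDR as a string (what iterating IPy's IP('...') does on slide 45)."""
    return [str(ip) for ip in ipaddress.ip_network(cidr, strict=False)]


def parse_row(row):
    """Split a DNSDB row key into (domain, date, type, ip)."""
    domain, when, rtype, ip = row.split(":")
    return domain, date.fromisoformat(when), rtype, ip


def ip_timeline(rows):
    """Per-IP (first seen, last seen, active days, domains): the tables on slides 56-59."""
    seen = {}
    for domain, when, _rtype, ip in map(parse_row, rows):
        first, last, domains = seen.get(ip, (when, when, set()))
        seen[ip] = (min(first, when), max(last, when), domains | {domain})
    return {ip: (str(f), str(l), (l - f).days, sorted(d)) for ip, (f, l, d) in seen.items()}


def persistent_ips(timeline, min_days):
    """IPs active for at least min_days; in the OVH case these were the name servers
    that stayed put while the hosting IPs rotated daily (slides 58-59)."""
    return sorted(ip for ip, (_f, _l, days, _d) in timeline.items() if days >= min_days)


def infrastructure_fingerprint(timeline, scans, bad_domains):
    """The server setup shared by every scanned IP that hosted a known-bad domain, or
    None when those IPs do not agree (then there is no usable fingerprint)."""
    fps = {scans[ip] for ip, (_f, _l, _days, doms) in timeline.items()
           if ip in scans and bad_domains & set(doms)}
    return fps.pop() if len(fps) == 1 else None


def predict_watchlist(cidr, timeline, scans, fingerprint):
    """IPs of the range that already carry the fingerprint but have no DNS history yet:
    the ones to block/monitor before they start hosting domains (slide 64)."""
    if fingerprint is None:
        return []
    return [ip for ip in flatten_prefix(cidr)
            if scans.get(ip) == fingerprint and ip not in timeline]


if __name__ == "__main__":
    tl = ip_timeline(SAMPLE_ROWS)
    for ip, (first, last, days, _doms) in sorted(tl.items()):
        print(ip, first, last, days)
    fp = infrastructure_fingerprint(tl, SAMPLE_SCANS, {"a1.landing.example"})
    print("name server IPs:", persistent_ips(tl, 30))
    print("watchlist:", predict_watchlist("203.0.113.16/28", tl, SAMPLE_SCANS, fp))
```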
65.
Conclusion
• Predictive threat detection based on:
• Monitoring of DNS traffic (recursive and authoritative) and hosting infrastructure
• Shut down the bad actors' infrastructure at the hosting provider; reseller level or lowest common upstream ancestor (with bad reputation and repeated offenses)
66.
References
• Discovering Fast Flux domains using Machine Learning. Presented at BSides New Orleans 2013
• Real time monitoring of Kelihos Fast Flux botnet. Presented at APWG eCrime 2013
• Fast detection of malicious domains using DNS. Presented at BSides Raleigh 2013
• The power of the team work – Management of Dissecting Kelihos Fast Flux Botnet "Unleashed". Presented at BotConf 2013
67.
Contact Info
• Contact me at dhia@opendns.com if you are interested in:
• Asking questions
• Collaborating
• Twitter @DhiaLite
• Blogs http://labs.umbrella.com/author/dhia/
68.
Thank you
(Q & A)