OpenDNS Security Talk
The Role of DNS in Botnet Command & Control (C&C)

Please Watch the Recording via the Link Posted in the Comment Section Below for Context!
Topics: DNS Refresher.

Domain Name System Refresher
How It Works?

(Diagram: stub clients send queries to recursive name servers, which in turn query the authoritative name servers for the root, the TLD, and domain.tld.)
So It’s a Protocol? Or a Database? No, It’s Both!

(Diagram: as a request protocol, any device or any application sends a query for a domain name and receives a response, e.g. an IP address. As a distributed database, recursive and authoritative name servers hold resource records, e.g. domain name = IP address.)
Role of DNS in Internet Threats (including Botnet C&C)

(Diagram, DATA THEFT: an infected device “phones home” over IRC, P2P and hundreds of other channels. Without user interaction, confidential data is leaked to p2p.botnet.cn. The hacker collects the data via the botnet controller or bot peers.)
Hackers Add Threat Mobility via DNS to Thwart Reactive Defenses

IP FLUX via DNS RECORDS (same query, different responses):

   paypalz.com     ad.malware.cn    p2p.botnet.com
     = 1.1.1.1       = 2.2.2.2        = 3.3.3.3
     = 1.1.1.2       = 2.2.2.3        = 3.3.3.4
     = 1.1.1.3       = 2.2.2.4        = 3.3.3.5

DOMAIN FLUX via DGA (different queries, same response):

   paypalz.com     maltesefalcon.cn   kjasdfsdfsaa.com
   paypals.com     visitmalta.cn      kjasdfaasdf.com
   paypall.com     maltwhisky.cn      ijiewfsfsjst.com
     = 1.1.1.1       = 2.2.2.2          = 3.3.3.3

DOUBLE IP FLUX via DNS RECORDS (same name server, different responses):

   ns.botnet.com = 4.4.4.4, then = 4.4.4.5, then = 4.4.4.6

Must Shutdown or Block All…
•  Content Servers.
•  Name Servers.
… via DNS Records.
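As an added example (not from the deck), the Python below flags each of the three flux patterns in passive-DNS style data and sums up the takedown surface the slide warns about; the observations, names, addresses and thresholds are constructed to mirror the slide and are not real indicators.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Obs = List[Tuple[str, str, str]]

# Constructed passive-DNS style observations (qname, rrtype, rdata) that mirror
# the deck's illustration. Names and addresses are made up, not real indicators.
OBSERVATIONS: Obs = [
    # IP flux: same query, different responses over time.
    ("paypalz.com", "A", "1.1.1.1"), ("paypalz.com", "A", "1.1.1.2"), ("paypalz.com", "A", "1.1.1.3"),
    ("ad.malware.cn", "A", "2.2.2.2"), ("ad.malware.cn", "A", "2.2.2.3"), ("ad.malware.cn", "A", "2.2.2.4"),
    ("p2p.botnet.com", "A", "3.3.3.3"), ("p2p.botnet.com", "A", "3.3.3.4"), ("p2p.botnet.com", "A", "3.3.3.5"),
    # Domain flux: different queries (look-alike or generated names), same response.
    ("paypals.com", "A", "1.1.1.1"), ("paypall.com", "A", "1.1.1.1"),
    ("maltesefalcon.cn", "A", "2.2.2.2"), ("visitmalta.cn", "A", "2.2.2.2"), ("maltwhisky.cn", "A", "2.2.2.2"),
    ("kjasdfsdfsaa.com", "A", "3.3.3.3"), ("kjasdfaasdf.com", "A", "3.3.3.3"), ("ijiewfsfsjst.com", "A", "3.3.3.3"),
    # Double flux: the zone's own name server keeps moving as well.
    ("botnet.com", "NS", "ns.botnet.com"),
    ("ns.botnet.com", "A", "4.4.4.4"), ("ns.botnet.com", "A", "4.4.4.5"), ("ns.botnet.com", "A", "4.4.4.6"),
    # Benign control: a name with a stable answer.
    ("example.org", "A", "5.5.5.5"), ("example.org", "A", "5.5.5.5"),
]


def ip_flux(obs: Obs, min_distinct: int = 3) -> Dict[str, Set[str]]:
    """Names whose A answers spanned at least min_distinct addresses (same query,
    different responses). Caveat: CDNs and round-robin pools do this legitimately,
    so in production this signal is combined with TTL and hosting diversity."""
    answers: Dict[str, Set[str]] = defaultdict(set)
    for qname, rrtype, rdata in obs:
        if rrtype == "A":
            answers[qname].add(rdata)
    return {name: ips for name, ips in answers.items() if len(ips) >= min_distinct}


def domain_flux(obs: Obs, min_names: int = 3) -> Dict[str, Set[str]]:
    """Addresses that answered for at least min_names distinct names (different
    queries, same response): the footprint a DGA or look-alike set leaves behind."""
    names: Dict[str, Set[str]] = defaultdict(set)
    for qname, rrtype, rdata in obs:
        if rrtype == "A":
            names[rdata].add(qname)
    return {ip: ns for ip, ns in names.items() if len(ns) >= min_names}


def double_flux(obs: Obs, min_distinct: int = 3) -> Dict[str, Set[str]]:
    """Zones whose NS hosts are themselves IP-fluxing (same name server,
    different responses)."""
    fluxing = ip_flux(obs, min_distinct)
    zones: Dict[str, Set[str]] = defaultdict(set)
    for qname, rrtype, rdata in obs:
        if rrtype == "NS" and rdata in fluxing:
            zones[qname].add(rdata)
    return dict(zones)


def takedown_surface(obs: Obs) -> Dict[str, Set[str]]:
    """Everything that would have to be blocked or shut down: every flux name,
    every content address, and every name server host and address."""
    ipf, dff, dbl = ip_flux(obs), domain_flux(obs), double_flux(obs)
    ns_hosts = {host for hosts in dbl.values() for host in hosts}
    names = (set(ipf) - ns_hosts) | {n for ns in dff.values() for n in ns}
    content = {ip for name, ips in ipf.items() if name not in ns_hosts for ip in ips} | set(dff)
    ns_addresses = {ip for host in ns_hosts for ip in ipf.get(host, set())}
    return {"names": names, "content_addresses": content,
            "name_server_hosts": ns_hosts, "name_server_addresses": ns_addresses}


if __name__ == "__main__":
    # Shows why a reactive blocklist lags: one campaign already needs
    # 11 names, 9 content addresses and a moving name server blocked.
    for label, items in takedown_surface(OBSERVATIONS).items():
        print(f"{label}: {len(items)} -> {sorted(items)}")
```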
Hackers Distribute Botnet’s Architecture via DNS to Thwart Takedown

Hackers Distribute Botnet’s Architecture via DNS to Thwart Takedown (continued…)
Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies

(Diagram, builds 1 to 5: an infected device within the on-premises network is just one vector. Its queries “where is 11010.cnc.tld?”, “where is 00110.cnc.tld?” and “where is 01010.cnc.tld?” pass the firewall and the proxies and reach the ISP, and the answers “cnc.tld is at 01110”, “cnc.tld is at 11100” and “cnc.tld is at 11011” come back the same way, so data travels in both directions inside ordinary DNS traffic.)

DNS TUNNELING
•  Bi-directional, ~110 kbps, using TXT records.
•  1998 -- Concept published.
•  2004 -- Security community discussed.
•  2008 -- Security community created exploit.
•  2011 -- 1st documented botnet to exploit it.
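An added detection example, not part of the deck, that scores a constructed query log for the tunneling pattern sketched above (every query to one zone is a fresh label, and TXT is the carrier); the client addresses, the cnc.tld zone, the benign example.org traffic and the thresholds are assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

Log = List[Tuple[str, str, str]]

# Constructed query log (client, qtype, qname) in the style of the deck's
# "where is 11010.cnc.tld?" illustration; not real traffic or real indicators.
QUERY_LOG: Log = [
    ("10.0.0.7", "TXT", "11010.cnc.tld"),
    ("10.0.0.7", "TXT", "00110.cnc.tld"),
    ("10.0.0.7", "TXT", "01010.cnc.tld"),
    ("10.0.0.7", "TXT", "11100.cnc.tld"),
    ("10.0.0.7", "TXT", "11011.cnc.tld"),
    ("10.0.0.7", "TXT", "01110.cnc.tld"),
    # Ordinary traffic: a few names, looked up repeatedly, A/MX only.
    ("10.0.0.9", "A", "www.example.org"),
    ("10.0.0.9", "A", "www.example.org"),
    ("10.0.0.9", "A", "mail.example.org"),
    ("10.0.0.9", "MX", "example.org"),
    ("10.0.0.9", "A", "www.example.org"),
    ("10.0.0.9", "A", "mail.example.org"),
]


def split_name(qname: str) -> Tuple[str, str]:
    """Return (subdomain, zone), taking the last two labels as the zone.
    Simplification for the example: real deployments use a public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def zone_stats(log: Log) -> Dict[str, Dict[str, float]]:
    """Per registered zone: query volume, name churn, TXT share and label shape."""
    rows: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for _client, qtype, qname in log:
        sub, zone = split_name(qname)
        rows[zone].append((qtype, sub))
    stats: Dict[str, Dict[str, float]] = {}
    for zone, entries in rows.items():
        total = len(entries)
        subs = {sub for _, sub in entries}
        labelled = [s for s in subs if s]  # apex queries carry no label
        stats[zone] = {
            "queries": total,
            "distinct_names": len(subs),
            "unique_ratio": len(subs) / total,
            "txt_ratio": sum(1 for t, _ in entries if t == "TXT") / total,
            "mean_sub_len": sum(map(len, labelled)) / len(labelled) if labelled else 0.0,
            "mean_sub_entropy": sum(map(shannon_entropy, labelled)) / len(labelled) if labelled else 0.0,
        }
    return stats


def flag_tunnel_zones(stats: Dict[str, Dict[str, float]], min_names: int = 5,
                      min_unique: float = 0.9, min_txt: float = 0.5,
                      min_len: int = 20) -> Set[str]:
    """A zone is suspicious when nearly every query to it is a never-seen name
    (the label is carrying data out) AND the queries use a record type or label
    length that can carry a payload back. Entropy is reported but not required:
    the deck's binary labels score under 1 bit/char and would slip past an
    entropy-only rule, while base32/base64 labels would trip it."""
    flagged: Set[str] = set()
    for zone, s in stats.items():
        churn = s["distinct_names"] >= min_names and s["unique_ratio"] >= min_unique
        carrier = s["txt_ratio"] >= min_txt or s["mean_sub_len"] >= min_len
        if churn and carrier:
            flagged.add(zone)
    return flagged


if __name__ == "__main__":
    stats = zone_stats(QUERY_LOG)
    for zone, s in stats.items():
        print(zone, {k: round(v, 2) for k, v in s.items()})
    print("flagged:", flag_tunnel_zones(stats))
```

Thresholds here are tuned to the toy log; on real resolver logs they are set per zone from a baseline so that busy legitimate zones with many hostnames do not trip the churn test.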
If Hackers Have Evolved, So Should Your Defense-in-Depth Strategy!

Who:
   Past: Hackers seek fame & glory.
   Present & future: Cybercriminals seek fortune & politics.

What:
   Past: Malware disrupts your business.
   Present & future: Botnets penetrate your networks. And roaming & mobile devices enter your networks.

Cost:
   Past: Your highest costs are lost productivity & IT remediation time.
   Present & future: Your highest costs are leaked data & legal audit fees.

Response:
   Past: After detection, you attempt to prevent 100%. There’s a lot of vectors, so a lot of solutions.
   Present & future: After preventing as much as reasonable, since 100% is no longer realizable, you contain the rest.
Role of DNS in Internet-Wide Security

Visualize Threats & Characterize Patterns in Big Data

(Visualization: one day’s worth of blocked malware, botnet, or phishing domain requests.)
What’s Next for DNS-based Security?

•  More domain names to track.
   »  Internet still exponentially growing.
   »  ICANN received 2000+ applications for new TLDs (Top-Level Domains).
•  Bigger and more complex DNS packets.
   »  DNS tunneling by botnets.
   »  DKIM (DomainKeys Identified Mail).
   »  AAAA records for IPv6 addresses.
•  More DNS traffic.
   »  More persistent threats due to DIY (do-it-yourself) kits for cybercriminals.
   »  Browsers predictively pre-caching DNS requests.
Thank You for Attending!
Continue the discussion:
Email: david@opendns.com
Twitter: @davidu

  • 16. Hackers Add Stealth via DNS Tunneling to Thwart Firewalls & Proxies (build 5) DNS TUNNELING An Infected Device TXT records. •  Bi-directional ~110kbps using within On-Premises 1998 -- Concept published. Network is community discussed. Just 2004 -- Security One--Vectorcommunity created exploit. 2008 Security 2011 -- 1st documented botnet to exploit it. ISP PROXY 11010. cnc.tld is 11010. cnc.tld is11010. at 01110 cnc.tld is PROXY at 11100 at 11011 FIREWALL
  • 17. If Hackers Have Evolved, So Should Your Defense-in-Depth Strategy! PAST PRESENT & FUTURE Hackers seek Cybercriminals seek fame & glory. fortune & politics. Malware disrupts Botnets penetrate your business. your networks. And roaming & mobile devices enter your networks. Your highest costs are Your highest costs are lost productivity leaked data & & IT remediation time. legal audit fees. After detection, After preventing as much you attempt to as reasonable since 100% prevent 100%. is no longer realizable, There’s a lot of you contain the rest. vectors, so a lot of solutions.
  • 18. Role of DNS in Internet-Wide Security
  • 19.
  • 20. Visualize Threats & Characterize Patterns in Big Data
  • 22.
  • 23. What’s Next for DNS-based Security? •  More domain names to track. »  Internet still exponentially growing. »  ICANN received 2000+ applications for new TLDs (Top-Level Domains). •  Bigger and more complex DNS packets. »  DNS tunneling by botnets. »  DKIM (DomainKeys Identified Mail). »  AAAA records for IPv6 addresses. •  More DNS traffic. »  More persistent threats due to DIY (do-it-yourself) kits for cybercriminals. »  Browsers predictively pre-caching DNS requests.
  • 24. Thank You for Attending! Continue the discussion: Email: david@opendns.com Twitter: @davidu
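As an added example, not from the OpenDNS deck, the three evasion patterns the slides describe (IP flux, domain flux via DGA, and TXT-record tunneling) turned into resolver-log heuristics a defender could run over query/answer records. The log records, addresses and thresholds are constructed, and registered_domain is a hypothetical two-label stand-in for a public-suffix lookup.

```python
from collections import defaultdict

# Constructed resolver log, not real traffic: (qname, qtype, answer).
# Names and addresses echo the examples on the slides.
LOG = [
    ("paypalz.com", "A", "1.1.1.1"), ("paypalz.com", "A", "1.1.1.2"),
    ("paypalz.com", "A", "1.1.1.3"),                        # IP flux
    ("maltesefalcon.cn", "A", "2.2.2.2"), ("visitmalta.cn", "A", "2.2.2.2"),
    ("maltwhisky.cn", "A", "2.2.2.2"),                      # domain flux / DGA
    ("11010.cnc.tld", "TXT", "01110"), ("00110.cnc.tld", "TXT", "11100"),
    ("01010.cnc.tld", "TXT", "11011"),                      # tunneling
    ("www.example.com", "A", "5.5.5.5"),                    # benign
]

def registered_domain(qname):
    """Hypothetical eTLD+1: last two labels. A real deployment would consult
    the Public Suffix List instead."""
    return ".".join(qname.split(".")[-2:])

def ip_flux(log, min_ips=3):
    """Same query, different responses: names answered with >= min_ips A records."""
    ips = defaultdict(set)
    for qname, qtype, answer in log:
        if qtype == "A":
            ips[qname].add(answer)
    return {name: sorted(a) for name, a in ips.items() if len(a) >= min_ips}

def domain_flux(log, min_names=3):
    """Different queries, same response: IPs reached via >= min_names names."""
    names = defaultdict(set)
    for qname, qtype, answer in log:
        if qtype == "A":
            names[answer].add(qname)
    return {ip: sorted(n) for ip, n in names.items() if len(n) >= min_names}

def tunneling(log, min_labels=3):
    """Data leaves in the leftmost label and returns in the TXT answer, so a
    tunnelled domain shows many unique labels and many TXT responses."""
    labels, txt = defaultdict(set), defaultdict(int)
    for qname, qtype, answer in log:
        dom = registered_domain(qname)
        labels[dom].add(qname.split(".")[0])
        txt[dom] += 1 if qtype == "TXT" else 0
    return {d: {"unique_labels": len(l), "txt_answers": txt[d]}
            for d, l in labels.items()
            if len(l) >= min_labels and txt[d] >= min_labels}

if __name__ == "__main__":
    for detector in (ip_flux, domain_flux, tunneling):
        print(detector.__name__, detector(LOG))
```

The thresholds are deliberately low so the constructed log trips each detector; on real resolver data they would be tuned against TTL, query volume and known CDN behaviour to keep legitimate round-robin and multi-tenant hosting out of the alerts.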