Marauder or Scanning Your DNSDB for Fun and Profit - SOURCE Boston
OpenDNS Senior Security Researcher Dhia Mahjoub's presentation from SOURCE Boston 2014.
1.
Marauder or Scanning your DNSDB for Fun and Profit
Dhia Mahjoub, OpenDNS, April 10th, 2014, Boston
2.
Short Bio
• Senior Security Researcher at OpenDNS
• Predictive threat detection based on DNS traffic and hosting infrastructure analysis
• CS PhD graduate from Southern Methodist University -------> Go Mustangs!
• Graph Theory applied on Wireless Sensor Networks problems (network lifetime, routing)
• Enjoyed writing sniffers, port scanners in C…
3.
Outline
• DNSDB
• Marauder
• Implementation
• ASN graph
• Use case 1: Suspicious Sibling Leaf ASNs
• Use Case 2: Rogue ASN de-peered or gone stealth
• Use Case 3: ASN(s) abused or lax about content
• Marauder: Platform, tools, libraries used
• Marauder in action
• Use case 4: Malicious sub-allocated ranges
• Use case 5: Predicting Malicious domains IP infrastructure
• Conclusion
4.
DNS data (figure): querylogs, authlogs
5.
OpenDNS' Network Map (figure)
6.
DNSDB
7.
Passive DNS
• Introduced by Florian Weimer in 2004
• Passive DNS builds zone replicas without cooperation from zone administrators
• Captures messages between DNS servers
• Messages are processed, de-duplicated, and DNS records are consolidated in an indexed database -> Historical DNS database (DNSDB)
8.
Passive DNS (cont'd)
Various Services
1. http://www.bfk.de/bfk_dnslogger_en.html
2. DNSDB (Farsight Security) https://www.dnsdb.info/
3. Umbrella SGraph (re-dubbed Investigate) https://sgraph.opendns.com/main
4. VirusTotal DNSDB
• https://github.com/gamelinux/passivedns
• https://github.com/chrislee35/passivedns-client
9.
Why is DNSDB useful? (figure: domains, IP addresses and name servers linked over time)
10.
Streaming Authoritative DNS
• Tap into processed authoritative DNS stream before it's consolidated into a persistent DB
• asn, domain, 2LD, IP, NS_IP, timestamp, TTL, type
• Faster
• 100s – 1000s entries/sec (from subset of resolvers)
• Need to implement your own filters, detection heuristics
11.
Marauder
12.
Marauder
• Maraud (def): To rove and raid in search for plunder
• Martin B-26 Marauder
• WW2 medium-range bomber
• Pacific, Mediterranean, Western Europe theaters
13.
Marauder
• Cruise the IP, DNS space in search for new attack domains, IP infrastructures
14.
Implementation
1. IP watchlist + domain filter(s) + more post detection filter(s)
   • IP watchlist <- blacklist feeds + other heuristics to build malicious/suspicious IP lists
2. Domain detection heuristics: name pattern, IP, NS, age, traffic volume
15.
Building the IP watchlist
Motivation
• Assess malicious IP ranges in BGP prefixes, ASNs from a new perspective
• Look beyond the simple counting of number of bad domains, bad IPs hosted on prefixes of an ASN
How?
• Look at topology of AS graph
• Look at smaller granularity than BGP prefix: sub-allocated ranges within BGP prefixes
16.
AS graph
• BGP routing tables
• Valuable data sources
• Routeviews http://archive.routeviews.org/bgpdata/
• Cidr-report http://www.cidr-report.org/as2.0/
• Hurricane Electric database http://bgp.he.net/
• Your own routing tables if you operate your own worldwide BGP routers
• 500,000+ BGP prefixes
• 46,000+ ASNs
17.
AS graph
• Route Views http://archive.routeviews.org/bgpdata/ (figure)
18.
AS graph
• Cidr Report http://www.cidr-report.org/as2.0/ (figure)
19.
AS graph
• Hurricane Electric database http://bgp.he.net/ (figure)
20.
AS graph
• Show one line of the BGP routing table
• TABLE_DUMP2|1392422403|B|96.4.0.55|11686|67.215.94.0/24|11686 4436 2914 36692|IGP|96.4.0.55|0|0||NAG||
• The AS graph changes constantly:
   • New prefixes (with their routes) are announced
   • Old prefixes are dropped
   • Intentional, human error, hardware faults, or malicious
21.
AS graph (figure)
22.
AS graph
• TABLE_DUMP2|1392422403|B|96.4.0.55|11686|67.215.94.0/24|11686 4436 2914 36692|IGP|96.4.0.55|0|0||NAG||
• We can extract two types of useful data:
   1. Upstream and downstream ASNs of every ASN
   2. IP to ASN mapping (via prefix to ASN mapping)
• pyasn, Python IP to ASN lookup module https://code.google.com/p/pyasn/
• Team Cymru IP to ASN mapping
• GeoIPASNum.dat from maxmind
• curl ipinfo.io/8.8.8.8/org
23.
AS graph
• Build AS graph
• Directed graph: node=ASN, a directed edge from an ASN to an upstream ASN
• TABLE_DUMP2|1392422403|B|96.4.0.55|11686|67.215.94.0/24|11686 4436 2914 36692|IGP|96.4.0.55|0|0||NAG||
24.
AS graph
• Directed graph: node=ASN, a directed edge from an ASN to an upstream ASN
Interesting cases:
• Leaf ASNs that are siblings, i.e. they have common parents in the AS graph (share same upstream AS)
• Cluster the leaves by country
• Find interesting patterns: certain siblings in certain countries are delivering similar suspicious campaigns
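The AS-graph construction of slides 20 to 24, written out as an added example (not code from the deck or from OpenDNS, and using the standard library instead of networkx). It parses TABLE_DUMP2 lines of the kind shown above, records an edge from each ASN to its upstream, derives the prefix-to-ASN map from the origin ASN, and then lists the leaf ASNs that share an upstream, which is the "sibling leaf" case that Use Case 1 builds on. The first routing-table line is the one on the slide; the other lines, the private-use ASNs 64500 to 64512 and the documentation prefixes are constructed.

```python
"""Build a directed AS graph and a prefix-to-ASN map from TABLE_DUMP2 lines,
then find sibling leaf ASNs (leaves sharing an upstream).

Added example for this deck; not OpenDNS code, and it uses the standard library
rather than networkx. The first line below is the one shown on the slide; the
rest are constructed from private-use ASNs and documentation prefixes.
"""
from collections import defaultdict

SAMPLE_TABLE_DUMP = """\
TABLE_DUMP2|1392422403|B|96.4.0.55|11686|67.215.94.0/24|11686 4436 2914 36692|IGP|96.4.0.55|0|0||NAG||
TABLE_DUMP2|1392422403|B|96.4.0.55|11686|203.0.113.0/24|11686 64500 64510|IGP|96.4.0.55|0|0||NAG||
TABLE_DUMP2|1392422403|B|96.4.0.55|11686|198.51.100.0/24|11686 64500 64511|IGP|96.4.0.55|0|0||NAG||
TABLE_DUMP2|1392422403|B|96.4.0.55|11686|198.51.100.0/24|11686 64501 64511|IGP|96.4.0.55|0|0||NAG||
TABLE_DUMP2|1392422403|B|96.4.0.55|11686|192.0.2.0/24|11686 64500 64512 64512|IGP|96.4.0.55|0|0||NAG||
"""


def parse_table_dump(text):
    """Yield (prefix, as_path) per TABLE_DUMP2 line.

    Field 5 is the prefix and field 6 the AS path (collector peer first,
    origin last). Prepended repeats are collapsed and AS-sets ("{...}") are
    dropped, so the path is a simple chain of distinct ASNs.
    """
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 7 or fields[0] != "TABLE_DUMP2":
            continue
        path = []
        for asn in fields[6].split():
            if asn.startswith("{"):
                continue
            if not path or path[-1] != asn:
                path.append(asn)
        if path:
            yield fields[5], path


def build_as_graph(text):
    """Return (upstreams, downstreams, prefix_to_asn).

    upstreams[a]   = ASNs one hop closer to the collector (edge a -> upstream)
    downstreams[a] = the reverse edges; an ASN with none is a leaf
    prefix_to_asn  = prefix -> origin ASN (the last ASN of the path)
    """
    upstreams = defaultdict(set)
    downstreams = defaultdict(set)
    prefix_to_asn = {}
    for prefix, path in parse_table_dump(text):
        prefix_to_asn[prefix] = path[-1]
        for downstream, upstream in zip(path[1:], path[:-1]):
            upstreams[downstream].add(upstream)
            downstreams[upstream].add(downstream)
    return upstreams, downstreams, prefix_to_asn


def leaf_asns(upstreams, downstreams):
    """ASNs that announce prefixes but carry no other ASN's routes."""
    nodes = set(upstreams) | set(downstreams)
    return {asn for asn in nodes if not downstreams.get(asn)}


def sibling_leaves(upstreams, downstreams):
    """Group leaf ASNs by upstream; groups of two or more are sibling leaves."""
    groups = defaultdict(set)
    for leaf in leaf_asns(upstreams, downstreams):
        for parent in upstreams[leaf]:
            groups[parent].add(leaf)
    return {parent: leaves for parent, leaves in groups.items() if len(leaves) > 1}


if __name__ == "__main__":
    up, down, prefix_to_asn = build_as_graph(SAMPLE_TABLE_DUMP)
    print("origin of 67.215.94.0/24:", prefix_to_asn["67.215.94.0/24"])
    print("leaf ASNs:", sorted(leaf_asns(up, down)))
    for parent, leaves in sibling_leaves(up, down).items():
        print(f"AS{parent} -> sibling leaves {sorted(leaves)}")
```

On a full Route Views dump the same loop runs over hundreds of thousands of lines; the leaf test only asks whether any other ASN sits behind an ASN, so multi-homed leaves (64511 above, with two upstreams) stay leaves and appear under each parent.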
25.
Use Case 1: Suspicious Sibling leaf ASNs
26.
Leaf ASNs and their upstreams
• January 8th topology snapshot, Ukraine, Russia
• 10 sibling leaf ASNs with 2 upstream ASNs
• /23 or /24 serving TrojWare.Win32.Kryptik.AXJX
• Trojan-Downloader.Win32.Ldmon.A
• http://telussecuritylabs.com/threats/show/TSL20130715-08
27.
Leaf ASNs and their upstreams (figure)
28.
Leaf ASNs and their upstreams
• February 21st topology snapshot, Ukraine, Russia
• AS31500 detached itself from the leaves (stopped announcing their prefixes)
• More leaves started hosting suspicious payload domains
• 3100+ malware domains on 1020+ IPs hosting malware
29.
Leaf ASNs and their upstreams
• Taking a sample of 160 live IPs
• Server setup is similar:
50 IPs with:
    22/tcp   open  ssh         OpenSSH 6.2_hpn13v11 (FreeBSD 20130515; protocol 2.0)
    8080/tcp open  http-proxy  3Proxy http proxy
    Service Info: OS: FreeBSD
108 IPs with:
    22/tcp open  ssh    OpenSSH 5.3 (protocol 1.99)
    80/tcp open  http?
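An added example, not code from the deck, of how the "50 IPs with ... / 108 IPs with ..." grouping above is produced: each host's nmap-style listing ("port/proto state service version" lines) is turned into a canonical fingerprint tuple and hosts are counted per fingerprint. The scan text is constructed (the service strings are copied from the slide, the addresses are from the documentation range 192.0.2.0/24).

```python
"""Group scanned hosts by service fingerprint.

Added example, not code from the deck: each host's nmap-style listing
("port/proto state service version" lines) becomes a canonical fingerprint
tuple, and hosts are counted per fingerprint, which is how the slide arrives
at "50 IPs with ..." and "108 IPs with ...". The scan results are constructed:
the service strings are copied from the slide, the addresses are from the
documentation range 192.0.2.0/24.
"""
import re
from collections import defaultdict

SCAN_RESULTS = {
    "192.0.2.10": """\
22/tcp   open  ssh        OpenSSH 6.2_hpn13v11 (FreeBSD 20130515; protocol 2.0)
8080/tcp open  http-proxy 3Proxy http proxy
Service Info: OS: FreeBSD""",
    "192.0.2.11": """\
22/tcp   open  ssh        OpenSSH 6.2_hpn13v11 (FreeBSD 20130515; protocol 2.0)
8080/tcp open  http-proxy 3Proxy http proxy
Service Info: OS: FreeBSD""",
    "192.0.2.20": """\
22/tcp open  ssh   OpenSSH 5.3 (protocol 1.99)
80/tcp open  http?""",
    "192.0.2.21": """\
22/tcp  open     ssh   OpenSSH 5.3 (protocol 1.99)
80/tcp  open     http?
445/tcp filtered microsoft-ds""",
}

# port/proto, state, service, optional version banner (everything after the service)
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_fingerprint(scan_text):
    """Return a hashable fingerprint: sorted (port, proto, state, service, version).

    Lines that are not port lines ("Service Info: ...") are ignored, so two
    hosts match only when every listed port agrees on state, service and banner.
    """
    entries = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        entries.append((int(port), proto, state, service, (version or "").strip()))
    return tuple(sorted(entries))


def group_by_fingerprint(scan_results):
    """Map fingerprint -> sorted list of IPs that share it."""
    groups = defaultdict(list)
    for ip, text in scan_results.items():
        groups[parse_fingerprint(text)].append(ip)
    return {fp: sorted(ips) for fp, ips in groups.items()}


def format_fingerprint(fp):
    """Render a fingerprint back in the slide's one-port-per-line style."""
    return "\n".join(
        f"{port}/{proto} {state} {service} {version}".rstrip()
        for port, proto, state, service, version in fp
    )


if __name__ == "__main__":
    for fp, ips in sorted(group_by_fingerprint(SCAN_RESULTS).items(), key=lambda kv: -len(kv[1])):
        print(f"{len(ips)} IPs with:\n{format_fingerprint(fp)}\n")
```

Whether a filtered port (445/tcp above) should split a group is a judgement call; here it does, because a filtered port on a range otherwise identical to its neighbours is itself something worth noticing.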
30.
Leaf ASNs and their upstreams
• The payload URLs were live on the entire range of IPs before any domains were hosted on them
• So, the IP infrastructure is set up in bulk and in advance
• http://pastebin.com/X83gkPY4
31.
Use Case 2: ASN abused or lax about shady content
32.
33.
Example ASNs abused or lax
• Wordstream hosting fake merchandise, Exploit kit domains, XXX themed sites, etc
• Resellers using IP space of larger providers
• e.g. Ixam-hosting uses Voxility
• Other abused ASNs like OVH, LeaseWeb, etc
• Ranking of ASNs: sitevet.com
34.
Use Case 3: Rogue ASN de-peered or gone stealth
35.
Rogue ASN de-peered or gone stealth
• AS48031 XSERVER-IP-NETWORK-AS PE Ivanov Vitaliy Sergeevich 86400
• Serving browlock, porn, radical forums, spam, etc
• "PE Ivanov Vitaliy Sergeevich malware"
36.
Rogue ASN de-peered or gone stealth
Romanian Man Commits Suicide and Kills His 4-Year-Old after Falling for Police Ransomware (news headline)
37.
Rogue ASN de-peered or gone stealth (figure)
38.
Rogue ASN de-peered or gone stealth
• AS48031 XSERVER-IP-NETWORK-AS PE Ivanov Vitaliy Sergeevich 86400
• 176.103.48.0/20 48031
• 193.169.86.0/23 48031
• 193.203.48.0/22 48031
• 193.30.244.0/22 48031
• 194.15.112.0/22 48031
• 196.47.100.0/24 48031
• 91.207.60.0/23 48031
• 91.213.8.0/24 48031
• 91.217.90.0/23 48031
• 91.226.212.0/23 48031
• 91.228.68.0/22 48031
• 93.170.48.0/22 48031
• 94.154.112.0/20 48031
39.
Rogue ASN de-peered or stealth (figure)
40.
Rogue ASN de-peered or stealth (figure)
41.
Marauder: Platform, tools, libraries used
42.
Platform and tools used
- Hadoop cluster
- Raw logs on HDFS
- Indexed DNSDB in HBase
- Python, shell, Gnu Parallel
- Streaming, zmq
43.
Python libraries
• Happybase: developer-friendly Python library to interact with Apache HBase
   http://happybase.readthedocs.org/en/latest/
   Column -> value
   Single row: domain, time, type, IP -> TTL
• Search DNSDB by IP, name
• Forward lookup for domain to get history of IPs, TTL
• Inverse lookup for IP to get mapping domain(s) over time
44.
Python libraries
• Happybase:
    import happybase

    # protect in a try/except: the Thrift connection to HBase can fail
    connection = happybase.Connection('server.com', compat='0.90')
    table = connection.table('authlogs')
    _domain = "google.com"
    # row keys are "domain:time:type:ip"; scan every row whose key starts with the domain
    for key, data in table.scan(row_prefix=_domain):
        domain, time, rtype, ip = key.split(":")
        ip_ttl = ip + " " + data['name2rr:v']  # if you need the TTL
45.
Python libraries
• IPy: Python class and tools for handling of IPv4 and IPv6 addresses and networks
   https://github.com/haypo/python-ipy/wiki
   Use it to flatten a CIDR into a list of IPs
    from IPy import IP

    cidr = IP('127.0.0.0/30')
    for ip in cidr:  # yields every address in the block, 127.0.0.0 through 127.0.0.3
        print(ip)
46.
Python libraries
• PySubnetTree: Python data structure SubnetTree which maps subnets given in CIDR notation to Python objects.
• Lookups are performed by longest-prefix matching.
   http://www.bro.org/download/README.pysubnettree.html
   Use it to map IP to BGP prefix and/or ASN
• A row in the prefix to ASN database (file):
   1.22.232.0/24 45528
47.
Python libraries
• PySubnetTree:
   Load pref_asn db then do lookups on IPs
    import SubnetTree

    pref_asn_db = SubnetTree.SubnetTree()
    # each line of the file is "prefix ASN", e.g. "1.22.232.0/24 45528";
    # key the tree by the prefix and keep the whole row as the value
    with open("pref-asn", 'r') as f_pref_asn:
        for line in f_pref_asn:
            prefix = line.split()[0]
            pref_asn_db[prefix] = line.strip()  # e.g. pref_asn_db["1.22.232.0/24"] = "1.22.232.0/24 45528"
    ip = "1.22.232.7"
    cidr = pref_asn_db[ip].split()[0]  # longest-prefix match; raises KeyError if no prefix covers ip
48.
Python libraries
• PyASN: Python extension module (written in C) that allows to perform very fast IP to ASN lookups
   https://code.google.com/p/pyasn/
• pygeoip: Map IP to country code
   https://pypi.python.org/pypi/pygeoip
• networkx: Python package to manipulate graphs
   http://networkx.github.io/
49.
Marauder in action
50.
Marauder in action
• Input: IP, BGP prefix, or ASN
• Use DNSDB (HBase)
• Use auth DNS stream
HBase:
1) IP: direct lookup
2) BGP prefix -> flatten prefix -> fork processes (GNU parallel processes or threads) to query HBase for every IP
3) ASN -> get list of prefixes from pref_asn_db -> process every prefix like in 2)
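The three input cases above, as an added example that is not OpenDNS code. It stands in for HBase with an in-memory dictionary, and for IPy and PySubnetTree with the standard ipaddress module (longest-prefix match by trying the longest prefixes first); the "prefix ASN" rows and the DNSDB rows are constructed. A target is "AS<n>", a CIDR prefix, or a single IP, and the per-IP lookups are fanned out to a thread pool in the way the slide describes for GNU parallel.

```python
"""Marauder-style query dispatch: an IP, a BGP prefix, or an ASN becomes the
list of IPs to look up, and the lookups are fanned out to a worker pool.

Added example for this deck, not OpenDNS code. HBase is replaced by an
in-memory dictionary, IPy and PySubnetTree by the standard ipaddress module
(longest-prefix match by trying the longest prefixes first). The "prefix ASN"
rows and the DNSDB rows are constructed.
"""
import ipaddress
from concurrent.futures import ThreadPoolExecutor

# Constructed rows in the deck's "prefix ASN" file layout.
PREF_ASN_ROWS = """\
198.51.100.0/24 64500
198.51.100.128/25 64501
203.0.113.0/24 64500
"""

# Constructed stand-in for the inverse (IP -> domains) lookup against HBase.
DNSDB_BY_IP = {
    "198.51.100.5": ["landing-a.example", "landing-b.example"],
    "198.51.100.200": ["ns1.example"],
    "203.0.113.7": ["shop.example"],
}


def load_pref_asn(text):
    """Parse 'prefix ASN' lines into [(network, asn)], longest prefixes first."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            prefix, asn = line.split()
            rows.append((ipaddress.ip_network(prefix), int(asn)))
    rows.sort(key=lambda row: row[0].prefixlen, reverse=True)
    return rows


def lookup_prefix(pref_asn_db, ip):
    """Longest-prefix match: the first (network, asn) covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, asn in pref_asn_db:
        if addr in net:
            return net, asn
    return None


def expand_target(pref_asn_db, target):
    """IPs designated by a target: 'AS<n>' -> every host of every prefix the
    ASN originates; a CIDR -> every host of the prefix; otherwise the IP itself."""
    if target.upper().startswith("AS"):
        asn = int(target[2:])
        nets = [net for net, a in pref_asn_db if a == asn]
    elif "/" in target:
        nets = [ipaddress.ip_network(target, strict=False)]
    else:
        return [str(ipaddress.ip_address(target))]
    return [str(ip) for net in nets for ip in net]


def query_ip(ip):
    """Inverse lookup of one IP; the real tool issues the HBase scan here."""
    return ip, DNSDB_BY_IP.get(ip, [])


def marauder(pref_asn_db, target, workers=8):
    """Fan the per-IP lookups out to a pool and keep IPs that host something."""
    ips = expand_target(pref_asn_db, target)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(query_ip, ips))
    return {ip: domains for ip, domains in results if domains}


if __name__ == "__main__":
    db = load_pref_asn(PREF_ASN_ROWS)
    for target in ("198.51.100.5", "198.51.100.0/24", "AS64501"):
        print(target, "->", marauder(db, target))
```

The linear scan in lookup_prefix is fine for a few rows; for the 500,000+ prefixes the deck mentions, PySubnetTree or pyasn gives the same longest-prefix answer in a tree.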
51.
Use Case 4: Malicious sub-allocated ranges
52.
Malicious sub-allocated ranges
• Case of OVH
• Sub-allocated ranges reserved by same suspicious customers, serving Nuclear Exploit kit domains
• Users are led to the Exploit landing sites through malvertising campaigns, then malware is dropped on victims' machines (e.g. zbot)
• Monitoring patterns for 5 months: Oct 2013-Feb 2014
53.
Malicious sub-allocated ranges
• For several months, OVH ranges were abused
• Notable fact: IPs were exclusively used for hosting Nuclear Exploit subdomains, no other sites hosted
54.
Malicious sub-allocated ranges (figure)
55.
Malicious sub-allocated ranges
• Some OVH sub-allocated ranges used in Jan-Feb 2014
   192.95.50.208 - 192.95.50.215
   198.50.183.68 - 198.50.183.71
   192.95.42.112 - 192.95.42.127
   192.95.6.112 - 192.95.6.127
   192.95.10.208 - 192.95.10.223
   192.95.7.224 - 192.95.7.239
   192.95.43.160 - 192.95.43.175
   192.95.43.176 - 192.95.43.191
   198.50.131.0 - 198.50.131.15
56.
Malicious sub-allocated ranges
• Feb 7th, bad actors moved to a Ukrainian hosting provider http://www.besthosting.ua/
   IP | first seen | last seen | days
   31.41.221.143 2014-02-14 2014-02-14 0
   31.41.221.142 2014-02-12 2014-02-14 2
   31.41.221.130 2014-02-12 2014-02-14 2
   31.41.221.140 2014-02-12 2014-02-12 0
   31.41.221.139 2014-02-12 2014-02-12 0
   31.41.221.138 2014-02-11 2014-02-12 1
   31.41.221.137 2014-02-10 2014-02-11 1
   31.41.221.136 2014-02-10 2014-02-11 1
   31.41.221.135 2014-02-10 2014-02-10 0
   31.41.221.134 2014-02-09 2014-02-19 10
   31.41.221.132 2014-02-08 2014-02-09 1
   31.41.221.131 2014-02-07 2014-02-08 1
57.
Malicious sub-allocated ranges
• Feb 14th, bad actors moved to a Russian hosting provider http://pinspb.ru/
   IP | first seen | last seen | days
   5.101.173.10 2014-02-21 2014-02-22 1
   5.101.173.9 2014-02-19 2014-02-21 2
   5.101.173.8 2014-02-19 2014-02-19 0
   5.101.173.7 2014-02-18 2014-02-19 1
   5.101.173.6 2014-02-18 2014-02-18 0
   5.101.173.5 2014-02-17 2014-02-18 1
   5.101.173.4 2014-02-17 2014-02-17 0
   5.101.173.3 2014-02-16 2014-02-17 1
   5.101.173.2 2014-02-15 2014-02-16 1
   5.101.173.1 2014-02-14 2014-02-15 1
58.
Malicious sub-allocated ranges
• Feb 22nd, bad actors moved back to OVH
• Notable fact: They change MO, IPs have been allocated and used in the past for other content -> evasion technique or resource recycling
• But during all this time, bad actors still kept the name server infrastructure on OVH on ranges reserved by same customers
59.
Malicious sub-allocated ranges
   IP | first seen | last seen | days
   198.50.143.73 2013-11-25 2014-02-24 91
   198.50.143.69 2013-11-25 2014-02-24 91
   198.50.143.68 2013-11-25 2014-02-24 91
   198.50.143.67 2013-11-26 2014-02-24 90
   198.50.143.65 2013-11-24 2014-02-23 91
   198.50.143.66 2013-11-25 2014-02-23 90
   198.50.143.64 2013-11-24 2014-01-25 62
   198.50.143.75 2013-12-03 2013-12-10 7
   198.50.143.79 2013-11-25 2013-12-10 15
   198.50.143.78 2013-11-25 2013-12-10 15
   198.50.143.74 2013-11-25 2013-12-10 15
   198.50.143.72 2013-11-25 2013-12-10 15
   198.50.143.71 2013-11-25 2013-12-10 15
   198.50.143.76 2013-11-25 2013-12-09 14
   198.50.143.70 2013-11-26 2013-12-09 13
   198.50.143.77 2013-11-26 2013-12-05 9
60.
Malicious sub-allocated ranges
• http://labs.umbrella.com/2014/02/14/when-ips-go-nuclear/
• http://pastebin.com/SX5R69vY
• http://pastebin.com/KuxpNJwV
61.
Abused TLDs
• Nuclear has been abusing various TLDs, ccTLDs (Feb 2014)
• .pw for a while
• Take down campaign with MalwareMustDie
• Moved to .ru and .in.net
• Then back to .pw
62.
Use Case 5: Predicting malicious domains IP infrastructure
63.
Malicious sub-allocated ranges (Feb 2014)
• For Nuclear, in addition to sub-allocated ranges reserved by same actors (for OVH case)
• The live IPs all have same server setup (fingerprint):
• 31.41.221.131 to 31.41.221.143
    22/tcp  open  ssh      OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
    80/tcp  open  http     nginx web server 0.7.67
    111/tcp open  rpcbind
• 5.101.173.1 to 5.101.173.10
    22/tcp  open  ssh      OpenSSH 6.0p1 Debian 4 (protocol 2.0)
    80/tcp  open  http     nginx web server 1.2.1
    111/tcp open  rpcbind
64.
Malicious sub-allocated ranges (Feb 2014)
• 198.50.143.64 to 198.50.143.79
    22/tcp  open     ssh           OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
    80/tcp  open     http          nginx web server 0.7.67
    445/tcp filtered microsoft-ds
• In some cases, IPs are brought online in small chunks
• The name server IPs also have the same fingerprint
• Combination of these different indicators has made predictions 100% accurate for the past months. Bad actors change their MO, but this approach works on other attacks
• -> We block/monitor IPs before they start hosting domains
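The last point, block or monitor IPs before they start hosting domains, as an added example (not OpenDNS code). It keeps a watchlist of ranges in the "first - last" form used in Use Case 4, summarises each watched IP as first seen / last seen / days in the layout of the tables above, and raises an alert whenever a stream record lands on a watched IP or names a name-server IP inside a watched range (the deck's point that the NS infrastructure stayed on the same reserved ranges). The watched ranges and the stream records, in the field order given on the Streaming Authoritative DNS slide, are constructed.

```python
"""Watch an authoritative DNS stream for domains landing on watched IP ranges,
and summarise each watched IP as first seen / last seen / days.

Added example for this deck, not OpenDNS code. The watched ranges stand in for
the sub-allocated ranges of Use Case 4 and the stream records follow the field
list on the Streaming Authoritative DNS slide (asn, domain, 2LD, IP, NS_IP,
timestamp, TTL, type); both are constructed.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed watchlist, inclusive first-last bounds as the deck lists them.
WATCHED_RANGES = [
    ("192.0.2.208", "192.0.2.223"),
    ("198.51.100.0", "198.51.100.15"),
]

# Constructed stream records: (asn, domain, 2LD, IP, NS_IP, unix timestamp, TTL, type).
# Timestamps fall on 2014-02-07, 02-08, 02-12, 02-10 and 02-14 (UTC).
STREAM = [
    (64500, "a1.pay.example", "pay.example", "192.0.2.210", "198.51.100.3", 1391734800, 300, "A"),
    (64500, "b7.pay.example", "pay.example", "192.0.2.210", "198.51.100.3", 1391824800, 300, "A"),
    (64500, "c2.buy.example", "buy.example", "192.0.2.211", "198.51.100.3", 1392163200, 300, "A"),
    (64510, "www.benign.example", "benign.example", "203.0.113.9", "203.0.113.53", 1391990400, 3600, "A"),
    (64510, "cdn.benign.example", "benign.example", "203.0.113.10", "198.51.100.3", 1392336000, 60, "A"),
]


def build_watchlist(ranges):
    """Turn inclusive (first, last) address pairs into CIDR blocks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


def in_watchlist(nets, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def scan_stream(nets, records):
    """Return (alerts, summary).

    alerts:  (domain, ip, reasons) for every record whose IP or NS IP is
             watched; reasons is a tuple drawn from ("ip", "ns_ip")
    summary: ip -> (first seen, last seen, days) for watched hosting IPs,
             the layout of the per-IP tables in Use Case 4
    """
    alerts = []
    seen = {}
    for _asn, domain, _sld, ip, ns_ip, ts, _ttl, _rtype in records:
        reasons = tuple(
            name for name, hit in (("ip", in_watchlist(nets, ip)),
                                   ("ns_ip", in_watchlist(nets, ns_ip))) if hit)
        if not reasons:
            continue
        alerts.append((domain, ip, reasons))
        if "ip" in reasons:
            day = datetime.fromtimestamp(ts, timezone.utc).date()
            first, last = seen.get(ip, (day, day))
            seen[ip] = (min(first, day), max(last, day))
    summary = {ip: (first.isoformat(), last.isoformat(), (last - first).days)
               for ip, (first, last) in seen.items()}
    return alerts, summary


if __name__ == "__main__":
    nets = build_watchlist(WATCHED_RANGES)
    alerts, summary = scan_stream(nets, STREAM)
    for domain, ip, reasons in alerts:
        print(f"ALERT {domain} -> {ip} ({', '.join(reasons)} in watchlist)")
    for ip, (first, last, days) in sorted(summary.items()):
        print(ip, first, last, days)
```

The NS-IP check is what catches the last record: its hosting IP is outside every watched range, but it is served by a name server inside one, which is the indicator the deck says survived the moves between providers.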
65.
Conclusion
• Predictive threat detection based on:
   • Monitoring of DNS traffic (recursive and authoritative) and hosting infrastructure
• Shut down the bad actors' infrastructure at the hosting provider, reseller level or lowest common upstream ancestor (with bad reputation and repeated offenses)
66.
References
• Discovering Fast Flux domains using Machine Learning (presented at BSides New Orleans 2013)
• Real time monitoring of Kelihos Fast Flux botnet (presented at APWG eCrime 2013)
• Fast detection of malicious domains using DNS (presented at BSides Raleigh 2013)
• The power of the team work – Management of Dissecting Kelihos Fast Flux Botnet "Unleashed" (presented at BotConf 2013)
67.
Contact Info
• Contact me at dhia@opendns.com if you are interested in:
   • Asking questions
   • Collaborating
• Twitter @DhiaLite
• Blogs http://labs.umbrella.com/author/dhia/
68.
Thank you
(Q & A)