DNS Wildcards Abuse in China
----From passive DNS perspective
Network Security Research Lab @QIHOO 360
Zhang Zaifeng

Page 1: Title

Page 2: Agenda

• About passiveDNS.cn
• What is DNS Wildcards Abuse (DWA)
• How DWA operates
• Measure DWA

Page 3: About passiveDNS.cn

• About 10% of DNS traffic in China
– The first and largest publicly known passive DNS database in China
– Open to the security community (nsp-sec, ops-trust)
• DNS requests: 900,000 q/s
• From 2014-08-05 till 2015-08-26
– DNS RRsets: 5.7 billion
– DNS RDATAs: 17.2 billion
– Unique domains: 4.6 billion

Page 4: What is DWA

• DNS wildcard
– A wildcard DNS record is a record in a DNS zone that matches requests for non-existent domain names. A wildcard DNS record is specified by using a "*" as the leftmost label (part) of a domain name. ----from wikipedia.org
– Domain is configured with a wildcard record
» *.example.com IN A 1.2.3.4
– Any subdomain of zone example.com that has no record of its own is pointed to 1.2.3.4
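An added example, not from the talk: the wildcard matching rules of RFC 4592 (listed in the references) in Python. A wildcard answers only for names that do not exist, and only when it sits directly under the closest existing ancestor of the queried name, which is why `*.example.com` does not cover `b.sub.example.com` once `sub.example.com` exists. The zone is constructed; CNAME, delegation and other record types are left out.

```python
# Constructed sample zone (not from the talk): owner name -> list of A rdata.
SAMPLE_ZONE = {
    "example.com": ["192.0.2.10"],
    "*.example.com": ["192.0.2.1"],        # the "*.example.com IN A" record from the slide
    "www.example.com": ["192.0.2.2"],
    "a.sub.example.com": ["192.0.2.3"],    # makes sub.example.com an empty non-terminal
}

def labels(name):
    """Split a domain name into lowercase labels, ignoring the trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def existing_names(zone):
    """Every owner name plus every ancestor of one: empty non-terminals exist too."""
    names = set()
    for owner in zone:
        ls = labels(owner)
        for i in range(len(ls)):
            names.add(".".join(ls[i:]))
    return names

def lookup_a(zone, qname):
    """Answer an A query against `zone` following RFC 4592 wildcard synthesis.
    Returns ('A', rdata), ('NODATA', None) or ('NXDOMAIN', None)."""
    q = labels(qname)
    key = ".".join(q)
    if key in zone:                      # explicit record: a wildcard never overrides it
        return ("A", zone[key])
    existing = existing_names(zone)
    if key in existing:                  # name exists but has no A record
        return ("NODATA", None)
    # closest encloser = longest existing ancestor of qname;
    # only the wildcard "*.<closest encloser>" may synthesize an answer
    for i in range(1, len(q)):
        ancestor = ".".join(q[i:])
        if ancestor in existing:
            wildcard = "*." + ancestor
            if wildcard in zone:
                return ("A", zone[wildcard])
            return ("NXDOMAIN", None)
    return ("NXDOMAIN", None)
```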

Page 5: What is DWA cont.

• DNS wildcards abuse (DWA)
– Methods:
• Register lots of domains
• All these domains have wildcard records enabled
• Most FQDN webpages have duplicate or nonsensical contents
• Most pages link or cross-refer to each other
– Purpose:
• Black hat SEO
• Possibly evade firewall blocking rules

Page 6: Example

• Domain style:
– Like DGA, but no NXDOMAINs
– Random-prefix subdomains
– MANY (sub)domains vs a SINGLE IP address

Page 7: Example cont.

• Domain style:
– MANY (sub)domains vs MULTIPLE IP addresses

Page 8: Example cont.

• Domain style:
– New gTLDs (.science) are also involved

Page 9

• What does the real webpage look like?
• The following pages show 3 different sites with similar page structure, layout and content
– All pages have some sort of medical rewards, a photo of a middle-aged doctor, a nice hospital facility etc.

Page 10: Website 1

Page 11: Website 2

Page 12: Website 3

Page 13: DWA webpage source

• Take a look at the page HTML
– Here it shows: "The ultimate killer team for medical DWA", with its website and customer service QQ number
– Another slogan: "The newest ranking technology, which circumvents search engine blocking"

Page 14: How it operates

• General steps:
– Prepare domains / Virtual Private Servers (VPS)
– Pick keywords for search engines
– Generate (fake) original content (to be indexed by search engines)
– Site goes live
• Prepare domains/VPS:
– Purchase domains
– Purchase VPS
– Domains go live
– Generate subdomains

Page 15: Purchase domains

• From the almighty taobao.com
• So cheap when buying a mass of domains

Page 16: Purchase VPS

• Same as domains, from the almighty taobao.com
• So many dedicated VPS for DWA
• The industry chain is full-blown.

Page 17: Domains go live

• Have loads of domains and corresponding VPS
– Resolving them is time-consuming and very boring
– No worries, there are tools to make things easier

Page 18: Generate subdomains

• Automatically generates all kinds of subdomains according to your configuration
– Pinyin (拼音) subdomains
– Random subdomains
• digits-only, alphabets-only, or a mix of them

Page 19: DWA Variation

• Only one type of DWA?
– Absolutely NOT!
– Domain shadowing

Page 20: DWA Variation cont.

• Legit DNS server taken over
– Gambling sites
– TLDs are gov.cn, which is used by the Chinese government.

Page 21: DWA Variation cont.

• Government sites are the main targets.
– Many government sites are poorly managed; attacking the registrant accounts is easy
– Rank higher in search engines
• Advantages:
– Economy. No need to purchase lots of domains
– Efficiency. Many search engines rank government sites higher
• Disadvantages:
– High risk. You don't want to get caught

Page 22: How we measure DWA

• Select and verify DWA
– Select
• Domain registered in China but server IPs are located overseas
• Has wildcard records
• Not CDN domains / dynamic DNS domains / popular domains (Alexa Top 100k)
• Not special IPs
– Sinkhole IPs
– Domain parking/reselling
• Other filters …
– Verify
• Data
– 20150515~20150521: 948,005 domains
– 350,282 valid domains (site is live with a page title)
• Result
– Pornographic sites: 45%
– Gambling sites: 15%
– Misconfiguration: 9%
– Normal business: 8%
– Traffic Direction System: 7%
– Others: 16%
• And let's see the detailed statistics
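An added example of the selection step above in Python, not the talk's own tooling: passive DNS A records are grouped by SLD, the slide's filters are applied (registered in China, server IPs overseas, no CDN/popular zones, no sinkhole or parking IPs), and the wildcard-style fan-out of many random-looking subdomains onto one or a few IPs is scored. The sample records are constructed, and the whois, exclusion-list and GeoIP lookups are placeholder dictionaries standing in for the real data sources.

```python
from collections import defaultdict

# Constructed passive DNS sample: (FQDN, A rdata). Not data from passivedns.cn.
RECORDS = [
    ("x7k2q.dwa-example.cn", "203.0.113.5"), ("pz91a.dwa-example.cn", "203.0.113.5"),
    ("8831.dwa-example.cn", "203.0.113.5"),  ("qwe12.dwa-example.cn", "203.0.113.5"),
    ("mkl0p.dwa-example.cn", "203.0.113.5"), ("zz09.dwa-example.cn", "203.0.113.6"),
    ("www.normal-biz.cn", "198.51.100.7"),   ("mail.normal-biz.cn", "198.51.100.7"),
    ("a1b2.cdn-example.cn", "198.51.100.9"), ("c3d4.cdn-example.cn", "198.51.100.9"),
    ("h1.parked-example.cn", "192.0.2.66"),  ("h2.parked-example.cn", "192.0.2.66"),
    ("k9j3.local-example.cn", "198.51.100.20"), ("r4t5.local-example.cn", "198.51.100.20"),
]
# Placeholder lookups standing in for the talk's filters: whois registrant country,
# the Alexa/CDN/dynamic-DNS exclusion list, sinkhole/parking IPs and a GeoIP database.
REGISTERED_IN_CN = {"dwa-example.cn", "normal-biz.cn", "cdn-example.cn",
                    "parked-example.cn", "local-example.cn"}
EXCLUDED_ZONES = {"cdn-example.cn"}
SPECIAL_IPS = {"192.0.2.66"}
IP_COUNTRY = {"203.0.113.5": "US", "203.0.113.6": "US", "198.51.100.7": "CN",
              "198.51.100.9": "CN", "192.0.2.66": "US", "198.51.100.20": "CN"}
COMMON_HOSTS = {"www", "mail", "ftp", "smtp", "ns1", "ns2", "m", "blog"}
MIN_FQDNS = 3   # "MANY subdomains" threshold for this toy sample; tune on real data

def sld(fqdn):
    """Registrable domain; handles the two-label .cn suffixes the talk measures (gov.cn, ac.cn)."""
    p = fqdn.lower().split(".")
    n = 3 if p[-1] == "cn" and p[-2] in {"gov", "ac", "com", "net", "org", "edu"} else 2
    return ".".join(p[-n:])

def select_candidates(records):
    """Group passive DNS A records by SLD and apply the selection filters.
    Returns {sld: {"fqdns": n, "ips": n, "random_ratio": r}} for DWA candidates."""
    per_sld = defaultdict(lambda: {"fqdns": set(), "ips": set(), "random": set()})
    for fqdn, ip in records:
        d = per_sld[sld(fqdn)]
        d["fqdns"].add(fqdn); d["ips"].add(ip)
        if fqdn.split(".")[0] not in COMMON_HOSTS:   # generated-looking leftmost label
            d["random"].add(fqdn)
    out = {}
    for s, d in per_sld.items():
        if s in EXCLUDED_ZONES or s not in REGISTERED_IN_CN: continue
        if d["ips"] & SPECIAL_IPS: continue                          # sinkhole / parking
        if any(IP_COUNTRY.get(ip) == "CN" for ip in d["ips"]): continue  # servers overseas
        if len(d["fqdns"]) < MIN_FQDNS: continue                     # wildcard-style fan-out
        out[s] = {"fqdns": len(d["fqdns"]), "ips": len(d["ips"]),
                  "random_ratio": round(len(d["random"]) / len(d["fqdns"]), 2)}
    return out
```

Candidates surviving these filters still need the slide's verify step (the site is live and has a page title) before classification.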

Page 23: Measure DWA

• Active domains – second level domain (SLD)
– All TLDs: 21481/day
– cn: 8649/day

[Chart: daily active SLD count, 2015-01-13 to 2015-08-26, y axis 0 to 60000; series: total_num, cn_num, gov_cn_num, ac_cn_num, science_num]

Page 24: Measure DWA cont.

• Active domains – SLD
– Zoom in on the ac.cn/science/gov.cn curves
– About ac.cn
• ac.cn is used by academic institutes in China. Avg: 646/day
– About gov.cn
• gov.cn is an index which reflects the security of government sites. Avg: 67/day
– About .science
• First seen at 20150403, burst at 20150415, highest point at 20150618. Avg: 377/day

[Chart: daily active SLD count, 2015-01-13 to 2015-08-21, y axis 0 to 3500; series: gov_cn_num, ac_cn_num, science_num]

Page 25: Measure DWA cont.

• Active domains – Fully Qualified Domain Name (FQDN)
– .ac.cn avg: 9296/day. FQDN/SLD: 15X
– .gov.cn is stable. Avg: 1245/day. FQDN/SLD: 18.6X
– .science avg: 5256/day. FQDN/SLD: 14X
– What's wrong with ac.cn on 20150303?

[Chart: daily active FQDN count, 2015-01-13 to 2015-08-26, y axis 0 to 160000; series: gov_cn_num, ac_cn_num, science_num]

Page 26: Measure DWA cont.

• Active domains – FQDN
– The spike of ac.cn at 20150302~20150304
• About 50 SLDs, which had a large number of sub-domains in the same style, like the following:

Page 27: Measure DWA cont.

• Active domains – SLD
– Other new gTLDs (excluding .science)
• top (4080/day), xyz (384/day), party (259/day), club (165/day), website (43/day)

[Chart: daily active SLD count, 2015-07-03 to 2015-08-26, y axis 0 to 8000; series: xyz, top, party, club, website]

Page 28: Measure DWA cont.

• Active server IPs
– Avg: 15,082/day

[Chart: daily unique server IP count (uniq_ip_num), 2015-01-14 to 2015-08-14, y axis 0 to 30000]

Page 29: Measure DWA cont.

• Server IP distribution
– 83% located in US
– 13% located in HK, Japan and Taiwan
– Top 10 ASNs: 68%; 8/10 ASNs located in US, 2/10 ASNs located in HK.

[Pie chart: IP distribution/ASN. Legend entries paired with the slice percentages in the order both appear on the slide: AS18978 Enzu Inc 20%, AS15003 Nobis Technology Group 12%, AS40676 Psychz Networks 12%, AS20248 Take 2 Hosting, Inc. 5%, AS35908 Krypt Technologies 4%, AS38197 Sun Network (HK) LLC 3%, AS54600 PEG TECH INC 3%, AS53755 Input Output Flood LLC 3%, AS18779 EGIHosting 3%, AS17444 New World Telephone 2%, AS8100 QuadraNet, Inc 2%, AS22552 eSited Solutions 2%, AS17139 Corporate Colocation Inc. 1%, other 26%]

[Pie chart: IP distribution/country. US 83%, HK 11%, JP 1%, TW 1%, other 4%]

Page 30: Measure DWA cont.

• Lifetime distribution
– 86% of FQDNs live less than one day
– 42% of SLDs live less than one day

Lived days   FQDN_num   SLD_num
[0,1)        86%        42%
[1,7)        5%         18%
[7,32)       3%         14%
[32,)        6%         25%

Page 31: Measure DWA cont.

• Domain access count distribution
– 70% of SLDs have fewer than 100 DNS requests.
– 88% of SLDs have fewer than 500 DNS requests.

SLD_access_count   Share of SLDs
(0,100]            70%
(100,500]          18%
(500,1000]         4%
(1000,5000]        5%
(5000,)            2%

Page 32: Measure DWA cont.

• Conclusion
– DWA is popular
– But, as an SEO trick, it does not work so well.
• Judging from DNS request numbers and domain lifetimes
• Judging from the slogan of "狗小云站群" (one of the DWA software providers, http://q8888q.com/): "the only effectual DWA software on all of the web"
• Why such a big scale? Some reasons (maybe):
– Not every webmaster knows this conclusion.
– Not just for SEO:
• Some type of domain flux
• Evading the FW/IPS/WAF's blocking policy

Page 33: Reference

• https://passivedns.cn
• http://baike.baidu.com/view/3166471.htm
• http://baike.baidu.com/view/8794895.htm
• http://www.hxzhanqun.cn/shipinyanshi/
• http://www.iisp.com/ztview/F_d020.html?s=netcn
• http://www.cnkuai.cn/domain/domain_en_ac_cn.htm
• http://www.163ns.com/help/495.html
• http://www.royotech.com/pages/toolbox/articles/web/15.php
• http://www.famousfourmedia.com/science/
• http://register.science/
• http://www.alpnames.com/
• http://www.freehao123.com/alpnames-register-science/
• http://q8888q.com/
• http://tools.ietf.org/html/rfc4592
• http://www.thesempost.com/google-dislikes-zombie-sub-domains/
• http://www.kevstrong.com/technology/avoiding-ghost-sub-domains-and-duplicate-content/

Page 34