Presentation by ICANN
DNS Security for CERTs – Attack Scenarios & Demonstrations – Malicious Use
Chris Evans, Delta Risk, LLC
7 March 2010
What You Will Need for the Exercises
• Your Windows Terminal Server
– From Windows, Run ‘mstsc’
– From Mac, please download the Terminal Server Client from the wiki
– Run the DNS-Bot.vbs file when instructed
– Open a command prompt, and run
cscript.exe c:/users/studentX/Desktop/DNS-Bot.vbs
– Don’t forget – X is your student number
Description – Malicious Use
• Using the DNS to propagate malware or conduct attacks in a malicious manner, yet consistent with the DNS protocols
– BotNet Command & Control (indirect)
– Amplification Attacks (direct)
• These attacks do not necessarily target DNS servers – rather, they use your servers to conduct an attack elsewhere
[Diagram: NS, Victim]
Case Study – Conficker
• Conficker - the Conficker worm appeared in late 2008, with most of the attention starting in Jan/Feb of 2009.
– The worm used pseudo-randomly generated domains from several top level domains (ccTLDs included) as its command and control points.
– The worm would contact servers on these random domains for instructions.
Case Study – Conficker
• The Conficker Working Group (Conficker Cabal) was started to address response actions to the worm
– Comprised of businesses, DNS operations, Internet organizations, and security researchers
– Requested top level organizations with suspected domain names involved in Conficker to register them in hopes of preempting Conficker activity
• Conficker mutated to thwart activity of the Working Group and started using P2P methods vs. DNS
How Should a ccTLD React to a Request to Register (at no cost) Hundreds of Domain Names to Prevent Malicious Activity?
Attack Demonstration
• The “DNS Bot” receives its instructions and sends information back to the hacker via DNS
[Diagram: DNS-Bot.vbs, Caching Server, NS, Rogue Server; Double-click; Run Command & Post Results]
Remember, the bot won’t do anything malicious!
Demonstration – Attacker View
• Rogue DNS Bind File & Web Post Directory
Demonstration – Server View
Demonstration – User View
• Please run your bot now
– Open a command prompt and run the command:
cscript.exe c:/users/studentX/Desktop/DNS-Bot.vbs
• Wireshark view
Demonstration – User View
• If you’d like to start Wireshark…
– Double click icon on desktop
– Select Options from Capture Menu
– In “capture filter” type port 53
– Click “Start”
Demonstration – User View
[Screenshot callout: Encoded data sent to DNS server]
Demonstration – User View
• The bot will periodically request instructions over DNS from a rogue DNS server (192.168.85.5)
– Can you find the rogue DNS server with wireshark or DNS tools?
• The bot will execute the instructions:
– Wait, Download a File, Run a Command & Post Results, Quit
– Can you “reverse engineer” the instructions?
– Can you see what is being posted?
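As an added example (not part of the presentation or its DNS-Bot.vbs), a small Python detector for the kind of traffic the exercise asks you to find in Wireshark: queries sent to a resolver other than the site's sanctioned one, long hex-like or high-entropy leftmost labels carrying encoded data, and TXT lookups used as an instruction channel. The log line format, the resolver allow-list and the thresholds are assumptions, and the sample log lines are constructed (the rogue server address 192.168.85.5 is the one from the slides).

```python
import math
import re
from collections import Counter

# Constructed sample log (format "client resolver qname qtype" is an assumption).
# The first two lines are ordinary lookups; the rest mimic a bot that hex-encodes
# data in the leftmost label and talks to a resolver that is not the site's own.
SAMPLE_LOG = """\
10.0.0.12 10.0.0.2 www.example.com A
10.0.0.12 10.0.0.2 mail.example.com MX
10.0.0.12 192.168.85.5 cmd.bot.example TXT
10.0.0.12 192.168.85.5 726573756c743a686f73743d7063313200.post.bot.example A
10.0.0.12 192.168.85.5 6f75747075743a6f6b0a646f6e6500.post.bot.example A
"""

ALLOWED_RESOLVERS = {"10.0.0.2"}  # assumption: the site's sanctioned resolver(s)
HEXLIKE = re.compile(r"^[0-9a-f]{16,}$")

def shannon_entropy(label: str) -> float:
    """Bits per character: hex-encoded data lands near 3.5-4.0, real words lower."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def score_query(resolver, qname, qtype, allowed=ALLOWED_RESOLVERS):
    """Return the tunnelling indicators that fire for one query (empty = clean)."""
    reasons = []
    first = qname.split(".")[0].lower()
    if resolver not in allowed:
        reasons.append("unsanctioned resolver " + resolver)
    if len(first) >= 20:
        reasons.append("long leftmost label (%d chars)" % len(first))
    if HEXLIKE.match(first) or shannon_entropy(first) > 3.3:
        reasons.append("encoded-looking label")
    if qtype == "TXT":
        reasons.append("TXT query (common C2 instruction channel)")
    return reasons

def find_suspects(log_text: str, allowed=ALLOWED_RESOLVERS):
    """Parse the log; return (qname, resolver, reasons) for every flagged query."""
    hits = []
    for line in log_text.splitlines():
        _client, resolver, qname, qtype = line.split()
        reasons = score_query(resolver, qname, qtype, allowed)
        if reasons:
            hits.append((qname, resolver, reasons))
    return hits
```

Calling `find_suspects(SAMPLE_LOG)` returns the three bot queries with the indicators that fired, while the two ordinary lookups are left alone; a real deployment would feed it passive DNS or resolver query logs and tune the thresholds to the site's normal naming.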
Impact
• DNS resources used for malicious purposes
• Possible brand or reputation loss due to apparent attacks originating from servers
• Widespread bot proliferation
Mitigation & Response Strategies
• Domain “Blackholes” – but only if domains don’t change rapidly – you have to keep up!
• Strengthen registrant information validation
• Develop policies for determining what’s malicious
• Add detection mechanisms for malicious use
– Host based (antivirus, patching, etc.)
– Network based (traffic & domain analysis)
• Develop policies for domain takedown
• Develop cooperative agreements with other registries, CERTs, law enforcement, and security organizations to address malicious use scenarios
Questions?