Experiências com um Honeypot DNS: Caracterização e Evoluão do Tráfego Malicioso
Resumo
O Domain Name System (DNS) desempenha um papel central no funcionamento da Internet, sendo responsável por traduzir nomes mnemônicos em endereços IP. No entanto, o DNS possui certas vulnerabilidades estruturais de segurança, que permitem que ele seja atacado ou usado como instrumento de ataque a terceiros. Atualmente, uma grande preocupação são os ataques distribuídos de negação de serviço por reflexão (Distributed Reflection Denial of Service, DRDoS), que se aproveitam de servidores DNS mal configurados para saturar vítimas com tráfego. Este artigo introduz o DNSpot, um honeypot específico para DNS que permite que atacantes interajam com um servidor DNS recursivo aberto de forma controlada. O artigo também apresenta uma análise do tráfego DNS observado pelo honeypot durante dois períodos, em 2015 (49 dias) e 2016–2017 (250 dias), com foco em ataques DRDoS, destacando também aspectos notáveis do comportamento de atacantes.
Referências
Abley, J., Gudmundsson, O., and Majkowski, M. (2017). Providing minimalsized responses to DNS queries that have QTYPE=ANY. IETF Draft draft-ietf-dnsoprefuse-any-04 (Proposed standard). Disponível em https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any-04.
Akamai (2017). Q1 2017 state of the Internet/security report. Technical report. Disponível em http://www.akamai.com/.
Anagnostopoulos, M., Kambourakis, G., Kopanos, P., Louloudakis, G., and Gritzalis, S. (2013). DNS amplification attack revisited. Computers & Security, 39:475–485.
Arbor (2017). Worldwide infrastructure security report, vol. XII. Technical report, Arbor Networks. Disponível em http://www.arbornetworks.com/.
Atlasis, A. (2017). An attack-in-depth analysis of multicast DNS and DNS service discovery. In Hack in the Box, Amsterdam. Disponível em http://tinyurl.com/ycybxp59.
Barbosa, K. R. and Pereira, E. S. J. (2009). Análise passiva do tráfego DNS da Internet brasileira. In Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais (SBSeg), pages 203–216.
Brownlee, N., Claffy, K. C., and Nemeth, E. (2001). DNS measurements at a root server. In IEEE Global Telecommunications Conference (GLOBECOM), San Antonio, TX.
Castro, S., Zhang, M., John,W.,Wessels, D., and Claffy, K. C. (2010). Understanding and preparing for DNS evolution. In Traffic Monitoring and Analysis Workshop (TMA), pages 1–6, Zurich, Switzerland.
CERT.br (2016). Recomendações para melhorar o cenário de ataques distribuídos de negação de serviço (DDoS). Disponível em http://www.cert.br/docs/whitepapers/ddos/.
Cheshire, S. and Krochmal, M. (2013). DNS-based service discovery. RFC 6763.
Conrad, D. (2012). Towards improving DNS security, stability, and resiliency. Technical report, Internet Society.
Danzig, P. B., Obraczka, K., and Kumar, A. (1992). An analysis of wide-area name server traffic: a study of the Internet Domain Name System. ACM SIGCOMM Computer Communication Review, 22(4):281–292.
Fachkha, C., Bou-Harb, E., and Debbabi, M. (2015). Inferring distributed reflection denial of service attacks from darknet. Computer Communications, 62:59–71.
Gao, H., Yegneswaran, V., Chen, Y., Porras, P., Ghosh, S., Jiang, J., and Duan, H. (2013). An empirical reexamination of global DNS behavior. ACM SIGCOMM Computer Communication Review, 43(4):267–278.
Jung, J., Sit, E., Balakrishnan, H., and Morris, R. (2002). DNS performance and the effectiveness of caching. IEEE/ACM Transactions on Networking, 10(5):589–603.
Kührer, M., Hupperich, T., Bushart, J., Rossow, C., and Holz, T. (2015). Going wild: Large-scale classification of open DNS resolvers. In Internet Measurement Conference (IMC), pages 355–368, Tokyo, Japan.
MacFarland, D. C., Shue, C. A., and Kalafut, A. J. (2017). The best bang for the byte: Characterizing the potential of DNS amplification attacks. Computer Networks, 116:12–21.
Mockapetris, P. (1987). Domain names – concepts and facilities. RFC 1034.
Perdisci, R., Corona, I., Dagon, D., and Lee,W. (2009). Detecting malicious flux service networks through passive analysis of recursive DNS traces. In Annual Computer Security Applications Conference (ACSAC), pages 311–320, Honolulu, HI.
Steding-Jessen, K., Vijaykumar, N. L., and Montes Filho, A. (2008). Using lowinteraction honeypots to study the abuse of open proxies to send Spam. InfoComp, 7(1):44–52.
Takano, Y., Ando, R., Takahashi, T., Uda, S., and Inoue, T. (2013). A measurement study of open resolvers and DNS server version. In Internet Conference (IEICE).
Tanasi, A. (2014). Homemade custom interaction DNS honeypot. Disponível em http://tinyurl.com/y955ohns.
Van Impe, K. (2015). Analyzing queries on a honeypot name server for better DNS log quality. Security Intelligence. Disponível em http://tinyurl.com/ybsze9zd.
van Rijswijk-Deij, R., Sperotto, A., and Pras, A. (2014). DNSSEC and its potential for DDoS attacks: A comprehensive measurement study. In Internet Measurement Conference (IMC), pages 449–460, Vancouver, BC, Canada.
Zdrnja, B., Brownlee, N., and Wessels, D. (2007). Passive monitoring of DNS anomalies. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), pages 129–139, Lucerne, Switzerland.
Zhao, G., Xu, K., Xu, L., and Wu, B. (2015). Detecting APT malware infections based on malicious DNS and traffic analysis. IEEE Access, 3:1132–1142.
Akamai (2017). Q1 2017 state of the Internet/security report. Technical report. Disponível em http://www.akamai.com/.
Anagnostopoulos, M., Kambourakis, G., Kopanos, P., Louloudakis, G., and Gritzalis, S. (2013). DNS amplification attack revisited. Computers & Security, 39:475–485.
Arbor (2017). Worldwide infrastructure security report, vol. XII. Technical report, Arbor Networks. Disponível em http://www.arbornetworks.com/.
Atlasis, A. (2017). An attack-in-depth analysis of multicast DNS and DNS service discovery. In Hack in the Box, Amsterdam. Disponível em http://tinyurl.com/ycybxp59.
Barbosa, K. R. and Pereira, E. S. J. (2009). Análise passiva do tráfego DNS da Internet brasileira. In Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais (SBSeg), pages 203–216.
Brownlee, N., Claffy, K. C., and Nemeth, E. (2001). DNS measurements at a root server. In IEEE Global Telecommunications Conference (GLOBECOM), San Antonio, TX.
Castro, S., Zhang, M., John,W.,Wessels, D., and Claffy, K. C. (2010). Understanding and preparing for DNS evolution. In Traffic Monitoring and Analysis Workshop (TMA), pages 1–6, Zurich, Switzerland.
CERT.br (2016). Recomendações para melhorar o cenário de ataques distribuídos de negação de serviço (DDoS). Disponível em http://www.cert.br/docs/whitepapers/ddos/.
Cheshire, S. and Krochmal, M. (2013). DNS-based service discovery. RFC 6763.
Conrad, D. (2012). Towards improving DNS security, stability, and resiliency. Technical report, Internet Society.
Danzig, P. B., Obraczka, K., and Kumar, A. (1992). An analysis of wide-area name server traffic: a study of the Internet Domain Name System. ACM SIGCOMM Computer Communication Review, 22(4):281–292.
Fachkha, C., Bou-Harb, E., and Debbabi, M. (2015). Inferring distributed reflection denial of service attacks from darknet. Computer Communications, 62:59–71.
Gao, H., Yegneswaran, V., Chen, Y., Porras, P., Ghosh, S., Jiang, J., and Duan, H. (2013). An empirical reexamination of global DNS behavior. ACM SIGCOMM Computer Communication Review, 43(4):267–278.
Jung, J., Sit, E., Balakrishnan, H., and Morris, R. (2002). DNS performance and the effectiveness of caching. IEEE/ACM Transactions on Networking, 10(5):589–603.
Kührer, M., Hupperich, T., Bushart, J., Rossow, C., and Holz, T. (2015). Going wild: Large-scale classification of open DNS resolvers. In Internet Measurement Conference (IMC), pages 355–368, Tokyo, Japan.
MacFarland, D. C., Shue, C. A., and Kalafut, A. J. (2017). The best bang for the byte: Characterizing the potential of DNS amplification attacks. Computer Networks, 116:12–21.
Mockapetris, P. (1987). Domain names – concepts and facilities. RFC 1034.
Perdisci, R., Corona, I., Dagon, D., and Lee,W. (2009). Detecting malicious flux service networks through passive analysis of recursive DNS traces. In Annual Computer Security Applications Conference (ACSAC), pages 311–320, Honolulu, HI.
Steding-Jessen, K., Vijaykumar, N. L., and Montes Filho, A. (2008). Using lowinteraction honeypots to study the abuse of open proxies to send Spam. InfoComp, 7(1):44–52.
Takano, Y., Ando, R., Takahashi, T., Uda, S., and Inoue, T. (2013). A measurement study of open resolvers and DNS server version. In Internet Conference (IEICE).
Tanasi, A. (2014). Homemade custom interaction DNS honeypot. Disponível em http://tinyurl.com/y955ohns.
Van Impe, K. (2015). Analyzing queries on a honeypot name server for better DNS log quality. Security Intelligence. Disponível em http://tinyurl.com/ybsze9zd.
van Rijswijk-Deij, R., Sperotto, A., and Pras, A. (2014). DNSSEC and its potential for DDoS attacks: A comprehensive measurement study. In Internet Measurement Conference (IMC), pages 449–460, Vancouver, BC, Canada.
Zdrnja, B., Brownlee, N., and Wessels, D. (2007). Passive monitoring of DNS anomalies. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), pages 129–139, Lucerne, Switzerland.
Zhao, G., Xu, K., Xu, L., and Wu, B. (2015). Detecting APT malware infections based on malicious DNS and traffic analysis. IEEE Access, 3:1132–1142.
Publicado
06/11/2017
Como Citar
HEINRICH, Tiago; LONGO, Felipe de Souza; OBELHEIRO, Rafael R..
Experiências com um Honeypot DNS: Caracterização e Evoluão do Tráfego Malicioso. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 17. , 2017, Brasília.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2017
.
p. 292-305.
DOI: https://doi.org/10.5753/sbseg.2017.19507.
