Experiências com um Honeypot DNS: Caracterização e Evolução do Tráfego Malicioso (Experiences with a DNS Honeypot: Characterization and Evolution of Malicious Traffic)

  • Tiago Heinrich (UDESC)
  • Felipe de Souza Longo (UDESC)
  • Rafael R. Obelheiro (UDESC)

Abstract

The Domain Name System (DNS) plays a central role in the operation of the Internet, translating human-friendly names into the IP addresses that machines use. However, the DNS has structural security weaknesses that allow it to be attacked or abused as a tool for attacking third parties. A major current concern is Distributed Reflection Denial of Service (DRDoS) attacks, in which an attacker sends queries carrying the victim's spoofed source address to open (misconfigured) recursive DNS servers, which then flood the victim with responses that are much larger than the queries that triggered them. This paper introduces DNSpot, a DNS-specific honeypot that lets attackers interact with an open recursive DNS server in a controlled manner. We also analyze the DNS traffic observed by this honeypot over two periods, 49 days in 2015 and 250 days in 2016–2017, with a focus on DRDoS attacks, and highlight some noteworthy aspects of attacker behavior.
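As an added example (not code from the DNSpot paper or its authors), the following Python script shows the kind of characterization an open-resolver honeypot makes possible: it parses a query log, computes the bandwidth amplification factor per (name, type) pair, flags spoofed "sources" (in a reflection attack, the victims) that receive high-amplification responses at a high rate, and applies a toy response-rate-limiting policy that bounds how much amplification the honeypot hands out. The log format, the sample lines, the thresholds and the rate-limiting policy are all assumptions constructed for this example; DNSpot's actual log layout and controls are not described on this page.

```python
"""Characterising DRDoS-style traffic from an open-resolver honeypot log.

Added example, not from the DNSpot paper.  The log format (timestamp, source
IP, qname, qtype, query bytes, response bytes) and all thresholds below are
assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: an attacker spoofing 203.0.113.7 as the source
# hammers the resolver with ANY queries for a name with a large answer, next to
# a few ordinary-looking lookups from another client.
SAMPLE_LOG = """\
1500000000.00 203.0.113.7 example.net ANY 64 3200
1500000000.05 203.0.113.7 example.net ANY 64 3200
1500000000.10 203.0.113.7 example.net ANY 64 3200
1500000000.15 203.0.113.7 example.net ANY 64 3200
1500000000.20 203.0.113.7 example.net ANY 64 3200
1500000000.25 203.0.113.7 example.net ANY 64 3200
1500000000.30 198.51.100.9 www.example.org A 45 77
1500000007.00 198.51.100.9 mail.example.org MX 47 120
1500000008.50 203.0.113.7 example.net ANY 64 3200
"""


@dataclass(frozen=True)
class Query:
    ts: float     # UNIX timestamp of the query
    src: str      # source IP as seen on the wire (spoofed in a reflection attack)
    qname: str
    qtype: str
    qlen: int     # UDP payload bytes of the query
    rlen: int     # UDP payload bytes of the response the honeypot sent


def parse_log(text):
    """Parse the (hypothetical) whitespace-separated log format into Query records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, qname, qtype, qlen, rlen = line.split()
        records.append(Query(float(ts), src, qname.lower(), qtype.upper(),
                             int(qlen), int(rlen)))
    return records


def amplification_by_target(records):
    """Bandwidth amplification factor (response bytes / query bytes) per (qname, qtype)."""
    totals = defaultdict(lambda: [0, 0])
    for q in records:
        totals[(q.qname, q.qtype)][0] += q.qlen
        totals[(q.qname, q.qtype)][1] += q.rlen
    return {key: resp / query for key, (query, resp) in totals.items()}


def detect_reflection(records, window=1.0, min_queries=5, min_amp=10.0):
    """Flag source IPs that, within any `window`-second span, send at least
    `min_queries` queries whose (qname, qtype) amplifies by `min_amp` or more.
    Because a reflection attack spoofs the source address, a flagged source is
    the likely victim, not the attacker."""
    amp = amplification_by_target(records)
    by_src = defaultdict(list)
    for q in records:
        if amp[(q.qname, q.qtype)] >= min_amp:
            by_src[q.src].append(q)
    findings = {}
    for src, qs in by_src.items():
        qs.sort(key=lambda q: q.ts)
        peak, lo = 0, 0
        for hi in range(len(qs)):               # sliding window over timestamps
            while qs[hi].ts - qs[lo].ts > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= min_queries:
            findings[src] = {
                "peak_queries": peak,
                "bytes_reflected": sum(q.rlen for q in qs),
                "qnames": sorted({q.qname for q in qs}),
            }
    return findings


def rrl_decision(records, per_second=3):
    """Toy response-rate-limiting policy (an assumption about how a honeypot can
    bound the amplification it provides, modelled loosely on BIND's RRL): each
    source gets `per_second` full answers per one-second bucket; further queries
    in that bucket get a truncated (TC=1) reply, which a spoofed victim never
    follows up over TCP but a genuine client will."""
    buckets = defaultdict(int)
    decisions = []
    for q in sorted(records, key=lambda q: q.ts):
        key = (q.src, int(q.ts))
        buckets[key] += 1
        decisions.append("answer" if buckets[key] <= per_second else "truncate")
    return decisions


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(amplification_by_target(recs))
    print(detect_reflection(recs))
    print(rrl_decision(recs))
```

Run stand-alone, the script reports an amplification factor of 50 for `example.net/ANY`, flags 203.0.113.7 as the address receiving a burst of six amplified responses within one second (so, the probable victim), and shows the rate limiter truncating the answers beyond the third query per second. The same two measures, amplification per target name and per-source burst rate, are what distinguish reflection traffic from a busy but legitimate client in a honeypot's log.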

Published
2017-11-06
HEINRICH, Tiago; LONGO, Felipe de Souza; OBELHEIRO, Rafael R. Experiências com um Honeypot DNS: Caracterização e Evolução do Tráfego Malicioso. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 17., 2017, Brasília. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2017. p. 292-305. DOI: https://doi.org/10.5753/sbseg.2017.19507.
