Passive Analysis of DNS Traffic on the Brazilian Internet
Abstract
This article presents a passive monitoring study of DNS traffic on the Brazilian Internet, in which anomalies were observed that consume computational resources that should be serving only valid queries. In one analysis, approximately 43% of the most frequently seen resource record queries were of type PTR, whereas other work on the subject reports the A record as the most frequent type. The behaviour observed in Brazilian Internet traffic points to malicious activity such as network reconnaissance and the sending of unauthorized messages (spam), as well as domain zone configuration errors.
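As an added illustration of the kind of passive profiling the abstract describes (example code written for this page, not the paper's own tooling), the Python below parses tcpdump-style query summaries from a constructed sample capture, computes the share of each query type, and flags two PTR patterns of the kind the abstract attributes to reconnaissance and misconfiguration: a single client walking the reverse zone of a /24, and PTR queries for RFC 1918 addresses that should never reach the public Internet. The log format, the sweep threshold and the RFC 1918 heuristic are assumptions, not results taken from the page.

```python
"""Passive profiling of DNS query types from tcpdump-style summaries.

Added example for this page (not the paper's tooling). Assumes the one-line
format `tcpdump -n port 53` prints for queries:
    IP <src>.<sport> > <dst>.53: <id>[flags] <QTYPE>? <qname> (<len>)
"""
import ipaddress
import re
from collections import Counter, defaultdict

QUERY_RE = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"\d+[+%$|]* (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)

# RFC 1918 space: PTR queries for these addresses have no answer on the public
# Internet and usually betray a resolver or zone misconfiguration (assumption).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample capture: ordinary queries, one client walking the reverse
# zone of 203.0.113.0/24 (TEST-NET-3), two PTR queries for private addresses
# that leaked out of a site, and one response line that must be ignored.
SAMPLE_CAPTURE = """\
IP 198.51.100.7.40123 > 192.0.2.53.53: 4711+ A? www.example.com. (33)
IP 198.51.100.7.40124 > 192.0.2.53.53: 4712+ MX? example.com. (29)
IP 198.51.100.9.51000 > 192.0.2.53.53: 9001+ AAAA? mail.example.net. (34)
IP 198.51.100.9.51001 > 192.0.2.53.53: 9002+ A? mail.example.net. (34)
IP 198.51.100.22.60000 > 192.0.2.53.53: 100+ PTR? 1.113.0.203.in-addr.arpa. (42)
IP 198.51.100.22.60001 > 192.0.2.53.53: 101+ PTR? 2.113.0.203.in-addr.arpa. (42)
IP 198.51.100.22.60002 > 192.0.2.53.53: 102+ PTR? 3.113.0.203.in-addr.arpa. (42)
IP 198.51.100.22.60003 > 192.0.2.53.53: 103+ PTR? 4.113.0.203.in-addr.arpa. (42)
IP 198.51.100.22.60004 > 192.0.2.53.53: 104+ PTR? 5.113.0.203.in-addr.arpa. (42)
IP 198.51.100.22.60005 > 192.0.2.53.53: 105+ PTR? 6.113.0.203.in-addr.arpa. (42)
IP 198.51.100.22.60006 > 192.0.2.53.53: 106+ PTR? 7.113.0.203.in-addr.arpa. (42)
IP 198.51.100.22.60007 > 192.0.2.53.53: 107+ PTR? 8.113.0.203.in-addr.arpa. (42)
IP 198.51.100.30.33000 > 192.0.2.53.53: 7000+ PTR? 5.1.168.192.in-addr.arpa. (42)
IP 198.51.100.30.33001 > 192.0.2.53.53: 7001+ PTR? 20.0.0.10.in-addr.arpa. (40)
IP 198.51.100.31.5000 > 192.0.2.53.53: 7002+ PTR? 1.113.0.203.in-addr.arpa. (42)
IP 198.51.100.7.40125 > 192.0.2.53.53: 4713+ TXT? example.com. (29)
IP 192.0.2.53.53 > 198.51.100.7.40123: 4711 1/0/0 A 192.0.2.10 (49)
"""


def parse_query(line):
    """Return (src, qtype, qname) for a query summary line, or None for anything else."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    return m.group("src"), m.group("qtype"), m.group("qname").lower()


def parse_capture(text):
    """All query tuples in a capture; responses and other noise are skipped."""
    return [q for q in (parse_query(line) for line in text.splitlines()) if q]


def ptr_to_address(qname):
    """Map '9.1.0.203.in-addr.arpa.' to IPv4Address('203.0.1.9'); None if malformed."""
    name = qname.rstrip(".")
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    except ValueError:
        return None


def qtype_share(queries):
    """Fraction of queries per QTYPE, e.g. {'PTR': 0.69, 'A': 0.12, ...}."""
    counts = Counter(q[1] for q in queries)
    total = sum(counts.values())
    return {t: c / total for t, c in counts.items()} if total else {}


def reverse_sweeps(queries, min_addresses=8):
    """Sources that asked PTR for >= min_addresses distinct addresses inside one /24.
    A client walking a reverse zone this way is the reconnaissance pattern in question."""
    seen = defaultdict(set)  # (src, /24 network) -> addresses asked about
    for src, qtype, qname in queries:
        if qtype != "PTR":
            continue
        addr = ptr_to_address(qname)
        if addr is None:
            continue
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        seen[(src, net)].add(addr)
    return sorted((src, str(net), len(addrs))
                  for (src, net), addrs in seen.items() if len(addrs) >= min_addresses)


def private_ptr_queries(queries):
    """Reverse names for RFC 1918 addresses seen in PTR queries (sorted, deduplicated)."""
    hits = set()
    for _, qtype, qname in queries:
        addr = ptr_to_address(qname) if qtype == "PTR" else None
        if addr is not None and any(addr in net for net in RFC1918):
            hits.add(qname)
    return sorted(hits)


def report(text=SAMPLE_CAPTURE):
    """Summary a monitoring job would emit for one capture window."""
    queries = parse_capture(text)
    return {
        "total": len(queries),
        "ptr_share": qtype_share(queries).get("PTR", 0.0),
        "sweeps": reverse_sweeps(queries),
        "private_ptr": private_ptr_queries(queries),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On a real capture, feed `tcpdump -n -l port 53` output through `parse_capture` in a rolling window; the /24 sweep threshold should be tuned to the resolver's normal reverse-lookup load (mail servers legitimately issue many PTR queries, but rarely for contiguous address blocks).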