Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority
Reporter: Jing Chiu
Adviser: Yuh-Jye Lee
112/04/21 Data Mining & Machine Learning Lab
Reference
Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority
Authors: David Dagon, Niels Provos, Christopher P. Lee, and Wenke Lee.
Conference: Network and Distributed System Security Symposium (NDSS) 2008.
Outline
Introduction
Methodology
Analysis
Conclusion
Introduction
DNS resolution path corruption
Rogue DNS service
Methodology
Organizing IPv4 into a series of classful addresses
Using the bogons list published by Team Cymru
Excluding U.S. Military and U.S. government address space
Designed query pattern: Blowfish(IP).parentzone.example.com
Selected 600,000 resolvers:
200,000 uniformly at random from all resolvers
200,000 from resolvers that overlapped with those contacting Google
200,000 from IP addresses known to be infected by the Storm bot
Asked these resolvers to resolve 84 different domains over 4 days
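An added example (not from the slides or the paper) of the probe-name idea behind the Blowfish(IP).parentzone.example.com pattern: the authoritative server for the zone recovers the resolver IP that was probed from the query label and compares it with the address the query actually arrived from, so a mismatch reveals that the resolution path was redirected. Assumptions: a 32-bit probe id is packed beside the IPv4 address, and Blowfish is replaced by a stdlib-only keyed 64-bit Feistel permutation (a stand-in, not Blowfish) so the example runs without extra packages.

```python
"""Probe-name encoding and resolution-path check in the style of the
Blowfish(IP).parentzone.example.com query pattern. The 64-bit block
cipher here is an HMAC-based Feistel stand-in for Blowfish, not Blowfish."""
import base64, binascii, hashlib, hmac, ipaddress

ZONE = "parentzone.example.com"            # zone name from the slides
KEY = b"constructed-demo-key-not-secret"   # constructed for this example

def _F(key: bytes, half: int, rnd: int) -> int:
    """Round function: 32 bits of HMAC-SHA256 over (round number, half block)."""
    mac = hmac.new(key, bytes([rnd]) + half.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")

def _feistel(block: int, key: bytes, rounds) -> int:
    """Balanced 4-round Feistel over a 64-bit block. Because the halves are
    swapped on output, the same function with reversed rounds is the inverse."""
    L, R = block >> 32, block & 0xFFFFFFFF
    for i in rounds:
        L, R = R, L ^ _F(key, R, i)
    return (R << 32) | L

def build_probe_name(target_ip: str, probe_id: int, key: bytes = KEY) -> str:
    """Client side: encrypt (probed resolver IP, 32-bit probe id) into one label."""
    plain = (int(ipaddress.IPv4Address(target_ip)) << 32) | (probe_id & 0xFFFFFFFF)
    cipher = _feistel(plain, key, range(4)).to_bytes(8, "big")
    label = base64.b32encode(cipher).decode().rstrip("=").lower()   # 13 chars, DNS-safe
    return f"{label}.{ZONE}"

def check_query(qname: str, source_ip: str, key: bytes = KEY):
    """Authoritative side: decrypt the label and compare the probed resolver
    with the address the query came from. Returns None for foreign/malformed names."""
    label, _, zone = qname.lower().partition(".")
    if zone != ZONE:
        return None
    try:
        cipher = base64.b32decode(label.upper() + "=" * ((-len(label)) % 8))
    except (binascii.Error, ValueError):
        return None
    if len(cipher) != 8:          # not one of our 64-bit probe labels
        return None
    plain = _feistel(int.from_bytes(cipher, "big"), key, range(3, -1, -1))
    probed = str(ipaddress.IPv4Address(plain >> 32))
    return {
        "probed": probed,
        "seen": source_ip,
        "probe_id": plain & 0xFFFFFFFF,
        "path_corrupted": probed != source_ip,   # query arrived via another resolver
    }
```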
Methodology (cont.)
Analysis
Open resolvers found:
10.4 million – late August 2007
10.5 million – early September 2007
Union of the two sets: 17,365,759
634,941 – January 2006
Analysis (cont.)
Analysis (cont.)
Analysis
Conclusion
DNSSEC: DNS with authority
Blocking: block the remote DNS traffic
Recovery: what happens after blocking or taking down the Rogue DNS?
Thanks for your attention. Questions?