Title: The centre of registration of domains
FAST-FLUX: problem domains, registrars
Pavel Khramtsov (paul_at_nic.ru), Slovenia, 2009
DNS: the most popular topics (threats)
- Spoofing: substitution of DNS server answers (solution: DNSSEC).
- Conficker: botnet creator (solution: preventive bulk registration).
- Fast-flux: dynamic change of the address resource record, i.e. of the name/address link (solution: UNKNOWN!!!).
Fast-Flux: term definition
- Fast flux refers to rapid and repeated changes to an Internet host (A) and/or name server (NS) resource record in a DNS zone, which have the effect of rapidly changing the location (IP address) to which the domain name of an A or NS resolves.
- Fast flux attack networks are robust, resource-obfuscating service delivery infrastructures. Such infrastructures make it difficult for system administrators and law enforcement agents to shut down active scams and identify the criminals operating them.
DNS Web
DNS Web in detail (resolution chain for site.ru, as drawn on the slide)
2. site.ru A ?                 (query to ROOT)
3. .ru NS ns2.ripn.net         (referral from ROOT)
4. site.ru A ?                 (query to ns2.ripn.net)
5. site.ru NS ns1.site.ru      (referral from ns2.ripn.net)
6. site.ru A ?                 (query to ns1.site.ru)
7. site.ru TTL A 194.32.33.1   (answer from ns1.site.ru, with its TTL)
Reverse proxy using
(diagram: source server behind a reverse proxy)
Reverse proxy using botnets
(diagram: botnet in front of a hidden content server; the bots are a set of hosts routed through varied ASes)
It is a small TTL that permits fast changing of the A records.
Fast-flux fingerprints
- multiple IPs per NS spanning multiple ASNs,
- frequent NS changes,
- in-addr.arpa names or IPs lying within consumer broadband allocation blocks,
- domain name age,
- poor quality WHOIS,
- determination that the nginx proxy is running on the addressed machine (nginx is commonly used to hide/proxy illegal web servers),
- the domain name is one of possibly many domain names under the name of a registrant whose domain administration account has been compromised, and the attacker has altered domain name information without authorization.
Top-10 botnet countries
(http://dnsbl.abuse.ch/statistic/fastflux.php, 19/04/2009)
Rank  Country             Bots    % of bots
1     Russian Federation  27567   20
2     United States       25641   18
3     Germany             12726    9
4     Israel               7608    5
5     Korea                4665    3
6     Spain                4330    3
7     United Kingdom       3689    3
8     Italy                3396    2
9     France               3122    2
10    Romania              2830    2
-     other               43224   31
Russian AS bots
(http://dnsbl.abuse.ch/statistic/fastflux.php, 19/04/2009)
Rank  AS number  AS name                                                    Bots
1     8402       CORBINA-AS Corbina Telecom                                 10204
2     8997       ASN-SPBNIT OJSC North-West Telecom Autonomous System        3832
3     8615       CNT-AS CNT Autonomous System                                3429
4     12695      DINET-AS Digital Network JSC                                 936
5     42011      TRCODINTSOVO-AS TRC Odintsovo                                909
6     12714      TI-AS NetByNet Holding                                       765
7     30784      ISKRATELECOM-AS Iskratelecom Autonomous System               622
8     25405      NMTS-AS OJSC VolgaTelecom, Nizhny Novgorod                   525
9     6828       USI Uralsviazinform                                          390
10    42754      AROMA-LESK-AS Aroma Lesk Ltd.                                352
ccTLD bots
(ICANN WG report, 06.08.2009; source: Arbor, 2008)
Rank  Zone  Fast-flux domains  Domains in zone  Fast-flux domains per 10000
1     .SU      52                 68891         7.55
2     .CN    6393              12364615         5.17
3     .BZ      14                 43500         3.22
4     .COM  16818              78191881         2.15
5     .RU     155               1535153         1.01
Our research method
- Select all distinct domain names from the log of the DNS server. It'd be better to take the log of an authoritative server of the zone.
- Test this list against the DNS to obtain the TTL and IP address for each domain name several times (100 times, for example).
- Focus on the names with TTL < 1000 and multiple IPs.
- Take Google, Yandex, ... away from the list.
Then:
Our research method (continued)
- We obtained the geographic and AS distribution for each domain from the list.
- We obtained the intersection with the providers' access pools for each domain.
There is a high probability that a fast-flux domain has both a geographic and an AS distribution of its IP set and that the set belongs to the providers' access pools.
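The method above (TTL and multiple-IP cut-off, AS distribution, intersection with end-user access pools), combined with the fingerprints listed earlier, as an added example that is not part of the original presentation. All lookups, the IP-to-AS map and the access pools are constructed in-line; in real use they come from repeated DNS queries, a BGP table and provider allocation data.

```python
from ipaddress import ip_address, ip_network

TTL_THRESHOLD = 1000                 # the "TTL < 1000" cut-off used in the slides
WHITELIST = ("google.", "yandex.")   # operators that legitimately use low TTL + many IPs

# Constructed sample: domain -> (ttl, ip) pairs collected over repeated lookups.
OBSERVATIONS = {
    "flux.example.ru": [(300, "203.0.113.7"), (300, "198.51.100.20"),
                        (300, "192.0.2.33"), (300, "198.51.100.20")],
    "static.example.ru": [(86400, "203.0.113.1")] * 4,
    "cache.yandex.example": [(120, "198.51.100.1"), (120, "198.51.100.2")],
}
# Constructed IP -> AS number map (real use: BGP table or whois lookups).
IP_TO_ASN = {"203.0.113.7": 64500, "198.51.100.20": 64501, "192.0.2.33": 64502,
             "203.0.113.1": 64500, "198.51.100.1": 64510, "198.51.100.2": 64510}
# Constructed consumer-broadband access pools (real use: provider allocation data).
ACCESS_POOLS = [ip_network("198.51.100.0/24"), ip_network("192.0.2.0/24")]


def is_whitelisted(domain):
    """Drop well-known CDN/search operators that legitimately look 'fluxy'."""
    return any(tag in domain for tag in WHITELIST)


def analyse(domain, lookups):
    """Score one domain with the three signals from the slides."""
    ips = {ip for _, ip in lookups}
    min_ttl = min(ttl for ttl, _ in lookups)
    asns = {IP_TO_ASN.get(ip) for ip in ips}
    in_pool = sum(any(ip_address(ip) in net for net in ACCESS_POOLS) for ip in ips)
    crude = min_ttl < TTL_THRESHOLD and len(ips) > 1       # crude estimate
    multi_as = len(asns) > 1                                # AS distribution
    pool_fraction = in_pool / len(ips)                      # access-pool intersection
    return {
        "crude": crude,
        "multi_as": multi_as,
        "pool_fraction": pool_fraction,
        "score": int(crude) + int(multi_as) + int(pool_fraction >= 0.5),
    }


def candidates(observations, min_score=2):
    """Return the non-whitelisted domains whose combined score reaches min_score."""
    return sorted(d for d, lk in observations.items()
                  if not is_whitelisted(d) and analyse(d, lk)["score"] >= min_score)


if __name__ == "__main__":
    for d in candidates(OBSERVATIONS):
        print(d, analyse(d, OBSERVATIONS[d]))
```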
Our research results
Summary results
Description                                                                      Value
Number of domains with TTL < 1000 and multiple IPs                               1633
Number of second-level domains with TTL < 1000 and multiple IPs                   522
Number of nnn.ru domains with TTL < 1000 and multiple IPs                         312
Number of domain names pointing to the end-user access pools                     1287
  of which with geographic distribution                                           398
  of which with AS distribution                                                   743
Our research results
Top-5 domains
Domain                          Queries
ns6.b6f.ru                      2352598
Ns1.ut9.ru (Zimbra server)       246873
ns2.Ew0.ru (Zimbra server)       244035
NS3.wAntdrOOl.ru                 117990
Ns1.wEbshopmAG.ru                 96833
Another typical name: wnacsspa1j4i.odnoklassniki.x8m.ru.
Our research results
Top-5 countries
Country       Domains
Germany       350
France        349
Poland         40
Netherlands    34
Taiwan         32
Our research results
Russian AS names (end-user access pools)
AS name            Domains
AGAVA              347
Unknown              1
INAR-VOLOGDA-AS      1
RINET-AS             1
Our research results
Registrars (end-user access pools)
Russian registrar (different regions)  Domains
NAUNET-REG-RIPN                         98
REGRU-REG-RIPN                         102
REGTIME-REG-RIPN                       183
RIPN-REG-RIPN                            1
Conclusions
- TTL and multiple IPs are enough for a crude estimation.
- The intersection of a domain name's IPs with end-user access pools gives us more precise detection.
- Geographic and AS distribution improve detection.