Multivariate Solutions to Passive DNS Challenges
Merike Kaeo, CTO, Farsight Security
merike@fsi.io

Agenda
• Typical Passive DNS Use
• Passive DNS Challenges
• Multivariate Solutions
• Understanding WHOIS and Geolocation
• Malicious Campaigns during Public Events

TYPICAL PASSIVE DNS USES

How Passive DNS Normally Works
• Start with a known/observed bad data point
  • Domain name
  • Nameserver
  • IP address/CIDR
  • ASN
• Use Passive DNS to find other IPs or domain names that share the same resources
• Leverage reputation locality, but carefully review what you've found

UNIvariate Approaches
• Use a single point of commonality as a way to identify related domains
  • SAME exact IP?
  • SAME exact nameserver?
  • SAME exact domain name used over time (if you are interested in the set of IPs that a name has been using)
• Each relies on a single attribute, exactly matched

Simple pDNS Works Well When...
• Many related domains coexist on a single IP (or small CIDR block), with no innocent 3rd party domains
• Many related domains use the same set of dedicated name servers, with no innocent 3rd party domains
• The malicious user is apparently stubbornly fond of a favorite domain

PASSIVE DNS CHALLENGES

When Simple pDNS Does NOT Work
• ZERO interrelated data points, e.g. "lone wolf" domain names, IP addresses, name servers, etc.
• Too many related resources
• Malicious resources are commingled with innocent 3rd party resources

Lone Wolf Scenario
The cybercriminal reuses NOTHING across sites
• Every IP address used to send SPAM or host content is totally unrelated to any other IPs the criminal uses
• Every domain name is registered using:
  • A diverse assortment of registrars, one or two at a time
  • Unique name servers (installed and operated on unique IPs)
  • Unique/fictitious (or concealed) POC details
  • Unique (or anonymous) payment details

Poorly Documented Resource Assignments
• Example #1: Provider fails to document IP reassignments/reallocations in IP WHOIS or rWHOIS, and an abuser repeatedly moves (or is moved) around a single large network block, or among multiple smaller blocks.
• Example #2: WHOIS POC details are concealed by a WHOIS proxy/privacy service

Overcoming Obfuscation
• Look for other characteristics that may not be obfuscated, or seek to strip away anonymity
• Examples
  • If nameservers service a large number of domains, and thus are not a useful attribute to try to follow, look at the IP address(es) the bad domain is hosted on instead.
  • If a domain is demonstrably engaged in phishing or other clearly illegal behavior, some privacy/proxy protection services have terms of service which allow the provider to unilaterally strip privacy protections.

Overcoming Reverse Proxies
• With reverse proxies, everything seems to "live on the reverse proxy's IP addresses"
• Carefully scrutinize non-A/non-AAAA DNS records that may be present (e.g. MX, TXT, etc.)
• Reverse proxy operators are also potentially a terrific target for law enforcement

Performance Marketing URLs
• Encoded URLs, unique to each specific recipient
• Because each URL is unique to each recipient, visiting the URL (typically to investigate the site being spamvertised) means:
  • Confirming you've opened the message and clicked through (establishing a potential argument that you've "opted in")
  • May result in you "using up" a URL coded for one-time use (try the same URL a 2nd or 3rd time? It may go nowhere)
  • Forwarding "sanitized" spamples in complaints may yield URLs that simply don't work, or which work "misleadingly"
  • Forwarding "raw" spamples in complaints "outs" your spam collection infrastructure and may result in "list washing"

MULTIVARIATE SOLUTIONS

Points In An n-Dimensional Space
• In a multivariate approach we look at more than one measurement at the same time
• This allows "interactions" to be accounted for
  • x by itself? okay
  • y by itself? okay
  • x and y combined together? Does NOT work!
• NOT combining multiple attributes into a single score, compared against a threshold (SpamAssassin style)
• NOT just successive application of independent univariate filters, either

A Simple Two-D Normal Distribution
[Figure: sample from a bivariate normal distribution, https://commons.wikimedia.org/wiki/File:Multivariate_normal_sample.svg]

The Data We Have
• Currently passive DNS captures data about three main types of DNS-related entities:
  • Names
  • IPs
  • Name Servers
• None of that is beautiful continuous data
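The pivots the slides describe, worked through in code. This is an added example, not code from the talk or from Farsight Security, and the passive DNS records it runs over are constructed sample data (reserved .example names and documentation IP ranges), not a real pDNS feed. It shows the exact-match univariate pivots (same IP, same nameserver, one name's IP history), the "too many related resources" failure mode where a crowded IP or nameserver drags in innocent 3rd party domains, a joint-attribute pivot that only follows names sharing more than one attribute with the seed, and the reverse-proxy case where the A record is useless but the MX and SPF TXT records point at the origin host. The `min_shared` threshold and the SPF `ip4:` parsing are this example's own choices, not the speaker's method.

```python
"""Passive DNS pivoting over a constructed record set: exact-match univariate
pivots, the crowded-attribute failure mode, a joint-attribute (multivariate)
pivot, and non-address records as a way around a reverse proxy."""
from collections import defaultdict

# Constructed passive DNS observations as (rrname, rrtype, rdata). Names use the
# reserved .example TLD and documentation IP ranges; this is sample data, not a
# real pDNS feed.
PDNS = [
    # Two related domains on a shared host behind a large DNS provider: the IP
    # alone and the nameserver alone each pull in an innocent third party.
    ("bad1.example", "A", "198.51.100.5"),
    ("bad1.example", "NS", "ns1.bigdns.example"),
    ("bad2.example", "A", "198.51.100.5"),
    ("bad2.example", "NS", "ns1.bigdns.example"),
    ("shop.example", "A", "198.51.100.5"),         # innocent co-tenant on the IP
    ("shop.example", "NS", "ns1.hoster.example"),
    ("blog.example", "A", "198.51.100.9"),         # innocent customer of bigdns
    ("blog.example", "NS", "ns1.bigdns.example"),
    # A phishing domain fronted by a reverse proxy: its A record is the proxy's
    # IP, shared with an innocent site, but MX and SPF point at the origin.
    ("bad3.example", "A", "192.0.2.1"),
    ("news.example", "A", "192.0.2.1"),
    ("bad3.example", "MX", "mail.bad3.example"),
    ("bad3.example", "TXT", "v=spf1 ip4:203.0.113.77 -all"),
    ("mail.bad3.example", "A", "203.0.113.77"),
    ("bad4.example", "A", "203.0.113.77"),         # sibling site on the origin host
]


def names_with(records, rrtype, rdata):
    """Univariate pivot: every name observed with exactly this rdata."""
    return {n for n, t, r in records if t == rrtype and r == rdata}


def rdata_of(records, name, rrtype):
    """The other direction: every rdata of one type seen for a name (e.g. the
    set of IPs a favourite domain has used over time)."""
    return {r for n, t, r in records if n == name and t == rrtype}


def is_crowded(records, rrtype, rdata, limit=2):
    """True when more than `limit` names share the attribute: shared hosting, a
    large DNS provider or a reverse proxy. Such an attribute is not worth
    following on its own; pivot on something else or combine it."""
    return len(names_with(records, rrtype, rdata)) > limit


def multivariate_pivot(records, seed, rrtypes=("A", "AAAA", "NS", "MX"), min_shared=2):
    """Names sharing at least `min_shared` distinct attributes with the seed.
    A single shared attribute (a co-tenant IP, a popular nameserver) is ignored;
    it is the combination of attributes that ties names together."""
    seed_attrs = {(t, r) for n, t, r in records if n == seed and t in rrtypes}
    shared = defaultdict(set)
    for n, t, r in records:
        if n != seed and (t, r) in seed_attrs:
            shared[n].add((t, r))
    return {n for n, attrs in shared.items() if len(attrs) >= min_shared}


def behind_proxy(records, name):
    """Scrutinise the non-A/non-AAAA records of a proxied name. MX targets are
    resolved through pDNS and SPF ip4: mechanisms are read directly; every IP
    found is then pivoted on to reach sibling names on the origin host."""
    other = [(t, r) for n, t, r in records if n == name and t not in ("A", "AAAA")]
    origin_ips = set()
    for t, r in other:
        if t == "MX":
            origin_ips |= rdata_of(records, r, "A")
        elif t == "TXT" and r.startswith("v=spf1"):
            # Plain ip4: tokens only; a CIDR mechanism would need expanding.
            origin_ips |= {tok[4:] for tok in r.split() if tok.startswith("ip4:")}
    related = set()
    for ip in origin_ips:
        related |= names_with(records, "A", ip)
    related.discard(name)
    return {"non_address": other, "origin_ips": origin_ips, "related": related}


if __name__ == "__main__":
    print("same IP  :", sorted(names_with(PDNS, "A", "198.51.100.5")))
    print("same NS  :", sorted(names_with(PDNS, "NS", "ns1.bigdns.example")))
    print("crowded? :", is_crowded(PDNS, "A", "198.51.100.5"))
    print("IP and NS:", sorted(multivariate_pivot(PDNS, "bad1.example")))
    print("proxied  :", behind_proxy(PDNS, "bad3.example"))
```

Run stand-alone, the IP pivot returns bad1, bad2 and the innocent shop.example, the nameserver pivot returns bad1, bad2 and the innocent blog.example, while the joint pivot from bad1.example returns only bad2.example. For the proxied bad3.example the A record leads nowhere useful (it shares the proxy IP with news.example), but the MX and SPF records both resolve to 203.0.113.77, and pivoting on that origin IP surfaces bad4.example. In a real investigation the crowded-attribute check is what tells you to stop following a nameserver that serves thousands of domains and look at the hosting IP instead, as the slides suggest.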

Source: PDF slide deck, "Merike Kaeo - Multivariate Solutions to Passive DNS Challenges" (2016), 36 pages, presented at the 2016 ISC Threat Intelligence Technology and Trends Forum.