rush hour

This commit is contained in:
2018-01-29 22:52:15 +01:00
parent 817b68b025
commit ece9b4afcf
14 changed files with 284 additions and 110 deletions


@@ -1,7 +1,7 @@
\chapter{Abuse of Domain Names}
\label{cha:abuse_of_domain_names}
The \gls{dns} makes it easy to browse the internet with human readable domain names. It adds an extra layer to the TCP/IP model that allows administrators to reliably maintain services, especially for large applications which are served by many servers in different locations. Using techniques like round robin \gls{dns} enables efficient use of multiple machines, decreases access time for different users and enhances availability if single nodes in the machine cluster fail. Although this led to the described advantages it can also be used by malicious applications. In this work three major types of misuse of domain names are taken into account.
The \gls{dns} makes it easy to browse the internet with human readable domain names. It adds an extra layer to the TCP/IP model that allows administrators to reliably maintain services, especially for large applications which are served by many servers in different locations. Using techniques like round robin \gls{dns} enables efficient use of multiple machines, decreases access time for different users and enhances availability if single nodes in the machine cluster fail. Although this led to the described advantages it can also be used by malicious applications. In this work three major types of domain name misuses are taken into account.
\section{Malware}
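Review bot: the only change in this hunk, "three major types of misuse of domain names" to "three major types of domain name misuses", does not read better; "domain name misuses" is an awkward plural, and "three major types of domain-name misuse" (hyphenated compound, uncountable noun) would be the natural phrasing. While touching this sentence, the unchanged context has two points worth a follow-up: "Although this led to the described advantages it can also be used by malicious applications" has no clear antecedent for "it" (the DNS? round-robin DNS?) and mixes tenses; "Although these properties benefit legitimate services, they can equally be exploited by malicious applications" would fix both.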
@@ -11,22 +11,6 @@ On May 12th 2017, British security researchers discovered a malware which was sp
This case shows an example of how domains can be used by attackers to control their software. Usually domains are more often used to connect to command and control servers or to communicate with other infected machines (see Section~\ref{sec:botnets}). To infect a machine, attackers often use so called \textit{droppers} or \textit{injectors} that do not ship the malicious code in the first hand but that are little programs to download further source code or binaries that contain the harming functionality. It is much easier for malware authors to use domains for this purpose instead of hard coding the IP addresses for many reasons: If machines that serve the down-loadable content are e.g. confiscated by the police or taken down for other reasons, domains can simply be pointed to a redundant server and such minimizing slow downs in the distribution of the malware. Reliable endpoints are also used to maintain the malicious software and load additional code. As domains are comparably cheap (starting at a few cents per year compared to at least \$ 10 for a dedicated IPv4 address a year), attackers can build a pool of many domains and such compensate take downs of some domain names. This could possibly change when IPv6 is widely adopted (with IPv6 addresses being much cheaper) but according to statistics of Google, only about 20\% of worldwide users accessing google where IPv6 enabled (natively or using IPv6 to IPv4 bridges) \fsCite{googlecom_ipv6adoption}. This imposes the usage of IPv6 as the primary protocol in malware for obvious reasons.
\todo{add somewhere here}
techniques like:
fast flux networks, domain flux networks, domain generation algorithm
((
Examples of malware that make use of such DGAs are Kraken/Bobax, the Srizbi bots and the Conficker worm
))
\subsection{Countermeasures}
\label{subsec:countermeasures}
\todo{see kopis section 2 end, DNS blacklisting etc}
\section{Phishing}
\label{sec:phishing}
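Review bot: this hunk deletes `\subsection{Countermeasures}` together with its `\label{subsec:countermeasures}`, so any `\ref{subsec:countermeasures}` elsewhere in the thesis will now produce an undefined-reference warning; grep the sources for that label before merging, or keep the label on a placeholder if the section is only being moved. The removed notes also listed Kraken/Bobax as a DGA example, which does not reappear in the retained text later in this commit (only Srizbi, Conficker and GameOver Zeus do), so that reference is lost rather than relocated. The retained paragraph above still carries several defects that the rewrite could have picked up: "down-loadable" should be "downloadable", "such minimizing" and "such compensate" should be "thus minimizing" and "thus compensate", "users accessing google where IPv6 enabled" should be "users accessing Google were IPv6 enabled", and "This imposes the usage of IPv6 as the primary protocol in malware" states the opposite of what the argument supports; the low adoption figure argues against malware relying on IPv6, so "discourages" or "rules out" is the intended verb.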
@@ -40,16 +24,9 @@ Phishing describes malicious activities where attackers try to steal private inf
A Botnet is a network of mostly computers infected with malicious software and controlled as a group without the owners' knowledge under the remote control of a human operator called bot master or bot herder. Each infected machine is called a Bot; and similar to how robots are acting independently commanded by human operators, every node in the Botnet is performing actions as instructed by the Botmaster. Botnets are mostly used for sending spam emails and running \gls{ddos} attacks.
To understand how botnets can be detected, mainly considering how botnets make use of domain names, some basic concepts have to be introduced:
\subsection{Distribution}
\label{subsec:distribution}
\subsection{Fast-Flux service networks}
\label{subsec:fast-flux_service_networks}
\subsection{Architecture}
\label{subsec:architecture}
\subsection{Discovery}
\label{subsec:botnets_discovery}
Fast-Flux service network is a technique, for example often used to serve illegal web pages or in botnets (\fsCite{nazario2008net}), to hide the actual location of core components like command and control servers (C\&C servers is used as an example here). Using DNS round robin which helps e.g. legitimate services to reduce downtimes when a single node fails, command and control servers are hidden behind groups of bots which are acting as proxies and are accessible by a domain name. As botnets usually contain a large number of bots, these proxies can quickly be changed and leave no trace back to the actual C\&C server. To be able to quickly change the hiding proxy, the time to live of the domain names to those proxies has to be set to a low value. This is one characteristic that can be used to distinguish legitimate from malicious services. Domain-Flux networks are the successor of Fast-Flux service networks and in addition do use dynamic domains for the proxies. Domain-Flux networks use changing domain names for the proxies that hide the location of core components in the botnet. For this method to work properly, all bots in the botnet do have to know under which domain the C\&C server is reachable. To be able to communicate with the C\&C server, the bot first generates the currently valid domain name (e.g. based on time) and afterwards is able to send data through the proxy to the command and control server. Some examples for malware that uses DGAs are the Srizbi botnet, the Conficker worm and the GameOver Zeus botnet. One major difference of algorithmically generated domains in contrast to legitimate domains is that they usually contain more numbers and fewer/no human readable words.
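Review bot: removing the four empty subsections also removes `\label{subsec:distribution}`, `\label{subsec:fast-flux_service_networks}`, `\label{subsec:architecture}` and `\label{subsec:botnets_discovery}`; check for `\ref`s to them, since the Malware section earlier refers to Section~\ref{sec:botnets} and it is likely the fast-flux label was referenced in the same way. The lead-in sentence kept as context, "some basic concepts have to be introduced:", ends with a colon that announced exactly those subsections; with them gone it now dangles before a single paragraph and should be rephrased (e.g. "the following concepts are relevant."). The retained fast-flux paragraph has two issues the reviewer would flag: the sentences "Domain-Flux networks are the successor of Fast-Flux service networks and in addition do use dynamic domains for the proxies." and "Domain-Flux networks use changing domain names for the proxies that hide the location of core components in the botnet." say the same thing and one should go, and the abbreviation DGA is used ("malware that uses DGAs") without ever being expanded as domain generation algorithm, which the deleted notes in the previous hunk did; either introduce it here or add it to the glossary and use `\gls{}`, as the document does for `\gls{dns}` (this paragraph also writes "DNS round robin" literally where the rest of the text uses `\gls{dns}`). Minor: "(C\&C servers is used as an example here)" should be "C\&C servers are used as the example here".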