Improving Network Security with IP & DNS Reputation Services

Page 1

Sandeep

Discussed at WHP Local Meet

Reference: Improved network security with IP & DNS Reputation Services, a business whitepaper by HP TippingPoint Solutions

Page 2

• Security professionals must work smart to stay ahead of malicious attacks

• Motivated attackers use botnets and other resources to carry out attacks

• Attackers face a low risk of being caught and prosecuted

[email protected]

Page 3

Network traffic divided into three parts:

Good traffic: trusted traffic that should pass through the network unimpeded and uninspected

Bad traffic: traffic that should be blocked proactively, before it can attempt to compromise the network

Ugly traffic: untrusted traffic that requires deep packet inspection to determine whether it is “good” (legitimate) or “bad” (malicious)

Page 4

• Bad devices can be identified by their IP addresses or DNS names, and the traffic they emit can be blocked. These devices are used as:

Botnet command and control (CnC) sites: 5,000 to 6,000 botnet command and control sites worldwide. Botnet CnC servers move constantly to evade detection and blocking by security and network personnel.

Techniques used by botnet masters to avoid discovery are as follows: use of IRC, P2P and HTTP traffic, which lets bot communications bypass traditional firewalls and some IPS security measures

Page 5

Use of dynamic algorithms to select CnC servers, so that the servers cannot be blocked with static firewall ACLs

Use of both DNS names and IP addresses to identify CnC servers

Identifying botnet CnC servers requires detailed botnet analysis and frequent updating of CnC lists.
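The two points above (CnC servers chosen by a dynamic algorithm, and the need for botnet analysis plus frequent list updates to keep up) are easier to see with a concrete, if toy, domain generation algorithm. The Python below is an added example, not code from the whitepaper or from HP TippingPoint; the seed, TLD list, five-candidates-per-day count and the dates are all constructed assumptions, and the algorithm is not that of any real botnet.

```python
"""Toy domain generation algorithm (DGA) showing why a static firewall ACL cannot
keep up with a botnet that picks its CnC domains dynamically.

Added example; this is a constructed toy, not the DGA of any real botnet.
"""
from __future__ import annotations

import datetime
import hashlib

SECRET = b"toy-seed"            # assumption: shared by the bots and the bot master
TLDS = ("com", "net", "info")   # assumption: the toy rotates over these TLDs
PER_DAY = 5                     # assumption: candidate names a bot tries per day


def dga_domains(day: str, count: int = PER_DAY) -> list[str]:
    """Candidate CnC domains a bot derives for ISO date `day` (e.g. "2024-01-01").

    Every bot computes the same list from the date and SECRET; the bot master
    registers just one of them shortly before it is needed, so no address ever
    has to be hard-coded in the malware and yesterday's ACL is useless today."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(SECRET + day.encode() + bytes([i])).hexdigest()
        label = "".join(chr(ord("a") + int(ch, 16) % 26) for ch in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def next_day(day: str, n: int = 1) -> str:
    """ISO date `n` days after `day`."""
    return (datetime.date.fromisoformat(day) + datetime.timedelta(days=n)).isoformat()


def hit_rate(blocklist: set[str], day: str) -> float:
    """Fraction of the bot's candidates for `day` that `blocklist` stops.
    A static ACL written from one day's sightings drops to zero the next day."""
    candidates = dga_domains(day)
    return sum(d in blocklist for d in candidates) / len(candidates)


def predicted_feed(start: str, days_ahead: int) -> set[str]:
    """What a reputation service can publish once analysts have reversed the DGA
    from malware samples: every name the bots will try over the next `days_ahead`
    days. The feed has to be regenerated and pushed to enforcement points continually."""
    return {d for k in range(days_ahead) for d in dga_domains(next_day(start, k))}


if __name__ == "__main__":
    day0 = "2024-01-01"
    acl = set(dga_domains(day0))        # firewall rules written from day-0 sightings
    print("static ACL, day 0:", hit_rate(acl, day0))                     # 1.0
    print("static ACL, day 1:", hit_rate(acl, next_day(day0)))           # 0.0
    feed = predicted_feed(day0, 7)
    print("reputation feed, day 3:", hit_rate(feed, next_day(day0, 3)))  # 1.0
```

The point of the example is the asymmetry: an ACL built from observed domains is exact for the day it was written and worthless the morning after, whereas a list derived from analysis of the algorithm stays ahead of the bots, but only for as long as the feed keeps being regenerated and delivered.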

Malware depots: 2,500 to 50,000 devices acting as malware depots or hosting malicious content are discovered daily worldwide

Page 6

Malware depots: two types

1. Websites designed to lure victims and then infect their devices

2. Websites of legitimate businesses that are compromised because they haven’t been properly secured.

Depots are used as malware drop sites and for hosting malware software updates

Depots are always looked up by DNS name, so the DNS name, not only the IP address, is the identifier to track

Page 7

Malware Depot Identification Process:

1. Monitoring for malware downloads and tracking their origin

2. Evaluating data hosting sites worldwide.

Page 8

Phishing sites: 50,000 or more new phishing sites are introduced to the Internet monthly

Two types of phishing sites:

1. Purpose-built sites

2. Sites that appear to be part of a known, credible business

Page 9

Compromised hosts: most commonly compromised by bot malware

They stay under the control of a remote botnet master through botnet CnC sites

A compromised host can be used by the botnet master to conduct a variety of malicious attacks:

Spreading malware

Compromising additional hosts to create more botnet devices

Page 10

A compromised host can be used by the botnet master to conduct a variety of malicious attacks (contd.):

Performing reconnaissance scans

Providing access to local networks for further compromise

Conducting distributed denial of service (DDoS) attacks

Conducting email spam or phishing campaigns

Conducting online click-fraud scams

Page 11

Determine whether a device is “behaving badly”

Block access to and from devices that have a known bad reputation

This requires a reputation database with significant metadata on each of these badly behaving devices, identified by IPv4 or IPv6 address or by DNS name

Page 12

A Security Research Team that can:

Collect large amounts of device data

Correlate these large data sets

Validate the results of the data sets

Provide Frequent Database updates

Assign a reputation score

Page 13

The Research Team must:

Collect real-time attack events with very detailed attack data from a large worldwide community of sensors

Analyze Web traffic and crawl Web sites of interest to collect data on sites hosting malicious content or scams

Conduct careful malware analysis to identify botnet CnC sites, and botnet and malware drop sites

Analyze attacks and scams to identify the devices that are participating in or conducting the attacks
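Pages 11 to 13 describe the pipeline end to end: reports from many sensors are collected, correlated, validated and scored, the database is refreshed often, and the enforcement point then blocks traffic to and from devices with a known bad reputation while passing trusted traffic uninspected and sending the rest to deep packet inspection (the good/bad/ugly split of page 3). The Python below is an added example that walks that pipeline on constructed data; it is not the whitepaper's or HP TippingPoint's code. The sensor reports are made up, and the category weights, one-week half-life, two-sensor corroboration rule and block threshold of 80 are assumptions.

```python
"""Toy IP/DNS reputation pipeline: correlate sensor reports, validate, score,
and sort traffic into good (pass), bad (block) and ugly (inspect).

Added example with constructed data; the weights, half-life, corroboration
rule and threshold are assumptions, not HP TippingPoint's.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

CATEGORY_WEIGHT = {"cnc": 60, "malware_depot": 45, "phishing": 40, "scan": 15}
BLOCK_THRESHOLD = 80    # validated score at or above this is "bad" traffic
MIN_SENSORS = 2         # one sensor can be wrong or poisoned: require corroboration
HALF_LIFE_DAYS = 7      # a report loses half its weight per week (CnC hosts move)

# Constructed sensor reports: (sensor_id, indicator, category, age_in_days)
REPORTS = [
    ("eu-1", "198.51.100.23", "cnc", 0),
    ("us-2", "198.51.100.23", "cnc", 1),
    ("ap-3", "198.51.100.23", "scan", 2),
    ("eu-1", "Updates.Bad-Example.COM.", "malware_depot", 0),  # mixed case, trailing dot
    ("us-2", "updates.bad-example.com", "malware_depot", 1),
    ("ap-3", "2001:db8::1", "phishing", 0),                    # only one sensor sees this host
    ("ap-3", "2001:db8::1", "cnc", 0),
    ("eu-1", "2001:0db8:0000:0000:0000:0000:0000:0002", "scan", 30),  # long IPv6 form
    ("us-2", "2001:db8::2", "scan", 28),                       # both reports a month old
]


def is_address(indicator: str) -> bool:
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(indicator)
        return True
    except ValueError:
        return False


def normalize(indicator: str) -> str:
    """Canonical key so the same device reported in different spellings correlates:
    IPv4/IPv6 in compressed form, DNS names lower-cased without the trailing dot."""
    if is_address(indicator):
        return str(ipaddress.ip_address(indicator))
    return indicator.strip().lower().rstrip(".")


def build_reputation(reports) -> dict[str, dict]:
    """Correlate reports per indicator, validate by distinct-sensor count, score."""
    grouped: dict[str, list] = defaultdict(list)
    for sensor, indicator, category, age in reports:
        grouped[normalize(indicator)].append((sensor, category, age))
    db = {}
    for key, entries in grouped.items():
        # Exponential age decay: stale evidence counts for less but is not dropped.
        score = sum(CATEGORY_WEIGHT[c] * 0.5 ** (age / HALF_LIFE_DAYS) for _, c, age in entries)
        sensors = {s for s, _, _ in entries}
        db[key] = {
            "score": min(100, round(score)),
            "validated": len(sensors) >= MIN_SENSORS,
            "categories": sorted({c for _, c, _ in entries}),
            "sensors": len(sensors),
        }
    return db


def lookup(db: dict[str, dict], indicator: str):
    """Exact match for addresses; DNS names also inherit a parent domain's entry,
    so cdn.updates.bad-example.com is caught by the record for updates.bad-example.com."""
    key = normalize(indicator)
    if key in db:
        return db[key]
    if not is_address(key):
        labels = key.split(".")
        for i in range(1, len(labels) - 1):   # walk up, but never match the bare TLD
            parent = ".".join(labels[i:])
            if parent in db:
                return db[parent]
    return None


def classify(db: dict[str, dict], indicator: str, trusted: frozenset[str] = frozenset()) -> str:
    """Good traffic passes uninspected, bad traffic is blocked, the rest is inspected."""
    if normalize(indicator) in trusted:
        return "pass"
    entry = lookup(db, indicator)
    if entry and entry["validated"] and entry["score"] >= BLOCK_THRESHOLD:
        return "block"
    return "inspect"   # unknown, uncorroborated or low-scoring: let DPI decide


if __name__ == "__main__":
    db = build_reputation(REPORTS)
    for ind in ("198.51.100.23", "cdn.updates.bad-example.com", "2001:DB8::1", "203.0.113.9"):
        print(ind, classify(db, ind, trusted=frozenset({"203.0.113.9"})), lookup(db, ind))
```

Two design points worth noticing. The IPv6 host 2001:db8::1 reaches a score of 100 but is never blocked, because every report came from one sensor; corroboration is what keeps a single poisoned or faulty collector from turning the service into a denial-of-service tool against whoever it names. And the reputation key is the normalized indicator, so the three spellings of the depot's name and the two spellings of 2001:db8::2 each collapse into one record, which is the "correlate" step of page 12 in its simplest form.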

Page 14

Note: The most important component in building a strong reputation service is the depth of the database. Database quality depends heavily on the size, scope, and distribution of the attack collection sites, and on the quality and depth of the collected attack data

Recommendation: HP TippingPoint IP & DNS Reputation Services

Reference: Improved network security with IP and DNS reputation, business white paper by HP TippingPoint Solutions

Page 15

whitehat ‘People’

About whitehat ‘People’

whitehat ‘People’ is an ‘open consortium’ of national intellects devoted to security as their sole intent, trained and specialized in conceiving solutions in all areas of our technical consulting services. whitehat ‘People’ produces white papers for the industry, presents at symposiums, technology and business conferences nationwide, and provides "thought leadership" for next-generation technologies which are currently being deployed in a rapidly changing and fluid market place. The members include security researchers and consultants who are up to date with developments in technology from hardware and software vendors, to ensure they are leading, and not following, the market. whitehat ‘People’ adheres to the following ideals:

1. "Help government and industry maximize the value of information security in information technology."

2. "Deliver leading-edge information technology and services, support, training and education."

3. "Function as a strategic arm for the clients by leveraging new concepts to support strategic goals and conceptual plans."
