Anomaly-based Behavior
Analysis of DNS traffic
Hamid Alipour , Salim Hariri,
Youssif Al-Nashif
NSF Center for Cloud and
Autonomic Computing
The University of Arizona
nsfcac.arizona.edu
Cloud Computing
Domain Name System
DNS Message Format
Query
Response
Weak Authentication
• A: Address
• NS: Name Server
• SOA: Start Of Authority
• MX: Mail eXchange
• CNAME: Canonical NAME
• PTR: domain name PoinTeR
• …
Header
Query:
Response:
Query-Response Relation
– Same Port
– Same ID
– Same Question section
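The three-part relation listed above is the check a resolver applies before it trusts a reply. The following added example (not code from the slides or their authors) builds constructed DNS query and response messages, parses the header and question section, and accepts a response only when port, ID and question section all match a pending query. Message builder, field names and port numbers are assumptions made for the illustration.

```python
import struct

# All messages below are constructed for this example; no real traffic is involved.


def build_message(msg_id, qname, is_response=False, answer_ip=None, qtype=1, qclass=1):
    """Build a minimal DNS message: 12-byte header, one question, optional single A answer."""
    flags = 0x8180 if is_response else 0x0100   # QR bit set on responses; RD set on both
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", msg_id, flags, 1, ancount, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode("ascii") for label in qname.split("."))
    question += b"\x00" + struct.pack("!HH", qtype, qclass)
    answer = b""
    if answer_ip:
        # Compression pointer to offset 12 (the question name), type A, class IN, TTL 300, rdlength 4
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answer += bytes(int(octet) for octet in answer_ip.split("."))
    return header + question + answer


def parse_message(data):
    """Parse the header and the first question section of a DNS message."""
    msg_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", data[:12])
    offset, labels = 12, []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
    return {
        "id": msg_id,
        "is_response": bool(flags & 0x8000),
        # Question section compared case-insensitively on the name, plus type and class
        "question": (".".join(labels).lower(), qtype, qclass),
    }


class OutstandingQueries:
    """Queries a resolver has sent, keyed by (source port, ID), as the slide's relation requires."""

    def __init__(self):
        self.pending = {}

    def send_query(self, src_port, data):
        msg = parse_message(data)
        self.pending[(src_port, msg["id"])] = msg["question"]

    def accept_response(self, dst_port, data):
        """Return True only if port, ID and question section all match one pending query."""
        msg = parse_message(data)
        if not msg["is_response"]:
            return False
        key = (dst_port, msg["id"])
        expected = self.pending.get(key)
        if expected is None or expected != msg["question"]:
            return False
        del self.pending[key]   # one answer per query; a later duplicate is rejected
        return True


if __name__ == "__main__":
    resolver = OutstandingQueries()
    resolver.send_query(5353, build_message(900, "target.com"))
    print("wrong ID accepted?", resolver.accept_response(5353, build_message(1002, "target.com", True, "20.20.20.1")))
    print("matching reply accepted?", resolver.accept_response(5353, build_message(900, "target.com", True, "10.10.10.10")))
```

A reply that matches only the ID, only the port, or only the question is rejected; only a reply matching all three, and arriving before the genuine one, is cached, which is why the ID match is the narrow window that the cache-poisoning slides describe.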
DNS Security Issues
The DNS (Domain Name System) is one of the core services in the Internet and serves many other Internet services (Web, email, VoIP).
There are other services that use domain names as their authentication mechanism (e.g. Berkeley r-commands, VoIP) and thus can also be affected by DNS attacks.
We still use the system that was designed in the 1980s. Since performance of the DNS protocol was very important in the 1980s, security issues were completely ignored. Security was also not as big a deal in the 1980s as it is today.
DNS threats are growing. Some important ones are DNS cache poisoning, DNS amplification and … .
DNS Cache Poisoning
Step 1: Bad guy sends a DNS query to the Victim NS.
Steps 2a, 3, 4, 5, 6, 7: The normal iterative name resolution by the Victim NS.
Step 2b: Bad guy starts flooding the victim with forged DNS reply packets. If one of the flooded packets hits the QID before the original response (step 5), the Victim NS will cache it (cache is poisoned!!!!).
[Diagram: Root, .Com, ns1.target.com, www.target.com (10.10.10.10), Victim NS, Bad Guy, fake.target.com; steps 1, 2a, 2b, 3, 4, 5, 6, 7, 8]
Message labels: 1 ID:900, target.com?, Q(A); ID:1000, Ask .com, R(NS); ID:1001, Ask ns1.target.com, R(NS); 8 ID:900, 10.10.10.10, R(A)
Victim NS queries: ID:1000, target.com?, Q(A); ID:1001, target.com?, Q(A); ID:1002, target.com?, Q(A)
Flooded replies: ID:1002, 20.20.20.1, R(A); ID:2002, R(A); ID:1002, R(A); ID:4040, R(A)
Message-type sequence, normal resolution: Q(A) Q(A) R(NS) Q(NS) R(NS) Q(A) R(A) R(A)
Message-type sequence, under attack: Q(A) Q(A) R(NS) Q(NS) R(NS) Q(A) R(A) R(A) R(A) R(A) R(A)
Success!!! Cache Poisoned
Attacker should hit the ID
DNS Amplification
Step 1: Signal the hired BotNet.
Step 2: The bots send the same query to a recursive NS while spoofing the Victim IP as the source IP.
Steps 3, 4, 5, 6, 7, 8: The NS resolves the queried name.
Step 9: The NS sends the responses to all the queries to the Victim server.
DNS Security Solutions
Secure Protocol
• DNSSEC
• 0x20-bit encoding
• WSEC
• DNSCurve
Intrusion Detection/Prevention System
DNS Behavior Analysis
DNS Behavior Anomaly Detection
Cache Poisoning Example
Anomaly Score Distribution
We used 7 days of normal traffic as well as 30 minutes of burst attack traffic to compute the anomaly score distribution for each traffic class. With an anomaly threshold between 10 and 50, the normal and abnormal classes can be easily differentiated.
How much training is needed?
Because after 7 days the ratio of new n-grams in normal traffic is stable and low, we can expect a well-trained model.
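The slides describe the method (n-grams over sequences of DNS message types, a threshold on the anomaly score, and the ratio of new n-grams as a measure of training convergence) without giving formulas. The added example below, which is not the authors' code, makes those pieces concrete: the model is a table of n-grams seen in normal traffic, the anomaly score is taken to be the percentage of a sequence's n-grams never seen in training (an assumption), and the new n-gram ratio is tracked per training "day". The traffic is constructed from the message-type sequences on the cache-poisoning diagram, and 3-grams are used so the numbers can be checked by hand; the slides used 7-grams over real traffic.

```python
from collections import Counter


def ngrams(tokens, n):
    """Sliding window of n consecutive message-type tokens."""
    return [tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)]


class NgramModel:
    """Frequency table of n-grams observed in normal DNS message-type sequences."""

    def __init__(self, n):
        self.n = n
        self.seen = Counter()

    def train(self, tokens):
        """Add one sequence; return (new n-grams, total n-grams) so the new n-gram ratio can be tracked."""
        grams = ngrams(tokens, self.n)
        new = sum(1 for g in grams if g not in self.seen)
        self.seen.update(grams)
        return new, len(grams)

    def score(self, tokens):
        """Anomaly score in percent: share of the sequence's n-grams never seen in training (assumed definition)."""
        grams = ngrams(tokens, self.n)
        if not grams:
            return 0.0
        unseen = sum(1 for g in grams if g not in self.seen)
        return 100.0 * unseen / len(grams)


# Constructed normal traffic: one list of message-type sequences per training "day".
NORMAL_DAYS = [
    [["Q(A)", "Q(A)", "R(NS)", "Q(NS)", "R(NS)", "Q(A)", "R(A)", "R(A)"],   # iterative resolution (slide diagram)
     ["Q(A)", "R(A)"]],                                                      # cache hit
    [["Q(MX)", "Q(MX)", "R(MX)", "R(MX)"],                                   # forwarded MX lookup
     ["Q(A)", "Q(A)", "R(A)", "R(A)"]],                                      # forwarded A lookup
    [["Q(A)", "Q(A)", "R(NS)", "Q(NS)", "R(NS)", "Q(A)", "R(A)", "R(A)"],
     ["Q(A)", "R(A)"]],
]

# Constructed attack traffic: the same resolution followed by a burst of extra replies,
# as on the slide's "under attack" sequence.
ATTACK_SEQ = ["Q(A)", "Q(A)", "R(NS)", "Q(NS)", "R(NS)", "Q(A)", "R(A)", "R(A)", "R(A)", "R(A)", "R(A)"]


def train_by_day(days, n=3):
    """Train day by day; return the model and the per-day ratio of new n-grams."""
    model = NgramModel(n)
    ratios = []
    for day in days:
        new = total = 0
        for seq in day:
            seq_new, seq_total = model.train(seq)
            new += seq_new
            total += seq_total
        ratios.append(new / total if total else 0.0)
    return model, ratios


def is_anomalous(score, threshold=10.0):
    """Flag a sequence whose anomaly score exceeds the threshold (slides: 10 to 50 separates the classes)."""
    return score > threshold


if __name__ == "__main__":
    model, ratios = train_by_day(NORMAL_DAYS)
    print("new n-gram ratio per day:", ratios)          # falls to 0.0 once the traffic repeats
    print("normal score:", model.score(NORMAL_DAYS[0][0]))
    print("attack score:", model.score(ATTACK_SEQ), "anomalous:", is_anomalous(model.score(ATTACK_SEQ)))
```

The per-day ratio falling toward zero is the signal the slide uses to decide that training has converged; the attack sequence scores above the threshold only because the run of repeated R(A) messages never appears in normal traffic, which is exactly the sequential structure the approach relies on.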
Detection and false positive
ROC curve comparing different n-grams
(Trained and tested on the same deployment site)
ROC curve for different n-grams
(Trained on DNS-CAC and tested on DARPA99)
Conclusion
The DNS protocol shows a sequential behavior.
Using 7-grams we could detect different DNS attacks with high accuracy and less than 0.1% false positives.
We are trying to build a more comprehensive model which can be deployed in different sites with just one-time training.