2025-04-03 Update From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 06/01 Report
This article introduces the DNS detection features used by BotDAD and the installation and use of the tool. Many people are unsure about both, so the editor consulted the available material and put together a simple, workable procedure; the theory in the first part is paired with a hands-on walkthrough in the second.
I. Covert communication based on DNS
Enterprise networks are constantly threatened by attackers stealing valuable and sensitive data. Sophisticated attackers increasingly use DNS channels to exfiltrate data and to maintain tunnelled C&C (command and control) communication with their malware. DNS is a service that almost every application depends on: any communication from a local computer to the Internet (other than traffic addressed to static IPs) relies on name resolution, and restricting DNS traffic risks cutting off legitimate remote services. Corporate firewalls are therefore typically configured to allow all packets on UDP port 53 (the DNS port), so DNS traffic usually crosses the corporate boundary without deep inspection or state tracking. From the attacker's point of view this makes the DNS protocol a covert channel for data leakage.
One way for an attacker to exploit DNS is to register a domain (for example fengrou2019.club) so that malware on the victim host can encode valuable private information (credit card numbers, login passwords, intellectual property) into DNS requests of the form arbitrary-string.fengrou2019.club. The resolvers of the global domain name system forward such a request to the authoritative server for fengrou2019.club (under the attacker's control), which in turn sends a response back to the victim host. This gives the attacker a low-bandwidth but covert two-way channel between the victim host and the command and control centre. Note that this works even when the firewall allows only the internal resolver, not the workstations, to reach the Internet on port 53: the resolver carries the query to the attacker's authoritative server on the host's behalf. The figure shows the flow of a bot returning secret information after receiving a control command.
DNS's ability to pass through the firewall gives the attacker a covert, if slow, channel through which private data can be leaked and communication with malware maintained by tunnelling other protocols (for example SSH or FTP) to the command and control centre. Modern malware and network attacks rely heavily on DNS, which makes their activity reliable and hard to trace. For example, the remote access Trojan DNSMessenger, discovered in 2017, uses DNS queries and responses to execute malicious PowerShell commands on infected hosts.
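As an added illustration (not from the original article or from BotDAD), the following Python 3 code shows how the arbitrary-string.fengrou2019.club encoding described above works on both ends: the infected host chunks a payload into base32 labels under the attacker's domain, respecting the 63-octet label and 253-character name limits, and the attacker's authoritative server reassembles the chunks from the query names it receives. The payload, the domain and the chunk size are constructed for the demonstration; the code only builds and parses names and sends no packets. The response direction (commands carried back in answer records) is not implemented.

```python
# Added example (not from the article or BotDAD): how a payload is chunked into
# DNS query names of the form <labels>.fengrou2019.club and reassembled by the
# attacker-controlled authoritative server. Pure computation: no packets are sent,
# and the payload and domain are constructed for the demonstration.
import base64
from typing import Dict, Iterable, List

MAX_LABEL = 63   # RFC 1035: a single label may be at most 63 octets
MAX_NAME = 253   # longest presentation-format name that fits the 255-octet wire limit


def b32_label_text(data: bytes) -> str:
    # Base32 (a-z, 2-7) is case-insensitive and valid in hostnames; padding is dropped.
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def b32_decode_text(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_payload(data: bytes, domain: str, chunk_bytes: int = 30) -> List[str]:
    """Infected-host side: each chunk becomes one query name s<seq>.<base32>.<domain>.

    The s<seq> label lets the receiver reorder chunks, because queries may arrive
    out of order or be retried by intermediate resolvers.
    """
    names = []
    for seq, off in enumerate(range(0, len(data), chunk_bytes)):
        text = b32_label_text(data[off:off + chunk_bytes])
        labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
        name = ".".join([f"s{seq}", *labels, domain])
        if len(name) > MAX_NAME:
            raise ValueError("chunk_bytes too large for the domain name length limit")
        names.append(name)
    return names


def decode_qnames(qnames: Iterable[str], domain: str) -> bytes:
    """Authoritative-server side: collect chunks for our domain, ignore everything else."""
    suffix = "." + domain.lower()
    chunks: Dict[int, bytes] = {}
    for qname in qnames:
        qname = qname.lower().rstrip(".")
        if not qname.endswith(suffix):
            continue                       # unrelated query, e.g. a legitimate lookup
        labels = qname[: -len(suffix)].split(".")
        if not labels[0].startswith("s") or not labels[0][1:].isdigit():
            continue                       # under our domain but not a chunk name
        chunks[int(labels[0][1:])] = b32_decode_text("".join(labels[1:]))
    return b"".join(chunks[k] for k in sorted(chunks))


if __name__ == "__main__":
    secret = b"user=alice;pass=hunter2;card=4111111111111111"   # constructed sample
    queries = encode_payload(secret, "fengrou2019.club")
    for q in queries:
        print(q)   # every query is a never-before-seen name under one registered domain
    assert decode_qnames(queries, "fengrou2019.club") == secret
```

Each chunk produces a unique, high-entropy subdomain of a single registered domain; that is exactly the pattern the per-host features in the next section (distinct requests, requests to a single domain, uniqueness and flux ratios) are built to surface.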
II. DNS detection
Monitoring DNS activity on the network and blocking suspicious domains have proven to be effective techniques against such attacks. Many detection methods have been proposed for analysing DNS traffic to identify malicious network activity, for example DNS tunnel detection using character-frequency analysis.
For an organisation to counter a range of security threats, bot detection at a single enterprise-level point is critical. BotDAD, the DNS detection tool introduced in this article, is deployed at the enterprise network boundary as such a single point of bot detection. By observing each host's DNS fingerprint over a period of time, it looks for hosts whose behaviour deviates from normal domain-name behaviour and so identifies infected hosts.
Taking the BotDAD tool as the example, this article analyses the DNS detection technique that BotDAD uses.
1. DNS detection features
BotDAD statistically analyses 15 DNS behaviour features per host. They are listed below by number, feature and description:
P1 Number of DNS requests per hour. Infected bots tend to send more requests per hour than normal hosts.
P2 Number of distinct DNS requests per hour. Hosts infected with DGA malware tend to issue more distinct requests than ordinary hosts.
P3 Maximum number of requests for a single domain. Helps detect DNS tunnels, in which sensitive information is transmitted over the DNS protocol.
P4 Average requests per minute. Used to detect malware-infected computers that do not send DNS requests in short bursts but use sleep intervals and send DNS requests periodically. It is calculated by dividing the number of requests sent by the host by the duration for which the host is active and using the DNS service.
P5 Maximum requests per minute. Helps detect bots infected with malware that uses many domains produced by a domain generation algorithm (DGA) to communicate with C&C servers in short bursts of DNS requests.
P6 Number of MX record queries. A strong indicator of spam-based botnets in the network.
P7 Number of PTR record queries (reverse lookups from IP address to domain name). Helps detect hosts with abnormal behaviour in the network and possible infections.
P8 Number of different DNS servers queried. Helps detect machines with abnormal behaviour, because it is uncommon for a standard system to query multiple DNS servers.
(TLD: top-level domain; SLD: second-level domain.)
P9 Number of different TLDs requested. Very effective at detecting DGA-based bots, which generate random domains not only with different second-level domains but also with different top-level domains.
P10 Number of different SLDs requested. A strong indication of DGA-based bots in the network.
P11 Uniqueness ratio. The ratio of the number of requests sent to the number of distinct requests sent, computed only for hosts that send at least 1000 requests per hour.
P12 Number of failed (NXDOMAIN) requests. A very strong indicator of host infection in the network. It is the number of responses to the host whose response code equals DNS_RCODE_NXDOMAIN.
P13 Number of different cities of the resolved IP addresses. A strong anomaly indicator, especially when the resolved IP addresses are spread across many cities. The MaxMind GeoIP2 database ("GeoIP2 Databases | MaxMind", 2017) is used to map IP addresses to cities.
P14 Number of different countries of the resolved IP addresses.
P15 Flux ratio. The ratio of the number of distinct requests sent to the number of distinct IP addresses resolved, computed only for hosts that have sent at least 100 queries and received at least 100 responses.
Source-code analysis of BotDAD locates the core class and core function in which the 15 features above are used:
Core class: BotDAD/DnsAnalyser.py, class Network
Core function: BotDAD/DnsAnalyser.py, class Network, method find_anomaly()
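The following Python 3 code is an added example, not BotDAD's own code, that computes per-host features P1 to P12 and P15 from parsed DNS query/response records and applies a simple threshold rule in place of find_anomaly(). Everything beyond the feature definitions above is an assumption for the demonstration: the DnsRecord layout, the constructed sample traffic (a normal workstation, a DGA bot and a DNS-tunnel host in one hour), the RULES thresholds, counting P3 per registered domain (last two labels) so that tunnel subdomains aggregate, and skipping P13/P14, which need the MaxMind GeoIP2 database. The page's 1000-request and 100-query gates for P11 and P15 are kept as the defaults min_uniq and min_flux, so on this small sample those two come back as None unless the gates are lowered.

```python
# Added example (not BotDAD's own code): per-host DNS behaviour features modelled on
# BotDAD's P1-P15, computed from parsed query/response records, plus a threshold rule
# standing in for find_anomaly(). Python 3. The record layout, the sample traffic and
# the RULES thresholds are constructed for this demonstration; P13/P14 need the MaxMind
# GeoIP2 database and are omitted.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DnsRecord:
    ts: float                     # seconds from the start of the capture window
    src: str                      # querying host
    server: str                   # DNS server the query was sent to
    qname: str                    # queried name
    qtype: str                    # "A", "MX", "PTR", ...
    rcode: Optional[int]          # 0 = NOERROR, 3 = NXDOMAIN, None = no response seen
    answer: Optional[str] = None  # resolved IP address, if any


def _labels(name: str) -> List[str]:
    return [l for l in name.lower().rstrip(".").split(".") if l]


def tld(name: str) -> str:
    labels = _labels(name)
    return labels[-1] if labels else ""


def sld(name: str) -> str:
    # Registered domain approximated by the last two labels (no public-suffix list).
    labels = _labels(name)
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def host_features(records, host, window_hours=1.0, min_uniq=1000, min_flux=100):
    """P1-P12 and P15 for one host. min_uniq/min_flux are the page's 1000/100 gates."""
    qs = [r for r in records if r.src == host]
    n = len(qs)
    names = Counter(r.qname.lower() for r in qs)
    distinct = len(names)
    ts = [r.ts for r in qs]
    active_min = max((max(ts) - min(ts)) / 60.0, 1.0) if ts else 1.0  # P4 denominator
    per_minute = Counter(int(t // 60) for t in ts)
    per_sld = Counter(sld(r.qname) for r in qs)  # P3 per registered domain (assumption)
    responses = sum(r.rcode is not None for r in qs)
    resolved = {r.answer for r in qs if r.answer}
    return {
        "P1": n / window_hours,
        "P2": distinct / window_hours,
        "P3": max(per_sld.values(), default=0),
        "P4": n / active_min,
        "P5": max(per_minute.values(), default=0),
        "P6": sum(r.qtype == "MX" for r in qs),
        "P7": sum(r.qtype == "PTR" for r in qs),
        "P8": len({r.server for r in qs}),
        "P9": len({tld(q) for q in names}),
        "P10": len({sld(q) for q in names}),
        "P11": n / distinct if n >= min_uniq and distinct else None,
        "P12": sum(r.rcode == 3 for r in qs),
        "P15": (distinct / len(resolved)
                if n >= min_flux and responses >= min_flux and resolved else None),
    }


# Assumed per-window "greater than" thresholds for the demo, not BotDAD's tuned values.
RULES: Dict[str, float] = {"P3": 20, "P6": 2, "P10": 5, "P12": 5}


def score_host(features) -> List[str]:
    return [k for k, limit in RULES.items() if features[k] is not None and features[k] > limit]


def analyse(records, **kw):
    """Map host -> (features, list of fired rules): the shape an anomaly finder needs."""
    out = {}
    for host in sorted({r.src for r in records}):
        f = host_features(records, host, **kw)
        out[host] = (f, score_host(f))
    return out


def sample_records() -> List[DnsRecord]:
    """Constructed one-hour window: a normal workstation, a DGA bot and a DNS-tunnel host."""
    recs = []
    for i, name in enumerate(["www.example.com", "mail.example.com", "www.example.com", "cdn.example.net"]):
        recs.append(DnsRecord(i * 300, "10.0.0.5", "10.0.0.1", name, "A", 0, "93.184.216.34"))
    dga = ["qzkfhwe", "mxpqlv", "tkwerjo", "vbnzxq", "plmokn", "asdqwe", "zxcvbn", "poiuyt"]
    for i, label in enumerate(dga):  # random-looking names over four TLDs, mostly NXDOMAIN
        rcode = 0 if i < 2 else 3
        answer = f"198.51.100.{i}" if rcode == 0 else None
        recs.append(DnsRecord(60 + 5 * i, "10.0.0.9", "10.0.0.1",
                              f"{label}.{['com', 'net', 'org', 'info'][i % 4]}", "A", rcode, answer))
    for i in range(60):  # 60 unique subdomains of one attacker domain, all answered
        recs.append(DnsRecord(120 + i, "10.0.0.12", "10.0.0.1",
                              f"{i:08x}.fengrou2019.club", "A", 0, "203.0.113.7"))
    return recs


if __name__ == "__main__":
    for host, (feats, fired) in analyse(sample_records()).items():
        print(host, {k: feats[k] for k in ("P2", "P3", "P10", "P12")}, "flags:", fired)
```

On the constructed sample the DGA host trips P10 and P12 (many distinct SLDs, many NXDOMAIN responses) and the tunnel host trips P3 (one registered domain queried 60 times under 60 different names), while the workstation trips nothing. In a real deployment the thresholds would be derived from the population of hosts rather than fixed, which is what BotDAD's find_anomaly() does with the same feature vector.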
2. Installation and use of BotDAD
2.1 Installation:
Python version: Python 2.7
System environment: Windows
Packages to install beforehand:
2.2 Dataset preparation:
BotDAD takes a PCAP of DNS traffic as input. There are three ways to prepare one:
2.2.1 Capture, filter, slice
(1) Capture packets with Wireshark.
(2) Keep only the DNS packets (tshark, read filter -Y dns, written back as pcap):
tshark.exe -r "input.pcap" -F pcap -Y dns -t ad -w "big.pcap"   (Windows)
or
tshark -r "input.pcap" -F pcap -Y dns -t ad -w "big.pcap"   (Linux)
(3) Slice the filtered capture into one-hour files (editcap -i is seconds per output file; the output name is used as the prefix and editcap numbers the files):
editcap.exe -F pcap -i 3600 "big.pcap" "slice.pcap"   (Windows)
or
editcap -F pcap -i 3600 "big.pcap" "slice.pcap"   (Linux)
2.2.2 Ready-made capture: 20160421_150521.pcap
Provided by Manmeet Singh (author of the BotDAD paper); it can be used directly.
Link: https://drive.google.com/file/d/14cRY6aEQz_xVsfySBb4Ik6mPYDLoIc88/view?usp=sharing
2.2.3 Ready-made dataset: campus DNS network traffic
The dataset is provided by the author of the BotDAD paper.
It consists of campus DNS traffic from a network of more than 4000 active users (during peak load hours), captured on 10 random days between April and May 2016 and provided as hourly PCAP files.
(Currently only Day0 (full) and Day1 (partial) have been uploaded because of a 10 GB limit on the dataset.)
The dataset link is: https://data.mendeley.com/datasets/zh4wnddzxy/1
2.3 Problems before use and their solutions:
2.3.1 Package import problem
After downloading BotDAD, running main.py directly fails with an import error (shown in the screenshot).
The error is raised in PcapParser, and the BotDAD open-source project ships only the compiled PcapParser.pyc, so the .pyc has to be decompiled first. This article uses uncompyle for the decompilation.
The decompiled PcapParser.py was checked in a Python 2 command-line environment, and the problem was located in its handling of inet_ntop.
2.3.2 Solution
Looking at the API of win-inet-pton (the package that supplies inet_pton/inet_ntop on Windows), the way it expects inet_ntop to be used differs from what the code does.
Searching the decompiled PcapParser.py for inet_ntop finds only two occurrences:
one is the import at the top of the file;
the other is the actual call, which already matches the win-inet-pton API.
So the fix is to modify the import in PcapParser.py and then run BotDAD with the decompiled PcapParser.py in place of PcapParser.pyc:
Before the modification, the original inet_ntop import (shown in the screenshot);
after the modification, win_inet_pton is imported directly, which makes inet_ntop available through the socket module.
With the replacement done, main.py runs successfully (shown in the screenshot) and the problem is solved.
As soon as it starts, it first generates three files in the directory one level above main.py.
Execution takes a long time, about 7 minutes (console output shown in the screenshot).
2.4 Using BotDAD
The commands accepted by BotDAD are summarised in the screenshot; the ones exercised here are:
2.4.1 l command
Lists the hosts. With the l command, the host list here contains 571 hosts.
2.4.2 m command
Enter an IP address from the host list; nothing is returned on the console, and a file is generated in the same directory as main.py.
2.4.3 p command
Generates an image plotting the DNS query timeline of the host.
2.4.4 d and D commands
The number shown after the host IP corresponds to the number in the last column of the host list.
The D command saves what the d command displays.
Using the D command (output shown in the screenshot).
2.4.5 h command
Saving may be slow. After a long wait it generates an HTML file in the directory one level above main.py.
2.4.6 x command
Exports to .csv (comma-separated values). It generates the .pcap.csv file in the directory one level above main.py.
2.4.7 F command
Many hosts are listed, indicating that a large number of hosts requested www.google.com.
Searching for the unusual domain that corresponds to the data in the earlier d command screenshot:
2.4.8 f command
2.4.9 Q command
This concludes the discussion of BotDAD's DNS detection features and of its installation and use. Pairing the theory with the hands-on steps is the best way to learn it, so try it on one of the datasets above.