27-04-2011, 09:44 AM
Presented by:
Pratik Jain
Keywords:
1) IP Spoofing Attack-
• A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host.
2) IP Traceback-
• Allows the victim to identify the origin of attackers
• Several approaches:
-ICMP
-Packet Marking
-Hash-based Traceback
-Using DNS Logs against Bots (proposed)
3) DNS Logs-
• It contains a list of IP addresses of host machines.
4) Bots-
• A remote-controlled software program that acts as an agent for a user.
• Bots can be doing clandestine things even when the computer owner thinks the computer is inactive.
5) Command & Control Server (C&C Server)-
• It is a special kind of server that controls the bot-infected hosts.
1.INTRODUCTION
• Source IP spoofing attacks are sent from bot-infected hosts that are controlled via command and control (C&C) servers.
• Bot IP addresses can be tracked using the DNS query logs that conventional DNS servers can output.
• Because many types of bot retrieve IP addresses from the FQDNs of the victim at the beginning of communication, we can track the bots from the DNS query logs.
• The proposed scheme checks the logs from the destination DNS server back to the source DNS server (generally called a resolver), in order to extract the IP addresses of the bots.
2.INVESTIGATION OF BOT COMMUNICATION PATTERN
• A bot is controlled by C&C servers and sends attack packets to the victim hosts.
• We have collected 44 kinds of bot code using the honeypot and infected a virtual machine. 37 kinds of bot communicated with outside hosts, while the other 7 kinds of bot were not active on the virtual machine.
• Fig 1 shows a bot communication pattern whereby DNS queries are extracted between the bot and the primary DNS server.
• The bot sent recursive DNS queries that retrieved 4 kinds of FQDN, which included both the victim hosts and the C&C servers.
• Figure 2 shows an example of a DNS query pattern from a spam-mail bot. The spam-mail bot turned into a DNS resolver and sent DNS queries to retrieve the MX records of each domain.
• Fig 3 shows a screen shot of the communication pattern visualizer that depicts the communication pattern between the bot and the DNS servers shown in Figure 2.
• The spam-mail bot accessed many domain DNS servers in order to retrieve the MX records.
• 29 kinds of bot sent DNS queries in order to resolve the IP addresses of the victim hosts, while all 37 kinds of bot sent DNS queries to resolve the IP addresses of the C&C servers.
• Following the DNS queries, the bot communicates with the victim hosts and the C&C servers.
3.IP TRACEBACK USING DNS LOGS AGAINST BOTS
Assumption- The attacker retrieves the IP address from the DNS server before sending spoofing packets.
A. Review of the DNS Query Model:-
As shown in Figure 4, the source host sends a recursive query packet to a source DNS server in order to retrieve the IP address of the FQDN.
The source DNS server acts as a resolver and resolves the FQDN by walking the DNS tree.
Figure 5 shows an example of the source DNS log. The log records the IP address of the source host linked with the destination FQDN.
B. IP Traceback for Regular Recursive DNS Query:-
We propose an IP tracking scheme in which the source DNS server cooperates with the destination DNS server, as shown in Figure 6.
Tags “I,…,IV” represent the same procedures as shown in Figure 4, while the proposed IP tracking procedures are as in Figure 6.
C. IP Traceback for Forwarding DNS Query:-
Several source DNS servers are configured for DNS forwarding. In that case a forwarder DNS server, rather than the source DNS server itself, acts as the DNS resolver.
In this case, the DNS query log of the destination DNS server records the IP address of the forwarder DNS server instead of the source DNS server. Thus, there is a need to track additional hops to the source DNS server. Figure 8 shows the tracking model using three DNS server logs.
4.EVALUATION
A. End-to-End Tracking Success Rate:-
In a conventional IP tracking scheme, the end-to-end tracking success rate is calculated as the success rate per hop raised to the power of the number of hops.
In the proposed IP tracking scheme, the end-to-end tracking success rate is calculated as the square of the success rate per hop times the DNS query rate of the bot.
Figure 12 shows the end-to-end tracking success rate versus the tracking hop length. Here, the success rate per hop is p=0.9.
The end-to-end tracking success rate of the conventional scheme decreases quickly, because it falls as a power of the per-hop success rate.
On the other hand, the end-to-end tracking success rates of the proposed scheme are constant at more than 2 hops. At 15 hops, the end-to-end tracking rates of the conventional scheme, the proposal with DNS query rate = 0.55, and the proposal with DNS query rate = 1.00 are about 0.20, 0.45, and 0.81, respectively.
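The following is an added example (not the paper's or presenter's code) that walks the log chain from Section 3 and evaluates the success-rate formulas from Section 4. The logs, IP addresses, timestamps and the `max_hops` limit are all constructed assumptions; each DNS server's log is modelled as (client IP, queried FQDN, timestamp) records, with the forwarding case of Section 3.C covered by a resolver whose "client" is another DNS server.

```python
# Constructed sample logs (assumed format: client_ip, fqdn, unix_time).
# Destination DNS = authoritative server for the victim's zone. Its clients are
# resolvers (or forwarders), never the bots themselves.
DEST_DNS_LOG = [
    ("198.51.100.5", "www.victim.example", 100),  # ordinary source resolver
    ("203.0.113.9", "www.victim.example", 103),   # forwarder in front of a source DNS
    ("198.51.100.5", "mail.victim.example", 104), # different FQDN, not relevant
]
# Logs obtained from cooperating resolvers, keyed by the resolver's own IP.
RESOLVER_LOGS = {
    "198.51.100.5": [("10.0.0.23", "www.victim.example", 99),
                     ("10.0.0.7", "mail.other.example", 98)],
    "203.0.113.9":  [("203.0.113.50", "www.victim.example", 102)],  # forwarder -> source DNS
    "203.0.113.50": [("192.0.2.77", "www.victim.example", 101)],    # source DNS -> bot
}


def trace_bots(victim_fqdn, attack_time, window, dest_log, resolver_logs, max_hops=3):
    """Return the set of host IPs that resolved victim_fqdn shortly before the attack.

    Starts at the destination DNS log and follows each client IP into that
    server's own log (Section 3.B); a client that is itself a DNS server is
    followed one more hop (Section 3.C). A client with no log is treated as an
    end host, i.e. a bot candidate. Queries are kept only if they fall inside
    [attack_time - window, attack_time], since the bot resolves before attacking.
    """
    def in_window(ts):
        return attack_time - window <= ts <= attack_time

    frontier = [(ip, 0) for ip, fqdn, ts in dest_log
                if fqdn == victim_fqdn and in_window(ts)]
    bots = set()
    while frontier:
        ip, hops = frontier.pop()
        if ip not in resolver_logs or hops >= max_hops:
            bots.add(ip)  # no further log to follow: reported as the tracked host
            continue
        for client_ip, fqdn, ts in resolver_logs[ip]:
            if fqdn == victim_fqdn and in_window(ts):
                frontier.append((client_ip, hops + 1))
    return bots


def conventional_success(p, hops):
    """Conventional per-router traceback: p raised to the number of hops."""
    return p ** hops


def proposed_success(p, dns_query_rate):
    """Proposed scheme: two DNS log hops times the fraction of bots that query DNS."""
    return p ** 2 * dns_query_rate
```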