Trapping Botnets by DNS failure graphs: Validation, Extension and Application to a 3G Network
Arian Bär, Antonio Paciello, Peter Romirer-Maierhofer
Telecommunications Research Center Vienna (FTW)
Contact: [email protected]
- 2 -© FTW 2012
Recent Botnet attacks
Dec. 2012 – Eurograbber Bot steals € 36 Million
– Infects PCs and Smartphones, modified version of Zeus
Mar. 2013 – Attack on Spamhaus
– Up to 300 Gbps incoming traffic, using DNS reflection
Apr. 2013 – Attack on WordPress
– 90k distinct IP addresses, approx. 100k Bots
Very common application: Email Spam
Do we have bots in our network?
Botnet Introduction
(figure sequence, slides 3–12; only the labels survived extraction: Zombie hosts, a Botmaster, the Internet, the address 9.9.9.9, the name evil-botnet.com, and the generated names hasdaflv.org, fjruswfx.org, eufoewui.org, pqcfedte.org)
Problem Description and Data
Mobile networks are very attractive for botnets
– Always-on mobile devices with high computational capabilities
Mobile network specific threats
– Cell/Core overload
– Network specific attacks (e.g. malicious calls)
– Steal critical information (e.g. mobile TAN)
Data from a major European mobile operator
– Serving hundreds of thousands of hosts
– 83 days analyzed for botnet tracking
– Provides stable anonymized Mobile Station IDentifier (MSID)
Our Approach
DNS failure graph analysis
– Graph formed by hosts requesting non-existing domain names
– Target: Find botnets using Domain Generation Algorithms (DGA)
– Based on methods presented by Jiang et al. (*)
(*) Nan Jiang, Jin Cao, Yu Jin, L.E. Li, and Zhi-Li Zhang. Identifying suspicious activities through DNS failure graph analysis. In Network Protocols (ICNP), 2010 18th IEEE International Conference on, pages 144–153, October 2010.
(figure: example failure graph with the failed names yotube.com, facebook.con, iluysad.org, kjnnwwx.org)
Adjacency Matrix of Failed DNS Queries
Hamming Distance Reordering
Original Matrix:
1 1 1
0 0 1
1 0 1
Re-ordered Matrix (columns re-ordered):
1 1 1
1 0 0
1 1 0
Apply the same for rows
Approach: Adjacency Matrix Reordering
Matrix reordering according to Hamming distance
X and Y axis are re-ordered separately
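As an added example (not code from the slides or from FTW), the following Python builds the host × domain adjacency matrix of failed DNS queries from a few constructed NXDOMAIN log lines and then re-orders its columns and rows by Hamming distance, covering both the "Adjacency Matrix of Failed DNS Queries" and the "Hamming Distance Reordering" slides. The "msid name rcode" log layout, the greedy nearest-neighbour ordering, the choice of the densest column/row as starting point and the lowest-index tie-break are assumptions; the slides only state that both axes are re-ordered separately by Hamming distance. Run on the 3×3 matrix from the slides it reproduces the re-ordered columns shown there.

```python
"""Added example, not from the FTW slides: build the host x domain
adjacency matrix of failed DNS queries and re-order it by Hamming distance.

Assumptions (not on the page): the "msid name rcode" log line layout,
greedy nearest-neighbour ordering, starting from the densest column/row,
lowest index as tie-break.
"""

# Constructed sample log: one line per DNS answer, "msid name rcode".
SAMPLE_LOG = """\
msid01 yotube.com NXDOMAIN
msid01 iluysad.org NXDOMAIN
msid02 facebook.com NOERROR
msid02 kjnnwwx.org NXDOMAIN
msid02 iluysad.org NXDOMAIN
msid03 facebook.con NXDOMAIN
msid03 iluysad.org NXDOMAIN
msid03 kjnnwwx.org NXDOMAIN
msid04 yotube.com NXDOMAIN
"""


def parse_failures(log_text):
    """Return (hosts, domains, matrix); matrix[i][j] is 1 iff host i got
    NXDOMAIN for domain j. Successful answers do not enter the graph."""
    edges = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "NXDOMAIN":
            continue
        edges.add((parts[0], parts[1].lower()))
    hosts = sorted({h for h, _ in edges})
    domains = sorted({d for _, d in edges})
    matrix = [[1 if (h, d) in edges else 0 for d in domains] for h in hosts]
    return hosts, domains, matrix


def hamming(a, b):
    """Number of positions in which two equal-length 0/1 vectors differ."""
    return sum(x != y for x, y in zip(a, b))


def nearest_neighbour_order(vectors):
    """Greedy ordering: start at the vector with the most ones (assumed
    start rule), then repeatedly append the unplaced vector with the
    smallest Hamming distance to the last placed one."""
    if not vectors:
        return []
    start = max(range(len(vectors)), key=lambda i: (sum(vectors[i]), -i))
    order = [start]
    remaining = [i for i in range(len(vectors)) if i != start]
    while remaining:
        last = vectors[order[-1]]
        nxt = min(remaining, key=lambda i: (hamming(last, vectors[i]), i))
        remaining.remove(nxt)
        order.append(nxt)
    return order


def transpose(matrix):
    return [list(col) for col in zip(*matrix)]


def reorder_matrix(matrix):
    """Re-order columns first, then rows, each by Hamming distance (the
    slides say both axes are re-ordered separately).
    Returns (row_order, col_order, reordered_matrix)."""
    if not matrix or not matrix[0]:
        return [], [], []
    col_order = nearest_neighbour_order(transpose(matrix))
    by_cols = [[row[j] for j in col_order] for row in matrix]
    row_order = nearest_neighbour_order(by_cols)
    return row_order, col_order, [by_cols[i] for i in row_order]


if __name__ == "__main__":
    hosts, domains, m = parse_failures(SAMPLE_LOG)
    rows, cols, r = reorder_matrix(m)
    print("domains:", [domains[j] for j in cols])
    for i, row in zip(rows, r):
        print(hosts[i], row)
```

On the constructed log the three hosts that fail on iluysad.org and kjnnwwx.org end up in adjacent rows with those two domains in adjacent columns, which is the dense block that the DBSCAN step on the next slide would pick up; the lone host that only mistyped yotube.com is pushed to the edge.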
Approach: Cluster Identification
Zoom reveals clusters of hosts and Domain names
Identify clusters by DBSCAN Clustering
Are all those clusters caused by botnets?
(figure: re-ordered matrix with the clusters marked)
Found Clusters
Top 5 identified Clusters in one day
Tracking Clusters
– By active suspicious domain names requested by cluster K
– Utilizing stable MSID
Cluster A (Conficker)
Cluster B (tang0-hote1.com)
Conclusion
We identified bots in a 3G mobile network
Our Approach: Stable MSID
– Robust to IP churn
– Allows tracking of botnet size over long periods of time
– Reveals a possibly much larger botnet size (up to 6 times)
We speculate that botnets are larger than reported by current botnet trackers
Outlook
Study impact of IP churn
– Compare number of different IPs with MSIDs
Combine results from different networks
– Combine data from different data sources
– If a name is suspicious in two networks it is more suspicious
Combine with active domain name analysis
– e.g. with the approach presented by Andreas Berger
Backup - Slides
System Overview
Cluster Tracking
Track clusters by active domain names
Domain Cluster Ratio (DCR)
– Was the name mainly requested by cluster K?
Cluster Internal Ratio (CIR)
– How common was it in cluster K?
Find domains mainly requested by hosts of a cluster
Tracking was applied to the two largest clusters
– Cluster A (Conficker) tracked over 14 days
– Cluster B (tang0-hote1.com) tracked over 83 days
Analyzing Found Clusters
Sort Clusters by distinct Second Level Domains (SLD)
– SLD(D(K)) - number of distinct SLD for Cluster K
– D(K) - number of Domains of Cluster K
Top 5 Clusters according to
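As an added example, not the authors' own implementation, the following Python covers the two backup slides "Cluster Tracking" and "Analyzing Found Clusters": it scores each failed name of a cluster K with a Domain Cluster Ratio and a Cluster Internal Ratio, keeps the names that pass both thresholds as the cluster's active suspicious names, re-counts the cluster on a later day by stable MSID, and computes SLD(D(K)) and D(K). The exact formulas (host counts rather than query counts), the 0.5 thresholds, the input layout (MSID mapped to its NXDOMAIN names) and the two-label reading of "second level domain" are assumptions; the slides give only the question each ratio answers, and the ranking key for the Top 5 is not on the page. The hosts, names and clusters are constructed.

```python
"""Added example, not from the FTW slides: rate the failed names of a
cluster K with a Domain Cluster Ratio (DCR) and a Cluster Internal Ratio
(CIR), keep the names that pass both thresholds as the cluster's active
suspicious names, re-count the cluster on a later day by stable MSID, and
compute SLD(D(K)) and D(K) for the cluster.

Assumptions (not on the page): the formulas use host counts, thresholds
are 0.5, input is MSID -> set of names that returned NXDOMAIN, and the
second level domain is the last two labels (no public-suffix handling).
"""
from collections import defaultdict

# Constructed day-1 failures (MSID -> NXDOMAIN names) and a cluster found
# on that day; m7..m9 are hosts outside the cluster.
DAY1 = {
    "m1": {"x1.aaa.org", "bbb.org", "yotube.com"},
    "m2": {"x2.aaa.org", "bbb.org"},
    "m3": {"x1.aaa.org", "ccc.net"},
    "m7": {"yotube.com"},
    "m8": {"yotube.com"},
    "m9": {"x1.aaa.org", "yotube.com"},
}
CLUSTER_K = {"m1", "m2", "m3"}
# Constructed day-2 failures: m4 and m5 are MSIDs not seen on day 1.
DAY2 = {
    "m1": {"x1.aaa.org"},
    "m4": {"bbb.org"},
    "m5": {"x1.aaa.org", "qqq.org"},
    "m7": {"yotube.com"},
}


def domain_hosts(failures):
    """Invert MSID -> names into name -> set of requesting MSIDs."""
    hosts = defaultdict(set)
    for msid, names in failures.items():
        for name in names:
            hosts[name].add(msid)
    return hosts


def cluster_ratios(failures, cluster):
    """{name: (DCR, CIR)} for each name requested by at least one host of K.
    DCR = hosts of K requesting name / all hosts requesting name
          ("was the name mainly requested by cluster K?")
    CIR = hosts of K requesting name / |K|
          ("how common was it in cluster K?")"""
    ratios = {}
    for name, requesters in domain_hosts(failures).items():
        in_k = requesters & cluster
        if in_k:
            ratios[name] = (len(in_k) / len(requesters), len(in_k) / len(cluster))
    return ratios


def active_names(failures, cluster, min_dcr=0.5, min_cir=0.5):
    """Names that are both specific to K (DCR) and widespread in K (CIR)."""
    return sorted(name for name, (dcr, cir) in cluster_ratios(failures, cluster).items()
                  if dcr >= min_dcr and cir >= min_cir)


def track_cluster(failures, names):
    """MSIDs that requested any tracked name on this day. Because the MSID
    is stable, hosts are counted even when their IP address changed."""
    wanted = set(names)
    return sorted(msid for msid, seen in failures.items() if seen & wanted)


def sld(name):
    """Second level domain as the last two labels (simplification)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sld_stats(failures, cluster):
    """(SLD(D(K)), D(K)): distinct SLDs and distinct names of cluster K."""
    domains = set()
    for msid in cluster:
        domains |= failures.get(msid, set())
    return len({sld(n) for n in domains}), len(domains)


if __name__ == "__main__":
    tracked = active_names(DAY1, CLUSTER_K)
    print("active names of K:", tracked)
    print("day-2 hosts hitting them:", track_cluster(DAY2, tracked))
    print("SLD(D(K)), D(K):", sld_stats(DAY1, CLUSTER_K))
```

The mistyped yotube.com is filtered out by a low DCR (most of its requesters are outside K), and ccc.net by a low CIR (only one cluster host asked for it), so the day-2 count only follows names that characterise the cluster; the two previously unseen MSIDs m4 and m5 are picked up that way, which is the effect the "stable MSID" argument in the Conclusion relies on.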
Outline
Why do we need this
Mobile network data
DNS filtering and labeling
Clustering queries
Describe found clusters
Explain Churn
Show Tracking
Summary
Effect of IP churn
Previous approaches
– Botnet tracking uses IPs to estimate the total size of the botnet
– Many ISPs assign dynamic IPs to hosts (i.e. IP addresses may be shared among different hosts)
Our Approach: Stable MSID
– Reveals a much larger botnet size (up to 6 times)
– Botnets might be larger than expected
– Allows tracking of botnet size over long periods of time
We speculate that botnets are larger than reported by current botnet trackers
Conclusion
Validation of the approach of Jiang et al.
Applied to a larger 3G network
Extended by an efficient DBSCAN cluster identification
5 clusters of suspicious hosts analyzed
2 clusters tracked over a long time
Our study indicates a much larger botnet size