Contents

I. Background
II. Introduction of DNS Sinkhole
III. How to Build up DNS Sinkhole
IV. Epilogue
I. Background

Malware in Korea

[Figure: threat level of malware in Korea, 2006, by category: malicious bot, phishing, virus, ad/spyware.]
A botnet is the cyber army of the attacker: many zombies + strong control.
[Figure: DNS sinkhole overview. Zombie PCs resolve the C&C name through the ISP DNS; the sinkholed answer redirects the zombies' C&C connection to the sinkhole, where the control system observes it. Labels: zombie C&C resolution, control system, sinkhole connection, Internet, zombie PCs, ISP DNS.]
1. Collecting botnet C&C information
2. Applying the DNS RR in the ISPs' DNS servers
3. Botnet monitoring and response
Sinkhole connection log (excerpt): timestamp, protocol, port (6667 is the standard IRC port, 80 is HTTP)

    2006-04-06 00:17:16  TCP  6667
    2006-04-06 05:00:43  TCP  80
    2006-04-06 18:58:00  TCP  80
    2006-04-06 21:04:54  TCP  55166
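The monitoring step needs the sinkhole's connection log to be parsed and summarized. The following is an added example, not KrCERT's own tooling: it parses lines in the format shown above, drops malformed input, and counts hits per C&C transport and per hour. The first four sample lines are the slide's own; the fifth is constructed to show that bad input is skipped. The port-to-label mapping is an assumption based on the standard IRC and HTTP ports.

```python
"""Parse and summarize DNS-sinkhole connection log lines of the form
"2006-04-06 00:17:16 TCP 6667". Added example; not the original tooling."""
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# Sample input: the first four lines are from the slide, the last is constructed.
SAMPLE_LOG = """\
2006-04-06 00:17:16 TCP 6667
2006-04-06 05:00:43 TCP 80
2006-04-06 18:58:00 TCP 80
2006-04-06 21:04:54 TCP 55166
garbage line that should be ignored
"""

# Assumption: label ports by the service normally found on them.
PORT_LABELS = {6667: "IRC C&C", 80: "HTTP C&C"}


class Hit(NamedTuple):
    when: datetime
    proto: str
    port: int


def parse_line(line: str) -> Optional[Hit]:
    """Return a Hit for a well-formed line, None for anything else."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        port = int(parts[3])
    except ValueError:
        return None
    if not 0 < port < 65536:
        return None
    return Hit(when, parts[2].upper(), port)


def parse_log(text: str) -> List[Hit]:
    return [h for h in map(parse_line, text.splitlines()) if h is not None]


def label(port: int) -> str:
    return PORT_LABELS.get(port, "other/unknown")


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count sinkhole hits per C&C transport label."""
    return dict(Counter(label(h.port) for h in hits))


def hits_per_hour(hits: List[Hit]) -> Dict[int, int]:
    """Count hits by hour of day, to see when zombies check in."""
    return dict(Counter(h.when.hour for h in hits))


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    for name, count in summarize(hits).items():
        print(f"{name:14} {count}")
    print("per hour:", hits_per_hour(hits))
```

On the slide's four lines this yields one IRC hit, two HTTP hits and one hit on an unusual high port, the kind of entry worth a closer look since it matches no known C&C transport.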
Zone file for the sinkhole (fragment):

    ;; Omitted
    ;; Server
    @    IN    xxx.xxx.xxx.10

4. Tell the name server to read in the new zone file (once a day):

    $ rndc reconfig

rndc reconfig re-reads named.conf and loads zones that were newly added; it does not reload the contents of zones that already exist (rndc reload does that).
Role of ISPs

- Download the DNS RR file (forward_black.conf)
- Reconfigure the name server

Consideration

- A DNS RR must not be duplicated (the same C&C domain listed twice); otherwise the name server may fail with an error when it loads the configuration.
- Reconfiguring the name server takes 1~2 seconds.
IV. Effect

Bot-infected computers by country (share of infected computers; countries other than Korea anonymized as A-L)

    Rank   2nd half 2005   1st half 2006   2nd half 2006
    1st    A      26%      C      20%      C      26%
    2nd    B      22%      A      19%      A      14%
    3rd    C       9%      B       7%      D       6%
    4th    D       4%      J       6%      H       6%
    5th    KOREA   4%      D       6%      G       5%
    6th    E       4%      H       4%      B       4%
    7th    F       3%      KOREA   3%      J       4%
    8th    G       3%      G       3%      L       3%
    9th    H       3%      K       3%      K       3%
    10th   I       2%      I       2%      E       2%

Korea fell from 5th place (4%) in the 2nd half of 2005 to 7th (3%) in the 1st half of 2006 and out of the top 10 in the 2nd half of 2006.
V. Epilogue

Need information sharing and international co-response.

[Figure: bot C&C information shared between organizations, each running a DNS sinkhole and a sinkhole server.]
Is our sinkhole server secure?

- A bot herder can detect the sinkhole.
- When a bot herder detects that his bots are sinkholed, he distributes a new bot and builds another botnet. We actually met one bot herder inside our sinkhole network.
- Some bot herders DDoS our sinkhole server.
Need a more proactive response

- Just informing users that they are infected is not enough; they said "so what?"
- Provide tools and services so they can fix their PCs themselves, or fix the infected PCs for them.
- But we must consider our country's law and receive the user's agreement first.
Thank you !!
http://www.krcert.or.kr hcjung@kisa.or.kr