DNS Rebinding Detection Technology Based on Passive DNS Data Analysis

doi:10.3969/j.issn.1671-1122.2021.03.011

Abstract

Abstract:

DNS rebinding attack based on the domain name system (DNS) can effectively bypass the homologous strategy and firewall, steal sensitive information, and control intranet devices, causing great harm to the Internet community. DNS rebinding can only be realized by setting malicious domain name. Aiming at the detection of malicious domain names related to DNS rebinding, this paper proposes a DNS rebinding classifier (DRC) based on passive DNS data analysis. By introducing passive DNS data, the domain names related to DNS rebinding are characterized from the four measure sets of domain name, time, abnormal communication and malicious behavior. Based on C4.5 decision tree, KNN, SVM and naive Bayes classification methods, the data are classified, trained and weighted. Cross validation experiments show that the accuracy of DRC model for identifying related malicious domain names can reach more than 95%. Compared with the malicious domain name detection tool FluxBuster, DRC model can identify related malicious domain names more accurately.

Key words: DNS rebinding, passive DNS, malware domain name detection, mixed classification

CLC Number:

TP309

GUO Xuanzhen, PAN Zulie, SHEN Yi, CHEN Yuanchao. DNS Rebinding Detection Technology Based on Passive DNS Data Analysis[J]. Netinfo Security, 2021, 21(3): 87-95.

Figures/Tables 11

References 20

[1]	HONG Bo, GENG Guanggang, WANG Liming, et al. System to Discover Phishing Attacks Actively Based on DNS[J]. Application Research of Computers, 2013,30(12):3771-3774.
	洪博, 耿光刚, 王利明, 等. 一种基于DNS主动检测钓鱼攻击的系统[J]. 计算机应用研究, 2013,30(12):3771-3774.
[2]	TATANG D, SUURLAND T, HOLZ T. Study of DNS Rebinding Attacks on Smart Home Devices[EB/OL]. https://www.researchgate.net/publication/335243263_Study_of_DNS_Re-bin-ding_At-tacks_on_Smart_Home_De-vices, 2020-01-20.
[3]	JACKSON C, BORTZ A, BONEH D, et al. Protecting Browser State from Web Privacy Attacks [C]//ACM. The 15th International Conference on World Wide Web, May 23-26, 2006, Edinburgh, Scotland, UK. New York: ACM, 2006: 737-744.
[4]	DAI Yunxing, RESIG R. FireDrill: Interactive DNS Rebinding [C]// USENIX. The 7th USENIX Conference on Offensive Technologies, August 13, 2013, Washington, DC, USA. Berkeley: USENIX Association, 2013: 2.
[5]	DORSEY B. Attacking Private Networks from the Internet with DNS Rebinding[EB/OL]. https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325, 2018-06-19.
[6]	Armis. DNS Rebinding Exposes Half a Billion Devices in the Enterprise[EB/OL]. https://www.armis.com/resources/iot-security-blog/dns-rebinding-exposes-half-a-billion-iot-devices-in-the-enterprise/, 2020-01-20.
[7]	F-Secure. Minikube RCE & VM Escape[EB/OL]. https://labs.f-secure.com/advisories/minikube-rce/, 2020-01-20.
[8]	ZHA Chengji. Analysis of Mobile Internet Based on DNS Log[D]. Beijing: Beijing University of Posts and Telecommunications, 2014.
	查诚吉. 基于DNS日志的移动互联网分析[D]. 北京:北京邮电大学, 2014.
[9]	TIAN Shiqi. Implementation and Traffic Analysis of DNS Traffic Collection System[D]. Beijing: Beijing University of Posts and Telecommunications, 2018.
	田世奇. DNS流量采集系统的实现与流量分析[D]. 北京:北京邮电大学, 2018.
[10]	ANTONAKAKIS M, PERDISCI R, DAGON D, et al. Building a Dynamic Reputation System for DNS [C]// USENIX. The 19th USENIX Conference on Security, August 11-13, 2010, Washington, DC, USA. Berkeley: USENIX Association, 2010: 18.
[11]	BILGE L, SEN S, BALZAROTTI D, et al. Exposure: A Passive DNS Analysis Service to Detect and Report Malicious Domains[J]. ACM Transactions on Information and System Security, 2014,16(4):1-28.
[12]	RAHBARINIA B, PERDISCI R, et al. Efficient and Accurate Behavior-based Tracking of Malware-control Domains in Large ISP Networks[J]. ACM Transactions on Privacy and Security, 2016,2016(19):1-31.
[13]	PERDISCI R, CORONA I, GIACINTO G. Early Detection of Malicious Flux Networks via Large-scale Passive DNS Traffic Analysis[J]. IEEE Transactions on Dependable and Secure Computing, 2012,9(5):714-726.
[14]	ZHANG Weiwei, GONG Jian, LIU Shangdong, et al. DNS Surveillance on Backbone[J]. Journal of Software, 2017,28(9):2370-2387.
	张维维, 龚俭, 刘尚东, 等. 面向主干网的DNS流量监测[J]. 软件学报, 2017,28(9):2370-2387.
[15]	WEIMER F. Passive DNS Replication[EB/OL]. https://www.researchgate.net/publication/265577184_Passive_DNS_Replication, 2020-01-20.
[16]	FARID D M, ZHANG Li, RAHMAN C M, et al. Hybrid Decision Tree and Naive Bayes Classifiers for Multi-class Classification Tasks[J]. Expert Systems with Applications, 2014,41(4):1937-1946.
[17]	RISKIQ. RiskIQ PassiveTotal[EB/OL]. https://www.riskiq.com/products/passivetotal/, 2020-01-20.
[18]	circl. lu. CIRCL Passive DNS[EB/OL]. https://www.circl.lu/services/passive-dns/, 2020-01-20.
[19]	ZHOU Changling, CHEN Kai, GONG Xuxiao, et al. Detection of Fast-flux Domains Based on Passive DNS Analysis[J]. Acta Scientiarum Naturalium Universitatis Pekinensis, 2016,52(3):396-402.
	周昌令, 陈恺, 公绪晓, 等. 基于Passive DNS的速变域名检测[J]. 北京大学学报(自然科学版), 2016,52(3):396-402.
[20]	Alexa. The Top 500 Sites on the Web[EB/OL]. https://www.alexa.com/topsites, 2020-01-20.

种类	描述
基于时间变化	同一域名在较短时间内有多个不同IP的DNS解析报文,利用此特点进行DNS重绑定攻击,往往与速变域名相联系
基于A记录	利用从接收到的A记录中解析出的多个IP进行DNS重绑定攻击
基于插件	利用浏览器插件漏洞进行DNS重绑定攻击

正常域名	DNS重绑定相关恶意域名
容易记忆	记忆复杂
域名解析行为正常	域名解析行为异常
域名存活时间长	域名存活时间短
IP解析结果正常	IP解析返回私有IP
网页源码正常	网页源码返回恶意攻击脚本
应答报文TTL值正常	应答报文TTL值偏短

测度集	编号	特征名	描述
域名名称	1	Domain_special	特殊字符
	2	Famous_domain	与著名域名相关
	3	Malware_domain	与恶意域名相关
	4	Num_word	域名字母数量
	5	Num_digit	域名数字数量
	6	Domain_length	域名长度
异常通信	7	NS	域名解析服务器是否正常
	8	Geo_feature	地理位置信息
	9	Num_IP	解析是否对应多个IP
	10	Private_IP	是否为私有IP
时间	11	Survival_time	域名存活时间
	12	Min_TTL	最小TTL值
	13	Max_TTL	最大TTL值
	14	Change_ttl	TTL值变化次数
恶意行为	15	Abnormal_behavior	是否有异常解析行为
恶意行为	16	Flood_behavior	是否有洪泛DNS解析

算法	类别	作用	提取特征
Exposure	决策树	识别僵尸网络相关恶意域名	域名字面特征、资源记录、时间特征等18个特征
Kopis	随机森林	识别恶意域名	请求密度、解析IP声誉等23个特征
Fluxbuster	决策树	识别速变恶意域名	IP地址数量、解析行为等13个特征
DRC	混合分类算法	识别DNS重绑定相关恶意域名	域名名称、时间、异常通信和恶意行为等4个测度集的16个特征