How can we do that?
In the war against Advanced Persistent Threat (APT) malware, some vendors are building new systems to fight APTs. Today we are going to talk about DNS Firewall from Infoblox.
Who are Infoblox?
Infoblox is the DNS, DHCP and IPAM (DDI) market leader. Its appliances are based on BIND DNS.
"Infoblox delivers essential technology to help customers control their networks. Their patented Grid™ technology helps businesses automate complex network control functions to reduce costs and increase security and uptime. Infoblox solutions help over 6,300 enterprises and service providers in 25 countries make their networks more available, secure and automated."
The idea
Since network firewalls blacklist at the IP address level, malware changes its IP addresses hourly using techniques such as "fast flux".
Likewise, since web filters work on exact URLs only, malware circumvents them by changing URLs flexibly within a domain.
Infoblox's idea is to stop or redirect the callback connections when an infected computer makes a DNS request for a known C&C server domain.
Infoblox maintains lists (updated frequently) containing many records of DNS domains that are working for botnet networks.
These are the Malware Data Feeds available for DNS Firewall from Infoblox:
Infoblox advises that we can create a single "view" with all the data feeds, or a maximum of three views using three data feeds. The latter option can have a direct impact on the appliance's performance.
What actions can we take when a domain name related to botnet C&C servers is requested?
- Infoblox can pass the request and log it.
- We can block the request, refusing to answer the query for the malicious domain.
- We can redirect the request to our own server.
Imagine that the Windows computers on your network, or in a remote office, use their Active Directory domain controller as DNS server, and that this domain controller forwards its DNS queries to Infoblox. What happens in this case?
- The infected computer wants to make a callback connection to the C&C.
- The infected computer requests the C&C domain name from its Active Directory DNS server.
- Active Directory does not have this domain in its cache and asks Infoblox for the C&C domain name.
- Infoblox detects that this domain is categorized as malicious and, instead of the real address, answers with the IP of our own server...
- Then we can see the connections from the infected PC in our web server's logs.
What happens if we had blocked the malicious domain name instead?
If we had blocked the domain and sent the log to our syslog, we would only see the request coming from our Active Directory server, and we could not trace the actual compromised computer. (To trace it with the block action you would need the query logs of the Active Directory DNS server itself, since that is the only hop that sees the client's address.)
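To make the three actions and the visibility difference concrete, here is an added example (not Infoblox's code, nor from the whitepaper). Infoblox DNS Firewall is built on BIND's Response Policy Zone (RPZ) mechanism, so the policy is written in RPZ notation: `CNAME .` blocks with NXDOMAIN, `CNAME *.` blocks with an empty (NODATA) answer, `CNAME rpz-passthru.` passes and logs, and an `A` record substitutes our own address. The domain names, the sinkhole address 10.0.0.5, the client addresses and the log lines are all constructed for the example; `parse_rpz`, `lookup` and `simulate_callback` are hypothetical helper names. The simulation walks the chain PC -> Active Directory DNS -> Infoblox described above and returns what each log records.

```python
"""Added example: a minimal simulation of the DNS Firewall actions in BIND
Response Policy Zone (RPZ) notation, and of why the redirect action lets us
identify the infected PC while the block action does not."""

# Constructed RPZ zone fragment (hypothetical names; not an Infoblox feed).
#   CNAME .              -> block, answer NXDOMAIN
#   CNAME *.             -> block, answer NODATA (empty answer)
#   CNAME rpz-passthru.  -> pass the query through (the hit is still logged)
#   A <address>          -> substitute our own address (redirect to sinkhole)
RPZ_ZONE = """\
; owner name           record                ; meaning
cc1.example.           CNAME .               ; block (NXDOMAIN)
*.cc1.example.         CNAME .               ; ...and every subdomain
cc2.example.           CNAME *.              ; block (NODATA)
cc3.example.           A 10.0.0.5            ; redirect to our sinkhole web server
*.cc3.example.         A 10.0.0.5
ok.cc3.example.        CNAME rpz-passthru.   ; exception: pass and log only
"""


def parse_rpz(zone_text):
    """Return {owner_name: (action, data)} from the RPZ zone fragment."""
    policy = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        owner, rtype, rdata = line.split()
        owner = owner.lower()
        if rtype == "CNAME" and rdata == ".":
            policy[owner] = ("NXDOMAIN", None)
        elif rtype == "CNAME" and rdata == "*.":
            policy[owner] = ("NODATA", None)
        elif rtype == "CNAME" and rdata == "rpz-passthru.":
            policy[owner] = ("PASSTHRU", None)
        elif rtype == "A":
            policy[owner] = ("REDIRECT", rdata)
        else:
            raise ValueError(f"unsupported RPZ record: {line}")
    return policy


def lookup(policy, qname):
    """QNAME trigger: exact owner name first, then the closest enclosing
    wildcard (*.cc1.example. covers a.cc1.example. and a.b.cc1.example.)."""
    name = qname.lower().rstrip(".") + "."
    if name in policy:
        return policy[name]
    labels = name.split(".")  # 'a.cc1.example.' -> ['a', 'cc1', 'example', '']
    for i in range(1, len(labels) - 1):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return policy[wildcard]
    return ("PASS", None)  # no policy record: resolve normally


def simulate_callback(policy, qname, pc_ip, ad_ip):
    """Apply the policy as Infoblox would when the AD DNS server forwards the
    query.  The resolver log only ever shows the forwarding AD server; the
    infected PC's address appears only if it then connects to our sinkhole."""
    action, data = lookup(policy, qname)
    resolver_log = f"client {ad_ip}: query {qname} rpz {action}"
    web_log = None
    if action == "REDIRECT":  # PC receives our address and calls it back
        web_log = f'{pc_ip} - - "GET / HTTP/1.1" 200 host={qname} dst={data}'
    return {
        "action": action,
        "resolver_saw": ad_ip,
        "web_saw": pc_ip if web_log else None,
        "resolver_log": resolver_log,
        "web_log": web_log,
    }


if __name__ == "__main__":
    pol = parse_rpz(RPZ_ZONE)
    pc, ad = "192.168.10.25", "192.168.1.10"  # constructed addresses
    for q in ("cc1.example", "cc2.example", "update.cc3.example", "ok.cc3.example"):
        r = simulate_callback(pol, q, pc, ad)
        print(r["resolver_log"], "|", r["web_log"] or "(no connection to our server)")
```

Only the redirected query produces a web server line carrying 192.168.10.25; the blocked ones leave a resolver line whose client is the domain controller, which is exactly the tracing gap described above. One practical consequence: the exception record shows that a passthru entry for a specific name overrides the wildcard block of its parent, so whitelisting inside a blocked domain is possible without dropping the whole entry.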
In the next post, we will talk about our experience in a production environment.
Until then, here is some more information.
Click on the picture to download the whitepaper PDF.
Official link
You can watch the next video in order to gather more info.
There's a free option for DNS firewall or DNS filter which is capable of detecting fast-flux or malware/botnet based on the DNS protocol. It's NxFilter. Super easy to set up with many features like AD integration and policy based on user and group, block by blacklist, etc. You can download it from www.nxfilter.org
Hi Jinhee!! Thanks for the advice. I'll try it.