FloCon 2018 has ended
Tucson, AZ – January 8-11, 2018


Watch this space for details on the technical program for FloCon 2018. In the meantime, see the FloCon website at www.cert.org/flocon.
Wednesday, January 10 • 9:30am - 10:00am
DNS Analysis at Internet Peering Points

Summary: This talk describes cyber analysis of DNS traffic at the Internet peering points using a streaming data analysis platform and algorithms to create actionable reports in minutes. The implementation is a work in progress following a successful field-based Proof of Concept.
   A new design was demanded by the need to:
   • Keep up with the growth of Internet peering circuits and bandwidth,
   • Increase the analysis performed on collected DNS metadata records,
   • Detect more threat indicators from DNS,
   • Report the indicators in minutes with actionable information, and
   • Deliver those reports to the right stakeholders.
To meet these requirements, a different approach and a different architecture were needed. We had good success with a central data center in the past, but the cost of scaling it was becoming less attractive. In the existing architecture we had a DNS Collector, similar to a Netflow Collector, at all the peering points. The DNS Collector parsed DNS packets into metadata records and wrote those records into files for transport to the central repository and processing center.
We first looked at duplicating the architecture several times, creating several data centers and load balancing the metadata over them. It would scale well but had many operations issues and required multiple levels of analysis.
We chose to implement analytics on the network edge in the DNS Collectors. The Collector was updated to a larger server implementing a data-in-motion (streaming data analysis) platform with the analysis algorithms all running in parallel on separate streams. The Collector architecture went from a single data path to approximately 16 parallel data paths. Each analytical routine generates files which, after white list, block list and interest list filtering, are transported to the central repository for further analysis, selection, correlation and reporting (threat alerts).
For the production-network-based Proof of Concept we implemented:
   • DGA detection
   • Tunneling detection
Key learnings from our Proof of Concept:
   • More port 53 abuse than we saw before.
     - We divided these into separate file types: Junk and Malformed.
   • Found good records with small anomalies, for which we created new indicators.
   • Found a small percentage of packets that parsed as good DNS records with a few extra bytes added between legitimate fields in the DNS message.
   • There are a good number of applications using port 53 which are not DNS but are not malicious or threats. A whitelist was critical to mitigating the false positives.
   • Volumetric anomaly detection on DNS currently looks effective as a first-order indicator.
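
As an added illustration of the Junk / Malformed / extra-bytes split described in the key learnings above (this is not the presenters' collector code), here is a minimal classifier for UDP port 53 payloads. The category definitions and the function names are assumptions made for this example, and it flags only surplus bytes left after the final record, not bytes inserted between earlier fields.

```python
import struct

def skip_name(buf, off):
    """Return the offset just past the domain name that starts at off."""
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of payload")
        length = buf[off]
        if length == 0:                      # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:            # compression pointer ends the name
            if off + 2 > len(buf):
                raise ValueError("truncated pointer")
            return off + 2
        if length & 0xC0:                    # 0x40 / 0x80 label types are reserved
            raise ValueError("reserved label type")
        off += 1 + length

def classify(payload):
    """Return 'junk', 'malformed', 'extra_bytes' or 'good' (assumed categories)."""
    if len(payload) < 12:                    # shorter than a DNS header
        return "junk"
    qd, an, ns, ar = struct.unpack("!4H", payload[4:12])
    # A question needs >= 5 bytes and a resource record >= 11; section counts
    # that cannot fit in the payload are treated here as "not DNS" (assumption).
    if 12 + 5 * qd + 11 * (an + ns + ar) > len(payload):
        return "junk"
    off = 12
    try:
        for _ in range(qd):
            off = skip_name(payload, off) + 4        # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(payload, off)
            if off + 10 > len(payload):
                raise ValueError("truncated record header")
            rdlen = struct.unpack("!H", payload[off + 8:off + 10])[0]
            off += 10 + rdlen                # TYPE, CLASS, TTL, RDLENGTH, RDATA
        if off > len(payload):
            raise ValueError("section overruns payload")
    except ValueError:
        return "malformed"
    return "good" if off == len(payload) else "extra_bytes"

# Constructed samples: a query for example.com and a matching one-answer response.
QUESTION = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION
RESPONSE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
            + struct.pack("!2sHHIH", b"\xc0\x0c", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Payloads classified as `junk` are the natural input for the whitelist of known non-DNS port 53 applications mentioned above, so that benign non-DNS traffic does not surface as an alert.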

Attendees Will Learn:
Attendees will learn how they could use streaming analysis at the network edge combined with a centralized Hadoop data processing center to detect threats, malicious behaviors and anomalies with DNS and report indicators to various stakeholders in minutes.

Attendees will learn some of the security issues seen with DNS at Internet peering. They will learn about machine learning for a detection algorithm and effective training of the model. They will learn that analysis of DNS can be effective and can scale quite large. They will also learn that there are alternatives to simply building a bigger data center.

Fred Stringer

Security Systems Engineer/Architect, AT&T
Fred Stringer is an Individual Contributor Engineer in the Threat Intelligence, Analysis and Response Engineering (TIARE) department in AT&T’s Chief Security Office. He is the Architect of the security data acquisition network and the System Engineer defining security analysis tools...

Wednesday January 10, 2018 9:30am - 10:00am MST
Presidio III, IV, V