Using Passive DNS to Fight Cybercrime
Going after bad guys can lead to unintended Internet collateral damage, but Paul Vixie has some ideas on limiting the risk with DNS.
When law enforcement swoops in to shut down the operations of an online criminal organization, there can sometimes be unintended consequences and unnecessary collateral damage -- but it doesn't have to be that way.
At last week's Black Hat USA conference Paul Vixie, DNS luminary and CEO of Farsight Security, detailed how passive DNS technology can help law enforcement with more targeted takedown efforts. In an interview with eSecurityPlanet, Vixie said his experience in takedowns includes working against Conficker and DNSchanger, among other efforts.
"There is a lot of interest in taking down online criminal infrastructure," Vixie said. "The problem is we're getting it wrong often enough to create collateral damage that pulls the whole endeavor into question."
Before taking down a botnet for example, Vixie said it's important to understand all the things it is attached to and dependent upon to operate. While it's important to make sure that the entire criminal enterprise infrastructure is taken down, it's also important to not adversely impact non-combatants that work on what may turn out to be shared infrastructure components.
One way to limit such risks involves leveraging passive DNS.
"Passive DNS is a way of recording third-party transactions, creating a surveillance opportunity, without any personally identifiable information in what we recover," Vixie said.
He explained that if you can see enough DNS information and store it in a database that goes back years, then it's possible to find relationships between online properties - like all of the other domain names that have ever pointed at a particular IP address.
"You can also looking for sharing of mail servers and other items," he said.
Vixie's company, Farsight Security, is one of several vendors that facilitate passive DNS collections. "So anyone that uses our tool can find the surrounding infrastructure of things they care about," Vixie explained.
Nothing on the Internet can occur, whether it's good or bad, until a DNS transaction is completed, Vixie emphasized.
"So all online activity has to use DNS and once you are using DNS, then you're under my microscope," he said.
While generally speaking a takedown can involve the removal of assets from the Internet, there are also times when some form of redirection is needed. While HTTP redirection is common, elegant DNS redirection is another story. That's why Vixie emphasizes the importance of keeping takedowns as specific as possible.
"Takedowns need to be specific so you're only putting yourself in the way of traffic that you really don't want to have answered," he said.
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.
July 16, 2015
Paul Vixie, CEO of Farsight Security, discusses how his firm uses DNS and other network traffic information to help organizations with security forensics.