Threat Level: green Handler on Duty: Manuel Humberto Santander Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Easy DNS BIND Sinkhole Setup

Published: 2010-01-10
Last Updated: 2010-01-11 13:08:33 UTC
by Guy Bruneau (Version: 1)
6 comment(s)

ISC handlers have written several reports this past week dealing with malware that redirect a client to download suspicious files from sites that we often want to block. It is common for malware to use evading techniques such as fast flux to avoid being blocked by constantly changing the IP(s). However, the website name remains static and this is where DNS sinkhole comes in to play.

A way to deal with this is to resolve the address before it leaves your site to get a response from the DNS site owner. Several lists already exist on the Internet that can be used to populate a sinkhole.

The first step is to add a configuration file to the /etc/named.conf. For example, add:

include "/var/named/sink_local.conf";

Run the command "named-checkconf" to make sure you have no errors in your named.conf file.

The second step is to edit (or create it of not already done) the sink_local.conf file in the /var/named directory and add to the sinkhole the malicious site. For example, we are going to use the site published in Patrick's Diary http://isc.sans.org/diary.html?storyid=7918 our.org.molendf.co.kr. Add in sink_local.conf the following line:

zone "our.org.molendf.co.kr" IN { type master; file "/var/named/sinkhole/redirect.nowhere"; };

Third, you need to create the master file in the new sinkhole directory /var/named/sinkhole/redirect.nowhere that will redirect the client to the sinkhole address. This file never changes and remains static. I have called my file redirect.nowhere which I think is only fitting. Here is an example of this file:

$TTL    600
@                       1D IN SOA       localhost root (
                                        42              ; serial
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                        1D IN NS        @
                        5 IN A          192.168.25.5

The IP address I have assigned here is an IP that can be used to alert on. For example, this IP can be a website to show a policy page. This will only work if the client is attempting to contact a website. Add  this IP (192.168.25.5) to your IDS/IPS to alert every time a PC connects to it (on any ports). The security team can verify the PC for signs of system compromise.

Last, reload your zone for your new list to take effect by executing "rndc reconfig"

Make sure the clients are now using the name server that has been configured with the sinkhole. The final step is to test the configuration to ensure the clients are resolving the malicious sites using our sinkhole address:

C:Users:guy>nslookup our.org.molendf.co.kr
Server: somename.sinkhole.com
Address: 192.168.25.25

Name: our.org.molendf.co.kr
Address: 192.168.25.5

This can be expended using other trusted list. For example, you could use the SRI "Most Observed Malware-Related DNS Names" list and add a new include option in the named.conf like sri.conf in the /var/named directory and populate with the list. This could be scripted to update daily to keep the list up-to-date. This adds another layer of defense you can control.

If you know of other lists that could populate a sinkhole, I will add them later to this diary.

Update: The Malware Domain List provides a list of website currently serving malware as well as a description (i.e. Trojan, PDF exploit, etc).

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Keywords: DNS Sinkhole
6 comment(s)

6.5 magnitude earthquake in California causing local poweroutage

Published: 2010-01-10
Last Updated: 2010-01-10 04:05:27 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

A 6.5 magnitude earthquake off the coast of California [1] is causing some local power outages at the very northern end of California [2]. This cooridor along the west coast is heavily used by various networks connecting the west coast as well as by landing points for cables from Australia and Asia.

Keynote is reporting some delays in San Diego between NTT and Verizon as well as Sprint [3]. Of course, San Diego is at the other end of the state, but it is possible that a disruption up north is effecting some connectivity leading down to San Diego.

NTT appears to use the "Trans Pacific Express" cable which lands in Oregon, about 500 Miles north of the quake [4] (probably too far to be affected)

Damage from the quake appears to be very limited. One interesting note: The quake ruptured gas lines as well as power lines. If you need natural gas for your generator, you may be out of luck.

[1] http://earthquake.usgs.gov/earthquakes/eqinthenews/2010/nc71338066/
[2] http://www.google.com/hostednews/afp/article/ALeqM5hSbG8pfMD-xv2Azo_WnqSVT_fO_Q
[3] http://www.internetpulse.net/
[4] http://www.ntt.com/aboutus_e/news/data/20091225a.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: earthquake
0 comment(s)
Diary Archives