Network Working Group J. Bambenek Internet-Draft: Double Flux Defense in DNS Univ. of Illinois Updates: 1123, 1912, 2181, 2535 (if approved) May 21, 2008 Intended status: Standard Expires: November 21, 2008 Double Flux Defense in the DNS Protocol draft-bambenek-doubleflux-01.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on September 20, 2008. Copyright Notice Copyright (C) The IETF Trust (2008). Abstract The memo provides information and suggests processes for developers of applications based on the DNS protocol and for administrators of servers and networks. It suggests new procedures for DNS and DNSSEC implementations that would prevent abuse of the DNS Bambenek Expires November 21, 2008 [Page 1] Internet-Draft Double Flux Defense in DNS May 2008 protocol such as those seen by "Double Flux" service networks. Specifically, this document recommends that all resource records for NS records with Time-To-Live (TTL) settings under 24 hours be dropped as potentially malicious records designed to attack users. This document would update RFCs 1123, 1912, 2181 and 2535. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 [KWORDS]. Table of Contents 1. Introduction ............................................... 2 2. Overview of Fast Flux Service Networks ..................... 3 2.1 Single Flux ............................................ 3 2.2 Double Flux ............................................ 3 3. Recommend Changes .......................................... 4 3.1 Changes to Registrars .................................. 4 3.2 Changes to Authoritative DNS Services .................. 4 3.3 Changes to DNS Resolving Services ...................... 4 3.4 Changes to DNS Clients ................................. 4 4. Security Considerations .................................... 5 5. IANA Considerations ........................................ 5 6. Conclusion ................................................. 5 7. Acknowledgments ............................................ 5 8. Feedback ................................................... 5 9. References ................................................. 6 Author's Address .............................................. 6 Senseless Legalese ............................................ 6 1. Introduction Traditionally, malware repositories and malicious websites were easy to locate and take down. They were either registered in DNS or used their IP address. A call or e-mail to the abuse department and the relevant ISP is (usually) all that was needed. With the advent of botnets, this all changed. Botnet technology changed the paradigm for hacking. Instead of controlling only a few machines and using those machines as launching pads for attacks, malicious individuals could control hundreds, thousands, or even more machines that they could then use to initiate more attacks. Identifying all the botnet "drones" became difficult simply by the shear volume. Even after machines Bambenek Expires November 21, 2008 [Page 2] Internet-Draft Double Flux Defense in DNS May 2008 were identified, they frequently would just get reinfected. The attention then turned to botnet command and control structures. This lead to the development of fast flux networks which allow leverging the shear numbers of infected machines and DNS to quickly point and repoint victims to malicious websites and command and control mechanisms. 2. Overview of Fast Flux Service Networks Fast flux service networks work by using a combination of short Time-To-Live (TTL) values and round-robin IP address assignments in DNS records for a given domain. This leads to DNS resource records having IP address that are changing quickly which make takedowns difficult. Fast flux networks come in two varieties: single flux which only rotate A records for web services and double flux which rotate DNS records as well as A records for web services. [1] Fast flux networks rely on many machines that have been compromised that can be used as "throwaway" hosts for further exploitation or launching pads for their own attacks. 2.1. Single Flux In a single flux network, there are up to thousands of IP addresses that can coorespond to a single A record. For instace, at any given moment, a round-robin list of IP address can be returned for a query of host.malicioushost.com. However, those values will have low TTLs assigned to them (as low as 3 minutes). A future query will then return different IP addresses. This allows malicious individuals to use DNS to point victims to malware and command & control systems without having to worry about the IP address being identified and taken offline. With thousands of IPs to choose from, taking down the individual hosts becomes quickly impractical. The one weak point in this network is the nameservers that are authoritative for the domain are static and they can be taken down which would, in turn, disable the fast flux network. 2.2. Double Flux The weak point in single flux networks is addressed in double flux networks. In this case, double flux also use low TTLs to quickly cycle the authoritative nameservers as well so take downs of the nameserver also become difficult. They can accomplish this by using low TTLs for the NS records themselves, or using a fully-qualified domain name in the NS Bambenek Expires November 21, 2008 [Page 3] Internet-Draft Double Flux Defense in DNS May 2008 record with has a cooresponding A record with a low TTL. This allows malicious users to cycle in owned machines as both webservers and nameservers. 3. Recommended Changes In order to mitigate the threat of double flux service networks a variety of changes to the standard are proposed. The changes will affect a variety of levels so that if some of the changes are not implemented at certain levels, some protection will be afforded to consumers through the other levels. 3.1. Changes to Registrars Domain registrars SHALL limit the rate at which changes can be made to authoritative DNS servers for domains within their control to one set of changes per 72 hours. They SHOULD also allow for a "backout" to the previous settings in the event of errors. This backout will move the settings back to the previous nameserver settings and reset the clock for 72 hours. This will prevent malicious individuals from constantly changing their DNS records to avoid takedowns. 3.2. Changes to Authoritative DNS Services During startup, DNS services SHALL check both the TTL for NS records and check the TTL for the A records associated with the NS record. If the TTL is set to a value below 86400 (24 hours) it SHALL override the setting to 259200 (72 hours) and record an entry in the system logs to that affect. A value MAY be specified within 24-72 hours that will work, but values under 24 hours will default to 72 hours. 3.3. Changes to DNS Resolving Services DNS servers that are non-authoritative but performing queries on behalf of local clients SHALL examine the TTL of the NS record and if applicable, the A record for the cooresponding nameserver. If either non-cached TTL comes back with a value of less than 12 hours, it SHALL be discarded and return an error giving no information to the requesting client. 3.4. Changes to DNS Clients DNS clients SHALL examine returned values for all nameserver Bambenek Expires November 21, 2008 [Page 4] Internet-Draft Double Flux Defense in DNS May 2008 lookups for NS records (and cooresponding A records for those NS records) for TTLs less than 12 hours. If a non-cached result of a query comes back with a low TTL, it SHALL be discarded with no IP address returned to the requesting application. 4. Security Considerations This document proposes changes to the DNS protocol to improve security in the existing system. It will not prevent misuse, but it will help slow down the propogation of malicious DNS changes to allow for the information security community to take appropriate corrective action. This should theoretically enhance the security of DNS services. 5. IANA Consdierations This document has no actions for IANA. 6. Conclusion The changes to the standards proposed in this document allow for the information security field to slow down the movement of double flux networs so that takedowns become more possible. It will not fix the problem, nor does it intend to. The objective is to raise the bar and prevent the malicious use of features within the DNS protocol that are no longer relevant to modern usage. Additionally, this author encourages the development of a real-time DNS Blacklist of known fast-flux domain names to provide an additional layer of protection that service providers can use to protect their consumers. 7. Acknowledgments This document acknowledges Captain John Smith who introduced coffee to the New World in 1607. Without this, the practice of information technology would not be possible. 8. Feedback Feedback on this document is requested and interested parties can contact that author at the address and e-mail listed below under "Author's Address". Bambenek Expires November 21, 2008 [Page 5] Internet-Draft Double Flux Defense in DNS May 2008 9. References [1] Honeynet Project & Research Alliance, "Know Your Enemy: Fast-Flux Service Networks" http://www.honeynet.org/papers/ ff/fast-flux.html (13 July 2007) Author's Address John Bambenek University of Illinois 1308 W. Main St Urbana, IL 61801 United States of America EMail: bambenek@uiuc.edu Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Bambenek Expires November 21, 2008 [Page 6] Internet-Draft Double Flux Defense in DNS May 2008 Full Copyright Statement Copyright (C) The IETF Trust (2008). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society.