[ASK] Block Malware Generate Random Subdomain, Domain and TLD

Daniel Stirnimann daniel.stirnimann at switch.ch
Thu Jan 18 07:33:05 UTC 2018


> domains: if you know the algorithm, you can pre-generate the malicious
> domains and add them to your RPZ in advance.

RPZ by default will not stop the upstream query. You would have to use
"qname-wait-recurse yes" in addition if stopping upstream queries is
your goal.

I believe this malware DGA is discussed on this site [1]. According to
one user, the DGA is unpredictable and used as a decoy only:

"There is a large list of hardcoded domains with ports that the malware
contacts. But in addition to that, there is a DGA that generates domains
that look exactly like the hardcoded domains. The seeding of the DGA is
done with GetTickCount and therefore unpredictable."

It seems to me that some of the hardcoded domains resolve to
195.22.26[.]248 e.g. m23.pxrrhqd[.]net, m16.nkksufo[.]net. Thus, I have
the following RPZ rule in place at the moment:

32.248.26.22.195.rpz-ip	CNAME .

This will of course only match some of the hardcoded domains and none of
the DGA domains. I'm not sure what you could use to prevent any of these
queries from going upstream.

Maybe "synth-from-dnssec" in Bind 9.12 is something if the domain name
happens to hit a TLD which uses NSEC. According to the Bind 9.12
documentation [2] Bind will support NSEC3 for "synth-from-dnssec" at
some point in the future. However, as most TLDs use NSEC3 opt-out I
guess this is not the right solution either.

Or RRL (rate-limit) with only "nxdomains-per-second". However, I have
never used RRL on recursive resolvers. I guess this is not a good idea
either.

Daniel

[1] https://github.com/360netlab/DGA/issues/36
[2] https://ftp.isc.org/isc/bind9/9.12.0rc3/doc/arm/Bv9ARM.ch09.html#relnotes_features
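A small worked example (added here; it is neither Daniel's code nor BIND's) of how the rpz-ip trigger used in the post is encoded, how a matching RPZ zone is written, and which A-record answers such a rule would rewrite. The zone origin rpz.example and the 10.0.0.0/8 sample prefix are assumptions; 195.22.26.248 is the address mentioned in the post.

```python
"""Encode RPZ response-IP (rpz-ip) triggers and check which answers they catch.

Added example, not from the original post or the BIND project. The zone name
rpz.example and any prefix other than 195.22.26.248/32 are constructed.
"""
import ipaddress


def rpz_ip_trigger(cidr: str) -> str:
    """Encode an IPv4 CIDR as an RPZ rpz-ip trigger owner name.

    RPZ puts the prefix length first, then the address octets in reverse
    order, under the rpz-ip label: 195.22.26.248/32 becomes
    32.248.26.22.195.rpz-ip, which is the rule shown in the post.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    reversed_octets = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{reversed_octets}.rpz-ip"


def build_rpz_zone(cidrs, origin: str = "rpz.example") -> str:
    """Return zone-file text where every trigger gets the NXDOMAIN action (CNAME .)."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ SOA ns.{origin}. hostmaster.{origin}. 1 3600 900 604800 300",
        f"@ NS ns.{origin}.",
    ]
    lines += [f"{rpz_ip_trigger(c)}\tCNAME ." for c in cidrs]
    return "\n".join(lines) + "\n"


def answer_is_blocked(cidrs, answer_ip: str) -> bool:
    """True if an A-record answer falls inside any rpz-ip trigger prefix.

    rpz-ip triggers act on the response, so the resolver must still recurse
    to learn the address before the rule can fire; this mirrors the post's
    point that such a rule cannot stop the upstream query itself.
    """
    addr = ipaddress.IPv4Address(answer_ip)
    return any(addr in ipaddress.IPv4Network(c, strict=True) for c in cidrs)


if __name__ == "__main__":
    rules = ["195.22.26.248/32"]
    print(build_rpz_zone(rules))
    # Constructed answers: the first matches the post's rule, the second does not.
    for ip in ("195.22.26.248", "195.22.26.249"):
        print(ip, "blocked" if answer_is_blocked(rules, ip) else "passes")
```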
