DNS SinkHole - CERT.br
2nd Brazilian CSIRT Forum
17 September 2013

Detection and Handling of Malicious Software on the Paraná State Government Network

Jose Roberto Andrade Jr
Hermano Pereira
Oeslei Taborda Ribas
Agenda
● CELEPAR's responsibilities
● Challenges of a government CSIRT
● External botnet attacks
● IDS (intrusion detection system)
● HoneyPot
● DNS Sinkhole
● Other techniques
● E-mail alerts
CELEPAR's responsibilities
CELEPAR
● Companhia de Informática do Paraná (Paraná State IT Company)
● Mixed-capital company (Paraná State Government)
● Responsible for the .pr.gov.br domain
● Responsible for the connectivity of the state universities
● Customers: DETRAN, SEFA, SESA, SEED, SESP...
www.celepar.pr.gov.br
CELEPAR's responsibilities
● More than 50 agencies/departments
● ~45% Windows
● Corporate antivirus
● More than 40,000 workstations
Challenges of a government CSIRT
● Customers with different information security policies
● Customers with autonomy over their own information security decisions
● Turnover of IT staff
● Installation/maintenance of third-party applications
● Difficulty acquiring equipment and software licences
Detection and Handling of Malicious Software
External botnet attacks
● DDoS attacks
● Form abuse
● Attacks on CAPTCHA-protected applications
● Data theft
Tamanduah: bandwidth consumption per host
TamanduahURL: requests to URLs
Input: pcap / tcpdump capture (TCP/IP) taken from a mirror port
● Firewall, proxy

The example below ranks internal hosts (10.0.0.0/8) by UDP traffic involving port 53 (DNS); a handful of stations dominating DNS traffic is a first indicator of infection.

perl tamanduah.pl -i eth0 -s 10.0.0.0/8 -d "^10.0.0.0/8,:53" -p udp -q 10
--Tamanduah--2.2------------------------------------------------------------
   Hosts        Bytes IN           Bytes OUT          Bytes Total
----------------------------------------------------------------------------
1  10.X.X.X   245934  44.54%     82497  41.26%     328431  43.67%
2  10.X.X.X   162296  29.39%     67269  33.64%     229565  30.52%
3  10.X.X.X   130920  23.71%     39905  19.96%     170825  22.71%
4  10.X.X.X     3663   0.66%       818   0.41%       4481   0.60%
5  10.X.X.X     3860   0.70%       518   0.26%       4378   0.58%
6  10.X.X.X      602   0.11%       887   0.44%       1489   0.20%
Intrusion Detection System (IDS)
● Snort IDS with Emerging Threats signatures
● Rules per network
● Custom signatures for our environment
● Signatures written on demand for new threats
● Alert view per customer
● Alert view per malware

Intrusion Detection System (IDS)
COSED implementations
(screenshot: security alert dashboard)
HoneyPot
(diagram: HoneyPot on 192.168.10.0/24)

HoneyPot
Routes to the HoneyPot:
RFC 1918
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
RFC 3927
- 169.254.0.0/16
RFC 1122
- 0.0.0.0/8
- 127.0.0.0/8
The core switch carries these broad routes alongside the more specific routes of the subnets actually in use, so longest-prefix matching delivers only traffic to unused addresses (typically scans by infected stations) to the HoneyPot.
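The route trick above depends on which prefixes are really in use. The helper below is an added example (not CELEPAR's tooling): it takes the broad ranges from the slide plus a constructed, assumed list of in-use subnets, computes the "dark" prefixes that the honeypot routes will attract, and answers, for any destination, whether a packet would land on the honeypot under longest-prefix matching.

```python
"""Which destinations end up on the honeypot under longest-prefix matching.

Added example, not CELEPAR's code.  HONEYPOT_RANGES are the ranges from the
slide; IN_USE_SUBNETS is an assumed addressing plan for the example only.
"""
import ipaddress

# Broad ranges routed to the honeypot on the core switch (from the slide).
HONEYPOT_RANGES = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16",                                   # RFC 3927
    "0.0.0.0/8", "127.0.0.0/8",                         # RFC 1122
]

# Subnets with their own (more specific) routes.  Assumed values.
IN_USE_SUBNETS = ["10.1.0.0/16", "10.2.10.0/24", "192.168.10.0/24"]


def dark_prefixes(ranges=HONEYPOT_RANGES, in_use=IN_USE_SUBNETS):
    """Return the unused sub-prefixes of `ranges`, as sorted strings.

    Each in-use subnet is carved out with address_exclude(); what remains is
    exactly the address space that the honeypot routes will attract.
    """
    used = [ipaddress.ip_network(s) for s in in_use]
    result = []
    for r in ranges:
        todo = [ipaddress.ip_network(r)]
        for u in used:
            next_todo = []
            for net in todo:
                if u.subnet_of(net):
                    # address_exclude yields nothing when u == net
                    next_todo.extend(net.address_exclude(u))
                elif net.subnet_of(u):
                    pass  # wholly in use: nothing dark left here
                else:
                    next_todo.append(net)
            todo = next_todo
        result.extend(todo)
    result.sort(key=lambda n: (int(n.network_address), n.prefixlen))
    return [str(n) for n in result]


def goes_to_honeypot(dst, ranges=HONEYPOT_RANGES, in_use=IN_USE_SUBNETS):
    """Longest-prefix match: True if `dst` would be delivered to the honeypot.

    A destination inside an in-use subnet matches that subnet's more specific
    route and is delivered normally; anything else inside the broad ranges
    goes to the honeypot; anything outside them takes the default route.
    """
    addr = ipaddress.ip_address(dst)
    if any(addr in ipaddress.ip_network(s) for s in in_use):
        return False
    return any(addr in ipaddress.ip_network(r) for r in ranges)


if __name__ == "__main__":
    for p in dark_prefixes():
        print("honeypot <-", p)
    for d in ("10.200.1.1", "10.1.5.5", "8.8.8.8"):
        print(d, "-> honeypot" if goes_to_honeypot(d) else "-> normal route")
```

Note the caveat the second function makes visible: a scan of an unused host address inside an in-use subnet (10.1.5.5 above) still follows that subnet's route and never reaches the honeypot. Claiming those addresses too is what a tool such as Honeyd, listed as the next step, is for.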
HoneyPot
HoneyPot alert:
Virus at 192.168.10.X
Corporate HoneyPot
Today:
● 1 HoneyPot server
● Routing on the core switch
● Nepenthes, Snort and IPTables
Next step:
● Honeyd/Dionaea
● HoneyPots at the customers

HoneyPots in the DMZs
Today:
● HoneyPot server in 3 DMZs
● No routing
Next step:
● In all hosted networks

Corporate HoneyPot
Some figures:
● ~35% of all security alerts
● Various attacks (port scans)
● Configuration errors
● New viruses/malware
● Errors in websites
DNS SinkHole
The DNS SinkHole is a feature added to the DNS server so that domains used for malicious purposes (viruses) are answered with an address of our choosing instead of their real one. The malicious domain can thus be resolved to the IP address of a HoneyPot, and the infected station identifies itself when it connects there.

DNS SinkHole (flow)
1. The station queries: www.domal.dn ?
2. The sinkhole DNS answers www.domal.dn → 192.168.1.35 (a domain used by the Palevo malware, answered with the HoneyPot address)
3. The station connects to www.domal.dn, i.e. to the HoneyPot
4. HoneyPot alert: Palevo virus at 192.168.10.Y
DNS Sinkhole
Today:
● 1 DNS server in testing (~2000 hosts)
● SinkHole → ISC BIND
● Domain feeds: AMADA and Malware Domain List
Next step:
● Corporate DNS
● Customer DNS
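The slides say only "SinkHole → ISC BIND" fed by AMADA and Malware Domain List, not how the feeds become server configuration. The script below is an added example, not CELEPAR's configuration: it assumes BIND's response-policy zone (RPZ) mechanism, models the feed as a plain one-domain-per-line list (an assumption about the feed format), normalises and validates the entries, and renders an RPZ zone that answers each listed domain and everything under it with the HoneyPot address from the slide. The zone name rpz.sinkhole.local and the sample feed contents are invented for the example.

```python
"""Turn a domain blocklist into a BIND response-policy zone (RPZ).

Added example, not CELEPAR's setup.  RPZ, the zone name and the feed format
are assumptions; the sink address 192.168.1.35 is the one on the slide.
"""
import ipaddress
import re
from datetime import date

# Constructed sample feed (not real feed content): one domain per line.
SAMPLE_FEED = """\
# malicious domains, one per line
www.domal.dn
domal.dn
Evil-Example.TEST.   # trailing dot and mixed case are normalised
not a domain!        # rejected: would make BIND refuse the zone
www.domal.dn         # duplicate, kept once
"""

# RFC 1123 hostname label: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_feed(text):
    """Return the unique, normalised domains in a feed, skipping bad lines."""
    domains = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(".").lower()
        if not line:
            continue
        if len(line) > 253 or not all(_LABEL.match(l) for l in line.split(".")):
            continue  # garbage in the feed must not break name resolution
        if line not in domains:
            domains.append(line)
    return domains


def build_rpz_zone(domains, sink_ip, zone="rpz.sinkhole.local", serial=None):
    """Render an RPZ zone mapping each domain and its subdomains to sink_ip.

    RPZ triggers on the query name, so both 'name' and '*.name' records are
    needed to catch hosts under a listed domain.
    """
    ip = ipaddress.ip_address(sink_ip)          # raises on a bad address
    rr = "A" if ip.version == 4 else "AAAA"
    serial = serial or int(date.today().strftime("%Y%m%d01"))
    lines = [
        "$TTL 60",
        f"@ IN SOA {zone}. hostmaster.{zone}. ({serial} 3600 600 86400 60)",
        "@ IN NS localhost.",
    ]
    for d in domains:
        lines.append(f"{d} IN {rr} {ip}")
        lines.append(f"*.{d} IN {rr} {ip}")
    return "\n".join(lines) + "\n"


def lookup(domains, sink_ip, qname):
    """Simulate the resolver's RPZ decision: sink address or None (resolve normally)."""
    q = qname.rstrip(".").lower()
    for d in domains:
        if q == d or q.endswith("." + d):
            return sink_ip
    return None


if __name__ == "__main__":
    doms = parse_feed(SAMPLE_FEED)
    print(build_rpz_zone(doms, "192.168.1.35", serial=2013091701))
```

To activate the generated file, declare it as an ordinary master zone in named.conf and reference it from the options block with `response-policy { zone "rpz.sinkhole.local"; };`. Two practical points: keep the TTL short (60 s above) so removing a false positive from the feed takes effect quickly, and enable BIND's `rpz` log category, because the DNS server is the one place that still sees the original query name together with the querying station's address.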
Log server
● Receives logs via syslog.
● Antivirus server log.
● Router logs.
● Antispam log.
● Logs from some servers.
SIEM
● Prelude (http://www.prelude-ids.com/)
● IDMEF protocol (RFC 4765)
● Several modules (LML, Prewikka, Manager)
● Agents for different operating systems and applications.
● Encrypted communication between the agents and the manager
● Local buffer for storage
Other techniques
● Proxy log analysis.
● DNS log analysis.
● Firewall log analysis.
● Time/frequency of requests.
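The last two items together, as an added example that is not one of CELEPAR's scripts: it reads query-log lines in the shape of a BIND 9 query log with print-time enabled (the sample lines are constructed, and the exact format varies between BIND versions), picks out stations that resolved a sinkholed domain, and then applies the time/frequency check by measuring how regular the gaps between a station's repeated queries are. A station that asks for a C&C name at near-constant intervals is a timer-driven bot, not a user. The blocklist reuses the slide's domal.dn plus an assumed second domain; the jitter threshold is an assumed tuning value.

```python
"""Infected-station detection from BIND query logs: sinkholed names + beaconing.

Added example, not CELEPAR's code.  SAMPLE_LOG is constructed; the log
format approximates a BIND 9 query log with print-time enabled.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

SINKHOLED = ["domal.dn", "evil-example.test"]   # domains fed to the sinkhole

# Constructed sample: 10.1.2.3 beacons every 5 minutes, 10.1.2.9 resolves a
# listed name once (e.g. a user clicking a link), 10.1.7.7 is clean.
SAMPLE_LOG = """\
17-Sep-2013 10:00:01.101 queries: info: client 10.1.2.3#51234: query: www.domal.dn IN A + (10.0.0.53)
17-Sep-2013 10:00:05.220 queries: info: client 10.1.7.7#40001: query: www.celepar.pr.gov.br IN A + (10.0.0.53)
17-Sep-2013 10:05:01.330 queries: info: client 10.1.2.3#51235: query: www.domal.dn IN A + (10.0.0.53)
17-Sep-2013 10:07:41.000 queries: info: client 10.1.2.9#33000: query: cdn.evil-example.test IN A + (10.0.0.53)
17-Sep-2013 10:10:01.120 queries: info: client 10.1.2.3#51236: query: www.domal.dn IN A + (10.0.0.53)
17-Sep-2013 10:15:01.900 queries: info: client 10.1.2.3#51237: query: www.domal.dn IN A + (10.0.0.53)
17-Sep-2013 10:20:00.870 queries: info: client 10.1.2.3#51238: query: www.domal.dn IN A + (10.0.0.53)
17-Sep-2013 10:21:13.000 queries: info: client 10.1.7.7#40002: query: mail.pr.gov.br IN MX + (10.0.0.53)
this line is not a query log entry and is skipped
"""

_LINE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?"
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+.*?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (timestamp, client, qname, qtype) for each parseable line."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # malformed or non-query line: skip, never crash
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        yield ts, m["client"], m["qname"].rstrip(".").lower(), m["qtype"]


def sinkholed_domain(qname, sinkholed=SINKHOLED):
    """Return the blocklist entry that covers qname, or None."""
    for d in sinkholed:
        if qname == d or qname.endswith("." + d):
            return d
    return None


def is_beacon(timestamps, min_hits=4, max_jitter=0.2):
    """True if at least min_hits queries arrive at near-constant intervals.

    Regularity is stdev/mean of the gaps between consecutive queries: malware
    polling on a timer scores near 0, a person browsing does not.  The 20%
    jitter tolerance is an assumed threshold to tune per environment.
    """
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter


def analyse(log_text, sinkholed=SINKHOLED):
    """Return {client: {domain: {hits, beacon, first, last}}} for sinkholed hits."""
    hits = defaultdict(lambda: defaultdict(list))
    for ts, client, qname, _qtype in parse_query_log(log_text):
        d = sinkholed_domain(qname, sinkholed)
        if d:
            hits[client][d].append(ts)
    return {
        client: {
            d: {"hits": len(t), "beacon": is_beacon(t),
                "first": min(t).isoformat(), "last": max(t).isoformat()}
            for d, t in per_domain.items()
        }
        for client, per_domain in hits.items()
    }


if __name__ == "__main__":
    for client, per_domain in analyse(SAMPLE_LOG).items():
        for d, info in per_domain.items():
            print(client, d, info)
```

The report is what the e-mail alert in the next section needs: the station address, the malware domain it asked for, and whether the pattern is automated, which decides whether the ticket is "infected host" or "user clicked a link".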
E-mail alerts

From: Security Team
To: Fulano (placeholder for the user's name)
Subject: [Automatic message]

Dear Fulano,
We have identified that your workstation is infected with a virus!
Alerts: XYZ
Procedures: ABC
Thank you for your cooperation!
Conclusion
The solutions presented allow:
● Monitoring workstations that lack the corporate antivirus
● Detection of new viruses and threats
● Low cost, effective
● Scalable and easy to maintain
References
● amada.abuse.ch
● dionaea.carnivore.it
● nepenthes.carnivore.it
● www.honeyd.org
● www.honeypots-alliance.org.br
● isc.sans.edu/diary.html?storyid=7930
● www.malwaredomainlist.com
● www.rfc-editor.org
● www.hermano.com.br
THANK YOU!
Questions?
seginfo@celepar.pr.gov.br