Info

Brakeing Down Security Podcast

A podcast all about the world of Security, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.
RSS Feed Subscribe in iTunes
Brakeing Down Security Podcast
2017
August
July
June
May
April
March
February
January


2016
December
November
October
September
August
July
June
May
April
March
February
January


2015
December
November
October
September
August
July
June
May
April
March
February
January


2014
December
November
October
September
August
July
June
May
April
March
February
January


All Episodes
Archives
Now displaying: Page 1
Jun 13, 2016

Picture yourself in the middle of a security incident... A malware infection, or you have hosts on your network are part of a botnet.  You figured out where how the malware is communicating with the command and control servers, but if you just kill the connection, the malware stop functioning.  What do you do?

In some cases, you might be able to employ a DNS #sinkhole to route traffic harmlessly to  or through a honey network that can be used to further analyze things like #infection vectors, #protocols, commands, and #network movement. You can also use #DNS sinkholing to disable the malware if certain conditions are met.

Like most tools, sinkholing can be used for good, but there are legal issues if it's used incorrectly.  We discuss some of the legalities. It won't disable all malware or exploit kits, but for some infections, this is another tool in your toolbox you can employ.

In a continuation from last week's show with Earl Carter about the #Angler #Exploit Kit, we discuss how Angler is able to bypass #EMET and #ASLR protections... https://www.fireeye.com/blog/threat-research/2016/06/angler_exploit_kite.html

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-023-DNS_Sinkholes2.mp3

iTunes:  https://itunes.apple.com/us/podcast/2016-023-dns-sinkholing/id799131292?i=1000370572088&mt=2

YouTube: https://youtu.be/67huikA2QFg

 

Links we used to discuss sinkholing:

Basic sinkhole app using BIND: https://isc.sans.edu/forums/diary/DNS+Sinkhole+ISO+Available+for+Download/9037/

*UPDATED literally hours after I posted this show*  Version 2.0 of the DNS sinkhole ISO: https://isc.sans.edu/diary/21153

 

 

http://resources.infosecinstitute.com/dns-sinkhole

 

https://www.paloaltonetworks.com/documentation/60/pan-os/newfeaturesguide/content-inspection-features/dns-sinkholing

 

https://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523

 

http://www.darkreading.com/partner-perspectives/general-dynamics-fidelis/principles-of-malware-sinkholing/a/d-id/1319769

 

Blackhole DNS servers -- http://www.malware-domains.com/   or http://www.malwaredomains.com/

http://handlers.dshield.org/gbruneau/sinkhole.htm

Malware blackhole DNS campaign (2013) - http://www.bleepingcomputer.com/forums/t/511780/dns-sinkhole-campaign-underway-for-cryptolocker/

 

http://www.darkreading.com/risk/microsoft-hands-off-nitol-botnet-sinkhole-operation-to-chinese-cert/d/d-id/1138455

 

http://someonewhocares.org/hosts//  -massive dns sinkholing list

 

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

images:

Image: https://www.enisa.europa.eu/topics/national-csirt-network/glossary/files/dns_sinkhole

1 Comments
  • over a year ago
    Geetha
    This blog provides useful information about new techniques and concepts.very impressive lines are given which is very attractive.