原文與出處
DNS
Sinkholing
The DNS sinkhole action that you can enable in Anti-Spyware
profiles enables the firewall to forge a
response to a DNS query for a known malicious domain, causing the malicious
domain name to resolve to an IP address that you define. This feature can be
used to identify infected hosts on the protected network using DNS traffic in
situations where the firewall cannot see the infected client's DNS query (that
is, the firewall cannot see the originator of the DNS query). In a typical
deployment where the firewall is north of the local DNS server, the threat log
will identify the local DNS resolver as the source of the traffic rather than
the actual infected host. Sinkholing malware DNS queries solves this visibility
problem by forging responses to the client host queries directed at malicious
domains, so that clients attempting to connect to malicious domains (for
command-and- control, for example) will instead attempt to connect to a
sinkhole IP address that you define. Infected hosts can then be easily
identified in the traffic logs because any hosts that attempt to connect to the
sinkhole IP address are most likely infected with malware.
DNS
Sinkhole Workflow
The
following illustration shows an example of how to identify client hosts that
are attempting to communicate with known malicious domains:
說明
DNS Sinkholing 的機制,就是 當 防火牆,偵測到 DNS 查詢的是一個已知的惡意網域,防火牆就會回應一個偽造的IP (管理者定義),使得這個連線失敗,讓電腦無法成功連線到惡意網站。
藉此方式,也可以知道內部 受保護的網路中 有哪些主機受感染。
DNS Sinkhole 的作業流程
- 內部電腦192.168.2.10 可能受到惡意程式感染,並且發送DNS查詢,要連線到C&C主機。
- 內部 DNS Server 經由 Public DNS 查詢。
- DNS 回應 IP,用戶端連線該 IP,防火牆偵測到連線的IP 是惡意網站,
於是防火牆回應一個偽造的IP (Sinkhole IP) 給用戶端。 - 受惡意程式感染的電腦嘗試連線到 C&C主機,但是卻是連到 sinkhole IP。
- 這個 Session 經由用戶端電腦到 sinkhole IP。
- 管理者可以從記錄中知道 有哪些電腦嘗試連線惡意網站。
-End-
沒有留言:
張貼留言