#gdi #infosec The power of DNS combined with #bigdata converges in the digital sky to prevent darkness from covering the land of bits and bytes


Littered throughout ancient literature and religions is the notion that a total solar eclipse portends some great event. In more modern times such a sign has been adopted by science fiction and fantasy authors, often to herald the birth of the Hero of the Day.

Even after solar eclipses could be predicted with a fair amount of precision, such an event was often used in an attempt to change human behavior. In the Bible, one of the plagues of Egypt involved darkness covering the land in an attempt to change the Pharaoh's position on the enslavement of the Israelites. This event is often (inaccurately) interpreted as a solar eclipse. In other cases, the change in behavior was not so much the goal of an active attempt as the unintended result of such an (at the time) frightening event.

"Herodotus, the father of history, who lived in the 5th century BC, cited that Thales (ca. 624-547 BCE), the Greek philosopher, predicted the solar eclipse of 28 May 585 BCE that put an end to the conflict between the Lydians and the Medes." -- Solar Eclipses in History and Mythology

Ancient peoples looked upon solar eclipses, whatever the reigning philosophy or religious thought of the time, as a sign that something human beings were doing was wrong.

On July 9, 2012, the digital equivalent will occur for some, and it is indeed a sign that something is terribly wrong.

The Malware, The Event, The Solution

If you’re not aware of Operation Ghost Click, take a quick read, as it’s the backstory to why this upcoming event will occur. Suffice to say that a whole lot of end-users were infected with the DNS hijacking malware called DNSChanger, which rewrote their DNS settings (on the machine and, in many cases, on the home router) to point at resolvers the criminals controlled. When the FBI seized those rogue resolvers in November 2011, it obtained a court order to stand up clean replacement resolvers at the very same IP addresses, effectively one of the largest DNS resolver operations on the Internet, answering every DNS request sent by the infected users.

This had the effect of allowing hundreds of thousands of infected users to keep right on using the Internet as if nothing was wrong. Their DNS requests were resolved properly, and most of them were – and are still – none the wiser.

But the FBI is going to turn off those replacement resolvers on July 9, which will leave the hundreds of thousands still infected with no working DNS service. Their connections will stay up, but nothing will resolve by name, so effectively, for those users, the Internet will become as black as sackcloth; the Internet will go dark.

The solution for these users is, of course, to clean their systems of the malware and then put their DNS settings back, because removing the malware does not by itself undo the resolver change it made (and a hijacked home router has to be fixed separately). First, however, they have to recognize they’re infected – something that will become painfully obvious on July 9. Folks would really like to avoid the mass disruption that will invariably result from such a broad outage – especially local ISPs and technical family members who will no doubt field calls that day to explain why the Internet “isn’t working.” To that end, the power of big data is being employed, with more and more sites joining in to leverage that data in an attempt to inform those infected before the DNS eclipse occurs.
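The check a technical family member will actually be asked to perform on July 9 is simple: look at which resolvers the machine is configured to use and compare them against the rogue address ranges. The following Python is an added example, not code from the original post or from the DCWG; the six ranges are the ones published in the FBI/DCWG Operation Ghost Click advisories (transcribed here, so verify them against dcwg.org before relying on them), and the resolv.conf and ipconfig snippets are constructed sample input, not captures from real hosts.

```python
import ipaddress
import re

# Rogue resolver ranges used by the DNSChanger operation, as published in the
# FBI/DCWG Operation Ghost Click advisories (transcribed; verify against
# dcwg.org before relying on them).
ROGUE_RESOLVER_NETS = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",    # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",      # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",    # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",      # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",    # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",     # 64.28.176.0   - 64.28.191.255
)]


def parse_resolv_conf(text):
    """Return nameserver addresses from /etc/resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_ipconfig(text):
    """Return DNS server addresses from `ipconfig /all` output (Windows).

    The first server sits after the colon on the 'DNS Servers' line; any
    further servers follow on indented continuation lines holding one token.
    """
    servers = []
    collecting = False
    for line in text.splitlines():
        if "DNS Servers" in line and ":" in line:
            collecting = True
            value = line.split(":", 1)[1].strip()
            if value:
                servers.append(value)
            continue
        cont = re.fullmatch(r"\s+(\S+)", line) if collecting else None
        if cont:
            servers.append(cont.group(1))
        else:
            collecting = False
    return servers


def rogue_resolvers(nameservers):
    """Return the subset of nameservers that fall inside a rogue range."""
    hits = []
    for ns in nameservers:
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            continue                 # hostnames or junk are not checked
        if any(addr in net for net in ROGUE_RESOLVER_NETS):
            hits.append(ns)
    return hits


# Constructed sample configurations for the demonstration (not real hosts).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 85.255.112.53
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """\
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 93.188.160.7
                                       64.28.176.10
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, servers in (("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF)),
                          ("ipconfig", parse_ipconfig(SAMPLE_IPCONFIG))):
        bad = rogue_resolvers(servers)
        print(f"{name}: resolvers {servers}; rogue {bad or 'none'}")
```

A hit means the machine (or the router handing out those resolvers via DHCP) is still pointed at addresses that stop answering on July 9; a machine that has had the malware removed but still lists one of these resolvers is exactly the case the cleanup instructions warn about.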

The most recent prophet to join the DNS eclipse movement is Facebook, which “announced Tuesday that it had joined a consortium of other companies and security experts to help alert more than half a million users of a computer infection called DNSChanger that may knock their computers off the Internet this summer.” (Facebook warns hundreds of thousands may lose Internet in July) The notification works off the data the working group has collected: the source addresses seen querying the replacement resolvers, tracked by the ASN that originates them, and matched against the address a user connects from.

"All ISPs are asked to notify their affected customers and encourage remediation. If you run a network and would like information about DNS Changer infected IPs on your network, please contact one of the organizations listed below. These organizations are making this data available for free as a public benefit. These organizations will verify that you are a responsible contact for the ASN.

DNS Changer infected IPs are tracked by origin ASN"

-- DNS Changer Working Group (DCWG)

Facebook, and other cooperating sites, use the data collected on infected IPs to tell end-users whose connecting address is on the list to check their individual machines for the malware, with instructions that explain how to resolve the situation. The check is framed as a request rather than a verdict: IPs in the end-user space are often shared (NAT) and dynamically assigned, so merely turning up as an infected IP is a reason to look, not a digital indictment.
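"Tracked by origin ASN" means each sighted client address is mapped to the autonomous system that announces the most specific covering prefix, so that a network operator can be handed just the addresses that are theirs. The Python below is an added example of that attribution step, not the DCWG's own tooling; the prefix table, AS numbers (from the private range) and sighting records are all constructed for the illustration, whereas a real implementation would populate the table from a BGP routing view.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-origin-AS table standing in for a BGP routing view.
# Prefixes are documentation ranges and the AS numbers are from the private
# range; none of this is real routing data.
PREFIX_TO_ASN = {
    "198.51.100.0/24":   64500,
    "198.51.100.128/25": 64501,   # more specific, announced by another AS
    "203.0.113.0/24":    64502,
}


def build_lpm_table(prefix_to_asn):
    """Sort prefixes most-specific first so the first hit is the longest match."""
    table = [(ipaddress.ip_network(p), asn) for p, asn in prefix_to_asn.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def origin_asn(ip, table):
    """Origin AS of the most specific covering prefix, or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return None


def infected_by_asn(sightings, table):
    """Group (client_ip, last_seen) sightings by origin AS.

    Returns {asn: {ip: most_recent_sighting}}; IPs with no covering prefix
    are collected under the key None so they are not silently dropped.
    """
    report = defaultdict(dict)
    for ip, seen in sightings:
        asn = origin_asn(ip, table)
        if report[asn].get(ip, "") < seen:    # ISO-8601 dates compare as strings
            report[asn][ip] = seen
    return dict(report)


def listing_for_asn(report, asn):
    """What an operator who has proven responsibility for `asn` would receive."""
    return sorted(report.get(asn, {}).items())


# Constructed sightings: client addresses seen querying the replacement
# resolvers, with the date of the last query (made-up data).
SIGHTINGS = [
    ("198.51.100.10",  "2012-05-01"),
    ("198.51.100.200", "2012-05-02"),
    ("198.51.100.10",  "2012-05-03"),   # same client seen again, later
    ("203.0.113.5",    "2012-05-02"),
    ("192.0.2.9",      "2012-05-04"),   # no covering prefix in our table
]

TABLE = build_lpm_table(PREFIX_TO_ASN)
REPORT = infected_by_asn(SIGHTINGS, TABLE)

if __name__ == "__main__":
    for asn in sorted(REPORT, key=lambda a: (a is None, a or 0)):
        print(f"AS{asn}: {listing_for_asn(REPORT, asn)}")
```

Note the more-specific /25 wins over the covering /24, which is why the sort by prefix length matters: hand the /24's operator a customer that is actually announced by someone else and the notification goes to the wrong help desk. The DCWG's verification that the requester is "a responsible contact for the ASN" is the other half of this: the listing is only released once the mapping has a trustworthy recipient.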

The Power of BIG Data

This exercise, in addition to providing a valuable (and, given the large number of still-infected machines out there, necessary) service, illustrates nicely the value of big data to organizations. While certainly most enterprises won’t be consuming this particular data set, there are many other services, commercial IP reputation feeds among them, that provide similar (and in many cases better) granularity of information about end-users, and that information can be highly valuable to the security of the data center.

Knowing, for example, that the client connecting to your public-facing application is coming from an anonymizing proxy, or from an IP known for launching web application attacks (SQLi and the like), is as good as gold for many organizations. And, like those who’ve joined the effort to inform end-users of their infected state, if the supporting infrastructure is flexible enough – if it’s programmable, as it were – then organizations need not chew their own arms off worrying about blocking an IP that’s been flagged but is also shared. Reputation is a signal about an address, not about the person behind it, so the right response depends on the category: infrastructure imbued with information from big data services can route a flagged-as-infected client through a process that helps the end-user redress the situation, as is being done with DNSChanger, rather than outright block or deny access.
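What "inform rather than block" looks like in programmable infrastructure, as an added example: a WSGI wrapper (plain Python, not the page's own platform or any vendor's rule language) that consults two constructed reputation lists and applies a different policy to each. A known attack source gets a 403; an address on the infected list is redirected once per browser to a remediation page and then allowed through, so a clean machine that merely shares a NAT address with an infected one is never locked out. The lists, the remediation URL and the cookie name are all hypothetical.

```python
from http.cookies import CookieError, SimpleCookie

# Constructed reputation data (hypothetical): addresses seen querying the
# replacement resolvers, and known attack sources of the kind a commercial
# IP reputation feed supplies. Neither list is real.
INFECTED = {"198.51.100.10"}
ATTACK_SOURCES = {"203.0.113.66"}

REMEDIATION_URL = "https://dns-check.example/"     # hypothetical help page
NOTIFIED_COOKIE = "dns_notified"                   # hypothetical cookie name


def classify(ip):
    """Policy: attack sources are denied; infected addresses are informed, not
    denied, because a residential IP is shared and dynamically assigned."""
    if ip in ATTACK_SOURCES:
        return "block"
    if ip in INFECTED:
        return "inform"
    return "allow"


def already_notified(cookie_header):
    """True if this browser has already been sent to the remediation page."""
    try:
        jar = SimpleCookie(cookie_header)
    except CookieError:
        return False
    return NOTIFIED_COOKIE in jar


class ReputationMiddleware:
    """WSGI wrapper that applies classify() to the connecting address."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        ip = environ.get("REMOTE_ADDR", "")
        action = classify(ip)
        if action == "block":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        if action == "inform" and not already_notified(environ.get("HTTP_COOKIE", "")):
            # Redirect to the remediation page once per browser, then let later
            # requests through: a clean machine sharing the address sees the
            # notice a single time and is never denied service.
            start_response("302 Found", [
                ("Location", REMEDIATION_URL),
                ("Set-Cookie", f"{NOTIFIED_COOKIE}=1; Path=/; HttpOnly"),
            ])
            return [b""]
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Stand-in for the protected application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def call(app, environ):
    """Drive a WSGI app in-process and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


APP = ReputationMiddleware(hello_app)

if __name__ == "__main__":
    for env in ({"REMOTE_ADDR": "203.0.113.66"},
                {"REMOTE_ADDR": "198.51.100.10"},
                {"REMOTE_ADDR": "198.51.100.10", "HTTP_COOKIE": "dns_notified=1"},
                {"REMOTE_ADDR": "192.0.2.1"}):
        print(env["REMOTE_ADDR"], "->", call(APP, env)[0])
```

Two caveats a practitioner would add in production: REMOTE_ADDR is only the client's address if no proxy sits in front of the application (otherwise the trusted proxy's forwarded-for header must be used, and only from that proxy), and the infected list should carry a last-seen timestamp so that an address recycled by DHCP stops triggering the notice once it has been quiet for a while.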

Big data services are coming of age and combined with the flexibility of intelligent infrastructure, the possibilities for leveraging that information are endless.