Innovation @ HP Labs
Insights on research, innovation, and emerging technology from HP Labs researchers around the world.

HP Labs works with HP TippingPoint to reveal previously undetected network attacks

Contributed by Simon Firth, freelance technology journalist

HP TippingPoint debuted last week a major enhancement to its HP TippingPoint Reputation Digital Vaccine (RepDV) service – developed in collaboration with HP Labs – that promises to help organizations identify and catalog previously unnoticed malicious domain names, and thereby better anticipate and mitigate hostile attacks on network infrastructure and data centers.


HP TippingPoint RepDV offers a global ‘blacklist’ of known bad domain names and IP addresses, which customers can use to identify compromised computers and block traffic coming from or going to these sites.


Historically, HP TippingPoint has built its list by:

  • establishing online ‘honeypots’ that catch malware, from which RepDV can identify suspect domain names and IP addresses
  • discovering bad domain names and IP addresses as part of its own internal research process
  • importing third-party blacklists that it combines with a computed reputation score

Now, thanks to a collaboration between HP TippingPoint DVLabs, HP TippingPoint’s own security research arm, and colleagues in HP’s Security and Cloud Lab, RepDV is adding a new source of bad domain names derived from a real-time analysis of DNS traffic.


“It’s a huge challenge to collect and then analyze that data flow, but the rewards are immense,” notes Bill Horne, lead HP Labs researcher on the project. “For one thing, it’s letting us share previously undetected bad domains with TippingPoint’s customer base. But it also opens up new possibilities for data analytics that can impact both security and network operations more widely.”


A Source of Trouble


The Domain Name System (DNS) is what links web names to the numerical IP addresses that computers actually use to communicate with each other. Unfortunately, the system is vulnerable to several kinds of attack. The servers that maintain the mapping between names and IP addresses can be compromised, for example, making it possible to send users to counterfeit websites that collect their usernames and passwords. Compromised DNS servers can also be used to launch attacks on other sites. And they can house dormant software programs, known as bots, that periodically communicate with servers managed by attackers, which instruct the compromised server to act on the attackers’ behalf.


It’s against that last kind of ‘botnet’ attack that the new addition to HP TippingPoint RepDV is directed.


“It's too difficult for the bad guys to maintain a command and control server at a fixed IP address – law enforcement just finds them too easily and takes them down,” explains Horne. “So to communicate with the command and control servers, these botnets use DNS systems that change domain names all the time. If we can identify those ever-renewing names, we can warn people of servers or other types of sites that are malicious – most of which nobody will have ever seen before.”


Unlike regular web addresses, these malicious domain names are made up of seemingly random letters and numbers, which makes them relatively easy to spot if you have a way of capturing and then filtering DNS traffic. Unfortunately, that traffic runs at a massive volume. For example, a large customer could see up to 120,000 DNS events per second. If all of that were stored on their own network, it could add up to two petabytes of data every three months.


Big data problem


“DNS is one of the most voluminous sources of events in the enterprise,” adds Horne, “but it’s also not logged very well – and because the volumes are so high, doing it at greater granularity is extremely expensive.”


The HP Labs team’s response was to work around the logging issue by applying an algorithm that pre-filters the DNS traffic and sends only a subset for analysis. That reduced the customer’s volume of data from two petabytes to around 20 terabytes every few months.
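To make the two ideas above concrete, the random-looking names and the pre-filter that forwards only a subset of DNS traffic, here is a small Python example added to this post; it is not HP Labs' or HP TippingPoint's code, and the article does not describe their actual algorithm. The sample log, the log format, and the entropy/vowel/digit heuristic with its thresholds are all assumptions made for the example.

```python
import math
from collections import Counter

# Constructed sample DNS query log (not from the article): epoch time, client IP, queried name, record type.
SAMPLE_DNS_LOG = """\
1393891200.101 10.0.0.12 www.example.com A
1393891200.110 10.0.0.31 xk3j9qzv7w2pl.net A
1393891200.115 10.0.0.31 a8f0c4e19b7d23.biz A
1393891200.120 10.0.0.44 cdn.images.example.org A
1393891200.133 10.0.0.31 q9w7e2r5t1y8u3i.info A
1393891200.140 10.0.0.57 docs.python.org AAAA
"""

def shannon_entropy(text):
    """Bits of entropy per character of text (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def registered_label(qname):
    """Label left of the TLD, e.g. 'example' for 'cdn.images.example.org' (assumes a one-label TLD)."""
    labels = [l for l in qname.lower().rstrip(".").split(".") if l]
    return labels[-2] if len(labels) >= 2 else ""

def looks_random(label, min_len=7, min_entropy=3.5, max_vowel_ratio=0.2, min_digit_ratio=0.2):
    """Heuristic chosen for this example (not the HP Labs algorithm): a long label with
    high character entropy that also has few vowels or many digits."""
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    digits = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and (vowels <= max_vowel_ratio or digits >= min_digit_ratio)

def prefilter(log_text):
    """Parse whitespace-separated log lines; return only the (client, qname) pairs worth forwarding."""
    suspects = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines instead of stopping the pipeline
        _ts, client, qname, _qtype = fields[:4]
        if looks_random(registered_label(qname)):
            suspects.append((client, qname))
    return suspects

if __name__ == "__main__":
    kept = prefilter(SAMPLE_DNS_LOG)
    print(f"forwarded {len(kept)} of {len(SAMPLE_DNS_LOG.splitlines())} queries for analysis")
```

On the constructed log only the three machine-looking names are forwarded, which is the volume reduction the pre-filter is meant to achieve; a real deployment would need a public-suffix list and whitelisting of known CDN or cloud hostnames to keep false positives down.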


“That's still a lot of data,” Horne suggests. “There's a symphony of questions about how do you engineer an end-to-end system to do this. And then there are the analytics.”


The challenge was one the HP research team relished, however. “Having this much data is an absolute gold mine and there are a whole load of interesting questions beyond identifying the botnets that we’re starting to think about,” says Horne. “In principle what we're doing is applicable to almost any data source – it could be HTTP proxy logs, network traffic logs, anything – and what we’re learning about DNS analysis can be useful beyond issues of security. It can tell you about the efficiency of your network, for example, so it’s of considerable operational interest, too.”


A history of collaboration


The collaboration with HP TippingPoint’s DVLabs began several years ago when Horne’s team was looking to use DNS records to identify botnets in large environments. The HP TippingPoint DVLabs group custom-built a server for the Labs researchers that could capture DNS packets as they travelled to and from a specific internet service provider.


HP Labs helped HP TippingPoint collect and analyze the DNS logs, out of which the Labs researchers developed the ability to identify previously undetected bad domain names.


That advance was of immediate interest back at HP TippingPoint as an addition to its RepDV domain name blacklist. As announced at the RSA 2014 Conference in San Francisco this week, the HP network-derived list of suspicious domain names is now being sent to HP TippingPoint DVLabs in regular updates.


HP Labs and HP TippingPoint DVLabs plan to continue collaborating on DNS research.


“The folks at HP TippingPoint DVLabs have a very different kind of culture from what you see in academic security research,” says Horne. “They’re what you could call security hackers – they’re really smart and they really know what they’re doing. From our perspective, they’re thoroughly refreshing and interesting to work with.”
