Farsight Security, Inc. (FSI)
On July 1, 2013, Farsight Security, Inc. (FSI) acquired the security related business assets of Internet Systems Consortium including all DNSDB and SIE and related technologies and customer contracts. At that time the ISC Security team consisting of Paul Vixie, Eric Ziegast, Robert Edmonds, and Leo Bicknell joined Farsight Security full time where they continue to innovate and execute in the field of network observability. Existing subscribers to DNSDB and SIE should continue to use their existing support channels until further notice.
Security Information Exchange
FSI SIE is a trusted, private framework for information sharing in the Internet Security field. Participants can operate real time sensors that upload and/or inject live data to SIE, and other participants can subscribe to this data either in real time or by query access.
Participants are network operators (including ISPs, enterprise, academic, and research), law enforcement (internationally), security companies (including anti-virus, intrusion detection, etc), and research (including academic, Internet do-gooder, government, and commercial). All access and use, either commercial or noncommercial, must be in the public interest.
By leveraging lessons learned from the 1990's building the commercial Internet eXchange Point (IXP) concept in the 1990's, SIE is leading the way to show the security industry how to build security data exchange infrastructure, apply concepts like peering and Metcalfe's law, and learn about scalability and trust within its participant comunity. Farsight Security is a co-equal participant of SIE with other security companies and research partners. By making internal data processing and results available in real time equitably and fairly, Farsight Security demonstrates that open data sharing to vetted participants is a sustainable model for both business and research with benefits that exceed what can be provided through a merely a commercial end user product.
FSI Passive DNS Replication Project
One of the first and best examples on SIE for real time data collection and sharing comes from the work pioneered by Florian Weimer in 2004 regarding the aggregated collection of DNS response information to recursive caching DNS servers. Since 2007, the FSI team (then at ISC) has developed and maintained relationships with several large Internet providers, software service providers, universities, and several Internet security companies to monitor what DNS information is being accessed and used by their aggregate user population in near real time. The value of the data comes from building searchable forward and reverse indexes of the DNS data (eg: Farsight DNSDB) or monitoring associations in real time between known global identifiers (addresses and names and nameservers) utilized by miscreants for their purposes and new related identifiers.
FSI publishes open-source software for collecting Passive DNS replication information. The FSI collection infrastructure utilizing SIE and NMSG technology is both robust and scalable. We have developed an enhanced Passive DNS real time data processing tools and infrastructure which has evolved with the needs of researchers and security analysis teams. The processing includes deduplicating repeated data, verifying its correctness, identifying its bailiwick, and filtering out unwanted information. FSI Passive DNS data is fed into Farsight DNSDB and participants on Farsight SIE who are interested in real time DNS data for enhancing their products.
Organizations that contribute DNS data into to the project allows the widest range of trusted Internet security analysts and researchers to develop and enhance products (both free and commercial) to be more relevant to both the organization's user population. Natural data aggregation, Farsight SIE policies, and contributor anonymization techniques help preserve participant privacy.
The NMSG format is an efficient encoding of typed, structured data into payloads which are packed into containers which can be transmitted over the network or stored to disk. libnmsg is the reference implementation of this format and provides an extensible interface for creating and parsing messages in NMSG format. The NMSG format relies on Google Protocol Buffers to encode the payload header. Individual NMSG payloads are distinguished by assigned vendor ID and message type values and libnmsg provides a modular interface for registering handlers for specific message types. libnmsg makes it easy to build new message types using a Protocol Buffers compiler.
Within SIE, nmsgtool and libnmsg are used for collecting data on sensors, transporting data to SIE relay servers, broadcasting data within SIE switch framework, and processing and archiving data. It's efficient (data is binary, no text parsing like JSON or XML), flexible (wide variety of transport of data), extensible (new data formats can easily be defned), and open source. The libnmsg API has bindings for Python and Perl making it easier for scripting analysis of data. NMSG has grown beyond SIE to be used by researchers for data combining and analysis.
Mailing list: https://lists.isc.org/mailman/listinfo/nmsg-dev
The DNS Database (DNSDB) is a searchable history of DNS records that stores and indexes both the Passive DNS data, available via Farsight's Security Information Exchange, as well as the authoritative DNS data that various zone operators make available. DNSDB makes it easy to search for individual DNS records as seen at different levels of the DNS tree hierarchy along with timestamps for when they were first or last seen. More importantly, DNSDB provides the ability to perform inverse look-ups based on the answers of DNS queries.
This database is frequently used as a resource for finding sources used for malicious activities. Some of its many uses include:
- Finding new domains related to existing spam or botnet campaigns.
- Enumerating IP addresses that are being used for fastflux botnets.
- Finding other DNS information utilized by known IP addresses.
- Identifying other names or addresses seen within a known domain or IP CIDR range.
- Using historical information to determine when information changed and how.
Sharing DNS information broadens results from other data analysis, maps out related criminal activity, and identifies the DNS names or addresses used by cyber criminals. Access to DNSDB is only allowed for authorized and approved users who apply for access. Users include a wide array of security analysts for both closed commercial and open public benefit purposes, members of CERT/CSIRT teams, international law enforcement, university researchers, and ISP operational security and abuse teams. Automated cross-referencing and analysis of data to Farsight DNSDB improves security products used by many.
Farsight Security team members are involved in several industry and government Internet security projects. Some are under contract (DHS, NSF, FBI), partnering with or supporting our customers, supporting community security collaboration efforts, participating in security mailing lists and trust groups, or hosting or facilitating sharing projects for Internet do-gooders, or contributing to security conferences when invited.