The Overlay Network

An analysis of a malicious botnet based in DNS that targets government infrastructure.

Computing has multiple levels of virtualization that we are often not aware of. The OSI model itself is seven layers, each encapsulated inside the one beneath it, down to the physical layer at the bottom. Beyond this, the information on the website itself can be thought of as yet another meta layer.

Biological metaphors in computing are becoming more common and are quickly replacing comparisons with the mind and brain. An OSI-style model of the body might run from a human, to an organ, to cells, inside of which are structures like ribosomes and DNA. DNA in turn is made up of the bases adenine, thymine, cytosine and guanine.

All of these quick asides are just to suggest that even for those of us familiar with the internet, there are many pieces we don't see, hidden within layers we thought we knew.

DNS BotNet Characteristics

A large distributed DNS botnet would be a good example of such an embedded virtualization layer, one that could exist largely unseen.

It would have the following characteristics:

  • Lots of reverse DNS records in the IP space of the domains that have been tampered with. These reverse DNS records need to follow some kind of schema or pattern; they cannot be fully random, because the operator has to be able to generate and recognize them
  • Some IP addresses need to have multiple PTR records associated with them
  • A decent number of "associated domains", because you might as well only compromise domains that give you control of a broader apex portfolio
  • A large, unnecessary number of subdomains created for random traffic interception, DNS tunneling, and perhaps further usage later
  • Many hosts with port 25 open for SMTP, perhaps 22/23 for SSH and Telnet, and others such as 1723 for PPTP and 5222 for XMPP. Botnets often use these protocols for inter-node communication
  • Immediate redirects via either HTTP 3xx status codes or CNAME records. Much like passing information covertly through IRC channels, this lets the attacker move some amount of traffic outside the network space over which the victim can assert control
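To make the first, second and last of these characteristics checkable, here is an added example (not code from the original post) that scores a set of reverse-zone and CNAME records: it collapses digit runs in PTR targets to find the dominant naming schema, lists IPs carrying more than one PTR, and flags CNAMEs whose target apex falls outside the set of domains the organization owns. The records, the example.org/example.net names and the two-label apex rule are all constructed assumptions.

```python
"""Heuristics for the reverse-DNS and redirect indicators listed above.

Hypothetical example code written for this post; not the author's tooling.
Input is a list of (owner, rtype, rdata) tuples, the shape you get from
walking a reverse zone or from a PTR sweep of an IP block.
"""
import re
from collections import Counter, defaultdict

# Constructed sample data, not real DNS: a few IPs from one reverse zone
# plus two forward CNAMEs. Digits inside the PTR targets follow a schema
# except for one host.
SAMPLE_RECORDS = [
    ("1.2.0.192.in-addr.arpa.", "PTR", "host-192-0-2-1.example.org."),
    ("2.2.0.192.in-addr.arpa.", "PTR", "host-192-0-2-2.example.org."),
    ("3.2.0.192.in-addr.arpa.", "PTR", "host-192-0-2-3.example.org."),
    ("3.2.0.192.in-addr.arpa.", "PTR", "mail.example.org."),   # second PTR on one IP
    ("4.2.0.192.in-addr.arpa.", "PTR", "vpn-gw-04.example.org."),
    ("5.2.0.192.in-addr.arpa.", "PTR", "host-192-0-2-5.example.org."),
    ("6.2.0.192.in-addr.arpa.", "PTR", "q7x2k9.example.org."),  # no schema
    ("www.example.org.", "CNAME", "edge-17.cdn.example.net."),  # leaves the apex set
    ("portal.example.org.", "CNAME", "login.example.org."),     # stays inside it
]

DIGIT_RUN = re.compile(r"\d+")


def ptr_schema(name: str) -> str:
    """Collapse digit runs to '#' so host-192-0-2-1 and host-192-0-2-5 share a schema."""
    return DIGIT_RUN.sub("#", name.lower())


def apex(name: str) -> str:
    """Crude apex: the last two labels. Assumption: no public-suffix list is consulted."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyze(records, owned_apexes):
    """Summarize how 'structured' the reverse space looks and where CNAMEs lead.

    owned_apexes: set of apex domains the organization controls (assumed input).
    """
    ptr_by_ip = defaultdict(list)
    schemas = Counter()
    external_cnames = []
    for owner, rtype, rdata in records:
        if rtype == "PTR":
            ptr_by_ip[owner].append(rdata)
            schemas[ptr_schema(rdata)] += 1
        elif rtype == "CNAME" and apex(rdata) not in owned_apexes:
            external_cnames.append((owner, rdata))
    total = sum(schemas.values())
    top_schema, top_count = schemas.most_common(1)[0] if schemas else ("", 0)
    return {
        "ptr_total": total,
        "top_schema": top_schema,
        # share of PTR targets that follow the single most common schema
        "top_schema_share": top_count / total if total else 0.0,
        "multi_ptr_ips": sorted(ip for ip, names in ptr_by_ip.items() if len(names) > 1),
        "external_cnames": external_cnames,
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_RECORDS, {"example.org"})
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the constructed data four of the seven PTR targets share one schema, one IP carries two PTRs, and one CNAME leaves the owned apex set. On a real block the interesting signal is the schema share: a hosting provider's reverse zone is also highly regular, so this number only becomes evidence when read together with the open-port and redirect indicators above.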

A very good example of this pattern is the Department of Energy. They, like a lot of other cabinet-level departments, actually have two versions of their name as URLs: either "" or "". In most cases, the "DO*" domain will not be their main user-facing website.

A similar case, by the way, is the Justice Department, which actually has three permutations: "", "", "". Here again it is the single-word domain, not the "DO*" one, that users are usually supposed to visit:

Energy Department DNS Records at

Below are the open ports (found in the IP blocks assigned to DOE) along with the reverse DNS record structure for

Matching the characteristics listed above, we can see:

  • Port 25 (and also 587, the submission port) is open for email
  • Port 22 is open (although it could just be ordinary SSH management)
  • A massive number of well-structured reverse DNS records (24,000+) exists

A Comparison to

Note the similarities between and the image you just saw above. Just at the intuitive visual level you should notice similarities. Now look at the structure of the reverse DNS and the ports that are open (even though it's a much smaller IP block!).

One Last Thing

Botnets need ways to come up with all of the subdomains and records they generate. A decade or two ago they might have generated random alphanumeric strings 20 characters long. Those became easier and easier to spot, since high-entropy labels stand out against ordinary hostnames, so now dictionaries of common words are often used and chained together.
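As an added example that is not from the original post, the following classifier separates the two generation styles described above: it flags long, high-entropy labels as the old random style and labels that tile exactly into dictionary words as the chained-word style. The word list, the length and entropy thresholds and the sample hostnames are constructed assumptions.

```python
"""Classify DNS labels as random-looking, dictionary-chained, or neither.

Hypothetical example code written for this post; not the author's tooling.
Thresholds and the word list are assumptions chosen for the constructed
sample below, not values tuned on real traffic.
"""
import math
import re
from collections import Counter

# Constructed word list; a real deployment would load a full dictionary.
WORDS = {
    "bright", "river", "stone", "mail", "cloud", "blue", "north", "gate",
    "host", "vpn", "web", "app", "data", "secure", "net", "green", "hill",
}

# Assumed thresholds: 20-char alphanumeric labels were the old style, so
# anything this long with near-uniform character use is treated as random.
RANDOM_MIN_LEN = 12
RANDOM_MIN_ENTROPY = 3.5  # bits per character


def shannon_entropy(s: str) -> float:
    """Bits per character of the label's own character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def word_segmentation(label: str, words=WORDS):
    """Return dictionary words that exactly tile the label's letters, or None.

    Hyphens and digits are dropped first, so 'bright-river-stone' and
    'brightriverstone' segment the same way (an assumption about the generator).
    """
    core = re.sub(r"[^a-z]", "", label.lower())
    best = [None] * (len(core) + 1)
    best[0] = []
    for i in range(1, len(core) + 1):
        # longest candidate first; any tiling of the prefix is good enough
        for j in range(max(0, i - 12), i):
            if best[j] is not None and core[j:i] in words:
                best[i] = best[j] + [core[j:i]]
                break
    return best[len(core)]


def classify(label: str) -> str:
    """'dictionary-chain', 'random', or 'other' for a single DNS label."""
    segments = word_segmentation(label)
    if segments and len(segments) >= 2:
        return "dictionary-chain"
    if len(label) >= RANDOM_MIN_LEN and shannon_entropy(label) >= RANDOM_MIN_ENTROPY:
        return "random"
    return "other"


def classify_names(names):
    """Map each hostname to the class of its leftmost label."""
    return {name: classify(name.split(".")[0]) for name in names}


# Constructed sample hostnames (not observed data).
SAMPLE_NAMES = [
    "q7x2k9p4m1n8b3v6c5z0.example.org",  # old-style random label
    "brightriverstone.example.org",      # three dictionary words chained
    "bright-river-stone.example.org",    # same words, hyphenated
    "mail.example.org",                  # ordinary single-word host
    "vpn-gw-04.example.org",             # ordinary structured host
]

if __name__ == "__main__":
    for name, verdict in classify_names(SAMPLE_NAMES).items():
        print(f"{verdict:17s} {name}")
```

The dictionary check runs first because a chained-word label can still have moderate entropy; the entropy test alone would miss it, which is exactly why generators moved to this style. Single dictionary words such as "mail" are left as "other", since one word is how legitimate hosts are usually named too.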

If one were to establish a robust and informative structure, which is more helpful than fully random names, one could still use a dictionary. The meanings should be hidden, but the strings don't need to be fully randomized and can convey information, as seen in the CIA's cryptonym playbook.

Something like the United Nations' UN/LOCODE pattern would be helpful. We will return to that system in the next post.