Add Warden reporting capabilities to PassiveDNS
In addition to interactive work by a researcher and automated data
acquisition by dependent machine systems (like NERD), the PassiveDNS
system could be used to directly report security incidents to the Warden
sharing infrastructure. The prerequisite is that suitable analytic
mechanisms are developed, but the underlying interfacing work is needed as well.
There are two natural exit points from PassiveDNS to Warden:
- The pdns_importer, for stream processing tasks. Contrary to popular opinion, there is enough headroom in the importer to do further analytic processing and potentially reporting. Architectural limitations apply, of course: the analytics must not require interaction between workers, as that is not currently possible and would kill the performance, and the processing should require very little RAM (there are many workers, and current CPython implementations have memory reclaim issues). The valid candidates here are attacks using invalid or malformed requests.
- The pdns_bgcalc, for deeper analytics on the stored data as a whole. Valid candidates are the output of the phishing detector, the planned bitcoin miner detection tool and similar high-level analytics.
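To make the importer-side constraints concrete, the following is an added example (not PassiveDNS or Warden project code) of the kind of detector that fits a single pdns_importer worker: it inspects each query name in the stream, keeps only a capped per-source counter (no state shared between workers, bounded RAM), and yields a minimal IDEA-style event once a source exceeds a threshold. The record layout (src, qname, ts), the class and function names, the threshold, the node name and the exact IDEA field subset and category are assumptions made for the illustration; the real importer record format and the Warden client API are not described on this page.

```python
# Added example: a bounded-memory malformed-request detector of the kind that
# could run inside a single pdns_importer worker. Not PassiveDNS or Warden code;
# record layout, names and the IDEA field subset are assumptions for illustration.
import re
import uuid
from collections import OrderedDict
from datetime import datetime, timezone

MAX_LABEL_LEN = 63    # RFC 1035 label limit
MAX_NAME_LEN = 253    # RFC 1035 presentation-form name limit
# Conservative label alphabet: LDH plus underscore (SRV/DKIM style names).
LABEL_RE = re.compile(r'^[A-Za-z0-9_-]+$')


def malformed_reason(qname):
    """Return a short reason if qname breaks RFC 1035 length rules or uses
    characters outside the conservative label alphabet, else None."""
    name = qname.rstrip('.')
    if not name:
        return 'empty'
    if len(name) > MAX_NAME_LEN:
        return 'name_too_long'
    for label in name.split('.'):
        if not label:
            return 'empty_label'
        if len(label) > MAX_LABEL_LEN:
            return 'label_too_long'
        if not LABEL_RE.match(label):
            return 'bad_chars'
    return None


class BoundedCounter:
    """Per-key counter with a hard cap on tracked keys; the least recently
    touched key is evicted, so memory stays bounded however long the worker runs."""

    def __init__(self, capacity):
        self.capacity = capacity
        self._counts = OrderedDict()

    def incr(self, key):
        n = self._counts.pop(key, 0) + 1
        self._counts[key] = n            # re-insert at the "most recent" end
        if len(self._counts) > self.capacity:
            self._counts.popitem(last=False)
        return n

    def reset(self, key):
        self._counts.pop(key, None)

    def __len__(self):
        return len(self._counts)


class MalformedRequestDetector:
    """Each worker keeps only its own small counter, so no inter-worker
    communication is needed (the constraint the page describes)."""

    def __init__(self, threshold=5, capacity=10000, node_name='cz.example.pdns'):
        self.threshold = threshold
        self.node_name = node_name        # assumed Warden node name (placeholder)
        self.counter = BoundedCounter(capacity)

    def process(self, record):
        """record: {'src': ip, 'qname': str, 'ts': epoch seconds} (assumed layout).
        Returns an IDEA-style event dict once a source reaches the threshold, else None."""
        reason = malformed_reason(record['qname'])
        if reason is None:
            return None
        src = record['src']
        if self.counter.incr(src) < self.threshold:
            return None
        self.counter.reset(src)           # report once per burst, then start over
        addr_key = 'IP6' if ':' in src else 'IP4'
        return {
            'Format': 'IDEA0',
            'ID': str(uuid.uuid4()),
            'DetectTime': datetime.fromtimestamp(record['ts'], tz=timezone.utc).isoformat(),
            'Category': ['Anomaly.Traffic'],  # assumed category choice
            'Note': f'{self.threshold} malformed DNS queries from one source, last reason: {reason}',
            'Source': [{addr_key: [src], 'Proto': ['dns']}],
            'Node': [{'Name': self.node_name, 'Type': ['Flow', 'Statistical']}],
        }


def run_stream(records, detector):
    """Feed records through the detector; return the events it raised."""
    return [ev for ev in (detector.process(r) for r in records) if ev is not None]


# Constructed sample stream (not real data); 10.0.0.1 sends three malformed queries.
SAMPLE_RECORDS = [
    {'src': '10.0.0.2', 'qname': 'www.example.com.', 'ts': 1700000000.0},
    {'src': '10.0.0.1', 'qname': 'a' * 70 + '.example.com.', 'ts': 1700000001.0},
    {'src': '10.0.0.1', 'qname': 'x\x00y.example.com.', 'ts': 1700000002.0},
    {'src': '10.0.0.2', 'qname': '_sip._udp.example.com.', 'ts': 1700000003.0},
    {'src': '10.0.0.1', 'qname': '..example.com.', 'ts': 1700000004.0},
    {'src': '10.0.0.1', 'qname': 'ok.example.com.', 'ts': 1700000005.0},
]

if __name__ == '__main__':
    det = MalformedRequestDetector(threshold=3, capacity=100)
    for event in run_stream(SAMPLE_RECORDS, det):
        print(event)
```

The capped counter is the point: a worker that grows an unbounded dict of sources would run into exactly the memory reclaim problem the text warns about, whereas LRU eviction keeps the footprint fixed at the cost of occasionally forgetting a slow, low-rate source. Deeper correlation across sources (or across workers) is what belongs in pdns_bgcalc, not here.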
Author: Radko Krkoš krkos@cesnet.cz