PassiveTotal

One of the major components of offering a service is just that, offering it. Keeping a system online with consistent data isn't as easy as spinning up a machine with a database and walking away. Datacenters experience latency, systems need updates, hard drives fail and in some cases, entire companies get their network destroyed overnight. One of the big goals for PassiveTotal was to take our service and ensure that we always had a way to recover from failure, especially since our machines were located in the cloud.

Prior to the redesign, PassiveTotal was running on a larger instance within Digital Ocean where backups were done locally and then copied on a scheduled basis. The biggest issue we had with this setup was the potential for node failure, either due to our processes or our hosting provider. Our initial redesign split the application logic from the database hosts and had the databases clustered together with one node in San Francisco and another node in New York. Accounting for the changes in the code was easy and our new designed was able to ensure we had two copies of data in two different places, a de-coupled application server and solid recovery process.

Like good engineers, before we deployed the new design to production, extensive testing was done locally to account for any strange bugs or unexpected output. This mostly included failure between the two clustered database nodes and observing the election process that followed. While we tested, we also documented our processes and wrote a test suite to check the servers to ensure the processes were properly followed. Using our guides and test suite, we deployed our new design to production with literally no downtime. To do that, we ran the old version in parallel with it pointing to the new database nodes until the DNS records were able to update on all our clients.

For over two weeks, we experience no issues with our new setup. Everything was working great, our primary database node was under minimal load, our secondary ready and waiting for a failure and backups funneling up to the core application node. Then one morning, we woke up to find a couple messages from newly-approved users saying they couldn't access their account. Weird, when querying the database, they were no longer there. Looking at the cluster status, it was apparent that something had failed overnight as our New York primary was now offline and San Francisco was serving as the master.

The good news was that our site never went down (yay!), the bad news though was our databases were clearly out of sync. For the next couple hours we went through the logs to try and figure out what had happened. To the best of our knowledge, New York became overwhelmed and killed the database process therefore sparking the election to promote San Francisco to primary. The databases were out of sync due to latency between datacenters (NY and SF) and our asynchronous replication writes were not being verified (apparently this is not a default action).

Having identified the major problem to be latency between datacenters, we quickly spun up two new data nodes in New York, ran them through our process, verified they were configured properly and moved the daily backup snapshot from our original New York primary over to the new cluster. Within 10 minutes, we were able to point the application server over to the new cluster and business resumed like normal. Had we not had backups or documented our processes or wrote test suites to check our configurations, this node failure would have taken much longer to recover from.

Lately, a lot of the changes to PassiveTotal have been more subtle. When we first started the platform, tags were simply tags; users could tag a particular domain or IP address with whatever they wanted. The data representation of a tag was simply a list of values inside of an array associated with each user. Aside from the tag value, nothing more was needed to represent the value back to the user.

To avoid doing any page refreshing, we used javascript to bind event listeners to each tag allowing users to remove their own values or use them for searches. As time progressed, two new types of tags were added, system and temporal tags, yet our model didn't change. Instead, tag types were handled on the client side to help adjust colors, icons and whether or not the tag could be removed. This solution was always a hack and made managing the different types of tags difficult inside of different views. The result of the hack was a bunch of extra code, flakey javascript routines, misleading searches and conflicting colors for tag types.

While the issues mentioned above were annoying, they weren't causing significant breaks in the platform and were classified as a lower priority. That was the case until a few weeks ago when we decided to add organization accounts into the platform. It was clear that if users were part of the same organization, that tags from one user would be shown to another. A tag was no longer just a tag. It needed to be clear who tagged what and misinterpretation due to color was no longer acceptable.

In order to account for these new challenges and also fix the existing issues, we had to redesign how a tag was represented in the system. The solution we ended up releasing was to interpret each tag as an object that looked like the following example:

{ 'tag': 'test', 'username': 'global', 'type': 'global', 'color': 'success', 'icon': 'globe', 'removable': False, 'searchable': False }

Instead of trying to derive the context, type, color and icon on the client side using the tag value, we were able to move that information inside one container along with the value. In doing so, we greatly simplified the client side processing and ensured that no mistakes in representing the tag would be made. With the additional information, we were also able to properly style the tag depending on the different type therefore addressing the previous issues of conflicting colors, misleading searches and removable types.

For the past few weeks, we have been testing some of the history data provided by DomainTools in order to generate a new source. After seeing the value, we were able to work out an agreement with DomainTools to provide PassiveTotal accounts with 50 unique queries a month. In order to take advantage of this, you don't have to do a single thing. DomainTools has been enabled as a source for all accounts and trials have already begun. 

What's cool about having DomainTools as a feed is the extensive history provided for domains. In many cases, users will notice IP resolution data going back nearly 10 years! Before Steve and I decided to go forward on adding the source, we decided to put it in beta on ourselves to see how powerful it really was. In several cases, DomainTools provided at least one unique pivot point for targeted domains which led to more infrastructure discovery. 

For the past week or two, we have been silently testing (some of you have noticed) a new way to identify valid subdomains for a domain based on wildcard searches across all passive DNS data. Today we are proud to release the feature formally and also mention you can now get alerts for new subdomains on any domain you want!

As an example, if you decided you wanted to know all the data associated with jusched.net then you could simply search for "*.jusched.net". This will produce the following subdomain view:

You'll notice from the above screenshot that not only can you see the unique subdomains for the domain, but also all passive DNS data associated with the record. We put some extra work in on this feature and ensured that the wildcard search works even if the local source (like Virustotal) doesn't support such a query type. 

Aside from just seeing the data associated with the domain, you might also want to know when a new subdomain is discovered. Similar to watching individual domains/IP addresses, you can watch a domain for any new subdomains. Alerts will show up in the notifications section as seen below:

If you follow PassiveTotal on Twitter then you know we changed some of the "favorites" behavior within the web application. In fact, the concept of favoriting a domain/IP has now been relabeled as "watching" given some newly added functionality. As researchers, we like to know when something changes or when new data becomes available. Since we have access to all these passive DNS sources, it's possible to identify changes soon after they happen. This is what the new watching feature does. 

If you choose to watch infrastructure inside PassiveTotal, you are essentially asking to be notified on any changes to the passive DNS information. For IP addresses, we alert you on any new domains observed within our passive DNS sources. And for domains, we do the same, but with IP addresses and also let you know if the last resolved IP address has changed. 

When we first rolled this feature out last week, we noticed some issues when emailing alerts out to users. Not only did some of the messages end up in spam, but they were also filling up our inboxes with more tiny bits of information that served no purpose in our email. The PassiveTotal platform was built to have all the useful information in one place and thus we decided to push our notifications directly within PassiveTotal. Of course, some people still want email, so we gave each user the option of local, email or both mediums for alerting. 

Since our release earlier this week, we have gotten some great feedback and bug reports. While dealing with those, we also threw up some documentation for our API (https://www.passivetotal.org/api) and whipped up a helper library like we had before. As an added bonus, we also crafted a very crude, yet effective command line tool for those who didn't want to use the web interface.

You can find the helper client, example usage and command line tools at the following gist: https://gist.github.com/9b/11379392. Curious of the command line output? Well, it looks something like this assuming you don't want the raw JSON.

PassiveTotal is back and better than before. During the first few months of operations, Steve and I learned a lot about how analysts interacted with their data and what features they really wanted. We took all the feedback, capitalized on our earlier failures and re-built a new system from scratch to better cater to threat research. Though some of the changes are subtle, we think you will enjoy working within the platform just as much as we do.

Here are some of the major updates:

No more search quotas

Users can now backup and download their own data

Minor layout changes to all views

Watchlist now alerts you of changes to a record

Granular control of sources

Better classification of sinkholes and dynamic dns providers

Statistics on domains and IPs

Predictions based on passive DNS information