By providing a comprehensive understanding of malicious DNS traffic, this article serves as a valuable resource for anyone seeking to understand the evolving nature of cyber threats and safeguard their networks from potential attacks. Malicious DNS Traffic examines how cybercriminals use this technique to redirect users to fake websites, steal personal information, and launch automated attacks.
DNS traffic can be a hidden attack vector that many organizations neglect to examine. Initially designed for name resolution, DNS is now often utilized as an avenue for data exfiltration and malware exchanges.
According to a recent study by Akamai, 10%-16% of network devices experienced DNS requests originating from C2 servers associated with known botnets and other malware threats.
Spam
Spam is a technique used to send unsolicited emails, which has become one of the primary methods malicious actors use to spread malware and other threats. Additionally, spam allows them to gain access to network infrastructure that could be exploited for further criminal activities.
Domain registration is a popular method used by spammers to launch multiple campaigns simultaneously. They typically register the domains in bulk, enabling them to launch multiple schemes simultaneously.
Once a domain is registered, spammers often configure zone files and fill the associated resource records in DNS manually or using third-party software.
Therefore, it is critical to detect spam before it sends email. In order to do this, the detection system must be able to analyze DNS data to determine whether a domain is new or not and classify it quickly enough for quick decision-making.
In this paper, we propose a method for detecting spam domains early in their lifecycle by performing just one DNS query and refining classification by monitoring more traffic to the TXT record containing the domain. Our model incorporates both lexical-based features as well as DNS statistical indicators along with third party features to enhance its classification accuracy.
This method can be implemented on any Internet-connected computer and is especially beneficial in data centers, universities, or large end user networks that want to prevent malicious DNS traffic. However, it should not be used as a replacement for DNS blacklists which block IP addresses and sites known to be infected with spam.
Phishing
Phishing is a type of cybercrime that uses social engineering techniques to steal personal or business information from victims. Malicious emails may appear to come from familiar contacts or organizations, and often contain file attachments with malware installed on the user’s device or direct them to a fake website that captures passwords, account IDs and credit card details.
Phishing campaigns involve multiple emails designed to trick recipients into visiting a fake website or clicking on links within the email. They may also contain malicious attachments that look like valid files, such as funny cat videos, eBooks or PDFs.
DNS hijacking and spoofing is a form of phishing that involves manipulating the DNS to redirect web traffic to an impostor site. The malicious actor sets up a DNS server filled with records for popular sites they believe their victims will visit, such as banking institutions, financial institutions, insurance companies, health care organizations and government websites.
Phony sites mimic the official version of these websites, making it simpler for their victims to use them and provide personal information. This strategy has been employed for years and remains one of the most efficient ways to infect a network with malicious software.
Akamai reported that the number of phishing-related DNS requests remained relatively consistent throughout the year, but there was an uptick during August and September due to a large phishing campaign which saw a 102 percentage point shift between July and September.
Phishing attacks can be quickly detected and avoided if users’ devices have up-to-date security software. Some security tools even check whether a site’s security certificate is valid as well as look for URL matches.
Malware
Malware is software used by malicious actors to infiltrate your computer or network. It can be employed for various purposes, such as network reconnaissance, malware downloads, command and control (C&C) communications, or data transfers out of your network.
In most cases, attackers will attempt to access your device without you knowing. They then use this information for malicious purposes like spreading malware or stealing personal data.
One of the most frequent methods malware attacks your computer is by poisoning DNS. This occurs by altering your local network’s DNS servers so they return incorrect IP addresses for any site you request.
This can manifest in various ways, such as browser redirects to sites you don’t want to visit and strange messages sent to contacts. Running a security tool that scans all of your network traffic can help identify this type of malware.
Bad actors may use DNS tunneling to circumvent firewalls and other security systems. This involves encoding command and control (C&C) messages or small amounts of data into inconspicuous DNS responses and queries.
Network traffic that goes undetected by most is typically slow and undetectable, making it easy for cybercriminals to slip past detection. However, next-generation firewalls and other security tools that employ artificial intelligence deep learning engines can detect and stop this activity in real time.
For effective protection against this threat, implement a DNS filtering solution. This can filter through DNS requests and make it difficult for malicious actors to bypass your firewall. Furthermore, using a DNS monitoring service could help identify abnormal DNS traffic that could be indicative of such attacks.
DDOS
DDoS (Denial-of-service) attacks are malicious attacks in which cybercriminals use a network of connected devices (botnets) to flood a target server with traffic. This can cause the server to stop functioning, slow down, or experience various errors.
Cybercriminals can create malicious DNS traffic by employing tools such as spoofing or DNS cache poisoning. This attack utilizes publicly accessible open DNS servers to flood a victim’s system with fake requests. Open DNS resolvers act as “reflectors,” sending the false DNS responses back to the attacker’s server instead of vice versa, leading to a denial-of-service (DoS) situation.
Attackers typically rely on botnet armies – vast networks of malware-infected computers, routers and Internet of Things (IoT) devices – to launch attacks. These botnets can be utilized for spreading malicious software such as phishing and pharming scams or sending large amounts of fraudulent traffic.
To prevent this from occurring, it is essential to protect your DNS system against known vulnerabilities, such as a flaw in how records are stored in the DNS region. This flaw allows hackers to alter records and redirect malicious traffic towards fraudulent sites.
Additionally, a vulnerability in the DNS amplification and reflection process can be exploited by attackers to flood a victim’s system with large, unsolicited DNS queries. These forged requests may come from individual systems or networks of systems, producing much larger responses than expected for their original inquiries.
This attack can leave the victim’s DNS server unable to handle all incoming traffic, leading to slowdown or even shutdown. This is not ideal for businesses as it disrupts customer experience and impacts revenue.
C&C
C&C (command and control) servers are the tools hackers use to communicate with infected computers. They can send beacons, instruct them on a specific task, and exfiltrate information from compromised systems.
C&C servers issue various commands depending on the malware type; these can range from a simple “Are you still there?” question to data exfiltration instructions and full remote control commands. These communications are sent across networks as messages, beacons and payloads.
Some malicious software employs C&C beaconing to avoid detection by firewalls. This type of communication typically follows a regular schedule (called the beaconing interval), and can be distinguished from normal traffic by the timing of requests.
Security teams can analyze these communications to detect whether an attacker has used a C&C server and what information has been exfiltrated. To do this, logs from various sources, such as network, proxy and endpoint logs, are often collected.
Idealy, logs should be time-synchronized so it’s straightforward to compare different timestamps for C&C communication. Without them, however, building a timeline of the incident and identifying affected hosts will prove challenging.
Another approach for detecting and analyzing C&C traffic is to collect and record full packet captures of infected network traffic. While this requires infrastructure, it can serve as a useful starting point in determining the type and volume of malware-generated traffic.
To protect against malicious DNS traffic, the best approach is to scan and filter all of your traffic – both inbound and outbound. This can be accomplished using a DNS filtering solution such as DNSFilter that acts as the gatekeeper for all of your DNS requests.
