Malicious DNS Traffic

June 26, 2023

By providing a comprehensive understanding of malicious DNS traffic, this article serves as a valuable resource for anyone seeking to understand the evolving nature of cyber threats and safeguard their networks from potential attacks. Malicious DNS Traffic examines how cybercriminals use this technique to redirect users to fake websites, steal personal information, and launch automated attacks.

DNS traffic can be a hidden attack vector that many organizations neglect to examine. Initially designed for name resolution, DNS is now often utilized as an avenue for data exfiltration and malware exchanges.

According to a recent study by Akamai, 10%-16% of network devices experienced DNS requests originating from C2 servers associated with known botnets and other malware threats.

Spam

Spam is a technique used to send unsolicited emails, which has become one of the primary methods malicious actors use to spread malware and other threats. Additionally, spam allows them to gain access to network infrastructure that could be exploited for further criminal activities.

Domain registration is a popular method used by spammers to launch multiple campaigns simultaneously. They typically register the domains in bulk, enabling them to launch multiple schemes simultaneously.

Once a domain is registered, spammers often configure zone files and fill the associated resource records in DNS manually or using third-party software.

Therefore, it is critical to detect spam before it sends email. In order to do this, the detection system must be able to analyze DNS data to determine whether a domain is new or not and classify it quickly enough for quick decision-making.

In this paper, we propose a method for detecting spam domains early in their lifecycle by performing just one DNS query and refining classification by monitoring more traffic to the TXT record containing the domain. Our model incorporates both lexical-based features as well as DNS statistical indicators along with third party features to enhance its classification accuracy.

This method can be implemented on any Internet-connected computer and is especially beneficial in data centers, universities, or large end user networks that want to prevent malicious DNS traffic. However, it should not be used as a replacement for DNS blacklists which block IP addresses and sites known to be infected with spam.

Phishing

Phishing is a type of cybercrime that uses social engineering techniques to steal personal or business information from victims. Malicious emails may appear to come from familiar contacts or organizations, and often contain file attachments with malware installed on the user’s device or direct them to a fake website that captures passwords, account IDs and credit card details.

Phishing campaigns involve multiple emails designed to trick recipients into visiting a fake website or clicking on links within the email. They may also contain malicious attachments that look like valid files, such as funny cat videos, eBooks or PDFs.

DNS hijacking and spoofing is a form of phishing that involves manipulating the DNS to redirect web traffic to an impostor site. The malicious actor sets up a DNS server filled with records for popular sites they believe their victims will visit, such as banking institutions, financial institutions, insurance companies, health care organizations and government websites.

Phony sites mimic the official version of these websites, making it simpler for their victims to use them and provide personal information. This strategy has been employed for years and remains one of the most efficient ways to infect a network with malicious software.

Akamai reported that the number of phishing-related DNS requests remained relatively consistent throughout the year, but there was an uptick during August and September due to a large phishing campaign which saw a 102 percentage point shift between July and September.

Phishing attacks can be quickly detected and avoided if users’ devices have up-to-date security software. Some security tools even check whether a site’s security certificate is valid as well as look for URL matches.

Malware

Malware is software used by malicious actors to infiltrate your computer or network. It can be employed for various purposes, such as network reconnaissance, malware downloads, command and control (C&C) communications, or data transfers out of your network.

In most cases, attackers will attempt to access your device without you knowing. They then use this information for malicious purposes like spreading malware or stealing personal data.

One of the most frequent methods malware attacks your computer is by poisoning DNS. This occurs by altering your local network’s DNS servers so they return incorrect IP addresses for any site you request.

This can manifest in various ways, such as browser redirects to sites you don’t want to visit and strange messages sent to contacts. Running a security tool that scans all of your network traffic can help identify this type of malware.

Bad actors may use DNS tunneling to circumvent firewalls and other security systems. This involves encoding command and control (C&C) messages or small amounts of data into inconspicuous DNS responses and queries.

Network traffic that goes undetected by most is typically slow and undetectable, making it easy for cybercriminals to slip past detection. However, next-generation firewalls and other security tools that employ artificial intelligence deep learning engines can detect and stop this activity in real time.

For effective protection against this threat, implement a DNS filtering solution. This can filter through DNS requests and make it difficult for malicious actors to bypass your firewall. Furthermore, using a DNS monitoring service could help identify abnormal DNS traffic that could be indicative of such attacks.

DDOS

DDoS (Denial-of-service) attacks are malicious attacks in which cybercriminals use a network of connected devices (botnets) to flood a target server with traffic. This can cause the server to stop functioning, slow down, or experience various errors.

Cybercriminals can create malicious DNS traffic by employing tools such as spoofing or DNS cache poisoning. This attack utilizes publicly accessible open DNS servers to flood a victim’s system with fake requests. Open DNS resolvers act as “reflectors,” sending the false DNS responses back to the attacker’s server instead of vice versa, leading to a denial-of-service (DoS) situation.

Attackers typically rely on botnet armies – vast networks of malware-infected computers, routers and Internet of Things (IoT) devices – to launch attacks. These botnets can be utilized for spreading malicious software such as phishing and pharming scams or sending large amounts of fraudulent traffic.

To prevent this from occurring, it is essential to protect your DNS system against known vulnerabilities, such as a flaw in how records are stored in the DNS region. This flaw allows hackers to alter records and redirect malicious traffic towards fraudulent sites.

Additionally, a vulnerability in the DNS amplification and reflection process can be exploited by attackers to flood a victim’s system with large, unsolicited DNS queries. These forged requests may come from individual systems or networks of systems, producing much larger responses than expected for their original inquiries.

This attack can leave the victim’s DNS server unable to handle all incoming traffic, leading to slowdown or even shutdown. This is not ideal for businesses as it disrupts customer experience and impacts revenue.

C&C

C&C (command and control) servers are the tools hackers use to communicate with infected computers. They can send beacons, instruct them on a specific task, and exfiltrate information from compromised systems.

C&C servers issue various commands depending on the malware type; these can range from a simple “Are you still there?” question to data exfiltration instructions and full remote control commands. These communications are sent across networks as messages, beacons and payloads.

Some malicious software employs C&C beaconing to avoid detection by firewalls. This type of communication typically follows a regular schedule (called the beaconing interval), and can be distinguished from normal traffic by the timing of requests.

Security teams can analyze these communications to detect whether an attacker has used a C&C server and what information has been exfiltrated. To do this, logs from various sources, such as network, proxy and endpoint logs, are often collected.

Idealy, logs should be time-synchronized so it’s straightforward to compare different timestamps for C&C communication. Without them, however, building a timeline of the incident and identifying affected hosts will prove challenging.

Another approach for detecting and analyzing C&C traffic is to collect and record full packet captures of infected network traffic. While this requires infrastructure, it can serve as a useful starting point in determining the type and volume of malware-generated traffic.

To protect against malicious DNS traffic, the best approach is to scan and filter all of your traffic – both inbound and outbound. This can be accomplished using a DNS filtering solution such as DNSFilter that acts as the gatekeeper for all of your DNS requests.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.


Preparing Businesses for AI-Powered Security Threats

Preparing Businesses for AI-Powered Security Threats

Preparing businesses for AI-powered security threats. Stay ahead of evolving cybersecurity challenges with proactive strategies and advanced technologies. When AI goes wrong, the repercussions can be devastating. They range from the loss of life if an AI medical...

Reducing CISOs’ Risk with Data Broker Management

Reducing CISOs’ Risk with Data Broker Management

Reducing CISOs' risk with data broker management. Explore strategies to enhance cybersecurity and safeguard sensitive information in the digital landscape. Every time you use a search engine, social media app or website, buy something online or even fill out a survey...

Vulnerability Prediction with Machine Learning

Vulnerability Prediction with Machine Learning

Advance vulnerability prediction with machine learning. Explore how AI can enhance proactive cybersecurity measures to mitigate potential risks. Machine learning is a field devoted to understanding and building methods that let machines “learn” – that is, methods that...

Recent Case Studies

Mid-size US based firm working on hardware development and provisioning, used DevOps-as-a-...
One of the fastest growing providers of wealth management solutions partnered to build a m...
A US based software startup working on the advancements in genomics diagnostics and therap...

Press Releases

News & Events

Solutions

Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing

Resources

Blog

About Us