Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/12/2014
12:00 PM
Dave Piscitello
Dave Piscitello
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
0%
100%

Monitor DNS Traffic & You Just Might Catch A RAT

Criminals will exploit any Internet service or protocol when given the opportunity. Here are six signs of suspicious activity to watch for in the DNS.

IT admins have the thankless task of having to watchdog devices, hosts, and networks for signs of malicious activity. Host intrusion detection and endpoint protection may be “must have” security measures for many organizations, but there’s nothing like monitoring DNS traffic if you’re looking to expose a RAT, rootkit, APT, or other malware that’s taken residence on your networks.

Why DNS?
Criminals will exploit any Internet service or protocol when given the opportunity, and this includes the DNS. They register disposable domain names for spam campaigns and botnet administration, and they use compromised domains to host phishing or malware downloads. They inject malicious queries to exploit name servers or disrupt name resolution. They inject crafty responses to poison resolver caches or amplify denial of service attacks. They even use DNS as a covert channel for data exfiltration or malware updates.

You may not be able to keep pace with every new DNS exploitation but you can be proactive by using firewalls, network IDS, or name resolvers to report certain indicators of suspicious DNS activity.

What are you looking for?
DNS query composition or traffic patterns offer signs that suspicious or malicious activity is emanating from your networks. For example:

DNS queries from spoofed source addresses or addresses that you have not authorized for use but are not egress filtering especially when observed in conjunction with unusually high DNS query volume or DNS queries that use TCP rather than UDP) may indicate that infected hosts on your network are engaged in a DDoS attack.

Malformed DNS queries may be symptomatic of a vulnerability exploitation attack against the name server or resolver identified by the destination IP address. They may also indicate that you have incorrectly operating devices on your network. The causes for problems of these kinds may be malware or unsuccessful attempts to remove malware.

DNS queries that request name resolution of known malicious domains or names with characteristics common to domain generation algorithms (DGA) associated with criminal botnets and queries to resolvers that you did not authorize for use in many cases are dead giveaway indicators of infected hosts on your networks.

DNS responses also offer signs that suspicious or malicious data are being delivered to hosts on your networks. For example,length or composition characteristics of DNS responses can reveal malicious or criminal intent. For example, the response messages are abnormally large (amplification attack) or the Answer or Additional Sections of the response message are suspicious (cache poisoning, covert channel).

DNS responses for your own portfolio of domains that are resolving to IP addresses that are different from what you published in your authoritative zones, responses from name servers that you did not authorize to host your zone, and positive responses to names in your zones that should resolve to name error (NXDOMAIN) may indicate a domain name or registration account hijacking or DNS response modification.

DNS responses from suspicious IP addresses, e.g., addresses from IP blocks allocated to broadband access network, DNS traffic appearing on non standard port, unusually high number of response messages that resolve domains with short Times to Live (TTL) or unusually high number of responses containing "name error" (NXDOMAIN) are often indicators of botnet-controlled, infected hosts running malware.

Various forms of DNS monitoring can expose these threats, many in real time. In my next blog, I'll look at how you can implement mechanisms to detect these at Internet firewalls, using network intrusion systems, traffic analysis, or log data.

Dave Piscitello has been involved with Internet technologies (broadband access, routing, network management, and security) for over 35 years. He left private sector consulting and his company, Core Competence, to provide security and ICT coordination for security and policy ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Randy Naramore
100%
0%
Randy Naramore,
User Rank: Ninja
6/16/2014 | 3:21:34 PM
Re: Know Your Enemy
Very interesting post, DNS is the key to discovering your network. If hackers can get to the DNS servers perform a transfer then you are had. This is the reason DNS is not allowed in controlled environments such as DMZ's. The specific tool set you mentioned (Kali-Linux) is a good one indeed.
Robert McDougal
100%
0%
Robert McDougal,
User Rank: Ninja
6/13/2014 | 4:09:26 PM
Re: Know Your Enemy
Very good points Christian!  I would like to add that Nagios provides a plugin for DNS monitoring as well.
RetiredUser
100%
0%
RetiredUser,
User Rank: Ninja
6/12/2014 | 1:00:52 PM
Know Your Enemy
I try not to name specific tools unless I'm doing an analysis, but for Enterprise-level network monitoring I rather prefer OpenNMS network management application platform and Nagios IT monitoring with its solid DNS monitoring solution. But I have to say to all network engineers, also grab a copy of a penetration testing distribution like Kali Linux and understand what cyber criminals are looking for, how they search for it, and what the raw data and DNS traffic looks like. With highly configurable DNS monitoring tools, you can start tailoring the monitoring to specific types of traffic (if the tool isn't already - Nagios is pretty hefty in that regard) based upon your research.  With tips like the ones in this article, some first-hand experience and solid tools, you will maintain a more secure network environment. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...