SAN FRANCISCO — If the domain name system is one of the fundamental enablers of the internet — and it is — it should come as no surprise that malicious actors benefit from DNS as much as legitimate users. And while DNS abuse has been going on for years, new developments like international domain names, increased use of IPv6 and the internet of things are introducing even more threat vectors.
While malicious use of DNS is nothing new, passive DNS for threat intelligence is one important tool that defenders can depend on to help defeat attacks in progress, or even before they happen, according to Merike Kaeo, CTO of Farsight Security in San Mateo, Calif. She presented a nearly full session, titled “Early Detection of Malicious Activity — How Well Do You Know Your DNS?” at RSA Conference (RSAC) 2018.
“Over the last, probably, 10 years, the criminal underground has found that the domain name space is a very useful space for them for criminal campaigns,” Kaeo told SearchSecurity. “There are a lot of domain names registered that are specifically only used for malicious activities,” including for phishing sites, ransomware-payment webpages, malware distribution sites, counterfeit goods sites, illegal pharmaceutical or “pirate bay” sites. But that’s not all, according to Kaeo.
“The domain names are part of criminal DNS infrastructures themselves, because the criminal underground has also created networks now where they can have these million botnets and command-and-control center that controls all of the malicious infrastructure.”
On top of all that, malicious actors use a variety of techniques to build and hide command-and-control networks for botnets. While that may be bad enough, in recent years, cybercriminals have continued to find new ways to abuse DNS.
New threats and old with DNS
One of the most obvious types of new DNS abuse was enabled by the introduction of international domain names (IDNs), which are capable of using characters from international character sets. According to Kaeo, using characters from different alphabets makes it possible to craft malicious domain names that are indistinguishable from names used by legitimate companies and organizations.
For example, an IDN may appear to be identical to a brand name, like apple.com, but malicious actors can use a Cyrillic character set to produce a domain that appears identical, even under close visual inspection. Using passive DNS techniques, Farsight researchers observed over 116,000 domain names attempting to impersonate 125 brand names over the course of three months, including some live phishing sites, proving that IDN impersonation is both real and being actively exploited.
IPv6 has also given attackers a new tool for DNS abuse. The far larger pool of IPv6 addresses, along with the lack of correlation between IPv4 and IPv6 addresses used for malicious domain names, has given malicious actors new ways to abuse DNS. And as the internet of things continues to grow, IPv6 support continues to grow to support the far greater numbers of devices that need unique IP addresses to communicate.
Defending against DNS abuse
Passive DNS is a technique for collecting, indexing and storing domain name data over time, and it has proven useful for identifying DNS attacks by linking domain names with IP addresses and giving the ability to forensically link malicious domains and malicious IP addresses. Domain names being used for different types of attacks generally exhibit certain properties; for example, malicious domains are often moved rapidly from one IP address to another to prevent detection.
IDNs can also be recognized through the use of passive DNS, as can attempts to abuse DNS using IPv6 by linking the IP addresses with the domains that shift from one to another.
Passive DNS techniques developed by Farsight and others can even give organizations the ability to thwart DNS abuse before it happens. This is done by monitoring domain registrations for abusive techniques, like registering counterfeit IDNs, as well as domains generated by domain-generation algorithms (DGAs) that are used to create large volumes of malicious domains for use by botnet command-and-control networks.
Kaeo explained that DGAs “are algorithms that can create hundreds or thousands of domains per second. So, just a huge number of domains that sometimes are used for specifically criminal activity, either for email spam or for phishing campaigns. And why they create so many domains is because, if one domain is found to be part of this malicious activity, then they can very quickly change to a different domain name. If an authoritative server has a specific IP address that resolved to a certain name, then they can very quickly have it resolve to another name and so continue with their scam campaigns.”
The DGAs are used to create potential domain names that attackers use for issuing botnet commands, but only a small number of those domains ever need to be registered as the bots. Passive DNS monitoring can alert defenders by flagging failed DNS responses as bots attempt to connect to a valid command-and-control domain.
Kaeo suggested several steps for RSAC attendees to take to help secure their DNS infrastructures, starting with identifying who in the organization is responsible for DNS. From there, the next step is to assess the DNS infrastructure, including doing a full inventory of all the domains controlled by the organization and locking down registrations with multifactor authentication to protect them from being hijacked. The inventory should also include building a baseline understanding of what DNS traffic should look like. So, when something unusual happens, it will be recognized.
The end goal for defenders, according to Kaeo, is to actively manage DNS on the network by implementing techniques for detecting and mitigating DNS abuse by malicious actors attempting to hijack domains, exfiltrate data over DNS messages or run DNS-based distributed denial-of-service attacks.