12:00 PM
Dave Piscitello
Dave Piscitello
Connect Directly

Monitor DNS Traffic & You Just Might Catch A RAT

Criminals will exploit any Internet service or protocol when given the opportunity. Here are six signs of suspicious activity to watch for in the DNS.

IT admins have the thankless task of having to watchdog devices, hosts, and networks for signs of malicious activity. Host intrusion detection and endpoint protection may be “must have” security measures for many organizations, but there’s nothing like monitoring DNS traffic if you’re looking to expose a RAT, rootkit, APT, or other malware that’s taken residence on your networks.

Why DNS?
Criminals will exploit any Internet service or protocol when given the opportunity, and this includes the DNS. They register disposable domain names for spam campaigns and botnet administration, and they use compromised domains to host phishing or malware downloads. They inject malicious queries to exploit name servers or disrupt name resolution. They inject crafty responses to poison resolver caches or amplify denial of service attacks. They even use DNS as a covert channel for data exfiltration or malware updates.

You may not be able to keep pace with every new DNS exploitation but you can be proactive by using firewalls, network IDS, or name resolvers to report certain indicators of suspicious DNS activity.

What are you looking for?
DNS query composition or traffic patterns offer signs that suspicious or malicious activity is emanating from your networks. For example:

DNS queries from spoofed source addresses or addresses that you have not authorized for use but are not egress filtering especially when observed in conjunction with unusually high DNS query volume or DNS queries that use TCP rather than UDP) may indicate that infected hosts on your network are engaged in a DDoS attack.

Malformed DNS queries may be symptomatic of a vulnerability exploitation attack against the name server or resolver identified by the destination IP address. They may also indicate that you have incorrectly operating devices on your network. The causes for problems of these kinds may be malware or unsuccessful attempts to remove malware.

DNS queries that request name resolution of known malicious domains or names with characteristics common to domain generation algorithms (DGA) associated with criminal botnets and queries to resolvers that you did not authorize for use in many cases are dead giveaway indicators of infected hosts on your networks.

DNS responses also offer signs that suspicious or malicious data are being delivered to hosts on your networks. For example,length or composition characteristics of DNS responses can reveal malicious or criminal intent. For example, the response messages are abnormally large (amplification attack) or the Answer or Additional Sections of the response message are suspicious (cache poisoning, covert channel).

DNS responses for your own portfolio of domains that are resolving to IP addresses that are different from what you published in your authoritative zones, responses from name servers that you did not authorize to host your zone, and positive responses to names in your zones that should resolve to name error (NXDOMAIN) may indicate a domain name or registration account hijacking or DNS response modification.

DNS responses from suspicious IP addresses, e.g., addresses from IP blocks allocated to broadband access network, DNS traffic appearing on non standard port, unusually high number of response messages that resolve domains with short Times to Live (TTL) or unusually high number of responses containing "name error" (NXDOMAIN) are often indicators of botnet-controlled, infected hosts running malware.

Various forms of DNS monitoring can expose these threats, many in real time. In my next blog, I'll look at how you can implement mechanisms to detect these at Internet firewalls, using network intrusion systems, traffic analysis, or log data.

Dave Piscitello has been involved with Internet technologies (broadband access, routing, network management, and security) for over 35 years. He left private sector consulting and his company, Core Competence, to provide security and ICT coordination for security and policy ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Randy Naramore
Randy Naramore,
User Rank: Ninja
6/16/2014 | 3:21:34 PM
Re: Know Your Enemy
Very interesting post, DNS is the key to discovering your network. If hackers can get to the DNS servers perform a transfer then you are had. This is the reason DNS is not allowed in controlled environments such as DMZ's. The specific tool set you mentioned (Kali-Linux) is a good one indeed.
Robert McDougal
Robert McDougal,
User Rank: Ninja
6/13/2014 | 4:09:26 PM
Re: Know Your Enemy
Very good points Christian!  I would like to add that Nagios provides a plugin for DNS monitoring as well.
Christian Bryant
Christian Bryant,
User Rank: Ninja
6/12/2014 | 1:00:52 PM
Know Your Enemy
I try not to name specific tools unless I'm doing an analysis, but for Enterprise-level network monitoring I rather prefer OpenNMS network management application platform and Nagios IT monitoring with its solid DNS monitoring solution. But I have to say to all network engineers, also grab a copy of a penetration testing distribution like Kali Linux and understand what cyber criminals are looking for, how they search for it, and what the raw data and DNS traffic looks like. With highly configurable DNS monitoring tools, you can start tailoring the monitoring to specific types of traffic (if the tool isn't already - Nagios is pretty hefty in that regard) based upon your research.  With tips like the ones in this article, some first-hand experience and solid tools, you will maintain a more secure network environment. 
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio