Attacks/Breaches
6/12/2014
12:00 PM
Dave Piscitello
Dave Piscitello
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Monitor DNS Traffic & You Just Might Catch A RAT

Criminals will exploit any Internet service or protocol when given the opportunity. Here are six signs of suspicious activity to watch for in the DNS.

IT admins have the thankless task of having to watchdog devices, hosts, and networks for signs of malicious activity. Host intrusion detection and endpoint protection may be “must have” security measures for many organizations, but there’s nothing like monitoring DNS traffic if you’re looking to expose a RAT, rootkit, APT, or other malware that’s taken residence on your networks.

Why DNS?
Criminals will exploit any Internet service or protocol when given the opportunity, and this includes the DNS. They register disposable domain names for spam campaigns and botnet administration, and they use compromised domains to host phishing or malware downloads. They inject malicious queries to exploit name servers or disrupt name resolution. They inject crafty responses to poison resolver caches or amplify denial of service attacks. They even use DNS as a covert channel for data exfiltration or malware updates.

You may not be able to keep pace with every new DNS exploitation but you can be proactive by using firewalls, network IDS, or name resolvers to report certain indicators of suspicious DNS activity.

What are you looking for?
DNS query composition or traffic patterns offer signs that suspicious or malicious activity is emanating from your networks. For example:

DNS queries from spoofed source addresses or addresses that you have not authorized for use but are not egress filtering especially when observed in conjunction with unusually high DNS query volume or DNS queries that use TCP rather than UDP) may indicate that infected hosts on your network are engaged in a DDoS attack.

Malformed DNS queries may be symptomatic of a vulnerability exploitation attack against the name server or resolver identified by the destination IP address. They may also indicate that you have incorrectly operating devices on your network. The causes for problems of these kinds may be malware or unsuccessful attempts to remove malware.

DNS queries that request name resolution of known malicious domains or names with characteristics common to domain generation algorithms (DGA) associated with criminal botnets and queries to resolvers that you did not authorize for use in many cases are dead giveaway indicators of infected hosts on your networks.

DNS responses also offer signs that suspicious or malicious data are being delivered to hosts on your networks. For example,length or composition characteristics of DNS responses can reveal malicious or criminal intent. For example, the response messages are abnormally large (amplification attack) or the Answer or Additional Sections of the response message are suspicious (cache poisoning, covert channel).

DNS responses for your own portfolio of domains that are resolving to IP addresses that are different from what you published in your authoritative zones, responses from name servers that you did not authorize to host your zone, and positive responses to names in your zones that should resolve to name error (NXDOMAIN) may indicate a domain name or registration account hijacking or DNS response modification.

DNS responses from suspicious IP addresses, e.g., addresses from IP blocks allocated to broadband access network, DNS traffic appearing on non standard port, unusually high number of response messages that resolve domains with short Times to Live (TTL) or unusually high number of responses containing "name error" (NXDOMAIN) are often indicators of botnet-controlled, infected hosts running malware.

Various forms of DNS monitoring can expose these threats, many in real time. In my next blog, I'll look at how you can implement mechanisms to detect these at Internet firewalls, using network intrusion systems, traffic analysis, or log data.

Dave Piscitello has been involved with Internet technologies (broadband access, routing, network management, and security) for over 35 years. He left private sector consulting and his company, Core Competence, to provide security and ICT coordination for security and policy ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
6/16/2014 | 3:21:34 PM
Re: Know Your Enemy
Very interesting post, DNS is the key to discovering your network. If hackers can get to the DNS servers perform a transfer then you are had. This is the reason DNS is not allowed in controlled environments such as DMZ's. The specific tool set you mentioned (Kali-Linux) is a good one indeed.
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
6/13/2014 | 4:09:26 PM
Re: Know Your Enemy
Very good points Christian!  I would like to add that Nagios provides a plugin for DNS monitoring as well.
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
6/12/2014 | 1:00:52 PM
Know Your Enemy
I try not to name specific tools unless I'm doing an analysis, but for Enterprise-level network monitoring I rather prefer OpenNMS network management application platform and Nagios IT monitoring with its solid DNS monitoring solution. But I have to say to all network engineers, also grab a copy of a penetration testing distribution like Kali Linux and understand what cyber criminals are looking for, how they search for it, and what the raw data and DNS traffic looks like. With highly configurable DNS monitoring tools, you can start tailoring the monitoring to specific types of traffic (if the tool isn't already - Nagios is pretty hefty in that regard) based upon your research.  With tips like the ones in this article, some first-hand experience and solid tools, you will maintain a more secure network environment. 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3352
Published: 2014-08-30
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) 2008.3_SP9 and earlier does not properly consider whether a session is a problematic NULL session, which allows remote attackers to obtain sensitive information via crafted packets, related to an "iFrame vulnerability," aka Bug ID CSCuh...

CVE-2014-3908
Published: 2014-08-30
The Amazon.com Kindle application before 4.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.