Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
7 Ways to Keep DNS Safe
Oldest First  |  Newest First  |  Threaded View
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
7/10/2018 | 4:02:11 PM
Efficient Malicious Packet Capture Through Advanced DNS Sinkhole
I read a great paper titled "Efficient Malicious Packet Capture Through Advanced DNS Sinkhole" (Hyun Mi Jung, Haeng Gon Lee, Jang Won Choi). It caught my eye by stating in the Abstract that among the current botnet countermeasures, "DNS sinkhole is known as the best practice in the world."

Like anything that is based on the collection and analysis of data, however, it seems that, to be most effective, one might have to get hardware to cope with the overhead, which would go against the idea in this article that you won't have to run out and start spending money for hardware. That overhead comes from critical elements in this model, though, that make it ideal and useful to both the whole InfoSec community and organizations looking to be more proactive in their security planning.

In brief, as described by this paper, you'd have a combination of systems that monitor, analyze and detect, then re-direct as necessary. So, if an organization has a PC that is infected by a malicious bot in a target security control agency AND initializes a connection to a command and control (C&C) system (the malicious controller of the bot), that traffic is detected as part of the monitored traffic at the target organization, and then redirected to a DNS sinkhole server rather than the real DNS server. The catch is the incoming traffic has to be recognized as part of a malicious domain (or identified as one realtime with AI support and access to a database of profiles such as this project collects). When those queries go to the sinkhole server {in this paper's model, at least), they are routed through the Korea Research Environment Open NETwork (KREONET) and the target organization's Threat Management System (TMS). The point of this is to collect all the traffic from the zombie PC with the bot into a log to better understand its purpose, collect intel on the bot and develop a profile of the attacker.

Sinkholes have been used to help thwart WannaCry and Avalanche threats. I'm not sure how sophisticated those sinkholes were, but as defined in this paper, probably not every organization could implement such an architecture. But as malicious bots, whether stationed on remote web servers or installed via malware on PCs, become rampant, this model of redirection and analysis, and ideally data sharing among the InfoSec community, is more crucial than ever to keep threats minimized and to better arm the InfoSec community as a whole.
davidredekop
50%
50%
davidredekop,
User Rank: Apprentice
7/12/2018 | 10:56:21 PM
What if everybody did it
Curtis, I always enjoy watching you on TWIET, thanks for this article. Well thought out!

Your tweet asked "What would you add to the list?" on your tweet. I'd add that a very simple but powerful technique is to force DNS to an on-premise service. It's technically hijacking, but with a positive outcome. You don't allow any endpoints to make Internet-bound DNS queries but instead force them to use local DNS server(s). The designated servers are the only ones able to make recursive or upstream queries.

This has the simple effect of *preventing* participation in any DNS reflection attack. We do this as a basic standard at www.adamnet.works for all of our products.

By the way, the same thing should be done for NTP since it's also a very common protocol used by endpoints and abused for UDP reflection attacks.

Hijacking NTP and DNS, if it were done as a basic standard on Internet exit points, would disable all future reflection attacks attempting to use those protocols and their respective public servers.


Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-35210
PUBLISHED: 2021-06-23
Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5, allows XSS. It is possible to inject code into the tl_log table that will be executed in the browser when the system log is called in the back end.
CVE-2021-27649
PUBLISHED: 2021-06-23
Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
CVE-2021-29084
PUBLISHED: 2021-06-23
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
CVE-2021-29085
PUBLISHED: 2021-06-23
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
CVE-2021-29086
PUBLISHED: 2021-06-23
Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors.