Uncovering Malware in Hyper-scale DNS Traffic

Telesoft Telesoft

Cyber criminals have been using DNS for malicious purposes successfully for years,  malware such as DNSChanger uses DNS to target high value data held by ISP’s, CSP’s, CDN’s, Governments and Enterprise. Other prominent malware targeting DNS such as Trojan, Backdoor and other remote access tools seek to take advantage of a DNS’s Command and Control (C & C) servers, which is then used in order to communicate with attackers who are trying to infiltrate your network. This is key to understanding the potential severity of a DNS attack, this isn’t someone wanting to hold up business for a day or two, the attackers using DNS are playing the long game, ultimately they want to appropriate sensitive information and gain access to your network for an extended amount of time.

Traditional methods of attacks are generally screened at the perimeter by an Intrusions Detection Systems (IDS) and/or a firewall, unfortunately DNS does not face the same scrutiny as normal network traffic and would be attackers know this. Generally DNS packets are always permitted to move through the network unhindered, as it is a core function (resolving a domain name to the corresponding IP address) and has previously been seen as a relatively low security risk. Those who use DNS for illegal gains, rely on the fact that DNS is poorly or not often (sampled traffic analysis) monitored, allowing malicious activity to take place (data exfiltration or tunnelling of any internet protocol (IP) traffic).

How a Domain Name System (DNS) works

To counter this threat, you should be extending your network visibility by using tools like the Telesoft 200Gbps FlowProbe to monitor DNS traffic, other application layer 7 protocols and NPM (Network Performance Monitoring) statistics. Full DNS visibility will allow you to support various auditing and operational use-cases, however in this post we are talking about how DNS can be used to enhance security in your network. Now that I have showed you the why, I want to take you through the how.

Monitoring DNS using the Telesoft 200Gbps FlowProbe

As with all Collectors and SIEMs (Security Information and Event Management), their usefulness is determined by the data they are being sent. In order for DNS to be properly monitored and anomalies detected at scale, collectors and SIEMs need concise, reliable un-sampled data passed up to them.  I have broken down how the FlowProbe’s DNS monitoring feature provides this function.

  • Packets arrive at the FlowProbe, and are passed into the parser module. This removes and records in Meta data the header information e.g. ipv4/ipv6 info, VLANS, MPLS etc., and any tunnel information.
  • Packets which are detected on the standard DNS ports (and other configurable ones) are sent to the DNS decode engine.
  • The DNS data (hostname, and multiple IP addresses with ttl fields) is extracted from the packet and added to the Meta data. This is then sent on to the metering process where the IPFIX flow record is generated, including the additional DNS data.

FlowProbe L7 analysis dashboard

  • The Flow record is transmitted to the collector(s) or SIEM(s) using the DNS template.
  • Users can examine the DNS flow records to look for abnormal behaviour e.g. are there flows with abnormal amounts of data in one direction (our flow records are bidirectional so you see the data for each leg in the same flow)? Is there a spike in the number of DNS flows? Do the hostnames look valid?

Tools like the FlowProbe which are able to extend network visibility at scale in to Layer 7 monitoring will greatly increase the detection of malware in your network. Ensuring that your IT administrators can effectively defend, troubleshoot and maintain day to day management of your network. If you are interested in the FlowProbe and would like more information about its DNS monitoring feature or any other information then check it out here.

Related products