Blog , 10 Apr 2017

5 Out Of The Box Ways To Monitor DNS Traffic

Tobias Knecht,

Founder and CEO, Abusix

Botnet-assisted Distributed Denial of Service (DDoS) attacks are one of the most common forms of network abuse. In October 2016, much of America’s internet was brought to a standstill by a cyber attack that used a new weapon called the Mirai botnet. According to experts, this was the largest of its kind in history. The botnet attacked the servers of Dyn – a company that controls much of the Internet’s domain name system (DNS) infrastructure.

The outage was the result of a DDoS attack, where a network of infected computers – a botnet – are used to bombard a server with traffic until it crumbles under the strain. To protect your service provider from similar attacks, your abuse desk team needs to monitor your DNS traffic. Here are 5 ways you can do this:

Defining The Rules Of Your Firewalls

Your firewalls should allow you to define a rule to prevent DNS queries from IP addresses outside your allocated numbers space. This will prevent your name resolver from being exploited as an open reflector in DDoS attacks. Your abuse team can inspect your DNS traffic for suspicious byte patterns to block name server software exploit attacks. When a DDoS attack is detected, your firewalls can shut down specific flows of traffic-related to the attack, but they cannot perform anti-spoofing on a packet-by-packet basis to separate good or legitimate traffic from bad.

See also: 14 Best Practices for Adequately Protecting Your Network

Intrusion Detection Systems

Intrusion detection systems allow you to create rules to report DNS requests from unauthorized clients. These can be used to identify unusual network traffic patterns like those produced by bots attacking other computers. If some computers have been turned into bots, an intrusion detection system is effective at finding the activity in your network and identifying which computers are affected. An intrusion detection system can only be used to detect DDoS attacks; unfortunately, they do nothing to mitigate the effects of the attack.

Traffic Analyzers

Your abuse team can use traffic analyzers to identify malware traffic. To do this, capture and filter DNS traffic between your customers and your resolver and save this to a PCAP file. Then create scripts to search the PCAP file for any suspicious activities.

Passive DNS Replication

Collecting and analyzing passive DNS data can help identify malware. Florian Weimer invented passive DNS replication in 2004 for specifically this purpose. To do this, recursive name servers log the responses they receive from other name servers and replicate this logged data in a central database for analysis and archiving. Passive DNS data consists largely of referrals and answers from authoritative name servers on the Internet and can be useful for identifying malware domains, especially where malware uses algorithmically generated domain names.

See also: The Rules Of The Game When It Comes To Network Abuse

Logging From Your Resolver

Your abuse team can use the logs of your local resolvers to collect DNS server logs and investigate them for any malicious domains. There are millions of DNS resolvers, but many of these are misconfigured and can be used in a DDoS DNS amplification attack. To detect whether your DNS resolvers are being abused, you can monitor the logs of the DNS server to look for malicious hosts making up a large number of queries in a short period of time, or requesting the same name with a large DNS response multiple times over from the same IP.

How To Remediate Network Abuse

Network abuse is on the increase. Verisign reported more attacks in Q4 2015 than in any quarter since it started reporting in 2014. In addition, attacks are becoming more complex. The availability of new tools means even relatively basic hackers can launch sophisticated attacks against service providers with experienced network abuse teams.

There are countless ways your abuse team can detect network abuse. However, once your abuse teams have detected the malicious activity, they need to share it with the responsible customer and work with them to remediate it. Products like AbuseHQ from Abusix help with the detection and analysis process by integrating into existing network infrastructures to provide the insights and data necessary to pick up and shut down network abuse at its source.

To find out how AbuseHQ can help your abuse desk track and monitor DNS security threats, talk to our team.

Linkedin Icon Twitter Icon Facebook Icon E-mal Icon
Get in touch

Talk to us

Do you want to remove your IP/domain from one of our blocklists?
Please use our lookup-service and follow the instructions there in order to get that resolved.