August 5, 2016 By David Strom 3 min read

Most of us know how the Domain Name System (DNS) is a critical piece of our network infrastructure and have at least one tool to keep DNS requests current and clear of potential abuses.

Previous blog posts here concerning DNS and malware have focused on how malware can introduce errors in BIND, the most prominent DNS software, and cause it to crash. Others have outlined how to find evidence of infections across your network by tracking malware to particular domains.

Sometimes a little common sense and knowledge of your system log files and the DNS requests contained therein can go a long way toward understanding when your enterprise network infrastructure has been breached. This is one such tale, care of the security researchers behind this post on Cisco’s Talos blog.

Inbound Versus Outbound Traffic

Let’s start with the moral of the story first, because then you will understand the context. Most IT managers are interested in inbound, rather than outbound, traffic, for good reasons. Inbound traffic can contain exploits, infections or indications of potential compromise. But you also need to look at what is leaving your network, because that traffic can contain potential issues.

This was the case with Wekby, an exploit discovered earlier this year that used the outbound DNS traffic to communicate with its command and control server. Other malware products are “exfiltrating data by using DNS tunneling tools to encode data and utilize outbound port 53 traffic to fly under the radar of many filtering tools,” Dark Reading reported.

Making Mental Models

Because you probably don’t monitor outbound traffic on this port, the aim of this post is to give you a reason to start looking and an understanding of what normal outbound DNS requests look like. That way, when you actually find something else, you will be able to act on it.

You can use any feature of DNS requests, such as the length of the domain name or the number of subdomains, to construct models of your network’s expected behavior, through which you can observe more closely.

You don’t need a fancy tool or some other expensive piece of networking gear to do this. You do need to first understand your own mental model of your network traffic so that you are in the right mindset when you come across something that isn’t quite right or that doesn’t fit this model. As the Talos researchers said, “We compare our expectations of normality with our observations, if the two don’t match we want to know why.”

Abnormal DNS Requests

So what would be an example of an abnormal DNS request? How about seeing hundreds of subdomains, or the case of very long (100-plus characters) subdomain names? Both could be an indication that something is amiss.

The researchers calculate the frequency of the number of characters in subdomain names and found that most contain just a few letters (like “www” or “server1”) and, in most cases, much fewer than ten letters in the name. So when you come across these extra long subdomains, you can immediately focus your attention on them and check them out.

Another clue: Some of these extra long subdomains are only accessed a single time. Again, this is suspicious. What is actually happening is that the malware is using the subdomain name to encode data that it is trying to send to its command-and-control server. There isn’t any actual host with that name, which is why it is accessed only once.

Get Smarter

Granted, just because a subdomain name is long doesn’t necessarily mean it is being run by a bad actor. But you should get smarter about finding the fingerprints from these attacks and start monitoring your DNS logs. As you can see, it is easy to use some simple techniques to make sure that an attacker hasn’t broken into your network.

More from Mainframe

How dangerous is the cyberattack risk to transportation?

4 min read - If an attacker breaches a transit agency’s systems, the impact could reach far beyond server downtime or leaked emails. Imagine an attack against a transportation authority that manages train and subway routes. The results could be terrible. Between June of 2020 and June of 2021, the transportation industry witnessed a 186% increase in weekly ransomware attacks. In one event, attackers breached the New York Metropolitan Transportation Authority (MTA) systems. Thankfully, no one was harmed, but incidents like these are cause…

Low-code is easy, but is it secure?

4 min read - Low-code and no-code solutions are awesome. Why? With limited or no programming experience, you can quickly create software using a visual dashboard. This amounts to huge time and money savings. But with all this software out there, security experts worry about the risks. The global low-code platform market revenue was valued at nearly $13 billion in 2020. The market is forecast to reach over $47 billion in 2025 and $65 billion in 2027 with a CAGR of 26.1%. Very few,…

Starting From Scratch: How to Build a Small Business Cybersecurity Program

4 min read - When you run a small business, outsourcing for services like IT and security makes a lot of sense. While you might not have the budget for a full-time professional on staff to do these jobs, you still need the services.However, while it might be helpful to have a managed service provider handle your software and computing issues, cybersecurity for small and medium businesses (SMBs) also requires a personal, hands-on approach. While you can continue to outsource some areas of cybersecurity,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today