Security Market Segment LS
Monday, 11 April 2016 15:31

DNS attacks – what the?


DNS attacks continue to grow – securing the ‘phone book to the internet’ must be a priority.

I interviewed Jesper Andersen, President, and CEO of Infoblox, an industry leader in DDI - DNS, DHCP, and IP address management.

Andersen, a great Dane, has a master’s degree in computer Science from Aalborg University, Denmark - and originally wanted to be a pilot. The interview is paraphrased to avoid overuse of ‘he said’.

Let’s try to explain DDI and its key components.

DNS is domain name system – a decentralised naming system for computers connected to the Internet.

DHCP is Dynamic Host Configuration Protocol - client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway.

IPAM is a way to plan, track, and manage the Internet Protocol (IP) address space used in a network. IPAM integrates DNS and DHCP so that each is aware of changes in the other (for instance DNS knowing the IP address taken by a client via DHCP, and updating itself accordingly).

Ever since the internet was first created, cyber criminals have been looking for ways to exploit it for their own ends. Spam emails, viruses, malware, and distributed denial of service (DDoS) attacks have all been used to both cause disruption and generate illicit profits.

Significant progress has been made on protecting users from such activities; there is one area which is still very much a focus for enterprising cyber criminals: the Domain Name System (DNS).

While other forms of attack have been declining in recent years, DNS-related activities have continued to grow. Industry research has found DNS is now the second most common vector for internet exploits, behind HTTP.  Many banks around the world, for example, have found themselves the target of such activities. Sometimes the attacks have been timed to coincide with efforts to transfer money out of accounts. While specific banks are unwilling to discuss particular details, it’s clear they are taking their DNS security very seriously.  At the same time, DNS attacks will continue to evolve.

There are two key issues that every enterprise is concerned about – security and cloud – and these shine a spotlight on DDI.

DNS has become highest attack vector (along with HTTP – another application level attack vector). It started out with DDoS - how to hurt the business if I flooded your website then you may not be able to service your real customers. But now it is about malware like Cryptolocker using DNS to contact the command and control (C&C) server for further instructions. Or it may just want to join a botnet to start spamming.

DDOS attacks are not as bad as things like the cache poisoning of DNS servers, where threat actors take over a server and redirect users to a spoofed website. Customers will then leave login credentials and credit card details which will be stolen.

We can now block that malware via a DNS firewall – no instructions means limiting the harm it can do.

The bad guys get really smart – they know you will look at DNS – so they now use DNS tunnels (like a VPN so it is private), but you don’t want to allow a tunnel on your network you don’t know about. We now cover that.

There are too many security vendors that say they can do everything. Infoblox is a specialised tool and is very good at what it does. It also plays well with all vendors it – APTs, Threat Intelligence, SIEM, Network access controls, Next-Gen endpoint security. And it uses STIX/TAXII/REST and other third party protocols to help paint a complete security picture.

Another issue is that a lot of companies run fairly old DNS servers or software – cybercriminals are using DNS traffic to send stolen information by encoding it in DNS headers. It is very difficult to detect unless you deploy advanced analytics and machine learning that can identify those patterns.

We can do this because we have the control point in the network that allows IP traffic in and out. Traditionally we run this on premise, but it will run in the cloud if you want. There are more and more cloud and hybrid deployments that need DNS protection.

About a year ago we created a baseline DNS threat index - which measures the creation of malicious Domain Name System (DNS) infrastructure. Infoblox researchers found that 92% of newly observed malicious domains in Q4, 2015 were hosted in either the United States or Germany. Simply this means the number of malicious domains is increasing from quarter to quarter and year to year.

Our findings may indicate we’re entering a new phase of sustained and simultaneous plant/harvest activity. As we see this escalation of efforts by cybercriminals, it is essential we go after the infrastructure that cyber criminals are using to host these domains. So, for the first time, we are using the index to highlight the countries with the most hosting locations for bad domains.

Exploit kits are a particularly alarming category of malware because they represent the automation of cybercrime. A small number of highly skilled hackers can create the kits, which are packages for delivering a malware payload, and then sell or rent these toolkits to ordinary criminals with little technical experience. This can vastly increase the ranks of malicious attackers capable of going after individuals, businesses, schools, and government agencies.

While Angler continues to lead DNS exploit kit activity, RIG—an older kit that has been far back in the pack in usage during previous quarters—surged into second place. Infoblox analysis of RIG activity in 2015 shows that it began using domain shadowing techniques similar to those pioneered by Angler to defeat reputation-based blocking strategies. This indicates that as exploit kits are updated in coming years, there may be a reappearance of past threats in a new guise or location.

We work for larger enterprise and government – there are numerous companies looking after the SME market. But the cloud deployment model and buying threat intelligence as a service is always an option.

About Jesper Andersen

A seasoned networking and software industry executive with a track record of building large businesses, Andersen is responsible for the company's continuing growth and innovation.  Before joining Infoblox in December 2014, he served in some roles at Cisco Systems, including senior vice president for network management.  

After leading the network management group, Andersen was senior vice president and general manager of Cisco’s service provider video business unit. Andersen helped transform the business from a focus on traditional set-top boxes and cable access to the new world of streaming online video. Under Andersen’s leadership, the company acquired NDS, a leading provider of video software solutions, in September 2012.
Before Cisco Systems, Andersen was senior vice president of application strategy at Oracle Corporation, a position he also held at PeopleSoft before its acquisition by Oracle. At Oracle, Andersen was responsible for the definition and strategy of the company’s new Fusion applications, as well as the strategy and requirements across Oracle’s other application solutions, including Oracle E-Business Suite, PeopleSoft Applications, JD Edwards, and Siebel Solutions. Under Andersen’s leadership, the company embarked on an application strategy that targeted individual industry verticals, leading to some acquisitions of vertical business solutions.
Before Oracle and PeopleSoft, Andersen held various engineering and executive positions at Pivotal Software and Computer Resources International. He also serves on the board of directors of Telx Corporation.




WEBINAR event: IT Alerting Best Practices 27 MAY 2PM AEST

LogicMonitor, the cloud-based IT infrastructure monitoring and intelligence platform, is hosting an online event at 2PM on May 27th aimed at educating IT administrators, managers and leaders about IT and network alerts.

This free webinar will share best practices for setting network alerts, negating alert fatigue, optimising an alerting strategy and proactive monitoring.

The event will start at 2pm AEST. Topics will include:

- Setting alert routing and thresholds

- Avoiding alert and email overload

- Learning from missed alerts

- Managing downtime effectively

The webinar will run for approximately one hour. Recordings will be made available to anyone who registers but cannot make the live event.



Security requirements such as confidentiality, integrity and authentication have become mandatory in most industries.

Data encryption methods previously used only by military and intelligence services have become common practice in all data transfer networks across all platforms, in all industries where information is sensitive and vital (financial and government institutions, critical infrastructure, data centres, and service providers).

Get the full details on Layer-1 encryption solutions straight from PacketLight’s optical networks experts.

This white paper titled, “When 1% of the Light Equals 100% of the Information” is a must read for anyone within the fiber optics, cybersecurity or related industry sectors.

To access click Download here.


Ray Shaw

joomla stats

Ray Shaw  has a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT based radio program on ABC radio for 10 years, has developed world leading software for the events industry and is smart enough to no longer own a retail computer store!



Recent Comments