Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Nameserver dynamic DNS abuse attack trend, - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Nameserver dynamic DNS abuse attack trend,
I've received some feedback about yesterdays Diary item - the "Careerbuilder Job Application" email scam with Dynamic DNS.  And I've read F-secure's Money laundering blog report of an email scam with a similar pitch.

I'd like to thank Josh, Micha Pekrul, and Handlers Erik Ficthner and Donald Smith for their input on this Diary entry!

In summary, getting right to the point, skipping over the botnets abuse of dynamic DNS which was never the current issue, it's apparent that attackers can and are changing their DNS server IP's pretty much at will using dynamic DNS.

What's it mean? Well, since the DNS Server location is now also changing at will, taking down an attackers operation by contacting legitimate DNS providers will no longer work quickly, if at all. How effective is this attack methodology in the real world? Well, it isn't a "flash" attack, but it is very effective.

Will it affect you? Depends, building a slick malware distribution system from this setup may affect you. One response to yesterdays Diary item pointed out that ""DNS blackholing on customer facing resolvers can be used to block the domain name. One of the limititations is it blocks the domain NOT the url. If the malware is hosted on a large well known web site like geocities then blocking the malware would remove customers ability to access geocites." Think your RBL will stop this? Think again. Think asking Registrars to nuke the abuser will stop this? Who should be responsible for stopping this kind of abuse? One suggestion was that "dns blackholing by ISPs on their customer facing resolvers" would work, and it would be quite effective in most customer circumstances.

The question is also begged, "Who should be reporting this kind of abuse to Registrars?" Handler Erik Ficthner suggested that there be "More cooperation from registrars." .

And what about hosting service providers roles in combatting this? Well if I were a Registrar and I received a complaint from an ISP or hosting provider I might pay attention to it a tad faster than a complaint from other sources. As suggested by Erik, hosting providers and ISP's seem naturals to take this task on in a formalized network incident response effort. Is there already such a IR network out there?

Of course, in the past, we've seen hosting Service Providers unknowingly participate in this by hosting a domain named something like "ns.domainx.com" that forwarded DNS requests to legitimate dynamic DNS service providers. You could take that kind of network down with a little effort. Unfortunately, and in summary, I don't see that taking down this Nameserver dynamic DNS attack I'm writing about being easy to take down.
Patrick

193 Posts

Sign Up for Free or Log In to start participating in the conversation!