DNS abnormalities

Suspicious DNS requests

DNS is a vital internet protocol that resolves domain names (such as the hostname in a URL) to the corresponding IP addresses

  • Used by web servers, web apps, email, and even malware

DNS requests to unusual or suspicious domains may be generated by malware setting up command and control channels

  • DNS monitoring and blacklisting are important components of threat hunting

DNS warning signs

Random domains

Malware and C2 servers will use domain generation algorithms (DGAs) to generate random domains (like dfdkkk.com) to evade blacklisting

  • These domains are often less than 24 hours old

Embedded IP addresses: IP addresses embedded in domains (like 108.172.16.201.gogle.com) should be a warning sign

Irregular top-level domains: Unusual or unexpected top-level domains (such as .ru and .zip)

NXDOMAIN

Requests to non-existent domains could be a typo or an indication of malware on the system

Unusual hours

Most DNS traffic should occur during standard business hours as employees use the internet

Abnormal volume

An unusual volume of DNS requests from a certain computer or for a certain domain may indicate an attack

Blacklist hits

Requests to known malicious domains indicate that a system has been infected with malware
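The warning signs above can be checked mechanically against a DNS query log. The following is an added example (not from the original notes) that parses a constructed log of "timestamp client query rcode" lines and flags every sign listed: random-looking labels (a cheap vowel-ratio heuristic, labelled as such in the code), IP addresses embedded in the name, irregular TLDs, NXDOMAIN answers, queries outside business hours, abnormal per-client volume and blacklist hits. The blacklist, TLD list, business hours and volume threshold are constructed policy values; a real deployment would load them from a threat feed and tune them to the environment.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed DNS query log (not from the page): "timestamp client query rcode"
SAMPLE_DNS_LOG = """\
2024-03-04T09:15:02 10.0.0.5 www.example.com NOERROR
2024-03-04T09:15:03 10.0.0.5 mail.example.com NOERROR
2024-03-04T02:11:40 10.0.0.9 dfdkkk.com NXDOMAIN
2024-03-04T02:11:41 10.0.0.9 xq7zp3kd9w.com NXDOMAIN
2024-03-04T02:11:42 10.0.0.9 108.172.16.201.gogle.com NOERROR
2024-03-04T02:11:43 10.0.0.9 update.badsite.ru NOERROR
2024-03-04T02:11:44 10.0.0.9 invoice.zip NOERROR
"""

# Constructed policy values; a real deployment loads the blacklist from a threat feed.
BLACKLIST = {"badsite.ru"}
IRREGULAR_TLDS = {"ru", "zip"}
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time
VOLUME_THRESHOLD = 3            # queries per client before volume is flagged (tiny for the sample)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# A dotted-quad appearing as labels of the queried name (e.g. 108.172.16.201.gogle.com)
IP_LABEL_RE = re.compile(r"(?:^|\.)(?:\d{1,3}\.){3}\d{1,3}(?:\.|$)")


def looks_random(label):
    """Cheap DGA heuristic: a longish label with almost no vowels, or letters mixed with digits."""
    letters = [c for c in label if c.isalpha()]
    if len(label) < 6 or not letters:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    has_digits = any(c.isdigit() for c in label)
    return vowel_ratio < 0.2 or (has_digits and len(label) >= 8)


def analyze_dns_log(text):
    """Return (client, query, reason) findings for every warning sign in the text."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, query, rcode = m.groups()
            records.append((datetime.fromisoformat(ts), client, query.lower().rstrip("."), rcode))

    findings = []
    for ts, client, query, rcode in records:
        labels = query.split(".")
        tld = labels[-1]
        sld = labels[-2] if len(labels) >= 2 else labels[0]
        registered = ".".join(labels[-2:])   # naive eTLD+1; use the public suffix list in production
        if registered in BLACKLIST:
            findings.append((client, query, "blacklist hit"))
        if looks_random(sld):
            findings.append((client, query, "random-looking domain (possible DGA)"))
        if IP_LABEL_RE.search(query):
            findings.append((client, query, "IP address embedded in domain"))
        if tld in IRREGULAR_TLDS:
            findings.append((client, query, f"irregular TLD .{tld}"))
        if rcode == "NXDOMAIN":
            findings.append((client, query, "NXDOMAIN response"))
        if ts.hour not in BUSINESS_HOURS:
            findings.append((client, query, "query outside business hours"))

    # Abnormal volume is a per-client property, so it is checked after the per-query loop
    for client, count in Counter(r[1] for r in records).items():
        if count > VOLUME_THRESHOLD:
            findings.append((client, "*", f"abnormal volume: {count} queries"))
    return findings


if __name__ == "__main__":
    for client, query, reason in analyze_dns_log(SAMPLE_DNS_LOG):
        print(f"{client:10} {query:28} {reason}")
```

Each record can produce several findings, which is the point: a single query such as dfdkkk.com at 02:11 returning NXDOMAIN stacks three independent signs, and that accumulation is what separates a typo from a likely infection.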

Detecting suspicious DNS traffic

"Rinse and repeat"

  • Collect DNS traffic packets

  • Identify and remove known good traffic (whitelisting)

  • Analyze what's left

Look for patterns

  • Malware often "beacons" to C2 servers at regular intervals

  • Legitimate webpages make most of their requests at the very beginning

    • Any that originate later are suspicious
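The "rinse and repeat" loop and the beaconing pattern can be put together in a few dozen lines. The following added example (not from the original notes) takes a constructed DNS query log, removes traffic to an allowlist of known-good domains, then groups what is left by (client, domain) and measures how regular the gaps between queries are: a near-constant interval (low coefficient of variation) is the beaconing signature described above. The allowlist, the minimum query count and the jitter tolerance are assumptions chosen for the sample.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed DNS query log (not from the page): "timestamp client domain"
SAMPLE_QUERIES = """\
2024-03-04T10:00:00 10.0.0.7 www.example.com
2024-03-04T10:00:01 10.0.0.7 cdn.example.com
2024-03-04T10:00:01 10.0.0.7 static.example.com
2024-03-04T10:00:30 10.0.0.7 beacon-host.example.net
2024-03-04T10:01:30 10.0.0.7 beacon-host.example.net
2024-03-04T10:02:30 10.0.0.7 beacon-host.example.net
2024-03-04T10:03:31 10.0.0.7 beacon-host.example.net
2024-03-04T10:04:29 10.0.0.7 beacon-host.example.net
2024-03-04T10:05:30 10.0.0.7 beacon-host.example.net
2024-03-04T10:00:05 10.0.0.8 news.example.org
2024-03-04T10:07:12 10.0.0.8 news.example.org
2024-03-04T10:31:40 10.0.0.8 news.example.org
2024-03-04T11:15:03 10.0.0.8 news.example.org
"""

# Constructed allowlist of known-good registered domains (the "whitelisting" step).
KNOWN_GOOD = {"example.com"}


def registered_domain(fqdn):
    """Naive eTLD+1: the last two labels. Production code should use the public suffix list."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def parse_queries(text):
    records = []
    for line in text.splitlines():
        ts, client, domain = line.split()
        records.append((datetime.fromisoformat(ts), client, domain.lower()))
    return records


def remove_known_good(records, allowlist=KNOWN_GOOD):
    """Step 2: drop traffic whose registered domain is on the allowlist."""
    return [r for r in records if registered_domain(r[2]) not in allowlist]


def find_beacons(records, min_queries=5, max_jitter=0.25):
    """Step 3: flag (client, domain) pairs whose inter-query gaps are nearly constant."""
    by_pair = defaultdict(list)
    for ts, client, domain in records:
        by_pair[(client, domain)].append(ts)

    beacons = []
    for (client, domain), times in by_pair.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        # Coefficient of variation: ~0 means metronomic, human browsing is far noisier
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            beacons.append((client, domain, round(mean, 1), round(cv, 3)))
    return beacons


if __name__ == "__main__":
    leftover = remove_known_good(parse_queries(SAMPLE_QUERIES))
    for client, domain, interval, cv in find_beacons(leftover):
        print(f"{client} -> {domain}: every {interval}s (cv={cv})")
```

The news site in the sample is visited four times at irregular intervals and is not flagged, while the host queried every sixty seconds (with a second or two of jitter) is. Real beacons often add deliberate jitter, which is why the check uses a tolerance rather than demanding identical gaps.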

Dynamic DNS connections

Connections to domains hosted on dynamic DNS providers may indicate C2 communication

Look at DNS query or HTTP proxy logs for sites visited by a low number of endpoints

  • In many environments, any access to a dynamic DNS provider may be considered suspicious

Use a lookup table or feed of known dynamic DNS (DDNS) domains to query against the data in a SIEM or log aggregator
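The two checks above (sites visited by few endpoints, and matches against a DDNS feed) can be run over proxy logs together. The following is an added example (not from the original notes) with a constructed proxy log of "client host" lines and a constructed list of dynamic DNS provider suffixes standing in for the feed a SIEM would load; the endpoint threshold is an assumption for the sample.

```python
from collections import defaultdict

# Constructed HTTP proxy log (not from the page): "client_ip host"
SAMPLE_PROXY_LOG = """\
10.0.0.2 www.example.com
10.0.0.3 www.example.com
10.0.0.4 www.example.com
10.0.0.5 www.example.com
10.0.0.6 www.example.com
10.0.0.3 portal.example.org
10.0.0.4 portal.example.org
10.0.0.9 update-svc.ddns-provider.example
10.0.0.9 update-svc.ddns-provider.example
10.0.0.11 rarehost.example.net
"""

# Constructed stand-in for a dynamic DNS provider feed (suffixes, matched label-wise).
DDNS_SUFFIXES = {"ddns-provider.example", "dyn-example.test"}


def endpoints_per_host(text):
    """Map each visited host to the set of distinct internal endpoints that requested it."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        client, host = line.split()
        hosts[host.lower().rstrip(".")].add(client)
    return hosts


def is_dynamic_dns(host, suffixes=DDNS_SUFFIXES):
    """True when host is, or is a subdomain of, a known DDNS provider domain."""
    host = host.lower().rstrip(".")
    # Label-wise match so that 'dyn-example.test.evil.example' is NOT treated as a DDNS host
    return any(host == s or host.endswith("." + s) for s in suffixes)


def rare_and_ddns_hosts(text, max_endpoints=2):
    """Hosts seen by at most max_endpoints clients, DDNS-hosted ones first."""
    results = []
    for host, clients in endpoints_per_host(text).items():
        if len(clients) <= max_endpoints:
            results.append((host, len(clients), is_dynamic_dns(host)))
    results.sort(key=lambda r: (not r[2], r[1], r[0]))
    return results


if __name__ == "__main__":
    for host, n, ddns in rare_and_ddns_hosts(SAMPLE_PROXY_LOG):
        print(f"{host:36} endpoints={n} dynamic_dns={ddns}")
```

The ranking puts the DDNS-hosted name first even though another rare host has the same endpoint count, reflecting the note above that in many environments any DDNS access is worth a look on its own.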

Denied outbound traffic

Denied outbound traffic can be another valuable Indicator of Compromise (IOC)

Malware within your network may need to communicate with a C2 server

  • This traffic may be blocked by firewalls or other network security devices

Determine where the blocked traffic originated and investigate the source
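Finding where blocked traffic originated is a grouping exercise over firewall deny logs. The following added example (not from the original notes) parses constructed, loosely iptables-style DROP lines, keeps only the outbound ones, and ranks internal sources by how many distinct external destinations they tried to reach; the log format and field names are assumptions for the sample and would need adjusting to the real firewall's output.

```python
import re
from collections import defaultdict

# Constructed firewall log (not from the page), loosely modelled on iptables LOG output
SAMPLE_FW_LOG = """\
Mar  4 02:12:01 fw kernel: DROP OUT IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=203.0.113.10 PROTO=TCP DPT=443
Mar  4 02:12:31 fw kernel: DROP OUT IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=203.0.113.11 PROTO=TCP DPT=443
Mar  4 02:13:01 fw kernel: DROP OUT IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=203.0.113.12 PROTO=TCP DPT=8443
Mar  4 09:40:10 fw kernel: DROP OUT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=UDP DPT=123
Mar  4 10:02:55 fw kernel: DROP IN IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP DPT=22
"""

DENY_RE = re.compile(
    r"DROP (?P<dir>OUT|IN) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def summarize_denied_outbound(text):
    """Group denied outbound connections by internal source, most distinct destinations first."""
    per_src = defaultdict(lambda: {"attempts": 0, "destinations": set(), "ports": set()})
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m or m.group("dir") != "OUT":
            continue   # inbound drops are ordinary internet noise, not the IOC discussed here
        entry = per_src[m.group("src")]
        entry["attempts"] += 1
        entry["destinations"].add(m.group("dst"))
        entry["ports"].add(f'{m.group("proto")}/{m.group("dpt")}')

    ranked = sorted(
        per_src.items(),
        key=lambda kv: (-len(kv[1]["destinations"]), -kv[1]["attempts"], kv[0]),
    )
    return [
        (src, e["attempts"], sorted(e["destinations"]), sorted(e["ports"]))
        for src, e in ranked
    ]


if __name__ == "__main__":
    for src, attempts, dsts, ports in summarize_denied_outbound(SAMPLE_FW_LOG):
        print(f"{src}: {attempts} denied, {len(dsts)} destinations, ports {ports}")
```

A single host cycling through several external addresses on the same port at 02:00, as the first source does here, is the shape a malware fallback list produces and is the source to investigate first; a lone blocked NTP packet is the kind of thing that usually turns out to be a misconfiguration.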

HTTP request/response abnormalities

Requests

Large numbers of repeated requests for the same resources may indicate:

  • Attempts to create a working exploit for a supposed vulnerability

  • Attempts to use a web shell embedded in the web content directory

Responses

Unusually large responses may indicate a successful SQL injection (database dumps, etc.)

Unusually small responses may indicate unsuccessful injection attempts
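Both the request-side and the response-side signs above come out of a web server access log. The following added example (not from the original notes) parses a constructed Common Log Format log, counts repeated requests for the same resource from the same client, and compares each response size against the median for its path so that both unusually small and unusually large responses stand out. The thresholds (repeat count, size ratios, minimum samples per path) are assumptions for the sample.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed access log in Common Log Format (not from the page)
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [04/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [04/Mar/2024:10:00:02 +0000] "GET /style.css HTTP/1.1" 200 2048
203.0.113.5 - - [04/Mar/2024:10:00:09 +0000] "GET /products HTTP/1.1" 200 4900
203.0.113.6 - - [04/Mar/2024:10:00:15 +0000] "GET /products HTTP/1.1" 200 4880
203.0.113.8 - - [04/Mar/2024:10:00:21 +0000] "GET /products HTTP/1.1" 200 4910
203.0.113.9 - - [04/Mar/2024:10:00:33 +0000] "GET /products HTTP/1.1" 200 4895
198.51.100.7 - - [04/Mar/2024:10:00:40 +0000] "GET /products HTTP/1.1" 200 4905
198.51.100.9 - - [04/Mar/2024:10:01:00 +0000] "GET /products HTTP/1.1" 500 312
198.51.100.9 - - [04/Mar/2024:10:01:01 +0000] "GET /products HTTP/1.1" 500 305
198.51.100.9 - - [04/Mar/2024:10:01:02 +0000] "GET /products HTTP/1.1" 500 298
198.51.100.9 - - [04/Mar/2024:10:01:03 +0000] "GET /products HTTP/1.1" 500 310
198.51.100.9 - - [04/Mar/2024:10:01:05 +0000] "GET /products HTTP/1.1" 200 2621440
198.51.100.7 - - [04/Mar/2024:11:20:01 +0000] "POST /uploads/helper.php HTTP/1.1" 200 150
198.51.100.7 - - [04/Mar/2024:11:20:07 +0000] "POST /uploads/helper.php HTTP/1.1" 200 162
198.51.100.7 - - [04/Mar/2024:11:20:15 +0000] "POST /uploads/helper.php HTTP/1.1" 200 158
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_access_log(text):
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        size = 0 if m.group("size") == "-" else int(m.group("size"))
        records.append({
            "client": m.group("client"),
            "method": m.group("method"),
            "path": m.group("path").split("?")[0],   # group by resource, ignoring the query string
            "status": int(m.group("status")),
            "size": size,
        })
    return records


def repeated_requests(records, threshold=3):
    """(client, path) pairs requested at least `threshold` times."""
    counts = Counter((r["client"], r["path"]) for r in records)
    return {pair: n for pair, n in counts.items() if n >= threshold}


def response_size_outliers(records, min_samples=4, large_ratio=10.0, small_ratio=0.1):
    """Responses far above or below the median size for their path."""
    by_path = defaultdict(list)
    for r in records:
        by_path[r["path"]].append(r)

    findings = []
    for path, rs in by_path.items():
        if len(rs) < min_samples:
            continue   # too few samples to call anything an outlier
        median = statistics.median([r["size"] for r in rs])
        if median == 0:
            continue
        for r in rs:
            ratio = r["size"] / median
            if ratio >= large_ratio:
                findings.append((r["client"], path, r["size"], "unusually large response"))
            elif ratio <= small_ratio:
                findings.append((r["client"], path, r["size"], "unusually small response"))
    return findings


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_ACCESS_LOG)
    print("repeated:", repeated_requests(recs))
    for f in response_size_outliers(recs):
        print("size outlier:", f)
```

In the sample, one client hammers /products and gets four tiny error pages followed by one response hundreds of times larger than the page normally is, which is exactly the small-then-large sequence the two bullets above describe; the repeated POSTs to a script under an upload directory match the web shell pattern from the request section.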

Geographic abnormalities

Many different anomalies can indicate compromised user credentials:

  • Authentication attempts from unusual locations

  • Attempts by multiple IP addresses to access the same account in a short period of time

IP lookup tools like Ultra Tools WHOIS can tell you the country of origin of a suspicious IP address
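The two credential-compromise indicators above are straightforward to check over an authentication log once each source IP can be mapped to a country. The following added example (not from the original notes) uses a constructed "timestamp user source_ip result" log, a constructed dictionary standing in for a WHOIS or geolocation lookup, and a constructed per-user baseline of expected countries; the five-minute window and the three-address threshold are assumptions for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not from the page): "timestamp user source_ip result"
SAMPLE_AUTH_LOG = """\
2024-03-04T09:00:12 alice 203.0.113.5 success
2024-03-04T09:05:40 alice 203.0.113.5 success
2024-03-04T09:06:02 alice 198.51.100.7 failure
2024-03-04T09:06:09 alice 198.51.100.8 failure
2024-03-04T09:06:15 alice 198.51.100.9 failure
2024-03-04T09:06:30 alice 198.51.100.10 success
2024-03-04T13:30:00 bob 192.0.2.44 success
2024-03-04T13:31:00 bob 192.0.2.44 success
"""

# Constructed stand-in for a WHOIS/geo lookup; a real tool queries a service or local database.
IP_COUNTRY = {
    "203.0.113.5": "US", "192.0.2.44": "US",
    "198.51.100.7": "ZZ", "198.51.100.8": "ZZ", "198.51.100.9": "ZZ", "198.51.100.10": "ZZ",
}
# Constructed baseline: countries each user normally authenticates from
EXPECTED_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}


def parse_auth_log(text):
    records = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        records.append((datetime.fromisoformat(ts), user, ip, result))
    return records


def unusual_locations(records, expected=EXPECTED_COUNTRIES, lookup=IP_COUNTRY):
    """Attempts (success or failure) from a country outside the user's baseline."""
    return [
        (ts, user, ip, lookup.get(ip, "unknown"))
        for ts, user, ip, _ in records
        if lookup.get(ip, "unknown") not in expected.get(user, set())
    ]


def multi_ip_bursts(records, window=timedelta(minutes=5), min_ips=3):
    """Accounts hit from at least min_ips distinct addresses inside any sliding window."""
    by_user = defaultdict(list)
    for ts, user, ip, _ in records:
        by_user[user].append((ts, ip))

    alerts = []
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ips = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                alerts.append((user, start, len(ips)))
                break   # one alert per account is enough to open an investigation
    return alerts


if __name__ == "__main__":
    recs = parse_auth_log(SAMPLE_AUTH_LOG)
    for ts, user, ip, country in unusual_locations(recs):
        print(f"{ts} {user} from {ip} ({country}) outside baseline")
    for user, start, n in multi_ip_bursts(recs):
        print(f"{user}: {n} distinct source IPs within 5 minutes of {start}")
```

Note that the final successful login from the unexpected country is the one that matters most: the failures establish that the account was being worked on, the success says it was taken over.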
