The DDNS dagger

Levi Gundert, technical leader, Cisco TRAC

When launching a remote cyber attack involving malicious code there are four practical methods for the malware to connect back to the attacker:

1. Hardcode all traffic to a destination IP address and forgo using a domain.
2. Register a new domain by using a stolen credit card or unattributable e-currency (WebMoney, Bitcoin, etc.).
3. Compromise an existing domain and create new DNS records.
4. Use a dynamic DNS (DDNS) service to create a free sub-domain.

For a multitude of reasons, it turns out that using a DDNS service is the easiest and most pervasive method for creating sustainable command-and-control domains.

DDNS is a legitimate and useful service. Home internet users often employ DDNS accounts to enable remote connectivity to their home network because residential internet service providers rarely provision static IP addresses to residential circuits. Thus, DDNS is the configuration glue that continually maps a domain to a constantly changing IP address. Unfortunately, free DDNS services have also been co-opted by all three threat groups: those motivated by profit (criminals), ideology (hacktivists) and nationalism (nation-state sponsored). DDNS activity within the enterprise may be an employee connecting to a home VPN or it may be an attacker exfiltrating your company's intellectual property.

It is true that not all DDNS providers are equal. Some providers proactively monitor their network and quickly respond to abuse complaints. Others operate in fly-by-night fashion and demonstrate generally cavalier attitudes toward abuse. Threat actors naturally gravitate to DDNS providers that facilitate longer periods of uninterrupted attack activity. At last count, more than 1,000 base domains were being provided by more than 60 DDNS providers. 

The recent spate of high-profile attacks launched using DDNS – some leveraging zero-day exploits – presents a compelling business case for why enterprise network administrators and computer incident response teams (CIRTs) should be especially vigilant regarding network traffic destined for DDNS domains. 
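One way to act on that advice, as an added example that is not from the article or from Cisco TRAC: a small Python script that matches the queried names in DNS logs against a list of DDNS base domains and reports which internal clients are talking to them. The base-domain list, the log format and the log lines are constructed placeholders; a real deployment would load the provider base-domain list from a threat-intelligence feed and the queries from the resolver's logs.

```python
"""Flag DNS queries whose names fall under known DDNS base domains."""
import re
from collections import Counter

# Constructed DDNS base domains for illustration only; a real feed would
# carry the 1,000+ base domains served by the 60+ providers the article counts.
DDNS_BASE_DOMAINS = {"ddns-example.net", "dyn-example.org", "hopto-example.com"}

# Constructed resolver log lines in a simplified "timestamp client qname" format.
SAMPLE_DNS_LOG = """\
2014-11-03T09:12:01Z 10.0.4.17 www.example.com
2014-11-03T09:12:05Z 10.0.4.17 vpn-home.ddns-example.net
2014-11-03T09:13:40Z 10.0.7.22 updates.vendor.example
2014-11-03T09:14:02Z 10.0.7.22 srv01.dyn-example.org.
2014-11-03T09:15:11Z 10.0.7.22 ddns-example.net
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def ddns_base(qname, bases=DDNS_BASE_DOMAINS):
    """Return the DDNS base domain qname is a proper subdomain of, else None.

    A query for the bare base domain is the provider's own site, not a
    customer host, so it is deliberately not flagged.
    """
    labels = qname.rstrip(".").lower().split(".")
    # Walk every proper suffix of the name (i starts at 1 to skip the full name).
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in bases:
            return suffix
    return None


def flag_ddns_queries(log_text, bases=DDNS_BASE_DOMAINS):
    """Parse log lines; return (client, qname, base) for every DDNS hit."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines instead of aborting the run
        _ts, client, qname = match.groups()
        base = ddns_base(qname, bases)
        if base:
            hits.append((client, qname.rstrip(".").lower(), base))
    return hits


def clients_by_hits(hits):
    """Count DDNS queries per client so the noisiest hosts are triaged first."""
    return Counter(client for client, _qname, _base in hits)
```

A hit is a lead, not a verdict: as the article notes, the same query may be an employee's home VPN, so each flagged client still needs triage.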
