The DDNS dagger

Levi Gundert, technical leader, Cisco TRAC

When launching a remote cyber attack involving malicious code, there are four practical methods for the malware to connect back to the attacker:

1. Hardcode all traffic to a destination IP address and forgo using a domain.
2. Register a new domain by using a stolen credit card or unattributable e-currency (WebMoney, Bitcoin, etc.).
3. Compromise an existing domain and create new DNS records.
4. Use a dynamic DNS (DDNS) service to create a free sub-domain.

For a multitude of reasons, it turns out that using a DDNS service is the easiest and most pervasive method for creating sustainable command-and-control domains.

DDNS is a legitimate and useful service. Home internet users often employ DDNS accounts to enable remote connectivity to their home network because residential internet service providers rarely provision static IP addresses to residential circuits. Thus, DDNS is the configuration glue that continually maps a domain to a constantly changing IP address. Unfortunately, free DDNS services have also been co-opted by all three threat groups: those motivated by profit (criminals), ideology (hacktivists) and nationalism (nation-state sponsored). DDNS activity within the enterprise may be an employee connecting to a home VPN or it may be an attacker exfiltrating your company's intellectual property.

It is true that not all DDNS providers are equal. Some providers proactively monitor their network and quickly respond to abuse complaints. Others operate in fly-by-night fashion and demonstrate generally cavalier attitudes toward abuse. Threat actors naturally gravitate to DDNS providers that facilitate longer periods of uninterrupted attack activity. At last count, more than 1,000 base domains were being provided by more than 60 DDNS providers. 

The recent spate of high-profile attacks launched using DDNS – some leveraging zero-day exploits – presents a compelling business case for why enterprise network administrators and computer incident response teams (CIRTs) should be especially vigilant regarding network traffic destined for DDNS domains. 
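One way to act on that recommendation, as an added example that is not Cisco TRAC's code and not part of the original article: scan a DNS query log for names that sit under a known DDNS base domain and count the queries per client, so that a single lookup from an employee's workstation can be separated from a host that resolves the same sub-domain every minute. The base-domain list and the log lines below are constructed placeholders (a real deployment would load the 1,000-plus base domains from a maintained feed), and the log layout is assumed to follow BIND's querylog format.

```python
"""Flag DNS queries for dynamic-DNS sub-domains in a DNS query log.

Added example, not Cisco TRAC's code. Assumes a BIND-style query log
layout and a constructed list of DDNS base domains.
"""
import re
from collections import Counter

# Constructed base-domain list: placeholder names, not real providers.
# Entries may have more than one label (a provider's per-brand zones).
DDNS_BASE_DOMAINS = {
    "ddns-one.test",
    "dyn.ddns-two.test",
    "hopto.ddns-three.test",
}

# Constructed log lines in the layout BIND writes with querylog enabled:
# "<date> <time> client <ip>#<port> (<qname>): query: <qname> IN <qtype> ..."
SAMPLE_LOG = """\
12-Mar-2014 09:00:01.123 client 10.1.4.22#51234 (mail.internal.test): query: mail.internal.test IN A + (10.1.0.5)
12-Mar-2014 09:00:05.456 client 10.1.4.22#51240 (home-router.ddns-one.test): query: home-router.ddns-one.test IN A + (10.1.0.5)
12-Mar-2014 09:01:05.789 client 10.1.7.91#49152 (update.dyn.ddns-two.test): query: update.dyn.ddns-two.test IN A + (10.1.0.5)
12-Mar-2014 09:02:05.790 client 10.1.7.91#49153 (update.dyn.ddns-two.test): query: update.dyn.ddns-two.test IN A + (10.1.0.5)
12-Mar-2014 09:03:05.791 client 10.1.7.91#49154 (update.dyn.ddns-two.test): query: update.dyn.ddns-two.test IN A + (10.1.0.5)
12-Mar-2014 09:03:06.000 client 10.1.7.91#49155 (www.example.test): query: www.example.test IN A + (10.1.0.5)
12-Mar-2014 09:04:00.000 client 10.1.9.3#40000 (ddns-one.test): query: ddns-one.test IN A + (10.1.0.5)
"""

# Newer BIND versions insert "@0x..." after "client"; the optional group absorbs it.
LOG_RE = re.compile(
    r"client (?:@\S+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): query: \S+ IN (?P<qtype>\S+)"
)


def normalize(qname):
    """Lower-case and strip the trailing dot so matching is case- and form-insensitive."""
    return qname.lower().rstrip(".")


def ddns_base_domain(qname, base_domains=DDNS_BASE_DOMAINS):
    """Return the DDNS base domain under which qname was created, or None.

    Matching walks label boundaries from the left, so only a proper
    sub-domain (host.base) matches. A query for the bare base (the
    provider's own site) and look-alikes such as 'notbase.test' or
    'base.test.other.test' are not flagged; a substring match would
    get all three wrong.
    """
    labels = normalize(qname).split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in base_domains:
            return candidate
    return None


def parse_query_log_line(line):
    """Extract (client, qname, qtype) from one query log line, or None if it is not a query line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("client"), normalize(m.group("qname")), m.group("qtype")


def find_ddns_queries(log_text, base_domains=DDNS_BASE_DOMAINS):
    """Return (client, qname, base) for every query line that resolves a DDNS sub-domain."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_query_log_line(line)
        if parsed is None:
            continue
        client, qname, _qtype = parsed
        base = ddns_base_domain(qname, base_domains)
        if base:
            hits.append((client, qname, base))
    return hits


def summarize(hits):
    """Count queries per (client, qname); a steady stream from one host is what to triage first."""
    return dict(Counter((client, qname) for client, qname, _base in hits))


if __name__ == "__main__":
    for (client, qname), n in sorted(summarize(find_ddns_queries(SAMPLE_LOG)).items()):
        print(f"{client:<12} {qname:<32} {n} queries")
```

Run against the constructed log, the one query from 10.1.4.22 for a home router's name is reported once, while 10.1.7.91 shows three lookups of the same DDNS sub-domain a minute apart; the summary does not decide which is the home VPN and which is an implant, but it puts the periodic one at the top of the analyst's queue. Matching on label boundaries rather than substrings matters because a list of a thousand base domains will otherwise collide with legitimate names that merely contain one.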
