The DDNS dagger

Levi Gundert, technical leader, Cisco TRAC

When launching a remote cyber attack involving malicious code there are four practical methods for the malware to connect back to the attacker: 

1. Hardcode all traffic to a destination IP address and forgo using a domain.
2. Register a new domain using a stolen credit card or unattributable e-currency (WebMoney, Bitcoin, etc.).
3. Compromise an existing domain and create new DNS records.
4. Use a dynamic DNS (DDNS) service to create a free sub-domain.

For a multitude of reasons, it turns out that using a DDNS service is the easiest and most pervasive method for creating sustainable command-and-control domains.

DDNS is a legitimate and useful service. Home internet users often employ DDNS accounts to enable remote connectivity to their home network because residential internet service providers rarely provision static IP addresses to residential circuits. Thus, DDNS is the configuration glue that continually maps a domain to a constantly changing IP address. Unfortunately, free DDNS services have also been co-opted by all three threat groups: those motivated by profit (criminals), ideology (hacktivists) and nationalism (nation-state sponsored). DDNS activity within the enterprise may be an employee connecting to a home VPN or it may be an attacker exfiltrating your company's intellectual property.

It is true that not all DDNS providers are equal. Some providers proactively monitor their network and quickly respond to abuse complaints. Others operate in fly-by-night fashion and demonstrate generally cavalier attitudes toward abuse. Threat actors naturally gravitate to DDNS providers that facilitate longer periods of uninterrupted attack activity. At last count, more than 1,000 base domains were being provided by more than 60 DDNS providers. 

The recent spate of high-profile attacks launched using DDNS – some leveraging zero-day exploits – presents a compelling business case for why enterprise network administrators and computer incident response teams (CIRTs) should be especially vigilant regarding network traffic destined for DDNS domains. 
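One concrete form of the vigilance the article calls for is to flag every internal DNS query that resolves under a known DDNS base domain and then look at which hosts generate that traffic. The script below is an added example, not code from the article or from Cisco TRAC. It assumes a simple resolver log format ("timestamp client_ip qtype qname", one query per line) and uses a constructed placeholder list of DDNS base domains; a real watch list would hold the 1,000-plus base domains the article mentions. Matching is done on label boundaries so that look-alike names and queries for the provider's own site are not reported.

```python
"""Flag DNS queries for sub-domains of known dynamic-DNS base domains.

Added example; not code from the article. The log format and the base
domain list are assumed / constructed for illustration only.
"""
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Constructed watch list of DDNS base domains (placeholders, not a real
# provider inventory). A production list would be far longer.
DDNS_BASE_DOMAINS = {
    "ddns-provider-a.example",
    "dyn.ddns-provider-b.example",
    "ddns-provider-c.example",
}

# Constructed resolver log lines: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2014-03-01T09:12:03Z 10.1.4.22 A files.ddns-provider-a.example
2014-03-01T09:12:05Z 10.1.4.22 A www.example.com
2014-03-01T09:13:41Z 10.1.7.9 A homebox.dyn.ddns-provider-b.example
2014-03-01T09:14:02Z 10.1.4.22 A ddns-provider-a.example
2014-03-01T09:15:17Z 10.1.9.3 AAAA notddns-provider-c.example
2014-03-01T09:16:00Z 10.1.4.22 A update.ddns-provider-c.example.
"""


def ddns_base_domain(qname: str,
                     bases: Iterable[str] = DDNS_BASE_DOMAINS) -> Optional[str]:
    """Return the DDNS base domain that qname is a proper sub-domain of, else None.

    The comparison is anchored on a label boundary ("." + base), so
    "notddns-provider-c.example" does not match "ddns-provider-c.example",
    and a query for the base domain itself (the provider's own web site)
    is not reported. A trailing dot (FQDN form) is tolerated.
    """
    name = qname.lower().rstrip(".")
    for base in bases:
        if name.endswith("." + base.lower()):
            return base
    return None


def parse_log_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one log line into (timestamp, client, qtype, qname); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return parts[0], parts[1], parts[2], parts[3]


def find_ddns_queries(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, qname, base_domain) for every query under a DDNS base."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        _ts, client, _qtype, qname = rec
        base = ddns_base_domain(qname)
        if base is not None:
            hits.append((client, qname.rstrip("."), base))
    return hits


def clients_by_ddns_activity(log_text: str) -> Counter:
    """Count DDNS-destined queries per internal client so the noisiest hosts surface first."""
    return Counter(client for client, _q, _b in find_ddns_queries(log_text))


if __name__ == "__main__":
    for client, qname, base in find_ddns_queries(SAMPLE_LOG):
        print(f"{client} -> {qname} (DDNS base: {base})")
    print(clients_by_ddns_activity(SAMPLE_LOG).most_common())
```

The per-client count is the useful triage view: one host with a single query to a DDNS name is consistent with an employee reaching a home VPN, whereas a host that repeatedly resolves several DDNS sub-domains deserves a closer look by the CIRT. Feeding the hits into the SIEM as a low-severity event, rather than blocking outright, keeps legitimate home-network use working while still giving responders the trail they need.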
