The DDNS dagger

Levi Gundert, technical leader, Cisco TRAC

When launching a remote cyber attack involving malicious code there are four practical methods for the malware to connect back to the attacker: 

One, hardcode all traffic to a destination IP address and forgo using a domain. Two, register a new domain by using a stolen credit card or unattributable e-currency (WebMoney, Bitcoin, etc.). Three, compromise an existing domain and create new DNS records. Four, use a dynamic DNS (DDNS) service to create a free sub-domain. For a multitude of reasons, it turns out that using a DDNS service is the easiest and most pervasive method for creating sustainable command-and-control domains. 

DDNS is a legitimate and useful service. Home internet users often employ DDNS accounts to enable remote connectivity to their home network because residential internet service providers rarely provision static IP addresses to residential circuits. Thus, DDNS is the configuration glue that continually maps a domain to a constantly changing IP address. Unfortunately, free DDNS services have also been co-opted by all three threat groups: those motivated by profit (criminals), ideology (hacktivists) and nationalism (nation-state sponsored). DDNS activity within the enterprise may be an employee connecting to a home VPN or it may be an attacker exfiltrating your company's intellectual property.

It is true that not all DDNS providers are equal. Some providers proactively monitor their network and quickly respond to abuse complaints. Others operate in fly-by-night fashion and demonstrate generally cavalier attitudes toward abuse. Threat actors naturally gravitate to DDNS providers that facilitate longer periods of uninterrupted attack activity. At last count, more than 1,000 base domains were being provided by more than 60 DDNS providers. 

The recent spate of high-profile attacks launched using DDNS – some leveraging zero-day exploits – presents a compelling business case for why enterprise network administrators and computer incident response teams (CIRTs) should be especially vigilant regarding network traffic destined for DDNS domains. 
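As an added illustration of the vigilance the author calls for (example code written for this page, not from the article or Cisco TRAC): a small Python triage script that flags resolver-log queries falling under a watchlist of DDNS base domains, matching on label boundaries so look-alike names and the bare base domain are not flagged. The log lines and the base domains are constructed placeholders; a real deployment would load the watchlist from the organisation's own intelligence feed.

```python
"""Flag resolver-log queries for names under a watchlist of DDNS base domains.
Log lines and the watchlist are constructed for this example, not real data."""
from collections import defaultdict

# Constructed watchlist of DDNS base domains (placeholders, not real providers).
DDNS_BASE_DOMAINS = {"dyn-example.net", "hosts.free-ddns-example.org"}

# Constructed resolver log lines: "<timestamp> <client_ip> <queried_name>".
SAMPLE_LOG = """\
2014-02-03T09:12:01Z 10.1.4.22 www.example.com
2014-02-03T09:12:05Z 10.1.4.22 homevpn.dyn-example.net
2014-02-03T09:13:40Z 10.1.9.71 update.hosts.free-ddns-example.org
2014-02-03T09:14:02Z 10.1.9.71 notdyn-example.net
2014-02-03T09:15:17Z 10.1.9.71 host-7731.hosts.free-ddns-example.org
"""

def ddns_base(name, bases=DDNS_BASE_DOMAINS):
    """Return the DDNS base domain that `name` is a sub-domain of, or None.

    Matching is on label boundaries, so 'notdyn-example.net' is not taken as
    a sub-domain of 'dyn-example.net', and a query for the bare base domain
    itself is not flagged (no DDNS sub-domain was used).
    """
    labels = name.lower().rstrip(".").split(".")
    for cut in range(1, len(labels)):
        if ".".join(labels[cut:]) in bases:
            return ".".join(labels[cut:])
    return None

def flag_ddns_queries(log_text):
    """Map each client IP to the DDNS hostnames it queried.

    A hit is a triage lead, not proof of compromise: as the article notes,
    it may be an employee reaching a home VPN.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the run
        _ts, client, qname = parts
        if ddns_base(qname) is not None:
            hits[client].append(qname.lower())
    return dict(hits)

if __name__ == "__main__":
    for client, names in flag_ddns_queries(SAMPLE_LOG).items():
        print(client, "->", ", ".join(names))
```

Enrich each hit with who owns the client (a known home-VPN user versus a server that should never talk to DDNS hosts) before escalating it.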
