When launching a remote cyber attack involving malicious code there are four practical methods for the malware to connect back to the attacker:
One, hardcode all traffic to a destination IP address and forgo using a domain. Two, register a new domain by using a stolen credit card or unattributable e-currency (WebMoney, Bitcoin, etc.). Three, compromise an existing domain and create new DNS records. Four, use a dynamic DNS (DDNS) service to create a free sub-domain. For a multitude of reasons, it turns out that using a DDNS service is the easiest and most pervasive method for creating sustainable command-and-control domains.
DDNS is a legitimate and useful service. Home internet users often employ DDNS accounts to enable remote connectivity to their home network because residential internet service providers rarely provision static IP addresses to residential circuits. Thus, DDNS is the configuration glue that continually maps a domain to a constantly changing IP address. Unfortunately, free DDNS services have also been co-opted by all three threat groups: those motivated by profit (criminals), ideology (hacktivists) and nationalism (nation-state sponsored). DDNS activity within the enterprise may be an employee connecting to a home VPN or it may be an attacker exfiltrating your company's intellectual property.
It is true that not all DDNS providers are equal. Some providers proactively monitor their network and quickly respond to abuse complaints. Others operate in fly-by-night fashion and demonstrate generally cavalier attitudes toward abuse. Threat actors naturally gravitate to DDNS providers that facilitate longer periods of uninterrupted attack activity. At last count, more than 1,000 base domains were being provided by more than 60 DDNS providers.
The recent spate of high-profile attacks launched using DDNS – some leveraging zero-day exploits – presents a compelling business case for why enterprise network administrators and computer incident response teams (CIRTs) should be especially vigilant regarding network traffic destined for DDNS domains.