Proper Security For DNS Traffic

We live in a very dangerous world where ne’er-do-wells are constantly trying to attack us whether it be on the subway, in the streets, at home, in our car, or even when we go online. Therefore, it is important to have proper protection against these attacks. For example, you may take a defense class such as karate, you may carry mace in your purse, or you may simply be a fast runner. There are many different ways that you can protect yourself but how do you protect yourself when you go online.

Have you ever heard of fast flux? The goal of fast flux is to utilize a fully qualified domain name, for instance, and have hundreds or even thousands of multiple IP addresses assigned to it. These multiple of addresses will be flux like swapped in and out with extreme frequency. They will use a combination of various round-robin IP addresses in an extremely short period of time.

A website host name could be associated with a brand new set of IP addresses as quickly as every three minutes. This means that a browser that connects to that same website could, in reality, be connecting each time with a different infected computer. These fast flux networks are behind many of the illegal online practices that we see today. Some of these practices include money mule recruitment sites, online pharmacy shops, illegal/extreme adult content, malware downloads, and malicious browser exploit websites.

When it comes to a weak spot in this type of system it will usually be whatever is at the top level, the domain name. There could be 100’s or 1000’s of hosts beneath the domain name and all of them are ready to serve content for it. However, when the domain name is no longer there then none of this is achievable. Many online criminals understand that the weak spot is the domain name. As a result, they will register as many as they can so that they can continue to distribute their malicious content.

This may all seem to eventually lead to the Armageddon of the Internet. What is the typical homeowner or businessman, who knows very little about these issues, supposed to do? The good news is that there are ways to prevent these attacks and this article will provide you with a few of the more effective ones. Let’s begin our defense with firewalls.

Your firewall is your most prevalent security system. A firewall will allow you to define specific rules so as to prevent IP spoofing. Firewalls will include a rule that will deny DNS queries from any IP address that is outside of your allotted numbers space. It does this to prevent a name resolver from being vulnerable to open reflectors that are in DDoS attacks.

The firewall will also enable inspection for all DNS traffic. It will look for anomalous DNS traffic and suspicious byte patterns so that it can block any name server software that want to exploit your system. When a DDoS attack is present, your firewall will shut down any specific flow of traffic related to this attack. However, it should be noted that a firewall cannot perform anti-spoofing by means of a packet by packet basis to distinguish legitimate or good traffic from bad.

Your next important defense is an intrusion detection system. It does not matter whether you use OSSEC, Snort, or Suricata. All of them are able to provide rules that will report DNS requests from any unauthorized client. You can also make a rule to report or count NXDOMAIN responses, DNS inquiries made using TCP, a response that contains a resource record with short TTLs, a DNS inquiry to a nonstandard port, or any suspiciously DNS response that is large.

All values in any field of a DNS response message or inquiry is basically in play. When you make the rules you are only limited by your mastery and imagination of DNS. An intrusion prevention service in a firewall will provide deny/permit rules for the majority of common checks.

Let’s say, for example, that all of your company’s computers have been turned into a type of bot. An intrusion detection system will be effective at discovering whatever activity is going on in your network and then providing you with information about which computers are affected. Unfortunately, an intrusion detection system will only be able to detect DDoS attacks. The intrusion detection system will be unable to do anything to mitigate any effects of the attack.

Your next line of defense will be a traffic analyzer. Previous case studies for both Bro and Wireshark show that a passive traffic analysis can be quite effective when identifying malware traffic. This type of defense will filter and capture DNS traffic between your resolver and your clients and then save it to a PCAP file. You can then create a script to investigate the PCAP file for any specific suspicious activities.

The passive DNS replication will help to defend your computer by collecting and then analyzing all passive DNS data so as to identify malware. This program was invented in 2004 by Florian Weimer. He invented this program for the sole purpose of identifying malware. The process works by logging the responses that the recursive name servers receive from any other name servers. It then replicates this log data in a safe central database for careful analysis and archiving.

A passive DNS replication’s data will consist primarily of answers and referrals from authorized name servers who are found on the Internet. It is a very useful way for identifying any of the malicious malware domains. This will be especially true where malware domains that use algorithmically generated types of domain names.

Unfortunately, network abuse is definitely on the increase. In addition, network attacks are becoming extremely more complex. The availability of many new criminal tools means that even a basic hacker is able to launch a sophisticated attack against a service provider. Therefore, for your own protection against online attacks make sure that you have good firewalls and DNS performance monitoring – Path Network services.

Leave a Reply