Monitoring DNS traffic can reveal a lot about Botnets on your network. Botnet-assisted Distributed denial of service (DDoS) attacks are one of the most common forms of network abuse. Sometime back a botnet called Mirai got the entire American internet to standstill when it infiltrated the servers ofDyn- a company which controls much of internet’s DNS infrastructure.
These 5 ways can help in detection of intrusion in DNS traffic:
1. Firewalls- The most prevalent and used security system is Firewalls. It should let you define rules to prevent IP spoofing. IPs outside your defined numbers should be denied to prevent your name resolver from being misused as an open reflector in an DDoS attack.
Also enable traffic inspection for suspicious data byte patterns to block name server software exploits.
2. Intrusion detection systems- You can compose rules to report DNS access from unauthorized clients. They can identify unusual traffic produced by bots. An intrusion detection system can identify if a computer is being affected by the bot attack. However, they can only identify the attack but can’t do anything to mitigate it.
3. Traffic analyzers- Capture and filter DNS traffic between your clients and your resolver, and save to a PCAP file. Now you need to create scripts to search the PCAP for the specific suspicious activities you are looking for.
(the clients shouldn’t be allowed to use your resolver or any nonstandard port other than your local resolver)
4. Passive DNS replication- Gathering and analyzing passive DNS data can help identify malware. Florian Weimer invented passive DNS replication in 2004 specifically for this purpose. Recursive name servers log the responses they receive from other name servers and replicate this logged data in a central database for analysis and archiving. Passive DNS data consists largely of referrals and answers from authoritative name servers on the Internet, and can be useful for identifying malware domains, especially where malware uses algorithmically generated domain names.
5. Logging at your resolver- The logs of your resolvers record all the DNS traffic. With logging enabled, you could use multiple tools to collect and analyze the DNS data.
DNS monitoring is a sure method to detect intrusion and attacks. It has been in practice since a long time and should be in practice. Logix Infosecurity helps in DNS monitoring as well as advanced threat protection tools which give layers of security for your organization.
