Malicious Activity on Four in Five Networks


Four out of every five enterprise networks show signs of malicious DNS activity, potentially putting valuable data at risk, according to a new study by Infoblox.

The Infoblox Security Assessment Report for the first quarter of 2016 studied companies from a wide range of industries and geographies. According to Infoblox, 83% of the networks it examined had evidence of malicious DNS activity.

In total Infoblox studied 519 files that had captured DNS traffic and found that 429 showed signs of suspicious activity. The most common threats by far were botnets and protocol anomalies (both 54%). A protocol anomaly is a malformed DNS packet crafted so that the server processing it enters an infinite loop or crashes, and so stops responding.

Next on the list was DNS tunneling (18%). Some DNS tunneling is legitimate, but Infoblox said it has seen a lot of malicious uses of it recently. Tunneling encodes data inside DNS queries and responses; because most firewalls pass DNS traffic without inspecting it, malware inside the network can use it to send information out or receive commands, effectively bypassing the firewall.
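The traffic pattern described above is detectable from ordinary resolver logs. The following is an added example, not Infoblox's code or the report's method: a heuristic that groups queries by client and parent domain and flags groups with many distinct, long, high-entropy leftmost labels, which is what encoded data looks like in a query name. The log lines, the thresholds, and the naive "last two labels" parent-domain rule are all assumptions made for the example.

```python
"""Heuristic DNS-tunneling detector over a query log (added example).

Tunnels carry data in the leftmost label(s) of a query name, so a tunnelling
client produces many distinct, long, high-entropy subdomains under one parent
domain, often asking for TXT or NULL records that can carry data back.
"""
import math
from collections import defaultdict

# Constructed sample log: (client_ip, qname, qtype). Not real traffic and not
# taken from the Infoblox report. The exfil-example.org labels are base64 text.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "MX"),
    ("10.0.0.5", "api.example.com", "A"),
    ("10.0.0.5", "static.example.com", "A"),
    ("10.0.0.5", "cdn.example.net", "A"),
    ("10.0.0.7", "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.t0.exfil-example.org", "TXT"),
    ("10.0.0.7", "c2VjcmV0IGZpbGUgY29udGVudHMgcGFydCAy.t1.exfil-example.org", "TXT"),
    ("10.0.0.7", "bW9yZSBkYXRhIGZyb20gdGhlIGhvc3QgaGVyZQ.t2.exfil-example.org", "TXT"),
    ("10.0.0.7", "ZmluYWwgY2h1bmsgb2YgdGhlIGV4ZmlsIHN0cmVhbQ.t3.exfil-example.org", "NULL"),
    ("10.0.0.7", "YW5kIG9uZSBtb3JlIGNodW5rIGZvciBnb29kIG1lYXN1cmU.t4.exfil-example.org", "TXT"),
]

# Query types commonly used to carry data in the response (assumption).
DATA_CARRYING_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty string or a single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str) -> str:
    """Crude registered-domain guess: the last two labels.

    This is an assumption for the example; real deployments should use a
    public suffix list so that e.g. example.co.uk is handled correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def leftmost_label(qname: str) -> str:
    """The label most likely to carry encoded data."""
    return qname.rstrip(".").split(".")[0]


def detect_tunneling(log, min_unique=4, entropy_threshold=3.0, min_label_len=20):
    """Group queries by (client, parent domain) and score each group.

    A group is marked suspicious only when all three signals agree: enough
    distinct leftmost labels, a high mean entropy, and long labels. Legitimate
    sites also have several subdomains (www, mail, api, ...), but those are
    short and low-entropy, so requiring all three avoids flagging them."""
    groups = defaultdict(list)
    for client, qname, qtype in log:
        groups[(client, parent_domain(qname))].append((qname, qtype))

    findings = {}
    for key, entries in groups.items():
        labels = {leftmost_label(q) for q, _ in entries}
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        mean_len = sum(len(l) for l in labels) / len(labels)
        data_frac = sum(1 for _, t in entries if t in DATA_CARRYING_QTYPES) / len(entries)
        findings[key] = {
            "queries": len(entries),
            "unique_labels": len(labels),
            "mean_entropy": round(mean_entropy, 2),
            "mean_label_len": round(mean_len, 1),
            "data_qtype_fraction": round(data_frac, 2),
            "suspicious": (
                len(labels) >= min_unique
                and mean_entropy >= entropy_threshold
                and mean_len >= min_label_len
            ),
        }
    return findings


def suspicious_domains(log, **thresholds):
    """Sorted list of parent domains flagged for at least one client."""
    return sorted({
        parent
        for (_, parent), f in detect_tunneling(log, **thresholds).items()
        if f["suspicious"]
    })


if __name__ == "__main__":
    for (client, parent), f in detect_tunneling(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{client:10} {parent:20} {flag:10} {f}")
```

Run against the sample log, only the exfil-example.org traffic from 10.0.0.7 is flagged; example.com has four subdomains but they are short and low-entropy, so it passes. In a real resolver the same grouping should be done per time window, and flagged domains can be fed straight into a DNS firewall policy.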

The Zeus malware (17%), DDoS traffic (15%) and the CryptoLocker ransomware (13%) were also discovered on various networks. Amplification and reflection (12%) was also a common discovery. In these attacks, DNS queries are sent with a spoofed source address so that open resolvers direct their much larger responses at the victim, magnifying a DDoS attack and potentially bringing the victim's servers down completely.

The final malicious activity Infoblox detected was the infamous Heartbleed (11%). Heartbleed was disclosed in April 2014 and was followed by a huge awareness campaign, so it is alarming that 11% of the networks Infoblox examined still showed evidence of the vulnerability.

Craig Sanderson, senior director of security products at Infoblox, said the results show that a new approach to security is needed; defending at the perimeter is no longer sufficient due to the number of endpoints that need protecting and the number and sophistication of attacks targeting enterprises of all sizes.

“The prevalence of these attacks shows the value of DNS in finding threats aimed at disrupting organizations and stealing valuable data, as well as the extent to which organizational infrastructure can be hijacked to mount attacks on third parties,” he said.

“The good news is that DNS is also a powerful enforcement point within the network. When suspicious DNS activity is detected, network administrators and security teams can use this information to quickly identify and remediate infected devices—and can use DNS firewalling as well to prevent malware inside the network from communicating with command-and-control servers,” Sanderson added.
