There has been a threefold increase in the number of malicious DNS queries, new research has revealed, with 82 million of them identified in August alone.
As of the end of August, more than five million new domains were being queried daily, with 150 million new domains each month. In the period between March and August, nearly 1 billion were created—and the vast majority of these are malicious yet unknown to security vendors, according to Nominum Data Science.
When it comes to the internet threat fabric, nearly four million suspicious domains are created daily, with the majority of command and control infrastructure hosted in the US.
In a report on DNS security, Nominum found that botnet command and control activity jumped in August, driven by Necurs, the most widespread botnet family, with more than six million related machines under cybercriminal control. It is run by a Russian organized cybercrime group, Nominum said, and is responsible for millions of dollars in losses tied to the Dridex banking Trojan and, more recently, the Locky ransomware strain.
“Necurs exploded onto the scene in June 2016, a few months after we first started monitoring its C&C servers,” the report noted. “The number of Necurs-related queries reached 558 million in August 2016. As many as 59 million queries have occurred on a daily basis. Necurs also has at least 10,000 live domains on any given day. Some of these are used as C&C servers, while the rest are used as decoys to deceive security experts.”
Meanwhile, the number of infected Internet of Things (IoT) devices has surged, driven by a 131% increase in the Mirai botnet in the less than two weeks since its source code was released.
“Prior to the Mirai source code release, we identified approximately 213,000 bots using this method,” the report said. “Since the code release, multiple new Mirai botnets have accumulated an additional 280,000 bots, bringing the count of Mirai bots to 493,000 within the sample data Nominum analyzed.”
The now-infamous October 21 distributed denial of service (DDoS) attack on managed DNS provider Dyn should be a wake-up call, the company said. That attack took down websites at Twitter, PayPal, The New York Times, Box, Netflix and more, and originated from a large number of compromised IoT devices that are part of Mirai, including internet-connected cameras, routers and digital video recorders.
“The attacks highlighted the easily overlooked—yet vital—role that DNS plays on the internet,” said Craig Sprosts, vice president, Product Management & Strategy, Nominum, in a blog. “A lone attacker was able to prevent hundreds of millions of internet users from accessing their favorite sites by targeting a single managed DNS provider. Given the growth in IoT devices, the scale and frequency of these types of attacks is likely to increase. Without question, CSPs must be prepared for the unfortunate day when their DNS—or one of their subscribers—is the intended target of an attack, so as to preserve both network and brand integrity.”
The firm’s report ominously warned, “The Mirai botnet is continuously executing DNS attacks, perhaps presaging another big attack.”
Looking closely at DDoS, amplification, Pseudo Random Subdomain (PRSD), IoT-based, mobile malware and other types of attacks, the report points out that security teams can leverage the DNS (which is the target platform in 93% of attacks) to discover anomalous behaviors and patterns, pinpoint new threats and take effective measures.
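One concrete way to mine resolver logs for the anomalous patterns the report refers to is to look for Pseudo Random Subdomain (PRSD) activity: many never-before-seen, high-entropy labels under one registered domain, almost all answered NXDOMAIN. The script below is an added example written for this article, not Nominum's code or tooling; the one-line-per-query log format, the sample log lines and the flagging thresholds are all constructed assumptions, and the "last two labels" rule for grouping a name under its registered domain is a simplification that ignores public-suffix cases such as co.uk.

```python
"""Flag Pseudo Random Subdomain (PRSD) patterns in DNS resolver logs.

Hypothetical log format (an assumption for this example, not any vendor's):
    <epoch_seconds> <client_ip> <qname> <qtype> <rcode>
"""
import math
from collections import Counter, defaultdict

# Constructed sample: one client (plus a second helper) hammering random labels
# under example.org, all NXDOMAIN, mixed with ordinary lookups of other names.
SAMPLE_LOG = """\
# comment lines and malformed lines are skipped
1478000001 10.0.0.5 www.example.com A NOERROR
1478000001 10.0.0.7 mail.example.net A NOERROR
1478000002 10.0.0.9 x7kq2p9zd1.example.org A NXDOMAIN
1478000002 10.0.0.9 q3mzr8vb0w.example.org A NXDOMAIN
1478000002 10.0.0.6 www.example.com AAAA NOERROR
1478000003 10.0.0.9 h5tn1yc4lx.example.org A NXDOMAIN
1478000003 10.0.0.9 b9wg6ks3pe.example.org A NXDOMAIN
1478000003 10.0.0.8 api.example.com A NOERROR
1478000004 10.0.0.9 m2rd8fv7qa.example.org A NXDOMAIN
1478000004 10.0.0.9 z4lp0hx9tn.example.org A NXDOMAIN
1478000004 10.0.0.5 wwww.example.com A NXDOMAIN
1478000005 10.0.0.12 r6jy3vd1kc.example.org A NXDOMAIN
1478000005 10.0.0.12 p8sn5gw2bx.example.org A NXDOMAIN
1478000005 10.0.0.6 www.example.com A NOERROR
this line is truncated
"""


def shannon_entropy(label):
    """Bits of entropy per character in a label; random labels score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in Counter(label).values())


def parse_line(line):
    """Return a dict for one log line, or None for comments/malformed lines."""
    parts = line.split()
    if len(parts) != 5 or parts[0].startswith("#"):
        return None
    ts, client, qname, qtype, rcode = parts
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype, "rcode": rcode.upper()}


def split_qname(qname):
    """(registered_domain, leftmost_label) using a naive last-two-labels rule.

    Assumption: no public suffix list, so names like foo.example.co.uk would
    be grouped under 'co.uk'. Names without a subdomain are not PRSD candidates.
    """
    labels = qname.split(".")
    if len(labels) < 3:
        return None
    return ".".join(labels[-2:]), labels[0]


def analyze(lines, min_queries=5, min_unique_ratio=0.8,
            min_nxdomain_ratio=0.8, min_entropy=3.0):
    """Aggregate per registered domain and flag those that look like PRSD.

    A domain is flagged when it has at least min_queries lookups, nearly every
    leftmost label is distinct, nearly every answer is NXDOMAIN, and the labels
    are high-entropy. Thresholds are illustrative defaults, not tuned values.
    """
    stats = defaultdict(lambda: {"queries": 0, "labels": set(), "nxdomain": 0,
                                 "entropy_sum": 0.0, "clients": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        split = split_qname(rec["qname"])
        if split is None:
            continue
        base, label = split
        s = stats[base]
        s["queries"] += 1
        s["labels"].add(label)
        s["clients"].add(rec["client"])
        s["entropy_sum"] += shannon_entropy(label)
        if rec["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1

    flagged = {}
    for base, s in stats.items():
        n = s["queries"]
        if n < min_queries:
            continue
        unique_ratio = len(s["labels"]) / n
        nx_ratio = s["nxdomain"] / n
        mean_entropy = s["entropy_sum"] / n
        if (unique_ratio >= min_unique_ratio and nx_ratio >= min_nxdomain_ratio
                and mean_entropy >= min_entropy):
            flagged[base] = {"queries": n, "unique_labels": len(s["labels"]),
                             "nxdomain": s["nxdomain"],
                             "mean_label_entropy": round(mean_entropy, 2),
                             "clients": sorted(s["clients"])}
    return flagged


if __name__ == "__main__":
    for domain, info in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"PRSD suspect {domain}: {info}")
```

On the constructed sample, example.org is reported (eight distinct random labels, all NXDOMAIN, from two clients) while example.com is not, even though it also has an NXDOMAIN from a typo, because its labels repeat and carry little entropy. In production the same aggregation would run over a sliding time window, and the flagged clients are the ones worth looking at for Mirai-style infections.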
“When evaluating DNS software, network teams tend to look only at queries per second (QPS) as an indication of reliability, but these metrics can be misleading. Instead, network teams must evaluate how the DNS performs on the worst days when traffic patterns are highly unusual,” said Sprosts. “Common DNS implementations have very simple rules that don’t differentiate between legitimate and attack traffic. In the case of the latest attack, when the authoritative DNS servers were unable to respond to queries, the querying servers continued to flood the authoritative servers, waiting hopelessly for a response. This overwhelms the DNS server and slows DNS responses to all queries—both legitimate and malicious traffic—creating a major traffic jam, which can bring the internet to a halt.”