Nominum Data Science detected a huge wave of malicious DNS queries rolling across the Internet on Dec 14 and 15, 2015, adding to the stress service providers already face around the holidays. Since it’s one of the peak buying seasons on the Internet, most networks are locked down and operations teams are on alert. Many, unfortunately, were probably not expecting a huge surge in DNS DDoS, as it has been fairly consistent over the past few months. ThreatAvert customers were protected, but many other networks likely experienced adverse impact – substantial slowdowns or even outages for servers that saw high volumes of queries.
Android fans were probably chuckling over the XcodeGhost malware news – hackers don’t often penetrate Apple’s defenses. This provoked the Nominum Data Science team to take a look at what’s happening with malware targeting Android. Common wisdom is that Android is exposed because there’s less rigor in the development and supply chain, and third-party app stores with no protections are popular. Determined hackers can allegedly subvert defenses and get various kinds of exploits placed on mobile devices running the highly popular operating system. But what does the data show?
The DNS offers visibility into many kinds of Internet trends including various security threats. We’ve reported extensively on DNS DDoS and Nominum Data Science also tracks botnet activity. In this case queries for Command and Control (C&C) domains for the recently disclosed XcodeGhost malware were observed in September. Infected development tools were reported to have been used for the popular iOS app WeChat.
Nominum Research continues to refine algorithms, working toward more generalized methods to quickly detect “anomalous” activity that might represent DDoS, bots, or various other undesirable behaviors. To simplify somewhat, the algorithms examine high-speed, real-time data streams and continuously compare a small window of incoming queries to a very large “normal” historical sample. Unexpected variations are flagged and the relevant data is captured for further analysis.
Starting in late July 2015 there was a noticeable drop in the DNS-based DDoS activity that Nominum Data Science has been tracking for the last 18 months. As reported earlier, the beginning of 2015 saw a change in tactics from the large periodic bursts that attracted lots of attention at the end of 2014 to steadier traffic that took down targets with measured efficiency.
Working in Product Management allows me to travel around the world visiting with customers and prospects alike to identify and solve challenges facing today’s Internet providers. This typically includes engaging with individuals in a wide variety of domains – including marketing, customer care, product management, legal, and network and subscriber security. Throughout these interactions, I have noted the emergence of a common theme – the challenges presented by siloed solutions developed to solve a single problem without consideration for the requirements of other departments and the business as a whole.
2014 saw numerous huge spikes in DDoS traffic – some as large as 5 billion queries per day across Nominum’s worldwide data set, which covers around 3% of overall ISP DNS traffic. Extrapolating, this meant more than 150 billion unwanted queries across the Internet on the peak days.
DNS DDoS continues on the trend line established in 2014 – with tens of billions of malicious queries Internet-wide every day. Many of the domains attacked are lightly trafficked, but popular (Alexa 5000) domains are commonly targeted. For example, alternative news sites, a university, and ecommerce sites have been attacked in the past couple of months. Attacks on popular domains require extra care when mitigating to avoid blocking legitimate queries.
Recent analysis of DNS data revealed some interesting pictures. Drilling down into detailed data for a single resolver showed one of the DDoS attacks that occur every day. In this case a small domain, 888fy.com, representing a gaming site in China (a common category of targets), was attacked. The graph below shows 2 different attacks, each lasting several hours.
Nominum Research shows about 15% of DNS DDoS traffic is amplification (the rest is random-subdomain traffic), yet it still has impact. Data also shows bad guys continue to leverage open DNS resolvers, which after more than 2 years might be considered an “old-days” technique, yet there are still around 17 million of them on the Internet. More recently our research teams have seen bots sending amplification queries.
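As an added illustration of the window-versus-baseline detection approach described above and of the random-subdomain traffic that makes up most DNS DDoS, here is example code that is not Nominum’s own: it profiles a window of constructed query log lines per base domain and flags a domain when its query rate, or its share of leftmost labels never seen in the historical baseline, exceeds that baseline by a factor. The log format, baseline values and thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample log lines (not real traffic): "<epoch> <client> <qname>".
SAMPLE_LOG = """\
1450137600 10.0.0.1 www.example.com
1450137600 10.0.0.2 mail.example.com
1450137601 10.0.0.3 www.example.com
1450137601 10.0.0.4 k3j9x2.888fy.com
1450137601 10.0.0.5 p0q8w7.888fy.com
1450137602 10.0.0.6 z1a2b3.888fy.com
1450137602 10.0.0.7 m9n8b7.888fy.com
1450137602 10.0.0.8 www.888fy.com
1450137603 10.0.0.9 v5c4x3.888fy.com
1450137603 10.0.0.1 www.example.com
"""
# Historical "normal" profile per base domain (constructed): usual query rate,
# usual share of never-seen leftmost labels, and the labels seen historically.
BASELINE = {
    "example.com": {"qps": 3.0, "new_label_ratio": 0.05, "known": {"www", "mail"}},
    "888fy.com": {"qps": 0.5, "new_label_ratio": 0.10, "known": {"www"}},
}

def base_domain(qname):
    """Last two labels of the name; a simplification that ignores public-suffix rules."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def profile_window(lines):
    """Per base domain: query count, leftmost labels seen and the timestamps covered."""
    stats = defaultdict(lambda: {"count": 0, "labels": [], "times": []})
    for line in lines:
        ts, _client, qname = line.split()
        s = stats[base_domain(qname)]
        s["count"] += 1
        s["labels"].append(qname.split(".")[0])
        s["times"].append(int(ts))
    return stats

def flag_anomalies(lines, baseline, rate_factor=5.0, ratio_factor=5.0):
    """Flag domains whose rate or share of never-seen labels exceeds baseline by the factors."""
    flagged = {}
    for d, s in profile_window(lines).items():
        b = baseline.get(d)
        if b is None:  # no history for this domain, so nothing to compare against
            continue
        span = max(1, max(s["times"]) - min(s["times"]) + 1)  # seconds in the window
        qps = s["count"] / span
        new_ratio = sum(1 for lab in s["labels"] if lab not in b["known"]) / s["count"]
        if qps >= rate_factor * b["qps"] or new_ratio >= ratio_factor * b["new_label_ratio"]:
            flagged[d] = {"qps": round(qps, 2), "new_label_ratio": round(new_ratio, 2)}
    return flagged
```

On the constructed window, example.com stays within its baseline while 888fy.com is flagged on the never-seen-label ratio alone, which is the signature of a random-subdomain attack even before the query rate crosses its threshold.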