Blog Post

Unlocking Locky

By Mikael Kullberg, Nominum Data Science

Posted on June 2, 2016 in: General, Network, Security

Locky is a new cyberthreat that has received a lot of attention in security circles over the last few months because it has been unusually successful. Locky is advanced ransomware that encrypts a victim's files and holds them for ransom. It uses a number of different techniques to avoid being detected or blocked and takes great care to hide its path back to the attackers. The code is obfuscated to evade antivirus and anti-malware software. The blackmailers communicate over Tor and only accept Bitcoin as payment, making it nearly impossible to discover who they are.

Huge Spike in DDoS Activity for the Holidays

By Hongliang Liu

Posted on December 15, 2015 in: Network, Security

Nominum Data Science detected a huge wave of malicious DNS queries rolling across the Internet on December 14 and 15, 2015, adding to the stress service providers already face around the holidays. Since this is one of the peak buying seasons on the Internet, most networks are locked down and operations teams are on alert. Many, unfortunately, were probably not expecting a huge surge in DNS DDoS, as volumes had been fairly consistent over the past few months. ThreatAvert customers were protected, but many other networks likely experienced adverse impact: substantial slowdowns or even outages for servers that saw high volumes of queries.

Ghosts Haunt Internet II: Android Malware

By Hongliang Liu

Posted on September 30, 2015 in: Network, Security

Android fans were probably chuckling over the XcodeGhost malware news – hackers don’t often penetrate Apple’s defenses. This provoked the Nominum Data Science team to take a look at what’s happening with malware targeting Android. Common wisdom is Android is exposed because there’s less rigor in the development and supply chain, and third party app stores with no protections are popular. Determined hackers can allegedly subvert defenses and get various kinds of exploits placed on mobile devices running the highly popular operating system. But what does the data show?

DNS DDoS Mid-Year Summary

By Bruce Van Nice

Posted on June 24, 2015 in: Network, Security

2014 saw numerous huge spikes in DDoS traffic, some as large as 5 billion queries per day across Nominum's worldwide data set, which covers around 3% of overall ISP DNS traffic. Extrapolating, this meant more than 150 billion unwanted queries across the Internet on the peak days.

New Best Practice: Ingress Filtering to Deter DNS DDoS

By Bruce Van Nice

Posted on June 15, 2015 in: Security

DNS DDoS continues on the trend line established in 2014 – with tens of billions of malicious queries Internet-wide every day. Many of the domains attacked are lightly trafficked, but popular (Alexa 5000) domains are commonly targeted. For example alternative news sites, a university, and ecommerce sites have been attacked in the past couple of months. Attacks on popular domains require extra care when mitigating to avoid blocking legitimate queries.
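The ingress-side check behind this post, as an added example (not Nominum's code): given resolver query logs, identify the zone under a random-subdomain flood, then drop only the one-off random names while letting repeatedly seen names such as www or mail through. The log format ("<unix_ts> <client_ip> <qname> <qtype>"), the domain names and the traffic are constructed; the two-label zone approximation and the thresholds are assumptions.

```python
"""Ingress-side detection of a random-subdomain (NXDOMAIN flood) attack.

Added example, not Nominum's code. The log format below is constructed:
"<unix_ts> <client_ip> <qname> <qtype>", one query per line.
"""
import random
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def build_sample_log():
    """Constructed traffic: a few legitimate names plus a flood of random
    10-character labels under victim.example from many source addresses."""
    rng = random.Random(1)  # fixed seed so the example is reproducible
    legit = ["www.popular.example", "mail.popular.example", "cdn.popular.example",
             "www.victim.example", "mail.victim.example"]
    lines = []
    for i in range(200):
        if i % 5 == 0:
            qname = legit[(i // 5) % len(legit)]
            client = f"10.0.0.{rng.randint(1, 20)}"
        else:
            label = "".join(rng.choice(ALPHABET) for _ in range(10))
            qname = f"{label}.victim.example"
            client = f"192.0.2.{rng.randint(1, 254)}"
        lines.append(f"{1434000000 + i // 20} {client} {qname} A")
    return lines


def zone_of(qname):
    """Approximate the attacked zone as the last two labels (assumption:
    no public suffix list here; a real deployment would use one)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyze(lines, min_queries=50, min_distinct_ratio=0.5):
    """Per zone: total queries, distinct names, and an 'attacked' verdict.
    A random-subdomain flood shows up as almost every query carrying a
    name never seen before, so distinct/total approaches 1."""
    per_zone = defaultdict(lambda: {"total": 0, "names": defaultdict(int)})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, _client, qname, _qtype = m.groups()
        z = per_zone[zone_of(qname)]
        z["total"] += 1
        z["names"][qname.rstrip(".").lower()] += 1
    verdicts = {}
    for zone, z in per_zone.items():
        distinct = len(z["names"])
        ratio = distinct / z["total"]
        verdicts[zone] = {
            "total": z["total"],
            "distinct": distinct,
            "attacked": z["total"] >= min_queries and ratio >= min_distinct_ratio,
            "names": dict(z["names"]),
        }
    return verdicts


def should_drop(qname, verdicts):
    """Ingress filter: drop a query only if its zone is under attack AND the
    exact name has not been seen repeatedly. Repeated names (www, mail) are
    the legitimate traffic the post warns against blocking; one-off random
    labels are the attack. A long-tail legitimate name queried once during
    the attack is still dropped; that residual risk is why an explicit
    allowlist of known names is worth adding for popular domains."""
    name = qname.rstrip(".").lower()
    v = verdicts.get(zone_of(name))
    if v is None or not v["attacked"]:
        return False
    return v["names"].get(name, 0) <= 1


if __name__ == "__main__":
    v = analyze(build_sample_log())
    for zone, info in sorted(v.items()):
        print(zone, info["total"], info["distinct"], "ATTACK" if info["attacked"] else "ok")
    print(should_drop("www.victim.example", v), should_drop("qqqqqqqqqq.victim.example", v))
```

On the constructed data popular.example stays below the query threshold and has only three distinct names, so nothing under it is dropped; victim.example trips the verdict, but www.victim.example (seen eight times) still resolves while the random labels are dropped.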

DNS Amplification Attacks and Truncated Responses

By Erik Wu

Posted on June 12, 2015 in: Security

Nominum Research shows about 15% of DNS DDoS traffic is amplification (the rest is random subdomain attacks), yet it still has impact. Data also shows the bad guys continue to leverage open DNS resolvers, which after more than two years might be considered an “old-days” technique, yet there are still around 17 million of them on the Internet. More recently our research teams have seen bots sending amplification queries.
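The size arithmetic behind an amplification attack and the truncated-response mitigation named in the title, as an added example (not Nominum's code): the attacker's small EDNS0 query, the large UDP answer a reflector would return, and the TC=1 empty answer that forces a real client onto TCP while giving a spoofed source nothing to amplify. The messages are built by hand from the RFC 1035 wire layout; the TXT record set, query name and message id are constructed.

```python
"""DNS amplification factor and the truncated-response mitigation.

Added example, not Nominum's code. Builds minimal DNS wire-format messages
by hand (RFC 1035 header/question/RR layout plus an RFC 6891 OPT record)
so the byte counts behind an amplification attack can be seen directly.
"""
import struct

TYPE_TXT, TYPE_ANY, TYPE_OPT = 16, 255, 41
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    # "example.com" -> length-prefixed labels, terminated by the root label
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def header(msg_id, flags, qd, an, ns, ar):
    return struct.pack("!HHHHHH", msg_id, flags, qd, an, ns, ar)


def opt_rr(udp_payload_size=4096):
    """EDNS0 OPT pseudo-RR: root name, type 41, class = advertised UDP size.
    The attacker advertises a large buffer so the reflector sends one big
    UDP datagram instead of truncating on its own."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, 0, 0)


def build_query(qname, qtype, msg_id=0x1234, udp_payload_size=4096):
    """What a spoofed-source attacker sends to an open resolver."""
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header(msg_id, FLAG_RD, 1, 0, 0, 1) + question + opt_rr(udp_payload_size)


def question_section(msg):
    """Return the question bytes of a message (single question assumed)."""
    off = 12
    while msg[off] != 0:
        off += msg[off] + 1
    off += 1  # root label terminator
    return msg[12:off + 4]  # + QTYPE and QCLASS


def build_response(query, txt_strings):
    """Full answer: one TXT RR per string, owner name written as a
    compression pointer (0xC00C) back to the question name."""
    msg_id = struct.unpack("!H", query[:2])[0]
    answers = b""
    for s in txt_strings:
        raw = s.encode("ascii")
        assert len(raw) <= 255, "a TXT character-string is at most 255 bytes"
        rdata = bytes([len(raw)]) + raw
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 300, len(rdata)) + rdata
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    return (header(msg_id, flags, 1, len(txt_strings), 0, 1)
            + question_section(query) + answers + opt_rr())


def truncated_response(query):
    """Mitigation: answer with TC=1 and no records. A real client retries
    over TCP, which completes the handshake; a spoofed source never can, so
    the reflector emits only about one query's worth of bytes per query."""
    msg_id = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA
    return header(msg_id, flags, 1, 0, 0, 1) + question_section(query) + opt_rr()


def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def amplification_factor(query, response):
    """Bytes the reflector emits per byte the attacker sends."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com", TYPE_ANY)
    full = build_response(q, ["x" * 254] * 12)  # constructed, padded TXT set
    tc = truncated_response(q)
    print(len(q), len(full), round(amplification_factor(q, full), 1))
    print(len(tc), amplification_factor(q, tc), is_truncated(tc))
```

With a 40-byte query and twelve padded TXT records the full UDP answer is 3244 bytes, an amplification factor of about 81; the truncated answer is the same size as the query, so the reflector adds no bandwidth to the attack. Responding this way to suspected reflection traffic is a resolver-side choice, and legitimate clients pay only a TCP retry.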

Better than Bot Takedowns

By Thomas Orthbandt

Posted on March 3, 2015 in: Network, Security

Europol recently took control of the Ramnit botnet in order to disrupt more than 3.2 million infections around the world. Ramnit is a sophisticated bot that appeared in 2010 and spread quickly. It enables remote access to infected machines and can steal files and credentials. It can also monitor web browsing and even use stolen website cookies to impersonate victims. Internet users are nearly always unaware they have been infected by malware and are usually not well equipped to deal with infections even when they are made aware. It is also not realistic to expect all bots will be taken down; in fact the reverse is true: few are.

Progress on Open Home Gateways

By Thomas Orthbandt

Posted on July 14, 2014 in: Network, Security

We’ve written extensively about open DNS proxies running in home gateways (“open home gateways”). Affected devices proxy DNS queries received on their WAN interface to whatever DNS resolver they are configured to use. This is typically the DNS configured by the ISP. The DNS has always been a handy tool for various kinds of attacks and the presence of these gateways gives attackers a back door into provider networks.

Reducing the Risks of BYOD with Nominum’s Security Solution

By Thomas Orthbandt

Posted on February 5, 2013 in: Security

In previous posts, Pat discussed the risks associated with BYOD, and a DNS-based approach for reducing those risks. Essentially this approach consisted of making use of an enterprise’s caching DNS server to monitor and block DNS queries to known botnet command and control (C&C) domains. Finding these C&C domains is something Nominum does quite well.
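The resolver-side policy this describes, as an added example (not Nominum's code): a suffix match of each query name against a C&C domain list, blocking the domain and everything under it, plus the per-client tally an operator needs to find the BYOD devices that beaconed. The C&C names, the simplified log format ("<client_ip> <qname> <qtype>") and the log lines are constructed; the label-wise match is written out so that a look-alike such as notbot-controller.example is not caught by a plain string-suffix test.

```python
"""Caching-resolver policy: flag and block queries for known C&C domains.

Added example, not Nominum's code. The C&C list and the query-log lines are
constructed; the log format "<client_ip> <qname> <qtype>" is simplified.
"""
from collections import Counter

# Constructed blocklist. Each entry covers the domain and everything under it.
CNC_DOMAINS = {"bot-controller.example", "updates.malware-c2.example"}

# Constructed resolver query log: two BYOD clients beacon to C&C names,
# everyone else looks up ordinary names. The look-alike legitimate domain
# (notbot-controller.example) is there to show why str.endswith is not enough.
SAMPLE_LOG = [
    "10.1.1.20 www.intranet.example A",
    "10.1.1.21 BOT-CONTROLLER.example. A",
    "10.1.1.22 mail.intranet.example MX",
    "10.1.1.21 x7.bot-controller.example A",
    "10.1.1.23 updates.malware-c2.example TXT",
    "10.1.1.24 notbot-controller.example A",
    "10.1.1.23 ping.updates.malware-c2.example A",
    "10.1.1.20 www.intranet.example AAAA",
]


def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.rstrip(".").lower()


def matching_cnc_domain(qname, blocklist=CNC_DOMAINS):
    """Label-wise suffix match: returns the blocklist entry that covers
    qname, or None. Walking label boundaries (rather than str.endswith)
    keeps 'notbot-controller.example' from matching 'bot-controller.example'."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def apply_policy(lines, blocklist=CNC_DOMAINS):
    """Returns (decisions, infected): a per-line action tuple
    (action, client, qname, matched_entry) and a Counter of client IPs by
    number of blocked queries, which is the device list an operator needs
    for BYOD follow-up. Blocked queries get NXDOMAIN here; a resolver could
    equally answer with a sinkhole address to keep observing the client."""
    decisions = []
    infected = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line; skip rather than fail open or closed
        client, qname, _qtype = parts
        hit = matching_cnc_domain(qname, blocklist)
        if hit:
            decisions.append(("NXDOMAIN", client, normalize(qname), hit))
            infected[client] += 1
        else:
            decisions.append(("RESOLVE", client, normalize(qname), None))
    return decisions, infected


if __name__ == "__main__":
    decisions, infected = apply_policy(SAMPLE_LOG)
    for d in decisions:
        print(*d)
    print("clients to follow up:", dict(infected))
```

On the constructed log the two beaconing clients each have two blocked queries, the mixed-case and trailing-dot spelling of the C&C name is still caught, and the look-alike domain resolves normally.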
