Data science research drills down on how domain names are used, abused

Mapping DNS activity will help stop hackers from using the internet to their advantage


When the internet was in its infancy, numeric IP addresses were being created and assigned in an increasing frenzy, and a way was needed for humans to make sense of it all.

So a University of Southern California researcher named Paul Mockapetris, with help from a colleague, Jon Postel, invented something called the Domain Name System, aka DNS, to assign actual names to IP addresses. Not long after that, Paul Vixie joined forces with Mockapetris to form a company, now called Farsight Security, to track and study DNS activity.

Paul Vixie, Farsight Security CEO

“We collect raw information in real time about how the DNS is used by the global user base,” Vixie told me, when we met recently at RSA 2017. “Between the two of us, we have almost a lock on the world supply of intelligence about … the security implications of DNS.”

Related article: Vulnerabilities leave DNS open to attack

Indeed, the security implications of DNS—or more precisely, the malicious manipulation of DNS—are profound. It can be argued that DNS’s ease of use is what made the internet so readily adaptable to online commerce as we’ve come to know it. That said, the flexibility—and anonymity—built into DNS also supports every shade of badness that now thrives online.

I always enjoy hearing Vixie’s analysis of this dichotomy. The internet is something the world built for itself that is neither owned nor controlled by any one company or nation-state, he professes. It has no central law enforcement, nor any legislative or legal oversight, per se.

“Anything you want to do, for which you can find somebody to cooperate with, can become a vital part of the internet—and that’s both its strength and its weakness,” Vixie observes. However, he continues, that also means that “the people who want to use the internet to further criminal ends find it to be almost perfect.”

The unprecedented risks this fosters for every individual and every organization can be expressed by this analogy Vixie is fond of relating:

Understanding the threat

A little old lady strolling down a street in San Francisco, circa 1970, ran the risk of getting mugged, especially if she sauntered down the wrong alley at the wrong time of day.

The mugger, of course, had to go through a lot of trouble to victimize her. Mainly, he had to be physically present at the scene of the crime, as well as motivated to carry out the mugging. That meant the number of potential muggers was finite, and relatively small. Therefore the risk the old woman faced was defined. And she could take simple steps to eliminate that risk, i.e., avoid traveling on foot, unaccompanied, at that location.

Paul Vixie, left, at RSA 2017.

Now place that same woman at approximately the same location in 2017. She’s using social media, banking and shopping online. The risk that she could click on a malicious website or email attachment is comparatively high. So is the risk that malicious software will turn over control of her computing device to a highly organized, well-funded cyber crime ring.

Her personally identifiable information, in our internet-centric world, is up for grabs. There are myriad ways her PII can get funneled into the cyber underground and used for all manner of direct theft and identity fraud.

“That little old lady is not safe from any digital mugger anywhere in the world,” Vixie says. “She is much less safe because of the internet.”

Developing a defense strategy

Vixie is part of a global security community that is striving to, as he puts it, “restore the balance and make things, maybe someday, as safe for the little old lady as they were before the internet existed.”

From where he sits, he says that will require exhaustively mapping DNS activity and getting increasingly smart at ferreting out and responding to malicious manipulations of DNS.

He says this can lead to clarity about “what the bad guys own, what else they’ve owned so we can map their perimeter and their inventory, and eventually find recourse in the form of civil lawsuits or criminal complaints against the people who are misusing the system.”

For a drill down on Vixie’s perspective, please listen to the accompanying podcast.
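The kind of mapping Vixie describes, working outward from one known-bad name to "what else they've owned," is what analysts do with passive DNS data: every observed name-to-address resolution is kept with the dates it was first and last seen, and a seed name is pivoted through its addresses to find other names that shared them. The following is an added illustration of that pivot, not Farsight's code or its DNSDB API; the records are constructed sample data in documentation address ranges, and the fan-out threshold used to skip shared-hosting addresses is an assumed heuristic.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed passive-DNS observations (sample data, not real sensor output).
# Each record is one name -> address resolution seen by a sensor, with the
# dates it was first and last observed. Addresses are RFC 5737 documentation
# ranges and the names are placeholders.
PDNS_RECORDS = [
    {"rrname": "login-update.example", "rdata": "203.0.113.10",
     "first_seen": date(2017, 1, 3), "last_seen": date(2017, 2, 1)},
    {"rrname": "secure-portal.example", "rdata": "203.0.113.10",
     "first_seen": date(2017, 1, 20), "last_seen": date(2017, 2, 10)},
    {"rrname": "login-update.example", "rdata": "198.51.100.7",
     "first_seen": date(2017, 2, 2), "last_seen": date(2017, 2, 14)},
    {"rrname": "cdn-static.example", "rdata": "198.51.100.7",
     "first_seen": date(2017, 2, 5), "last_seen": date(2017, 2, 14)},
    {"rrname": "login-update.example", "rdata": "192.0.2.50",
     "first_seen": date(2016, 12, 28), "last_seen": date(2017, 1, 2)},
]
# A shared-hosting address that also serves many unrelated names; pivoting
# through it would drag in benign co-tenants.
SHARED_IP = "192.0.2.50"
for i in range(30):
    PDNS_RECORDS.append({"rrname": f"site{i}.example.org", "rdata": SHARED_IP,
                         "first_seen": date(2015, 6, 1),
                         "last_seen": date(2017, 2, 14)})


def build_indexes(records):
    """Index resolutions both ways: name -> addresses and address -> names."""
    by_name = defaultdict(set)
    by_rdata = defaultdict(set)
    for r in records:
        by_name[r["rrname"]].add(r["rdata"])
        by_rdata[r["rdata"]].add(r["rrname"])
    return by_name, by_rdata


def pivot(seed, records, max_fanout=20):
    """Map the infrastructure around a known-bad name.

    Returns (addresses the seed resolved to, {other name: addresses shared
    with the seed}). Addresses that served more than max_fanout distinct names
    are treated as shared hosting and not pivoted through (assumed heuristic):
    co-residence on such an address is weak evidence of common ownership.
    """
    by_name, by_rdata = build_indexes(records)
    addresses = by_name.get(seed, set())
    related = defaultdict(set)
    for addr in addresses:
        names = by_rdata[addr]
        if len(names) > max_fanout:
            continue
        for name in names:
            if name != seed:
                related[name].add(addr)
    return addresses, dict(related)


def timeline(name, records):
    """Chronological (first_seen, last_seen, address) rows for one name,
    showing how it moved between addresses over time."""
    rows = [(r["first_seen"], r["last_seen"], r["rdata"])
            for r in records if r["rrname"] == name]
    return sorted(rows)


def recently_appeared(records, as_of, max_age_days):
    """Names whose earliest observation falls within max_age_days of as_of.
    A name brand new to the sensors deserves a closer look than one seen for years."""
    cutoff = as_of - timedelta(days=max_age_days)
    first = {}
    for r in records:
        first[r["rrname"]] = min(first.get(r["rrname"], r["first_seen"]),
                                 r["first_seen"])
    return sorted(n for n, seen in first.items() if seen >= cutoff)


if __name__ == "__main__":
    addrs, rel = pivot("login-update.example", PDNS_RECORDS)
    print("seed resolved to:", sorted(addrs))
    for name, shared in sorted(rel.items()):
        print(f"  co-hosted name {name} via {sorted(shared)}")
    for row in timeline("login-update.example", PDNS_RECORDS):
        print("  timeline:", row)
    print("new names:", recently_appeared(PDNS_RECORDS, date(2017, 2, 14), 30))
```

The fan-out cut-off is the point that matters in practice: pivoting through a content-delivery or shared-hosting address turns a tight cluster of attacker-controlled names into thousands of innocent co-tenants, so real passive-DNS work always weighs how many names an address has served before treating co-residence as a link.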
