Data science research drills down on how domain names are used, abused

Mapping DNS activity will help stop hackers from using the internet to their advantage


When the internet was in its infancy, numeric IP addresses were being created and assigned in an increasing frenzy, and a way was needed for humans to make sense of it all.

So a University of Southern California researcher named Paul Mockapetris, with help from a colleague, Jon Postel, invented something called the Domain Name System, aka DNS, to assign actual names to IP addresses. Not long after that, Paul Vixie joined forces with Mockapetris to form a company, now called Farsight Security, to track and study DNS activity.

Paul Vixie, Farsight Security CEO

“We collect raw information in real time about how the DNS is used by the global user base,” Vixie told me, when we met recently at RSA 2017. “Between the two of us, we have almost a lock on the world supply of intelligence about … the security implications of DNS.”


Indeed, the security implications of DNS—or more precisely, the malicious manipulation of DNS—are profound. It can be argued that DNS’s ease of use is what made the internet so readily adaptable to online commerce as we’ve come to know it. That said, the flexibility—and anonymity—built into DNS also supports every shade of badness that now thrives online.

I always enjoy hearing Vixie’s analysis of this dichotomy. The internet is something the world built for itself that is neither owned nor controlled by any one company or nation-state, he professes. It has no central law enforcement, nor any legislative or legal oversight, per se.

“Anything you want to do, for which you can find somebody to cooperate with, can become a vital part of the internet—and that’s both its strength and its weakness,” Vixie observes. However, he continues, that also means that “the people who want to use the internet to further criminal ends find it to be almost perfect.”

The unprecedented risks this fosters for every individual and every organization can be expressed by this analogy Vixie is fond of relating:

Understanding the threat

A little old lady strolling down a street in San Francisco, circa 1970, ran the risk of getting mugged, especially if she sauntered down the wrong alley at the wrong time of day.

The mugger, of course, had to go through a lot of trouble to victimize her. Mainly, he had to be physically present at the scene of the crime, as well as motivated to carry out the mugging. That meant the number of potential muggers was finite, and relatively small. Therefore the risk the old woman faced was defined. And she could take simple steps to eliminate that risk, i.e., avoid traveling on foot, unaccompanied, at that location.

Paul Vixie, left, at RSA 2017.

Now place that same woman at approximately the same location in 2017. She’s using social media, banking and shopping online. The risk that she could click on a malicious website or email attachment is comparatively high. So is the risk that malicious software will turn over control of her computing device to a highly organized, well-funded cyber crime ring.

Her personally identifiable information, in our internet-centric world, is up for grabs. There are myriad ways her PII can get funneled into the cyber underground and used for all manner of direct theft and identity fraud.

“That little old lady is not safe from any digital mugger anywhere in the world,” Vixie says. “She is much less safe because of the internet.”

Developing a defense strategy

Vixie is part of a global security community that is striving to, as he puts it, “restore the balance and make things, maybe someday, as safe for the little old lady as they were before the internet existed.”

From where he sits, he says that will require exhaustively mapping DNS activity and getting increasingly smart at ferreting out and responding to malicious manipulations of DNS.

He says this can lead to clarity about “what the bad guys own, what else they’ve owned so we can map their perimeter and their inventory, and eventually find recourse in the form of civil lawsuits or criminal complaints against the people who are misusing the system.”

For a drill down on Vixie’s perspective, please listen to the accompanying podcast.
