New tools deter hackers from using domain names to deliver attacks

Companies can receive real-time warning before internet identifiers are used in malicious ways


Manipulation of a targeted company’s domain name for malicious purposes is something cyber criminals do all too routinely.

By slightly altering an organization’s legitimate domain name, or by redirecting someone trying to navigate to that company’s website to a rogue server, criminals can execute an array of scams, such as phishing, click fraud, brandjacking or typosquatting.

Related video: Domain name manipulation game

Paul Vixie, the creator of several Domain Name System (DNS) protocol extensions and applications on which the internet is built, today heads up a security firm, Farsight Security Inc., dedicated to helping companies combat DNS abuse.

ThirdCertainty caught up with Vixie at the Black Hat cybersecurity conference earlier this month. We spoke to him about two new Farsight services, Brand Sentry and Domain Sentry. The former helps identify phishing and counterfeiting; the latter helps companies monitor and be alerted to any changes to their domain or IP addresses that might signal an attack. Text edited for clarity and length.

3C: Did you ever imagine DNS would be manipulated and exploited at this level?

Paul Vixie, internet pioneer and Farsight Security Inc. founder

Vixie: When DNS was first standardized in 1984, the network was a bunch of government contractors, mostly universities and various government research organizations. All their employees were trustworthy and all very polite. DNS was designed with that in mind.

So as the internet grew and became the commercial behemoth that it is today, it, of course, has to allow anyone to have access. Anyone can buy a domain name. Anyone can get an IP address and put a server on the network. And there’s no function by which people who are using the internet maliciously can be disconnected from it.

3C: How does Farsight identify the malicious stuff going on?

Vixie: DNS activities don’t look malicious. It’s not being used to do a denial of service attack, or to exercise vulnerabilities. The DNS is being used in order to help deliver attacks against us. (Criminals) need reliable DNS for bad purposes the way we all need reliable DNS for good purposes. We’re looking for attacks that happen to leverage features of the DNS.

3C: So you’re paying very close attention to patterns, using algorithms?

Vixie: We’re not going to beat the bad guys with math. Almost everything we do is traditional data processing as it’s been practiced for 50 years except that we do it all in real time. It turns out that we know how to find strings of characters, something we’ve known how to do for years. So we didn’t have to invent anything, we’re just applying age-old techniques in this modern context of real-time DNS analysis.

3C: So how do your new services bring this to bear?

Vixie: To connect to Brand Sentry, the customer has to tell us the set of brand names that they wish to protect. And then we will look for suspicious looking variations on those names in parts of domain names and other parts of our real-time stream. You can get anomalies back from us in real time. Similarly with Domain Sentry, if you give us your list of domain names, we can tell you anytime we see your internet identifiers, if we see them used in an anomalous, red flag way. We will send you what we saw, and tell you why we think it’s suspicious.

3C: How do your customers leverage this intelligence?

Vixie: Generally, a company that cares about this has already made an investment in some kind of a log management thing, like Splunk or Maltego. It might be orchestration software from Phantom. What we can do is plug directly into that API and feed our observations into all of the software and hardware that you’ve already invested in.

3C: And there is a lot of malicious activity moving on any given day?

Vixie: Every day, we see two new domain names bought up every second. At least half of them will be dead in less than a day because they were crafted for a particular attack against a particular entity. They get taken down when that entity complains, and then the bad guys just buy more. The vast majority of new DNS data creation events are for malicious purposes.
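As an added illustration (not Farsight's code and not part of the interview), here is a small Python scanner in the spirit of what Vixie describes for Brand Sentry: given a list of protected brand names, it walks a stream of observed domain names and flags confusable-character variations, one-character typos, and names that embed a brand on a foreign domain. The brand list, the owner's own domains, the confusable table and the sample feed are all constructed for the example.

```python
"""Flag observed domain names that look like variations of protected brand names."""
# Constructed data (assumptions standing in for a customer's brand list and own domains).
BRANDS = ["examplebank", "acmepay"]
OWN_DOMAINS = {"examplebank.com", "acmepay.com"}
# Common look-alike substitutions seen in typosquats, mapped back to the intended character.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(label):
    """Undo hyphens and confusable substitutions so 'examp1e-bank' -> 'examplebank'."""
    label = label.replace("-", "")
    for lookalike, real in CONFUSABLES.items():
        label = label.replace(lookalike, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name, brands=BRANDS, own=OWN_DOMAINS):
    """Return (brand, reason) for a suspicious look-alike, or None for a benign name."""
    labels = name.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in own:
        return None  # the brand owner's own registered domain
    for brand in brands:
        for label in labels:  # every label is checked, including subdomains
            norm = normalize(label)
            if label == brand:
                return brand, "brand used as a label on a foreign domain"
            if norm == brand:
                return brand, "confusable-character variation"
            if edit_distance(norm, brand) == 1:
                return brand, "one-character typo"
            if brand in norm:
                return brand, "brand embedded in a longer label"
    return None


def scan(stream, **kw):
    """Run classify over an iterable of observed names; yield only the hits."""
    for name in stream:
        hit = classify(name, **kw)
        if hit:
            yield name, hit[0], hit[1]
```

Feeding `scan` a constructed list such as `["www.examplebank.com", "examp1ebank.com", "examplbank.net", "exarnplebank-login.net", "acmepay.cdn-static.example", "unrelated.org"]` yields four hits and ignores the owner's own site and the unrelated name.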
