DNS Monitoring in Flowmon – part 2/2

Today we will have a look on how our advanced behavioral intelligence of Flowmon ADS can detect DNS service related security incidents and how it helped our customer find malware infected hosts in the network.

Flow data, effectively information from network and transport layer (IPs, ports, protocol, bytes, packets, …), are feed for our module Flowmon ADS. Based on flow data, Flowmon ADS is able to detect various threats and anomalies in network traffic promptly inform administrator, providing precious information about the incident. Such events can represent serious security risk or operation problems both threatening company infrastructure and their assets. Recently we enhanced Flowmon ADS with capability to analyze enriched flow data with application layer information, more precisely with DNS protocol information provided by Flowmon Probes. Let’s have a look on the use-case and how our customer found infected devices in theirs network.
 

DNS Monitoring in Flowmon ADS

Flowmon ADS is able to detect anomalies in DNS traffic using a range of methods. Most of them are not dependent on visibility into DNS itself and use traditional flow data for anomaly detection. There is one neat method using L7 visibility thought that we should talk about. It’s called BLACKLIST and L7 visibility extends its capabilities with rather useful and interesting feature. The method now checks, if some IP in our network tries to translate blacklisted domains and when it does, Flowmon ADS creates event and alerts you.

You might object that we are already able to detect blacklisted domains in Flowmon ADS. That’s true, we are able to match HTTP host and URL against blacklist. It works thanks to HTTP visibility and the detection relies on actual communication between infected host and botnet c&c center. But what if the domain is shut down and not working anymore? In this case, no HTTP communication between infected host and botnet c&c center is established although such event still represents a major risk as the client station attempting to communicate with a fraud IP is very likely to be infected with malware.

Let’s check how DNS visibility extends BLACKLIST method. Firstly, I had to find some blacklisted domain so I looked into blacklist in Flowmon ADS. I’ve chosen first domain from the table below which belongs to Clicker.

 
Blacklisted IPs in Flowmon ADS used for detection of communications with known botnet c&c domains. 
Figure 1: List of blacklisted IP addresses with desctiption.

Flowmon ADS use both publicly available and premium blacklists. Note that only customers with valid Gold Support are able to use premium blacklists.
As a next step, I tried to translate the domain using nslookup. The results are that the domain is non-existent and thus I am not able to communicate with this botnet c&c server.

Translation of blacklisted domain using nslookup.
Figure 2: Attempt to translate c&c domain using nslookup.

I haven’t established any communication with the botnet c&c server, yet the Flowmon ADS detected this security incident leveraging visibility into DNS protocol data. Flowmon ADS gives event details with more information about the incident. I can see, that user skoda tried to resolve blacklisted domain four times and that the domain belongs to known blacklisted botnet c&c server called Clicker.

Detection of user who tried resolve blacklisted domain (Clicker).
Figure 3: Event details of c&c domain translation.

We can click on event evidence to see flows related to the detected event or in Flowmon Monitoring Center we can filter individual flows with DNS queries and responses.

Event evidence - list of related flow records.
 Figure 4: List of flows with malicious communications.
 

Above mentioned case is real life experience of our customer. We deployed our Flowmon Probe with Flowmon ADS and started to monitor network. We identified two hosts infected with malicious software. Malware had been inactive for some time and when it “woke up” it tried to establish connection with botnet c&c center called Conficker. Malware used DNS translation for known blacklisted domain. The domain was already shut down and unreachable, so no connection between the infected host and botnet c&c center was established. Without visibility into DNS and matching DNS Question Names (domain names) against blacklist, the customer would be unaware of infected hosts.

If you are also interested in operational use cases, check out previous blog post.

Get the insight with Flowmon. Try out the Flowmon Live Demo or free TRIAL and stay in touch for further information on our products.