
Real World DNS Abuse: Finding Common Ground


The Domain Name System (DNS) is the protocol leveraged within the Internet's distributed name and address database architecture. Originally implemented to make access to Internet-based resources human-friendly, DNS quickly became critical infrastructure in the intricate behind-the-scenes mechanics of the Internet, second only to routing in its importance. When DNS becomes inaccessible, the functionality of many common Internet-based applications such as e-mail, Web browsing, and e-commerce can be adversely affected—sometimes on a wide scale. This short blog post will explore some real-world examples of DNS abuse. I would like to welcome and thank Andrae Middleton for joining me as a co-author and presenting his expertise in this article.

There are a few different types of DNS attacks: cache poisoning, hijacking attacks, and denial of service (DoS) attacks (which primarily include reflection and amplification). In the news as of late are widespread and focused DoS attacks. Cisco Security Intelligence Operations (SIO), with its distributed sensors, is able to observe and measure various aspects of the global DNS infrastructure. What follows are two vignettes detailing recent DoS attacks against the Internet's DNS infrastructure. We will see that, though the attacks are different, the results are similar and the countermeasures and mitigations are the same.


Tracking Malicious Activity with Passive DNS Query Monitoring

Ask anyone in the information security field and they will tell you:

Security is not fair. There is essentially an unlimited supply of attackers that can test your defenses with impunity until they eventually succeed.

As a member of the Cisco Computer Security Incident Response Team (CSIRT) I’ve seen this asymmetry up close, so I can tell you that good security is really hard. Besides the normal security practices like deploying firewalls, IDS sensors, antivirus (AV), and Web Security Appliances, CSIRT is increasingly looking to the network as a data source. We have been collecting NetFlow for years but we have always wanted additional context for the flow data. While it is true that the Internet is built on TCP/IP, Internet services—both good and bad—are found by name using the Domain Name System (DNS). For years infosec has been network-address-centric and the attackers have adapted. Today it is very common to see malware command and control (C&C) use domain generation algorithms (DGAs), Peer-to-Peer (P2P), or even fast-flux DNS to evade IP address-based detection and blocking. It has become absolutely clear that to keep up with the latest attacks and attackers you must have a view into the DNS activity on your network.

CSIRT has been struggling with limited DNS information for a while now, so I am pleased to say we finally have comprehensive visibility into the DNS activity on our network. Before I dive into how we tackled this problem I should back up and explain a bit more about DNS…


Distributed Denial of Service Attacks on Financial Institutions: A Cisco Security Intelligence Operations Perspective

The past few weeks have had many on heightened alert from the initial threats to the ongoing attacks surrounding U.S.-based financial institutions; to say folks have been busy would be quite the understatement.

These events spawned a collaborative effort throughout the Cisco Security Intelligence Operations (Cisco SIO) organization, as depicted in the diagram below.


* Note: As Cisco products have not been found to be vulnerable to these attacks, the Cisco PSIRT (Product Security Incident Response Team) provides feedback and peer review, which is why no Cisco Security Advisory (SA) is present for this activity.


DHCPv6 in the Cloud – DHCP Performance Testing and Results

As service providers move to cloud-based services, their IP addressing management system must operate efficiently in the virtualized environment of the cloud. And within the cloud environment, these systems for DHCP, DNS and IP address management must also be fast. For example, many organizations have expressed a concern that poor DHCP performance could be the weak link when thousands of customers come back online after a failure event. If DHCP address requests are handled in a slow or scattered manner, servers will not be able to service all requests in a timely fashion.

Another requirement for IP address management systems is support for IPv6, as the depletion of IPv4 addresses has left many organizations facing a rather accelerated and mandatory migration to IPv6 (read: yesterday's World IPv6 Launch). While one of IPv6's promises was the elimination of the need for DHCP, the reality is that centralized network management has made DHCPv6 a necessity. DHCP allows network devices to


Networking 101: DNS Revealed

Two great new 'Networking 101' videos are now available. This series is great for anyone needing a quick refresh or touch-up on the basics, and these two both focus on DNS.

DNS is key to making the Internet accessible to us humans. It’s how we can connect to without needing to know anything complex from anywhere in the world. How does it know how to do this? DNS can be a complicated topic but understanding the basics does not have to be.

Taking it a step further, DNSSEC is a suite of IETF specifications designed to guarantee the authenticity of data obtained from the domain name system (DNS). Although not designed to provide confidentiality of the data, this protocol is a great answer for many of the ills that threaten the simplicity of the Internet. Chief Geek Jimmy Ray Purser walks you through how it works and why deployment is not growing as fast as it should be.
