Dynamic DNS is a useful technology that allows a domain name to point to Internet resources hosted on changing public IP addresses. Consider an individual or small business with a dynamic IP who needs to provide consistent content or services advertised publicly to the outside world via a domain name (e.g. a website, FTP server, mail server, game room, webcam monitoring, etc.). That's where dynamic DNS helps out. Typically, these customers use the IP assigned to them by their ISP, and every time their IP changes, they notify their dynamic DNS provider so that it updates its name servers and the customer's domain now points to the new IP. The notification happens through client software installed on the customer's router or computer, or via an HTTP RESTful API. One such client is DNSOMATIC by OpenDNS.
Unfortunately, the convenience of dynamic DNS did not go unnoticed by miscreants, who have been abusing free dynamic DNS to perform various attacks such as large-scale malvertising and targeted spear-phishing (both of which resulted in drive-by downloads), and to host botnet C&C. For attackers, dynamic DNS constitutes another agile evasion technique against IP blocklisting. It also allows them to deliver malicious payloads from constantly changing hosting IPs, be they infected individuals' computers or compromised public websites. To circumvent domain blocklisting, attackers can also use randomly generated, disposable subdomains under the dynamic DNS domain to point to the next hop in a redirection chain or to the final malware hosting IP. This seems similar to fast flux, although from a definition standpoint they are different. With dynamic DNS, the dynamic IP is supposed to fall in the IP range of the ISP (one or a few ASNs), whereas with fast flux a domain points to an increasing number of different IPs scattered across numerous ASNs and multiple geographical locations. Additionally, with dynamic DNS the authoritative name servers for a dynamic DNS domain physically belong to the dynamic DNS provider, whereas with fast flux, double fluxing is possible, where the name servers themselves can be made to point to constantly changing IPs of physical hosts located in disparate ASNs and countries. In practice, dynamic DNS domains map to a much smaller set of IPs than fast flux domains.
In this blog, we discuss the relationship between dynamic DNS domains and malware as we see it through mining our large DNS data sets. This can also give some perspective on how to address the problem of rogue dynamic DNS domains.
Dynamic DNS analysis
There are plenty of dynamic DNS providers, both free and for a cost. One good list of them is available here.
Dynamic DNS providers let users either register domains (2LDs) or register subdomains (3LDs) under a predefined set of domains (2LDs). For instance, changeIP.com has a list of 155 domains under which a user can freely register any subdomain of his choice (if it is available). For example, they have 1dumb.com and 2waky.com as pre-registered domains, and a user can register the hostnames johndoe.1dumb.com or myhomebusiness.2waky.com. changeIP also lets users register a domain under the following TLDs: .com, .net, .info, .org, .biz, or .us. This latter choice requires an annual registration fee, though. Similar offers are available from other providers like no-ip.com, afraid.org, Dyn.com (formerly known as DynDNS), etc. The common practice for attackers is to abuse the free subdomains.
For this study, we are interested in evaluating the amount of dynamic DNS domains we see in our daily authoritative DNS traffic and the percentage of malicious domains within, and also find out which subdomains are the most frequently abused.
First, we collect a sample of known malicious dynamic DNS domains; then we compile a list of known pre-registered domains offered by a few dynamic DNS providers. In the malicious sample, the dynamic DNS providers used most are sitelutions.com, noip.com, changeip.com, and dnsdynamic.org. For the general list, we select known dynamic DNS providers such as changeip.com, dnsdynamic.org, noip.com, freedns.afraid.org, dyndns.com, sitelutions.com, and 3322.org. These samples are not exhaustive, as there are many more dynamic DNS providers (and more of them are abused). Some dynamic DNS providers are not limited to offering dynamic DNS services and also act as regular domain registrars, so a domain registered with a dynamic DNS provider and using its name servers is not necessarily using the dynamic DNS service. We think, however, that these samples are representative enough for the sake of the analysis.
Next, we resolve the NS records (name servers) of all domains in both samples. This list of name servers is used to filter the daily logs and identify domains using dynamic DNS. The logic is that if we already know a set of dynamic DNS domains, we can identify their name servers, and any new domain that uses those same name servers is assumed to be a dynamic DNS domain. The name servers from the general list give a trend of the percentage of dynamic DNS domains in total daily traffic, whereas the name servers from the malicious sample give an idea of the dynamic DNS traffic most likely to be malicious. The name servers associated with the sample of malicious dynamic DNS domains are: ns[1-3].changeip.org, ns[1-5].changeip.com, ns[1,2].dnsdynamic.org, nf[1-5].no-ip.com, and ns[1-5].sitelutions.com.
In the next step, we collect sample authoritative DNS logs from three resolvers in London, Ashburn and Singapore, where we have for every domain, its associated authoritative name server(s). For each day, we collect a sample of 1,518,782 domains on average with their name servers data. We collect logs for a week, then for each day, we identify those domains whose name servers fall within the list of name servers of dynamic DNS providers.
Finally, we compare the identified dynamic DNS domains against our blocklist (which is constantly updated with new data), and we show the results in the figures below. For the sake of this discussion, we call sortecielo.2waky.com a hostname, or subdomain or 3LD and 2waky.com a domain or 2LD. We can see in the figures, that there are 30,000+ dynamic DNS hostnames (3LDs) observed daily in the sample authoritative DNS traffic, and 3000+ corresponding domains (2LDs). For the same period, out of the same daily domain sets, we identify 1400+ malicious hostnames, and 200+ associated domains every day. This gives an idea about the density of the associations between a domain and its “children” subdomains.
Top abused dynamic DNS domains
In the following tables, we show the top 20 domains observed in daily traffic over a week as well as the top 20 domains used for malicious purposes over the same period. The count next to each domain is the number of hostnames under that domain. For example, on the first day, disqus had 18,294 hostnames of the form subdomain.disqus.com.
In the next table, we show side by side, for a single day, the top 20 dynamic DNS domains in general traffic and those that had malicious hostnames. We indicate in red those domains present both in the top malicious domains and in the top popular domains in daily DNS traffic, i.e. no-ip.org, no-ip.biz, no-ip.info, hopto.org, dlinkddns.com, myftp.org, myvnc.com, myftp.biz, and us.to. What is noteworthy is that some dynamic DNS domains popular for general legitimate use are also the top ones abused for malicious purposes. This makes blocking an entire domain a little tricky, as that would deny visibility to a lot of legitimate content. Notice that the dynamic DNS provider no-ip.com is the most used one for both legitimate and malicious intent. The domains no-ip.org, no-ip.biz, no-ip.info, hopto.org, myftp.org, myvnc.com, and myftp.biz all use no-ip name servers. The right-hand table of top malicious domains is illustrated at the end of this blog as a graph representation.
[top 20 domains in general traffic on the left, and top 20 malicious domains on the right]
In the next table, we show the percentage of malicious usage of hostnames under each domain. For example, 56.71% of the 3LDs under hopto.org are malicious. Clearly, some domains are heavily used for malicious purposes.
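The filtering pipeline described above (resolve the name servers of known dynamic DNS domains, tag every logged domain whose name server matches one of them, compare the hostnames against the blocklist) and the per-domain counts and malicious percentages in the tables can be reproduced in a few lines. The following is an added example, not the tooling used for the study; the log records and the blocklist are constructed, and the 2LD heuristic (last two labels) is a simplification that a real run would replace with a public suffix list.

```python
import re
from collections import defaultdict

# Name servers of the providers behind the malicious sample, as listed in the
# post (ns[1-3].changeip.org, nf[1-5].no-ip.com, ...), one regex per provider.
DDNS_NS_PATTERNS = [
    re.compile(r"^ns[1-3]\.changeip\.org$"),
    re.compile(r"^ns[1-5]\.changeip\.com$"),
    re.compile(r"^ns[12]\.dnsdynamic\.org$"),
    re.compile(r"^nf[1-5]\.no-ip\.com$"),
    re.compile(r"^ns[1-5]\.sitelutions\.com$"),
]

# Constructed authoritative-log records: (queried hostname, authoritative NS).
SAMPLE_LOG = [
    ("spilak.hopto.org", "nf1.no-ip.com"),
    ("1n12.hopto.org", "nf3.no-ip.com"),
    ("home-cam.hopto.org", "nf2.no-ip.com"),
    ("johndoe.1dumb.com", "ns2.changeip.com"),
    ("sortecielo.2waky.com", "ns4.changeip.com"),
    ("www.example.com", "a.iana-servers.net"),   # not dynamic DNS, must be dropped
]

# Constructed blocklist of hostnames (stands in for the constantly updated one).
BLOCKLIST = {"spilak.hopto.org", "1n12.hopto.org", "sortecielo.2waky.com"}

def is_dynamic_dns(ns):
    """True if the name server belongs to one of the known dynamic DNS providers."""
    ns = ns.lower().rstrip(".")
    return any(p.match(ns) for p in DDNS_NS_PATTERNS)

def domain_of(hostname):
    """2LD of a hostname, e.g. spilak.hopto.org -> hopto.org (simplified heuristic)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def analyze(log, blocklist):
    """Per 2LD: (hostnames seen, blocklisted hostnames, percent malicious)."""
    hosts, bad = defaultdict(set), defaultdict(set)
    for hostname, ns in log:
        if not is_dynamic_dns(ns):
            continue
        d = domain_of(hostname)
        hosts[d].add(hostname)
        if hostname in blocklist:
            bad[d].add(hostname)
    return {d: (len(hosts[d]), len(bad[d]), round(100 * len(bad[d]) / len(hosts[d]), 2))
            for d in hosts}

def totals(per_domain):
    """Daily totals as in the figures: 3LDs, 2LDs, malicious 3LDs, 2LDs with malicious 3LDs."""
    rows = per_domain.values()
    return (sum(h for h, _, _ in rows), len(per_domain),
            sum(b for _, b, _ in rows), sum(1 for _, b, _ in rows if b))
```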
Below, we show an illustrative graph of the mapping of hostnames to domains taken from the list of detected malicious dynamic DNS domains of one day. The largest connected component on the top left corner is that of the domain hopto.org which has 245 malicious 3LDs associated with it, e.g. spilak.hopto.org, arasispodmoonf.hopto.org, 1n12.hopto.org, etc. On the right of hopto.org is the cluster of no-ip.org with 125 malicious 3LDs, then no-ip.info on the right with 103 hostnames, etc.
We further took a sample of hostnames under hopto.org and determined that they were used to serve URLs for the Fragus exploit kit, Best Pack exploit kit, Incognito exploit kit, and Java and PDF exploits, leading to Trojan fake AV downloads. They were also used as C&C for W32/Dorkbot-EK, Rogue:Win32/Winwebsec, Trojan-Ransom.Win32.Mbro.ysw, and IRC botnets, and to serve phishing URLs. In another sample, we observe that malicious dynamic DNS domains are massively associated with the Blackhole exploit kit, Neosploit exploits, PDF exploits, and other exploits leading to the delivery of rogue antivirus, trojans, Backdoor SDBot, etc. It is worth mentioning that it is difficult to trace back the registration information of dynamic DNS domains of the form subdomain.[predefined domain].tld, because the whois information only records the registration information of the domain (the 2LD).
Note: The tools and platform I used for this study are our Hadoop dev cluster, Apache Pig, Python, and Unix shell tools (sed, awk, grep, etc.).