• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Contact Sales
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Why Us
    • Why Cisco Umbrella
      • Why Try Umbrella
      • Why DNS Security
      • Why Umbrella SASE
      • Our Customers
      • Customer Stories
      • Why Cisco Secure
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Global Cloud Network Activity
    • Unmatched Intelligence
      • A New Approach to Cybersecurity
      • Interactive Intelligence
      • Cyber Attack Prevention
      • Umbrella and Cisco Talos Threat Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco Umbrella and SecureX
  • Products
    • Cisco Umbrella Products
      • Cisco Umbrella Cloud Security Service
      • Recursive DNS Services
      • Cisco Umbrella SIG
      • Umbrella Investigate
      • What’s New
    • Product Packages
      • Cisco Umbrella Package Comparison
      • – DNS Security Essentials Package
      • – DNS Security Advantage Package
      • – SIG Essentials Package
      • – SIG Advantage Package
      • Umbrella Support Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Cloud Data Loss Prevention (DLP)
      • Cloud-Delivered Firewall
      • Cloud Malware Protection
      • Remote Browser Isolation (RBI)
    • Man on a laptop with headphones on. He is attending a Cisco Umbrella Live Demo
  • Solutions
    • SASE & SSE Solutions
      • Cisco Umbrella SASE
      • Secure Access Service Edge (SASE)
      • What is SASE
      • What is Security Service Edge (SSE)
    • Functionality Solutions
      • Web Content Filtering
      • Secure Direct Internet Access
      • Shadow IT Discovery & App Blocking
      • Fast Incident Response
      • Unified Threat Management
      • Protect Mobile Users
      • Securing Remote and Roaming Users
    • Network Solutions
      • Guest Wi-Fi Security
      • SD-WAN Security
      • Off-Network Endpoint Security
    • Industry Solutions
      • Government and Public Sector Cybersecurity
      • Financial Services Security
      • Cybersecurity for Manufacturing
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
  • Resources
    • Content Library
      • Top Resources
      • Cybersecurity Webinars
      • Events
      • Research Reports
      • Case Studies
      • Videos
      • Datasheets
      • eBooks
      • Solution Briefs
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • For Customers
      • Support
      • Customer Success Webinars
      • Cisco Umbrella Studio
    • Get the 2022 Cloud Scurity Comparison Guide
  • Trends & Threats
    • Market Trends
      • Hybrid Workforce
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
    • Security Threats
      • How to Stop Phishing Attacks
      • Malware Detection and Protection
      • Ransomware is on the Rise
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
      • Global Cyber Threat Intelligence
      • Cyber Threat Categories and Definitions
    •  
    • Woman connecting confidently to any device anywhere
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Person looking down at laptop. They are connecting and working securely
  • Blog
    • News & Product Posts
      • Latest Posts
      • Products & Services
      • Customer Focus
      • Feature Spotlight
    • Cybersecurity Posts
      • Security
      • Threats
      • Cybersecurity Threat Spotlight
      • Research
    •  
    • Register for a webinar - with illustration of connecting securely to the cloud
  • Contact Us
  • Umbrella Login
  • Cloudlock Login
  • Free Trial
Research

Spikes and Query Patterns

By Thomas Mathew
Posted on June 10, 2015
Updated on August 3, 2020

Share

FacebookTweetLinkedIn

A spike in DNS queries can sometimes be an indicator that a certain domain is either hosting malicious content (such as an exploit kit) or serving as a command-and-control (C2) server. However, relying solely on spiking traffic is often not enough. Many benign websites have spikes in traffic that are not related to malware activity but instead a popular blog post or a referral from a big traffic website (reddit, NYTimes, etc). This blog post will be examining the different types of spikes we see across OpenDNS’s worldwide resolvers.
One simple method to filter out benign domains that have a spike in DNS queries over an hour is to look at the historical trend of DNS queries to that domain. This filter looks at the average traffic received by a domain over the course of a specified time window and discards domain which have an average traffic over a certain threshold. This crude filter works well in removing domains who historically have had near constant traffic with few deviations. The class of domains removed by this filter are rarely malicious.
Simple filters can help bubble up websites that are potentially malicious such as
Screen Shot 2015-03-03 at 11.45.42 AM

*[.]escortlarankaratr[.]net – a compromised domain hosting the nuclear exploit kit. However, challenges still lie. The following domain is a good example of a false positive that can occur.
Lets examine the following query pattern for the domain umuthuzmeleri[.]files[.]wordpress[.]com:
Screen Shot 2015-03-03 at 11.51.00 AM

Here is an example of a domain experiencing a sharp spike in traffic. However, a manual investigation of the site reveals that it is not hosting any malicious material (at the time of the spike). Ideally, we would like to see if looking at query data we can find some information that would allow us to identify this spike as benign. Once again looking at the historical query history of the domain provides some valuable information. Let us zoom into the data for a week snapshot before the spike:
Screen Shot 2015-03-03 at 11.55.27 AM

Historically this domain received low traffic but in a consistent pattern that was repeated over a week. This type of traffic pattern is most likely associated with a normal website. Our first filter was a basic filter which removed domains that had an average hourly DNS request count over some threshold. Our second filter will capture the periodic behavior of request traffic and filter out domains that exhibit periodic behavior for some specified time window. We create a composite signal which represents the average behavior of periodic DNS queries to websites with low traffic. A cutoff filter is created which filters out domains which have periodic signals which deviate by small error constant from the original composite signal. A more sophisticated filter could be created but the goal is to create a quick filter which will allow us to rapidly prototype and test out ideas. This filter serves as an easy and quick way to filter out a large class of false positives. Development and analysis of the more complicated filters used will be subject of another blog post.
There is another piece of information that we can use to help augment our decision making. Let us see if any of the clients requesting the domain during the large spike are on any known spam blocklist. Interestingly, the majority of clients participating in the spike were seen on blocklists created by Project HoneyPot. The spike could be a possible attempt by an attacker to perform a mail inject or brute force a password. As a result, we do not classify this domain as malicious but instead monitor for suspicious redirects coming from the website. This could be a sign that the spammers who created the spike were suspicious in compromising the website. Relying on traffic patterns and well established blocklist we can help identify and label different types of spikes that we see.
Future work involves designing a method to cluster the different types of spikes. Clustering provides an analyst an easy way to visualize patterns within spiking domains. It also serves as useful preprocessing step before further classification.

Previous Post:

Previous Article

Next Post:

Next Article

Follow Us

  • Twitter
  • Facebook
  • LinkedIn
  • YouTube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Global Cloud Architecture
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Umbrella
  • Cisco Umbrella Blog

Learn more

  • Webinars
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2023 Cisco Umbrella