Malware Increasingly Uses DNS As Command and Control Channel to Avoid Detection, Experts Say
Read moreMost malware-generated traffic that passes through these channels can be detected and blocked at the network level by firewalls or intrusion prevention systems.
However, that's not the case for DNS (Domain Name System) and attackers are taking advantage of that, said Ed Skoudis, founder of Counter Hack Challenges and SANS fellow, during a presentation on new attack techniques at the conference.
The DNS protocol is normally used for a precise critical function -- the translation of host names into IP addresses and vice-versa. Because of this, DNS traffic doesn't get filtered or inspected by traffic monitoring solutions and is allowed to flow freely through most networks.
As DNS queries gets passed from one DNS server to another until they reach the authoritative servers for the respective domains, network-level IP blocklists are useless at blocking them.
Skoudis has seen malware that receives instructions via DNS responses being involved in two recent large-scale breaches that resulted in the compromise of millions of accounts. He expects more attackers to adopt this stealthy technique in the following months.