Solution by need

Detect Invisible Malicious Traffic

Problem

There are 79 million malware domains in the Cyber X-Ray database. Approximately 85% of these domains do not have an IP address. Below is an example of a malicious traffic report found in a passive state. Since domains do not have IP addresses, they are recorded as 0.0.0.0. That is why infected machines whose botnet C&C servers are constantly trying to connect to other security devices that work in Layer 7 (application layer) such as firewalls, proxy devices, and IPSs cannot be detected.

It is our belief that DNS analytics of corporate networks allows making security analysis of and detecting sophisticated attacks on the entire network. We have made it a commitment of ours to develop products that help you achieve this.

Domains without an IP address

1) Malicious Domains

Certain malicious domains are only activated when they are about to be used to command a zombie army or botnet. These domains do not have an IP address when left unused, resulting in them being undetected in protocols other than DNS. This malicious traffic is often command centre connection requests generated by infected zombie devices. The lack of an IP address on these domains makes malicious traffic go unnoticed on devices such as IPSs and URL filtering solutions.

2) DGA (Domain Generation Algorithm)

Another type of malicious activity that can only be viewed with DNS log analysis is associated with Domain Generation Algorithm (DGA) queries. DGA domains are those generated instantly by the machine according to the system clock. Domains are registered only when command is given and the botnet C&C’s IP address is entered. With the OTP logic used in two-factor authentication (2FA), domains are queried only a handful of times.

By means of the above, the owner of the zombie army aims at two things:

1- To prevent the command centre connection domains from being detected by cyber security researchers.

2- To unlock the zombie army at predetermined times.

DNSSense's Solution

Some malicious activities described above can only be seen as a result of DNS Log analysis because of the fact that infected clients are trying to connect the domains that do not have an IP address.

DNSSense DNSEye shows infected devices that are constantly trying to connect to the command center. These are suspicious activities and needs to be analyzed by SOC teams carefully.

Learn more about DNSEye
Solutions by need
Collect Your DNS Log With Ease
Detect DNS Tunnelling Attacks
Detect Invisible Malicious Traffic
Defend From Firstly-Seen Domains
Save 95+% in DNS Log Processing Costs With Smart SIEM Integration
Protect Remote and Roaming Clients
Find the Real Machine That Generates Malicious DNS Traffic
Find the -Escapers- in Your Network
338a Regents Park Road, Office 3 And 4, N3 2LN London, United Kingdom
COMPANY
About UsWhy DNSSenseLeadersContact SupportContact Us
OUR PRODUCTS
DNSEyeDNSDomeCyber X-Ray
EXPLORE
BlogMediaDownloadFAQ
STAY IN TOUCH
LinkedInYouTube
DNSSENSE DNS IP ADRESSES
45.129.19.19
45.129.19.20
Terms of ServicePrivacy Policy
We value your privacy
By clicking “Accept Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
Accept CookiesDenyPreferences