As volumes of good old-fashioned spam decrease, purveyors of electronic junk mail have turned to more malicious forms of it to turn a quick buck. A favorite channel for delivering those pernicious payloads has been the Internet's Domain Name System (DNS).
Spam can be roughly classified by the size of its target audience. Old-fashioned spam, such as pharmaceutical spam, tries to get its targets to buy something — Viagra, for instance, or Rolex watches. The idea behind it is to cast as large a net as possible to rope in buyers.
Phishing spammers are like long-line fishermen. They bait their spam with a trusted source in hopes of hauling in victims with a connection to that source. For example, a spam message may be aimed at customers of Bank of America.
The spammer doesn’t know who on their mailing list has a BOA account. They just know there are lots of BOA customers on the Web so a substantially sized spam campaign should reach a respectable number of them.
Spear phishing is the narrowest of all spam campaigns. Typically, the spammer has obtained or compiled a list of email addresses that they know are linked in some way. It could be the members of a corporate department or a government agency. The spammer then crafts a message specifically tailored to that group.
Both phishers and spear phishers frequently embed malicious links in their spam aimed at directing anyone who clicks on them to a bandit website where they can infect a visitor’s computer, pry confidential information from them or both.
Over the years, firewall makers have made great strides in blocking spam at the network perimeter. However, spammers who can game DNS have become an increasing problem for firewalls. That’s because DNS — the system for associating domain names with IP addresses — is so highly trusted that network administrators rarely filter or redirect public DNS responses.
The increased exploitation of DNS by spammers has given rise to the DNS firewall. What's attractive about this defense measure is that it is not only easy to implement but economical to set up, too, since most networks already have a key component of the firewall in place: the DNS resolver server.
That server does the grunt work of tying domain names to IP addresses. By adding a dynamically updated list of malicious Internet locations to the server's functions, lookups of those locations can be blocked for the whole network. The modification can be set up through a vendor, or with some scripts, good data sources and a consultation with a DNS administrator.
DNS firewalls can be very effective because DNS is at the heart of most malicious software operations. For example, malware uses domain names to find rendezvous points from which it receives new malicious payloads, and to receive instructions from command-and-control servers operated by Web miscreants. A DNS firewall can identify those poisonous connections, block them and cripple any malware trying to use them.
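To make the mechanism described above concrete, here is an added Python example (mine, not code from the article or from any resolver vendor) of the decision logic a DNS firewall applies at the resolver: a policy table built from a feed of malicious domains, a lookup that walks label boundaries so a blocked domain also covers its subdomains but not look-alike names, and an action per hit (deny with NXDOMAIN, or redirect to a sinkhole address so the infected host can be spotted). Every domain name, IP address and feed entry is constructed for illustration (RFC 5737 documentation addresses and .example names); a production deployment would load the table from a threat-intelligence source and enforce it with the resolver's own policy feature rather than in Python.

```python
"""Decision logic of a DNS firewall, as a stand-alone example.

Added illustration, not code from the article or from any resolver vendor.
All domain names, addresses and feed entries below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sinkhole address from the RFC 5737 documentation range.
SINKHOLE_IP = "192.0.2.1"


@dataclass
class PolicyEntry:
    action: str   # "nxdomain" (deny) or "sinkhole" (redirect to a walled garden)
    reason: str   # provenance note carried from the feed


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'BAD.Example.' == 'bad.example'."""
    return name.rstrip(".").lower()


def load_policy(lines: Iterable[str]) -> Dict[str, PolicyEntry]:
    """Parse 'domain action reason...' lines into a lookup table.

    A real resolver rebuilds this table whenever the threat feed updates.
    """
    policy: Dict[str, PolicyEntry] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=2)
        domain, action = parts[0], parts[1]
        reason = parts[2] if len(parts) > 2 else ""
        if action not in ("nxdomain", "sinkhole"):
            raise ValueError(f"unknown action {action!r} for {domain}")
        policy[normalize(domain)] = PolicyEntry(action, reason)
    return policy


def match_policy(qname: str, policy: Dict[str, PolicyEntry]) -> Optional[Tuple[str, PolicyEntry]]:
    """Return the most specific entry covering qname, or None.

    Matching walks label boundaries, so an entry for 'bad.example' covers
    'cdn.bad.example' but not the look-alike 'notbad.example'.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in policy:
            return candidate, policy[candidate]
    return None


def resolve(qname: str, policy: Dict[str, PolicyEntry],
            upstream: Callable[[str], Optional[str]]) -> dict:
    """Answer one query: enforce policy first, otherwise resolve normally."""
    hit = match_policy(qname, policy)
    if hit is None:
        answer = upstream(qname)
        return {"qname": qname, "blocked": False, "matched": None,
                "rcode": "NOERROR" if answer else "NXDOMAIN", "answer": answer}
    matched, entry = hit
    if entry.action == "nxdomain":
        return {"qname": qname, "blocked": True, "matched": matched,
                "rcode": "NXDOMAIN", "answer": None}
    return {"qname": qname, "blocked": True, "matched": matched,
            "rcode": "NOERROR", "answer": SINKHOLE_IP}


def format_log(result: dict) -> str:
    """One log line per policy hit; these lines are the detection signal."""
    return (f"policy-hit qname={result['qname']} matched={result['matched']} "
            f"rcode={result['rcode']} answer={result['answer']}")


# Constructed feed, in the shape a scripted import might produce.
SAMPLE_POLICY = """
# domain               action    reason
bad-payload.example    nxdomain  drop site seen in phishing mail
c2-beacon.example      sinkhole  command-and-control, redirect for detection
""".splitlines()

# Constructed stand-in for the real upstream lookup.
FAKE_UPSTREAM = {"www.example.com": "198.51.100.10"}


def fake_upstream(qname: str) -> Optional[str]:
    return FAKE_UPSTREAM.get(normalize(qname))


def run_queries(qnames: List[str], policy: Dict[str, PolicyEntry]) -> List[dict]:
    """Resolve a batch of queries and print a log line for each policy hit."""
    results = [resolve(q, policy, fake_upstream) for q in qnames]
    for r in results:
        if r["blocked"]:
            print(format_log(r))
    return results


if __name__ == "__main__":
    table = load_policy(SAMPLE_POLICY)
    batch = ["www.example.com", "cdn.bad-payload.example",
             "C2-Beacon.example.", "notbad-payload.example"]
    out = run_queries(batch, table)
    print(f"{sum(r['blocked'] for r in out)} of {len(out)} lookups blocked")
```

The sinkhole action is the part worth noting for defenders: answering a command-and-control lookup with an address you control turns every beacon from an infected host into a connection attempt you can see, whereas a plain NXDOMAIN only denies it. The label-boundary matching in match_policy also matters, since a naive suffix comparison would block unrelated names that merely end in the same characters.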
Although DNS firewalls aren’t new, they don’t seem to have made it onto the radar screen of many network security professionals. That’s unfortunate, because they can be very effective in thwarting Black Hat attacks on networks.
“By implementing this one simple layer of defense, enterprises can stymie over 80 percent of today’s malware and commensurately reduce their risk of information loss,” writes Rod Rasmussen, a founder of Internet Identity.
“While not a silver bullet,” he adds, “this approach is certainly going to be highly effective and should be considered an essential layer in any enterprise’s security posture.”