Investigating a DDOS Attack
A global consultancy (The Client) experienced network outages resulting from a large-scale Distributed Denial of Service (DDOS) attack against their Domain Name Service (DNS) servers.
The Client engaged Nisos to leverage our access to external telemetry and analytic expertise not available to the Client in order to determine if the Client was specifically targeted by the DDOS attack and to perform potential attribution of the threat actors and attack sources.
The Client’s Information Security staff provided Nisos a network packet capture file containing a subset of DNS-based network traffic from the period in question. The Client’s Information Security staff also provided Nisos source IPs of interest and requested further insight into the attack.
Nisos’ analytic processes included reviewing the Client’s network packet capture (pcap) data and utilizing Nisos’ internally held data sources. These sources yielded broad-based DNS traffic records containing queries with randomly crafted sub-domains and query types similar to those identified in the provided capture file. Nisos collects and stores large amounts of threat intelligence data, netflow information, and other indicators of compromise (IOC) and leveraged this unique combination of data streams to perform the analysis. Nisos’ analytical methodology included:
- Capturing/receiving internal network traffic
- Identifying and analyzing network protocols and protocol compliance
- Isolating and identifying source and destination traffic
- Detecting and attributing network anomalies
- Identifying key IOCs
Nisos applied this methodology and leveraged historical data holdings in an attempt to identify the actors behind the attack and better characterize the attackers. Nisos was able to characterize the scale of the attack as follows:
- Based on the top 10 attack source IPs derived from the provided capture files, Nisos found that this DDOS attack occurred at a global scale and was not specific to the Client.
- Within the 24-hour period, Nisos identified over 800 non-Client related domains being queried on at least 83 DNS name servers using similar methods from these top 10 attack source IPs.
This attack appeared to be very unfocused, as it was not targeting a specific industry, country, or other identifiable grouping. In this iteration, it appeared that the attackers sent queries for randomized and actual subdomains and hosts related to the various domains. The attackers generated large amounts of traffic with these sub-domain and host queries, including searches for A, AAAA, PTR, MX and TXT records. These types of queries were indicative of domain enumeration attempts and represented a shift in methodology by the attackers.
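The query pattern described above (many one-off randomized names, spread across several record types) is visible in a name server's own query log, which is also why the logging recommendation later in this report matters. The script below is an added example, not Nisos' tooling or the Client's data; it assumes BIND 9 query-log format, and SAMPLE_LOG is constructed using RFC 5737 documentation addresses.

```python
"""Flag sources sending one-off (random) names across several record types, as the
flood above did. Assumes BIND 9 query-log lines; SAMPLE_LOG is constructed."""
import math
import re
from collections import Counter, defaultdict

# BIND 9 query-log line, with or without the "@0x..." client handle.
LINE_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ "
                     r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+) ")

SAMPLE_LOG = """\
client @0x7f3a1c0b 198.51.100.7#51234 (k3x9qz2w.example.com): query: k3x9qz2w.example.com IN A + (192.0.2.53)
client @0x7f3a1c0b 198.51.100.7#51234 (p0v4mn8r.example.com): query: p0v4mn8r.example.com IN AAAA + (192.0.2.53)
client @0x7f3a1c0b 198.51.100.7#51234 (zq7t1bd5.example.com): query: zq7t1bd5.example.com IN MX + (192.0.2.53)
client @0x7f3a1c0b 198.51.100.7#51234 (h8s2yx6c.example.com): query: h8s2yx6c.example.com IN TXT + (192.0.2.53)
client @0x7f3a1c0b 198.51.100.7#51234 (m5w0rk3j.example.com): query: m5w0rk3j.example.com IN A + (192.0.2.53)
client 192.0.2.10#40001 (www.example.com): query: www.example.com IN A + (192.0.2.53)
client 192.0.2.10#40002 (www.example.com): query: www.example.com IN AAAA + (192.0.2.53)
client 192.0.2.10#40003 (mail.example.com): query: mail.example.com IN MX + (192.0.2.53)
client 198.51.100.7#51234 (a1b2c3d4.other.net): query: a1b2c3d4.other.net IN A + (192.0.2.53)
"""

def shannon_entropy(label):
    """Bits per character; random labels score higher than dictionary words."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label.lower()).values()) if n else 0.0

def profile_sources(log_text, zone):
    """Per-source stats for names under `zone`: volume, share of distinct names
    seen only once, number of record types and mean leftmost-label entropy."""
    names, qtypes = defaultdict(Counter), defaultdict(set)
    for m in LINE_RE.finditer(log_text):
        qname = m["qname"].lower().rstrip(".")
        if qname.endswith("." + zone):
            names[m["src"]][qname] += 1
            qtypes[m["src"]].add(m["qtype"])
    stats = {}
    for src, seen in names.items():
        singles = sum(1 for c in seen.values() if c == 1)
        ent = sum(shannon_entropy(q.split(".")[0]) for q in seen) / len(seen)
        stats[src] = {"queries": sum(seen.values()), "distinct": len(seen),
                      "singleton_ratio": singles / len(seen),
                      "qtypes": len(qtypes[src]), "mean_label_entropy": round(ent, 2)}
    return stats

def flag_flood_sources(stats, min_queries=5, min_singleton_ratio=0.9, min_qtypes=3):
    """Many queries, nearly every name seen once, several record types: an
    enumeration flood, not the repeat pattern of a caching resolver."""
    return sorted(src for src, s in stats.items() if s["queries"] >= min_queries
                  and s["singleton_ratio"] >= min_singleton_ratio and s["qtypes"] >= min_qtypes)
```

The thresholds are starting points to tune against a baseline of normal resolver traffic; the legitimate client in the sample repeats names and so never reaches the singleton ratio.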
As a result of the widespread nature of both the source IPs and domains targeted, Nisos assessed that this attack was likely performed by one or more individuals controlling a global botnet. The global distribution of sources observed included a variety of corporations, ISPs and wireless providers based on a cursory review of WHOIS results. The near-simultaneous queries for similar hosts and subdomains targeting the identical domain zones from globally disparate sources were indicative of a distributed attack campaign.
This attack was particularly disruptive to the Client at the time due to the legacy DNS architecture in place which extended the Client’s public DNS zones and namespace into the internal corporate network through a single, non-partitioned or “non-split” design.
The Client took action on the following recommendations to improve its resilience against these types of attacks:
- Separate internal and external DNS functions into a “Split Horizon” architecture.
- Configure internal DNS name servers to host only internal zones and the Active Directory (AD) name space. Configure internal name servers to utilize separate external name servers as DNS forwarders and caching hosts to resolve internally sourced name queries for external resources.
- Create external DNS servers to host resource records for only externally hosted domains and hosts. Configure the external DNS servers to function as forwarding and caching hosts and to only accept forwarder requests from defined internal name servers.
- Configure name servers to log client requests and forward log data to central monitoring and detection systems to enable threat hunting, incident response and other investigative functions.
- Scope external DNS name server hardware and system resources appropriately based on query volume and load. Harden and strictly control access to both internal and external DNS name servers.
- Separate internal and external network space to eliminate cross contamination of network segments.
- Create internal address space containing only RFC 1918 compliant private network ranges. Use internal addresses only for internally hosted systems and resources.
- Isolate externally accessible hosts and address space to external facing public network ranges. Create DMZs, VIPs, etc. to support controlled access to internally hosted systems from external sources. Allow internal systems to access externally hosted resources only via controlled and well-defined channels.
- For incident response and analysis, capturing network packet data with the full frame length ensures that all data portions of the packet are included. Doing so greatly improves the ability for responders to analyze the network traffic and gain greater visibility into the actual payloads/queries contained in the packet data.
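The split-horizon, forwarder and logging recommendations above, written out as an added example in BIND 9 named.conf syntax. This is not the Client's configuration: BIND itself, the zone names, the syslog facility and every address (RFC 1918 ranges internally, 203.0.113.x documentation placeholders externally) are assumptions.

```conf
# --- internal name server (named.conf excerpt) ---
# Hosts only internal zones and the AD namespace; all other lookups are
# forwarded to the external server, never resolved directly from the Internet.
acl "corp-nets" { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };   # RFC 1918 only

options {
    listen-on { 10.0.0.53; };              # internal address only (assumed)
    allow-query { corp-nets; };
    recursion yes;
    allow-recursion { corp-nets; };
    forward only;                          # no independent resolution
    forwarders { 203.0.113.53; };          # external DNS server (placeholder)
};

zone "corp.example.com" { type master; file "zones/corp.example.com.db"; };  # AD namespace
zone "10.in-addr.arpa"  { type master; file "zones/10.in-addr.arpa.db"; };

logging {
    channel queries_to_syslog { syslog local5; severity info; print-time yes; };
    category queries { queries_to_syslog; };   # syslog ships to central monitoring
};

# --- external name server (named.conf excerpt) ---
# Authoritative for public zones only; the forwarder/caching role is offered
# solely to the defined internal name servers, not to the Internet at large.
acl "internal-resolvers" { 203.0.113.10; };   # egress address of internal NS (placeholder)

options {
    listen-on { 203.0.113.53; };
    allow-query { any; };                      # public records answered for anyone
    recursion yes;
    allow-recursion { internal-resolvers; };   # forwarder requests only from internal NS
    allow-query-cache { internal-resolvers; };
    allow-transfer { none; };
};

zone "example.com" { type master; file "zones/example.com.db"; };   # public records only

logging {
    channel queries_to_syslog { syslog local5; severity info; print-time yes; };
    category queries { queries_to_syslog; };
};
```

In the legacy "non-split" design both roles lived on one server that answered internal and external zones for every client; the two excerpts keep the internal namespace unreachable from outside and leave the public server with nothing internal to expose.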
Nisos is the Managed Intelligence company. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.
For additional information, contact firstname.lastname@example.org