There are 79 million malware domains in the Cyber X-Ray database. Approximately 85% of these domains do not currently resolve to an IP address. Below is an example of a malicious traffic report observed passively. Since these domains have no IP address, the report records the address as 0.0.0.0. This is also why you do not see infected machines constantly trying to reach their botnet C&C on other security devices such as firewalls, proxies and IPS, including those that inspect Layer 7 (the application layer): when the DNS lookup returns no address, the client never opens a connection, so the only trace of the attempt is the DNS query itself. We believe that analysing the DNS data of a corporate network makes it possible to assess the security of the entire network and to detect sophisticated attacks, and we are working hard to develop products for this.
Domains without an IP address
1- Malicious Domains
Some malicious domains are deliberately kept unresolvable: the operator publishes an address record only for the short period in which the zombie army is being commanded, and at all other times the name has no IP address (it is left unregistered or its record is withdrawn). Infected zombie devices keep sending command center connection requests regardless, but because the name does not resolve, the request never gets past the DNS lookup and is therefore undetectable in any protocol other than DNS. Devices such as an IPS or URL filter only see connections that were actually made, so the fact that the domain has no IP address means they generate no event at all for this malicious traffic.
2 - DGA (Domain Generation Algorithm) Domains
Another malicious activity that can only be seen through DNS log analysis is queries for DGA (Domain Generation Algorithm) domains. A DGA generates domain names on the infected machine itself, typically from the current date or time taken from the system clock, so that the malware and its operator independently arrive at the same list of candidate names for a given day. The operator registers only one of these candidates, and only when a command is to be given, pointing it at the botnet C&C IP address. Much like a time-based one-time password (OTP) in two-factor authentication (2FA), each generated name is only valid for a short window, so the infected machine queries each candidate only a few times before moving on to the next one, and almost all of these queries fail to resolve.
In this way, the owner of the zombie army aims at two things:
1- To prevent the command center domains from being detected and blocked by security researchers in advance: a name that has not yet been generated or registered cannot be put on a blocklist.
2- To activate the zombie army on a timer: because the names depend on the clock, the botnet can be switched on at a chosen moment without any fixed, pre-shared rendezvous address.
Both of the malicious activities described above can only be seen through DNS log analysis, because what the infected clients are actually doing is repeatedly querying domains that do not resolve to an IP address.
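To make both patterns concrete, here is an added example that is not part of the original post and not Roksit's code. It builds a small constructed DNS log (the line format, the client addresses and the names are all made up; unresolved queries carry 0.0.0.0 as the answer, mirroring the report above), generates one day's candidates with a toy hash-based DGA using a hypothetical seed (not any real malware family's algorithm), and then flags, per client, the two behaviours the text describes: the same unresolvable name queried over and over (a client beaconing to a command center whose record is currently withdrawn) and a burst of many distinct, high-entropy unresolvable names (a DGA walking through its candidates). The thresholds are illustrative and would be tuned for a real network.

```python
"""Added example: spotting hosts that keep querying domains with no IP address,
either the same C2 name over and over (beaconing) or a burst of distinct
machine-generated names (DGA), from DNS log lines alone."""
import hashlib
import math
import re
from collections import Counter, defaultdict

# Constructed log format (not a real product's format):
#   <timestamp> <client-ip> <queried-name> <rcode> <answer-ip>
# Unresolved names carry 0.0.0.0 as the answer, mirroring the report above.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<rcode>\S+) (?P<answer>\S+)$"
)


def toy_dga(day_iso, seed=b"hypothetical-seed", count=10, tld=".com"):
    """Toy date-seeded DGA (illustrative; the seed is hypothetical).
    Malware and operator both run this on the same date and obtain the same
    candidate list; the operator registers at most one candidate per day."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day_iso.encode() + bytes([i])).hexdigest()
        # Fold the hash into a 16-letter label, one hash byte per letter.
        label = "".join(
            chr(ord("a") + int(digest[2 * j:2 * j + 2], 16) % 26) for j in range(16)
        )
        names.append(label + tld)
    return names


def parse_line(line):
    """Parse one constructed log line into a dict; reject malformed input."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable DNS log line: {line!r}")
    return m.groupdict()


def label_entropy(qname):
    """Shannon entropy (bits per character) of the leftmost label. Random-looking
    DGA labels score high; dictionary hostnames such as 'mail' or 'www' score low."""
    label = qname.split(".")[0]
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def analyze(lines, beacon_min_repeats=5, dga_min_distinct=10, dga_min_entropy=2.5):
    """Per-client summary of unresolved queries. Thresholds are illustrative."""
    per_client = defaultdict(lambda: {"queries": 0, "nx": Counter()})
    for line in lines:
        rec = parse_line(line)
        stats = per_client[rec["client"]]
        stats["queries"] += 1
        if rec["rcode"] == "NXDOMAIN":
            stats["nx"][rec["qname"]] += 1

    findings = {}
    for client, stats in per_client.items():
        nx = stats["nx"]
        top_name, top_count = (nx.most_common(1)[0] if nx else (None, 0))
        mean_entropy = (sum(label_entropy(q) for q in nx) / len(nx)) if nx else 0.0
        beaconing = top_count >= beacon_min_repeats
        findings[client] = {
            "queries": stats["queries"],
            "nx_ratio": sum(nx.values()) / stats["queries"],
            "distinct_nx": len(nx),
            # Same unresolvable name hammered repeatedly: a client trying to reach
            # a command center whose DNS record is currently withdrawn.
            "beaconing": beaconing,
            "beacon_target": top_name if beaconing else None,
            # Many distinct, high-entropy unresolvable names: a DGA walking through
            # the day's candidates until it hits the one that was registered.
            "dga_like": len(nx) >= dga_min_distinct and mean_entropy >= dga_min_entropy,
        }
    return findings


def build_sample_log():
    """Constructed sample log (not real traffic). 10.0.0.5 beacons to one C2 name
    every 5 minutes; 10.0.0.7 walks a day's DGA candidates; 10.0.0.9 is a normal
    client with a single typo."""
    lines = [
        f"2024-05-01T10:{5 * m:02d}:00 10.0.0.5 c2-rendezvous.example NXDOMAIN 0.0.0.0"
        for m in range(8)
    ]
    lines += [
        f"2024-05-01T10:{i:02d}:30 10.0.0.7 {name} NXDOMAIN 0.0.0.0"
        for i, name in enumerate(toy_dga("2024-05-01", count=20))
    ]
    normal = ["www.example.com", "mail.example.com", "cdn.example.net", "www.example.org"]
    for i, name in enumerate(normal):
        lines.append(f"2024-05-01T10:{10 * i:02d}:45 10.0.0.9 {name} NOERROR 192.0.2.10")
    lines.append("2024-05-01T10:07:00 10.0.0.9 wwww.exmaple.com NXDOMAIN 0.0.0.0")
    return lines


if __name__ == "__main__":
    for client, f in analyze(build_sample_log()).items():
        flags = [k for k in ("beaconing", "dga_like") if f[k]]
        print(f"{client}: {f['queries']} queries, NXDOMAIN ratio {f['nx_ratio']:.2f}, "
              f"{f['distinct_nx']} distinct unresolved names, flags={flags or 'none'}")
```

The two signals deliberately differ: the beaconing client produces a high NXDOMAIN ratio concentrated on a single name, while the DGA client produces the same high ratio spread across many unrelated names, so a detector keyed on the ratio alone would lump both together with an ordinary typo-prone user. Counting distinct unresolved names and the entropy of their labels separates the three cases, and a sudden change in a client's "distinct_nx" is usually the first thing an analyst would pivot on.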
The Roksit DNS Visibility product shows infected devices that are constantly trying to connect to the command center. These are suspicious activities and need to be analysed carefully by SOC teams.