A few days ago, one of our large DDI customers called our account team and said that their network was under active attack. Their Information Security Department was in what they called “response security mode.”
They discovered this by observing unusual DNS request logging in their homegrown Splunk systems, which were actively tracking malware queries originating from their networks and directed toward domains in Eastern Europe.
Further investigation revealed some unmanaged machines that were likely part of a botnet. This customer has a worldwide Infoblox DDI deployment, but the systems of interest were primarily four forwarders, two in the United States, one in the United Kingdom, and one in China, which handle all of their outbound DNS traffic.
They had heard about Infoblox DNS Firewall, which is designed to handle exactly this kind of infection, and they wanted to try it.
The usual Infoblox engagement cycle goes through evaluation in a lab environment followed by a sale and then eventual production deployment. However, in this case, the customer’s security staffers wanted to deploy the system on their production network right away!
So like the cavalry in an old western movie, Infoblox DNS Firewall rode to the rescue, with a two-hour Webex call with the networking and infosec teams, during which we configured the customer’s grid with DNS Firewall and also equipped them with an Infoblox Reporting server. Thanks to the magic of GRID and the simple management interface, by the end of the call they had the DNS firewall in action stopping the DNS queries to the bad destinations.
Not only that: because Infoblox Reporting, DNS Firewall, and one-click DHCP Fingerprinting are tightly integrated, problem isolation is fast and easy, and the customer was able to identify the infected machines.
This is not the first time DNS logs have helped identify a potential threat. Back in 2013, when Facebook was hacked, PC Magazine reported:
“The bug was uncovered when the Facebook Security team flagged a suspicious domain in its corporate DNS logs and tracked it back to an employee computer. An examination of the laptop revealed the malicious file, prompting a wider search—and the discovery of more malware.”
A lot of the discussion around the recent Target breach points to the fact that it was not the sophistication of the attack that caused the impact; it was the process disconnects that kept IT from knowing what was going on. The signs could be right in front of you, but who has time to sift through millions of DNS logs, and does the security team, which probably doesn’t manage the core DNS infrastructure, even have access to them?
So there are two takeaways from this cavalry-to-the-rescue story. One is, check those DNS logs! They could give you the early warning you need to stop an attack before it does serious damage. The other is, from the detailed information it captures on hostnames, operating systems, IP addresses, and more to state-of-the-art tools like DNS Firewall and DHCP Fingerprinting, an Infoblox solution is your safest bet.
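The customer's detection and the "check those DNS logs" takeaway both come down to one simple piece of logic: match every query name in the resolver's query log against a list of known-bad domains and group the hits by the client that asked. The following is an added example, not code from the post or from Infoblox; it uses a constructed six-line log in BIND-style query-log format and a hypothetical blocklist containing one domain. Matching is done on DNS labels so that a look-alike name such as notbadhost.example.net does not match badhost.example.net.

```python
import re
from collections import defaultdict

# Constructed sample lines in BIND 9 query-log style (not taken from the post).
SAMPLE_LOG = """\
12-Mar-2014 09:15:01.123 client 10.1.4.22#51324: query: www.example.com IN A + (10.1.0.5)
12-Mar-2014 09:15:02.456 client 10.1.4.22#51325: query: cnc.badhost.example.net IN A + (10.1.0.5)
12-Mar-2014 09:15:03.789 client 10.1.7.9#40012: query: update.badhost.example.net IN A + (10.1.0.5)
12-Mar-2014 09:15:04.001 client 10.1.4.22#51326: query: mail.example.org IN MX + (10.1.0.5)
12-Mar-2014 09:15:05.222 client 10.1.7.9#40013: query: cnc.badhost.example.net IN A + (10.1.0.5)
12-Mar-2014 09:15:06.333 client 10.2.3.4#33001: query: notbadhost.example.net IN A + (10.1.0.5)
"""

# Hypothetical blocklist of known command-and-control domains (assumption).
BLOCKLIST = {"badhost.example.net"}

# Accepts both the older "client IP#port: query:" form and the newer
# "client IP#port (qname): query:" form of the BIND query log.
QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def is_listed(qname, blocklist):
    """True if qname equals a listed domain or is a subdomain of one.

    The check walks the labels from the left, so "cnc.badhost.example.net"
    matches "badhost.example.net" but "notbadhost.example.net" does not.
    """
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_suspect_clients(log_text, blocklist):
    """Return {client_ip: {bad_qname: count}} for every query to a listed domain."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query-log line
        qname = m.group("qname").rstrip(".").lower()
        if is_listed(qname, blocklist):
            hits[m.group("client")][qname] += 1
    return {client: dict(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in sorted(find_suspect_clients(SAMPLE_LOG, BLOCKLIST).items()):
        for qname, count in sorted(names.items()):
            print(f"{client}\t{qname}\t{count}")
```

On the constructed log this flags 10.1.4.22 and 10.1.7.9 and leaves 10.2.3.4 alone. In practice the client IP is then joined against DHCP lease data (which is what the post's DHCP Fingerprinting step provides) to get a hostname and device type, and the same suffix logic is what a response policy zone applies at query time to block the resolution instead of merely logging it.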