Building the Case for Black Hole DNS
by James McQuaid
In measuring the frequency with which malware domains changed IP addresses, I had two goals. One was to quantify enemy tactics, and the other was to evaluate the effectiveness of the tools we employ against them.
After stateful packet inspection, IP address blocking is the most commonly utilized method of securing the perimeter through filtering. Overreliance on IP address blocking has been criticized as inadequate (http://blog.fireeye.com/research/2008/11/the-case-against-url-blacklists.html), and numerous analysts have suggested that it should be utilized in conjunction with Black Hole DNS (BHDNS) (http://malwaredomains.com/). This may seem to be self-evident, but little data has been available regarding its comparative effectiveness.
I examined malware domains active between October 10th and November 10th 2008, and found that as the
life of a malware domain progressed, it was increasingly likely to have its IP address changed. This is the likely result of cybercriminals attempting to evade IP address blocking.
After 7 days, 80% of malware domains retained their initial IP address. 10% were no longer resolving, and 10% of the domains had undergone an IP address change.
After 15 days, 56% of malware domains retained their initial IP address. 21% of malware domains were no longer resolving, and 23% of the domains had undergone an IP address change.
At 30 days, 50% of malware domains retained their initial IP address. 7% of the domains were no longer resolving, and 42% of malware domains had undergone an IP address change.
The data indicate that a network administrator who implements IP address blocking on a 30-day update cycle is facing up to a 42% failure rate in the effectiveness of the perimeter filtering policy. The data also imply that the RBN and other malware operators have a strategy of changing the IP address of malware domains in order to evade IP address blocking.
Snort Inline offers administrators exponentially greater levels of network protection, providing
substantial protection against advanced threats including fast flux malware networks.
emergingthreats.net provides the most comprehensive set of open source Snort signatures which are
effective in real-time (http://doc.emergingthreats.net/bin/view/Main/AllRulesets).
Black Hole DNS (filtering traffic by domain name) provides an effective, inexpensive and widely
available method of significantly improving the effectiveness of perimeter firewall filtering policy.
BHDNS is available in conventional DNS as well as, in widely deployed home and small business firewalls (such as Smoothwall and IPCop).
You can easily implement BHDNS in conventional DNS. malwaredomains.com provides complete instructions and domain blacklist files. I maintain a ready-to-go solution for Smoothwall at emergingthreats.net (http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples).