When "Customers" Attack DNS

Be real. A Communications Service Provider’s (CSP’s) customer will not use their home to attack the Domain Name System (DNS). They might as well unplug from the Internet. Yet, customers get infected, CPEs get violated, and miscreants all over the Internet reflect attacks off CSP customers to attack others. This abuse happens every day. It is part of the “noise” of the Internet. It is also a major threat to the Internet.  What does a CSP do when 30% of their customers are infected with malware?  What happens if a “threat-actor” takes a fraction of that 30% and attacks the CSP’s infrastructure?  CSPs need tools to take action to protect themselves. This blog will walk through CSP malware mitigation consideration. CSPs taking action now will keep their customers from threatening the CSP’s business.

Reality Check – CSP Customers Constantly Get Malware Infections

And these infections are not their fault. They are victims. It is not their fault that a determined miscreant finds a vulnerability in the “connected” TV, hijacks the DNS on the vulnerable CPE, then loads malware on that TV. Days later, that TV is one of 100 thousand bots in a DoS attack against a bank in another country. The CSP customer would still sit there watching the latest Football match.

Most CSPs see the malware infections on their network. CSPs get complaints from all over their network (their customers are attacking others). CSPs are stuck. They don’t know where to start. CSPs are paralyzed by the staggering volume of the number of malware-infected customers. Luckily, CSP peers are open to sharing their experiences to minimize the risk from malware-infected customers. These recommendations are mindful of the cost of customer communications and the need for automation. In summary, these recommendations are:

Recommendation 1 – Daily Habit of Action. Don’t wait for the big malware “events.” Take time every day to investigate, identify, mitigate, and remediate malware issues with your customers.

Recommendation 2 – KPIs for Customer Infection Risk. Risk is measurable. A Key Performance Indicator (KPI) is a potent tool to drive for change in an organization.

Recommendation 3 – Turn the DNS Resolver into a Security Tool. DNS is used to victimize the customer through phishing, malware, browser plugins, and a range of other attacks. DNS is used to spread the attack through the customer’s home network. Policies in DNS which check the domain name to see if it is on a blacklist has proven to be a powerful and cost-effective tool to minimize the risk to a CSP’s customers. 

We’ll get into detail with each of these recommendations in a later section.

It is Easy to See the Risk

Some would say that it is hard to “measure” the impact of infected customers. Experience shows it is easy if you know where to look. For example, Akamai’s DNSi – AnswerX customers have a dashboard report of the daily top IP Events and IP Usage. These are the top customers who are heavily loading the CSP’s DNS Resolver. IT IS NOT NORMAL FOR A CLIENT TO HEAVILY LOAD A DNS RESOLVER! This heavy load is a leading risk indicator. Customers with a heavy DNS load indicates infection, abuse, or something broken.

Customers DNS Image One.png

The AnswerX tables shown above are examples of turning a dashboard into a security tool. In the above tables, you can see the daily queries of the top 100 IPs hitting the recursive resolvers. This Top Tracker provides useful information on where to look. Taking the first IP as an example: 7375285/24 hours = 307303.5416/60 minutes = 5121.725694 / 60 seconds = 85.362 Queries per second. 

A human is incapable of doing this many queries per second over a sustained period. This KPI gives a pretty good indication that this machine is infected and further analysis needs to be made to determine the kinds of queries the customer is doing. If infected, most queries will be for strange domains that an operator has probably never heard of. Once the analysis is done, the infected user can be notified about the infection along with some instructions on how to deal with it. Over time, this practice will ensure the infections are kept to a minimum and reduce the attack surface on the CSP subscriber base.

AnswerX is protected from these abusive loads. AnswerX provides automated – per-user – rate limiting functionality that prevents DNS abuse by blocking excessive queries before they become a problem for the Operator. These rate limits can be customized to fit any use case and protect both the subscribers and the resolver itself. But, the abusive traffic is still a problem for the network.

The good news is that this same list can be used as the daily habit of “addressing customer malware.” Pick a goal of addressing the top ten customer IPs on this list. This is a measurable goal. Remediating the malware from a customer will help you learn the latest attacks and lessen the load on your infrastructure.

Remember, infected customers are a risk to your CSP’s business. Infected customers are not just a problem for the individual. The CSP is at risk. The Threat-Actor can shift their attack to the CSP. The Threat-Actor can attack other CSP customers. The Threat-Actor can attack other CSPs and countries – causing havoc on the Internet and opening the door for retaliation. It is not healthy for a CSP to be the “battlespace” of a cyber-war.

Malware Infections Can Impact the Brand & Reputation

CSP Brand and Reputation are also at Risk. There are new “measurements” which illustrate the “risk” of an operator based on their compliance to best security practices and Malware infections. Tools like CyberGreen use publicly visible data everyone on the Internet can access to build a risk model.

 Customers DNS Image Two.png

What is your CSP’s “security risk” score? “Why would I connect to this ASN when half their customers are infected with malware?” The good news for CSPs is that organizations like CyberGreen and Shadowserver Foundation provide infection data and metrics as a public service. This allows CSPs to start their clean up customer malware “daily habits” using these reports. Some organizations use these public dashboards as their internal KPIs. Others use the APIs to these groups and display the “infection rate” on their custom built NOC/SOC dashboards. Akamai’s suite of Security and Personalization Services (SPS) products can also provide relevant and custom KPIs tailored to your organization needs.

The key for CSPs is that the world can also see their customer malware infection rate. It is not “invisible.”

How are CSP Customers Attacked?

The CSP’s customers are both targets for crime and tools for a crime. Phishing, malware, scams, data theft, identity theft, extortion (pay or we’ll expose you) and now physical theft is widespread. The criminal sits on one side of the planet and victimizes the customer on the other side of the planet. In parallel, the Threat-Actors turn the CSP customer’s devices into “criminal tools.” They use devices for DoS attack, SPAM, Cryptocurrency mining, scanning for new infections, criminal mapping, botnets, and other imaginative uses. The CSP’s risk is from a combination of the two – customer getting victimized and customer’s resources being used for a distributed criminal cloud.

Don’t let the vastness of the threat paralyze your ability to act. We can return to a simple tool as seen in the AnswerX Dashboard.

Customers DNS Image Three.png

Each of these nine IPs is one of the following:

❏    Customer’s Infected with Malware. Threat-Actors will infect the customer’s device and use it to perform a DNS function. It could be something as simple as web-scraping or something as complicated as a DoS attack. Malware can also use DNS as a data exfiltration tool – sending data out over the DNS channel. Any of these could show up on the Daily Top list.

❏    CPE Violations. Mirai and malware break into the home router (CPE). This malware either infects the home router/CPE or reconfigures it for criminal functionality. Threat-Actors have a better chance of hiding their activities on the home CPE. These same Threat-Actors know that the normal home user has zero knowledge about how to upgrade or patch their home CPE. Furthermore, many providers install these devices with the factory default credentials, which makes compromising the CPE trivial. If you deploy CPEs with default credentials, you should seriously reconsider stopping right now.

❏    Reflection Attacks. A packet has a destination and a source address. If you “spoof” the source address, the device returns the packet to that specific source, not the source who sent the packet. This turns every device on the Internet into a potential “reflector.” Change the source port number to 53 and you now have a way to reflect abuse and a DoS Attack.

Customers DNS Image Four.png

❏    Pseudo Random Subdomain (PRSD) Attacks. PRSD attacks are a specific type of reflection attacks which abuse the customer’s CPE – abuse the CSP’s DNS Resolver – and attack the DNS zone of the ‘target.’ PRSD attacks would show up on the Daily Top list.

Customers DNS Image Five.png

Each of these attacks can be seen through a simple AnswerX Dashboard which displays the Daily Top devices. Malware, CPE, Reflections, and PRSD attack vectors are threats that can be seen with no new security monitoring. All it takes is to re-think what the existing dashboards illustrate. 

Allocating Time to Protect Customers

There are a whole series of actions CSPs need to deploy to make it harder for Threat-Actors to victimize and exploit their customers. Many of these are simple cost effective BCPs which require no new equipment. For example, inbound and outbound filtering of Exploitable Ports has helped protect major US Operators for over a decade. These are applied to the CSP’s edge routers. The key to security success is time. Time allocated every day to deploy the security BCPs, investigate customer infections, and mitigate security risk on the network.

Time is a critical success factor for all three recommendations. Time would be needed every day to spend 30 – 60 minutes investigating why customers are on the Daily Tops list. The KPI dashboards would determine the time needed to significantly reduce risk. Saving time becomes the core driver behind a DNS Resolver Security tool.  

Saving Time by Reducing Security Risk

We know Threat-Actors will put domain names into their phishing, spam, and pop-up messages. We also know that Threat-Actors will use domain names for their malware command and control. This misuse of the domain name allows us to turn the DNS Resolver into a security tool. The DNS Resolver is in a position to block bad domains. For example, a phishing email arriving on a CSP Customers computer for could get blocked, counted, and dropped by the DNS resolver. This approach disrupts phishing attacks and reduces the risk to a CSP’s network by protecting customers from betting victimized and abused. It is why Akamai has put the time and effort into the DNSi & SPS solutions.

Customers DNS Image Six.png

Don’t Believe the DNS Resolver is a Security Tool? Akamai can prove it! Protect your Staff! Phishing, Malware, Botnets, and other security threats are targeting your employees, customers and systems. A threat-actor with the DoS resources could shift their targeting anywhere. Add Akamai Enterprise Threat Protection (ETP) to your tools to protect from these threats. ETP is part of Akamai Enterprise security solution suite that minimizes the risk to the people inside the organization. Ask Akamai to set up a free ETP trial as part of your DoS review. They can also share Akamai’s self-journey to uses these Akamai Enterprise Security Solutions to protect our organization.

Once we’ve proved that the DNS Resolver is a security tool, turn around and protect your customers. Akamai’s solution enables CSPs to protect their customer and provide new revenue services. Akamai complete solution of DNSi, SPS Secure Consumer, SPS Secure Business, and SPS ThreatAvert includes the ability to automatically notify customers when they might be infected with malware. Save time. Save Money. Reduce the Security Risk from Customer’s who are being victimized and abused.


We have outlined the multiple attack vectors possible for compromising customer devices to attack either the provider itself or as a distributed malicious tool to launch an attack on other organizations. As mentioned, security is an on-going, everyday task that must be done consistently and effectively. By leveraging the tools and methods in this article, you can have a healthier network and be a better citizen of the global Internet. So don’t waste time and start leveraging your available tools to improve your infrastructure security!

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Akamai DNS Team. Read the original post at: