
Flowmon ADS

DNSANOMALY - DNS Anomaly

  • Last Updated: April 5, 2026

Method description

This method detects suspicious communication in DNS traffic. It reports large data transfers over TCP port 53, which are caused either by DNS zone transfers or by potential exfiltration of sensitive data from the company environment. The sensitivity of this detection is adjusted with the TCPTransferLimit option.

The method is extended by the detection of DNS servers that are not allowed in the monitored network. This extension is activated by selecting the DNSServers filter, which defines the IP addresses of the allowed DNS servers.

The next extension is based on a simple model of the DNS servers in use. Its purpose is to notify you when monitored devices start using DNS servers that were not widely used in the past. The LearnCycles parameter defines how many five-minute intervals the method needs to train the model used for detection. The MinimalRatio parameter defines the minimum share of a client's DNS connections a server must account for before its communication is considered usual. DNS servers inside the monitored network can be excluded from this detection with the ServersToExclude parameter.

This method consists of the following submethods:

  • TCPHighTraffic: Monitors the amount of DNS data transferred over TCP. Any device in the network that exceeds the user-defined threshold of transferred data is reported.

  • ForbiddenServer: Reports communication with a DNS server that is not a part of the user-defined list of allowed DNS servers. This detection method is active if the DNSServers parameter is set.

  • UnusualServer: Reports the communication with a DNS server that has not been widely used by a client device. The detection is based on the statistics of data transferred between the client and DNS servers.

Method configuration

It is recommended to apply this method network-wide for all traffic on the network regardless of IP addresses. The right place for traffic monitoring is the Internet connection line.

Method parameters

  • WithoutResponse: Report communication to unauthorized or unusual DNS servers even when no reply is observed.

  • TCPTransferLimit: Minimum amount of data transferred by the DNS service over TCP (in bytes) that triggers a report.

  • EnabledTCP: Name of the filter that defines the IP addresses of the devices that are allowed to transfer data by the DNS service using TCP (for example, DNS servers for zone transfers).

  • DNSServers: Name of the filter that defines the IP addresses of the DNS servers that can be used in the monitored network.

  • PolicyExceptions: Name of the filter that defines the IP addresses of the devices that are allowed to communicate with arbitrary DNS servers.

  • LearnCycles: Number of five-minute cycles used for training the classifier. No event is reported during this period. If the value of this parameter is 0, the detection of unusual DNS servers is inactive.

  • MinimalRatio: Minimum share (in percent) of a given IP address's DNS connections that a DNS server must account for in order to be considered commonly used by that address.

  • ServersToExclude: Name of the filter that defines the IP addresses of the DNS servers that are ignored within the classifier.
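The following is an added illustration of how the three submethods and the parameters above fit together; it is not Flowmon's implementation. It evaluates constructed flow records, one tuple per flow with the five-minute cycle index, and uses the page's parameter names as keyword arguments. Assumptions not stated on the page: both endpoints of a TCP/53 flow are counted toward TCPTransferLimit unless listed in EnabledTCP, the usage model keeps learning after the training period, and a client with no history yet is not reported by UnusualServer.

```python
from collections import Counter, defaultdict

# Constructed sample flows (not real data): (cycle, src, dst, proto, dst_port, bytes).
# cycle is the index of the five-minute interval in which the flow was observed.
FLOWS = [
    (0, "10.0.0.5", "10.0.0.53", "udp", 53, 120),
    (0, "10.0.0.5", "10.0.0.53", "udp", 53, 110),
    (1, "10.0.0.5", "10.0.0.53", "udp", 53, 130),
    (1, "10.0.0.5", "10.0.0.53", "udp", 53, 125),
    (2, "10.0.0.5", "10.0.0.53", "udp", 53, 115),
    (2, "10.0.0.5", "203.0.113.9", "udp", 53, 140),   # allowed, but never used before
    (2, "10.0.0.7", "10.0.0.53", "tcp", 53, 250_000),  # large DNS-over-TCP transfer
    (2, "10.0.0.8", "198.51.100.2", "udp", 53, 90),    # server not in DNSServers
]

def detect_dns_anomaly(flows, TCPTransferLimit=100_000, EnabledTCP=frozenset(),
                       DNSServers=None, PolicyExceptions=frozenset(),
                       LearnCycles=2, MinimalRatio=10.0, ServersToExclude=frozenset()):
    """Return a sorted list of (cycle, submethod, client, server) events."""
    events = set()
    tcp_bytes = Counter()             # (cycle, device) -> bytes seen on TCP/53
    model = defaultdict(Counter)      # client -> count of flows per DNS server
    for cycle, src, dst, proto, port, nbytes in sorted(flows):
        if port != 53:
            continue
        # TCPHighTraffic: accumulate TCP/53 bytes per device and cycle (assumption: both ends)
        if proto == "tcp":
            for dev in (src, dst):
                if dev not in EnabledTCP:
                    tcp_bytes[(cycle, dev)] += nbytes
        # ForbiddenServer: only active when the DNSServers filter is set
        if DNSServers is not None and dst not in DNSServers and src not in PolicyExceptions:
            events.add((cycle, "ForbiddenServer", src, dst))
        # UnusualServer: silent for the first LearnCycles intervals, then report
        # servers whose share of the client's DNS flows is below MinimalRatio
        if LearnCycles > 0 and dst not in ServersToExclude and src not in PolicyExceptions:
            seen = model[src]
            if cycle >= LearnCycles and sum(seen.values()) > 0:
                share = 100.0 * seen[dst] / sum(seen.values())
                if share < MinimalRatio:
                    events.add((cycle, "UnusualServer", src, dst))
            seen[dst] += 1
    for (cycle, dev), total in tcp_bytes.items():
        if total > TCPTransferLimit:
            events.add((cycle, "TCPHighTraffic", dev, "-"))
    return sorted(events)

if __name__ == "__main__":
    for ev in detect_dns_anomaly(FLOWS, EnabledTCP={"10.0.0.53"},
                                 DNSServers={"10.0.0.53", "203.0.113.9"}):
        print(ev)
```

With LearnCycles=2, client 10.0.0.5 has four flows of history when cycle 2 begins, so its first contact with 203.0.113.9 has a 0% share and is reported as UnusualServer even though that server is in DNSServers.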

Assigned filter

The assigned filter restricts the source IP addresses considered (for detection of unusual and restricted DNS servers) and the source or destination IP addresses (for detection of DNS TCP transfers).

Interpretation of results

This method is capable of detecting abuse of the DNS service for other undesirable activities, which typically include tunneling of the network traffic through the DNS protocol for a malicious purpose (for example, data exfiltration). A sudden change in the usage of DNS servers could indicate a malware infection.
