Article - FBI and Rogue DNS Servers



Author:
Werner Schmidt, CISSP
Date: February 2012

Executive Overview

Some of you may be getting emails from your ISP saying that the FBI has detected your IP address using rogue DNS servers. It's part of the two-year FBI investigation called Operation Ghost Click, as announced in New York. Rather than rehashing old information, you can also read the FBI letter about this.

Summary proactive security steps to take in general:
- Stop known bad stuff from coming in
- Detect unknown bad stuff (zero day malware) based upon behaviors in a virtual sandbox
- Stop your users from using unapproved or inappropriate applications
- Scan appropriate and approved applications for threats
- Stop your users from going to sites likely to hold malware
- Stop or alert on drive by downloads / installs
- Address encrypted traffic and consider decrypted inspection
- Look for botnet patterns for already infected systems within your network
- Run network core services (e.g. dns, dhcp, ntp) on hardened network appliances not general purpose computers
- Start addressing and looking at DNSSEC

Steps You Should Take to Remove Rogue DNS Servers

1) Block and log on your firewall any DNS requests to the IP address blocks of the known rogue DNS servers:
- 85.255.112.0 through 85.255.127.255
- 67.210.0.0 through 67.210.15.255
- 93.188.160.0 through 93.188.167.255
- 77.67.83.0 through 77.67.83.255
- 213.109.64.0 through 213.109.79.255
- 64.28.176.0 through 64.28.191.25
2) Investigate each affected source address and use malware removal software
3) Validate DNS requests have ceased via logs
4) Don't allow outbound DNS requests except from your approved DNS servers
5) Validate your PCs, servers and desktops are only using your approved DNS servers (check the FBI PDF file for more info)
6) Confirm that your existing anti-malware programs are actually receiving updates and are not themselves infected
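The detection side of steps 1, 3, 4 and 5 above, as an added example that is not part of the article: a Python script that checks port-53 flows in constructed firewall log lines against the rogue address blocks listed in step 1 and against an assumed set of approved internal resolvers (the 10.0.0.53 / 10.0.1.53 addresses, the log line format and all sample hosts are assumptions made for this example).

```python
import ipaddress
from collections import defaultdict

# Rogue DNS server address blocks, copied as printed in the article's step 1.
ROGUE_DNS_RANGES = [
    ("85.255.112.0", "85.255.127.255"), ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"), ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"), ("64.28.176.0", "64.28.191.25"),
]
# Expand each first..last pair into CIDR networks for fast membership tests.
ROGUE_NETWORKS = [
    net for first, last in ROGUE_DNS_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
]
# Assumed: the organisation's own approved internal resolvers (placeholder addresses).
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}

def is_rogue(addr):
    """True if addr falls inside one of the rogue DNS address blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ROGUE_NETWORKS)

def classify_dns_log(lines):
    """Scan lines of the form '<ts> src=<ip> dst=<ip> dport=<n> proto=<p>' and report,
    per source host, port-53 destinations that are rogue (step 1) or not an approved
    resolver (steps 4 and 5). Approved resolvers' own upstream queries are skipped."""
    findings = {"rogue": defaultdict(set), "unapproved": defaultdict(set)}
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
        if fields.get("dport") != "53":
            continue  # only DNS traffic is of interest here
        src, dst = ipaddress.ip_address(fields["src"]), ipaddress.ip_address(fields["dst"])
        if src in APPROVED_RESOLVERS:
            continue
        if is_rogue(dst):
            findings["rogue"][str(src)].add(str(dst))
        elif dst not in APPROVED_RESOLVERS:
            findings["unapproved"][str(src)].add(str(dst))
    return {k: {s: sorted(v) for s, v in d.items()} for k, d in findings.items()}

# Constructed sample log lines; hosts, timestamps and addresses are made up.
SAMPLE_LOG = [
    "2012-02-10T09:00:01 src=10.0.5.17 dst=85.255.116.45 dport=53 proto=udp",
    "2012-02-10T09:00:02 src=10.0.5.17 dst=64.28.180.9 dport=53 proto=udp",
    "2012-02-10T09:00:03 src=10.0.5.22 dst=10.0.0.53 dport=53 proto=udp",
    "2012-02-10T09:00:04 src=10.0.5.40 dst=198.51.100.53 dport=53 proto=udp",
    "2012-02-10T09:00:05 src=10.0.0.53 dst=198.51.100.1 dport=53 proto=udp",
]
```

Running classify_dns_log(SAMPLE_LOG) flags 10.0.5.17 for two rogue destinations and 10.0.5.40 for querying a resolver that is not on the approved list; each flagged source is a host to investigate under step 2.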

Proactive Steps To Take
  1. Get a firewall with good IDP (Intrusion Detection and Prevention) to detect known malware coming in
  2. Consider PAN WildFire to detect zero day malware coming in
  3. Use a secure DNS appliance for all of your internal DNS requests
  4. Block all other outbound DNS requests except from your DNS server
  5. Validate all port 53 (udp and tcp) traffic from your DNS servers is really DNS traffic (application awareness)
  6. Look for already implanted malware using botnet detection capability

The Good News

It's easier than you think to address this. At Altaware, Inc. we sell, configure, support and service:
- Hardened appliances for DNS / DHCP and DNSSEC
- Next generation firewalls for IDP, known malware, zero day virtual sandboxing, application awareness, port and application validation and botnet detection
- Desktop / server / mobile malware protection and removal software

Other Resources

Good link from Sophos about DNS Changer malware.

Please contact us for more information!
