Researcher releases DNS Greylisting tool for Phishing defense

Most malicious domains have a short lifespan, so DNS greylisting can be a useful tool for defenders

LAS VEGAS - At the BSides Las Vegas conference on Wednesday, a hacker by the name of Munin and his research partner, Nik LaBelle, are releasing a tool and giving a talk on an interesting concept: DNS Greylisting.

The idea isn't new, but how the process is being applied could help administrators defend their networks from Phishing attacks and other threats.

Phishing can be mitigated with blacklists, but that requires that the Phishing domain be known to the organization, and by the time that happens, it's too late. Whitelisting works too, but only for organizations that communicate with a limited number of domains.

That's when Munin came to a realization. The workflow for many Phishing attacks requires the victim to make a DNS request that is controllable on the victim's network, and would be sufficiently different from regular traffic, constituting a detectable signal.

Combine this with research that suggests most malicious domains are only active for about 24 hours, and a workable layer of protection presents itself.

"This suggests a potential avenue for attack: much like email greylisting takes advantage of bad SMTP sending habits on the part of spammers to mitigate spam, DNS greylisting delays resolution of previously-unseen domains by [user configurable, but by default] 24 hours to mitigate phishing attacks," Munin explained to Salted Hash.

"This means most phishing links will refuse to resolve for long enough that the [person conducting the Phishing attack] will have moved on to easier targets. Additionally, by logging these requests, the administrators can see spikes in requests to previously-unseen domains - allowing them notification of potential issues before they become issues."

Moreover, when Munin and LaBelle did some additional research to discover ways to tighten their tool and avoid potential workarounds, they discovered some interesting facts concerning Ransomware.

"Ransomware infectors also need to 'call home' to C&C servers to send the keys, and the domains they use for this call-home change, algorithmically, on a schedule of hours. This suggests that greylisting will work to mitigate, and possibly neutralize, many ransomware infections - and the more advanced they are, the better this works on them," Munin explained.

Overall, he added, the point of Greylisting is to offer defenders a way to force attackers to work on their schedule – not the other way around.
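The greylisting decision described above, sketched as an added example (not foghorn's code and not from Munin or LaBelle): a resolver-side policy that records when each name was first queried, refuses to resolve it until the configured delay has passed, and logs refusals so spikes of previously-unseen names can be reviewed. The class, function names and sample queries are hypothetical and constructed for illustration.

```python
import time

DAY = 24 * 60 * 60  # default greylist delay from the article: 24 hours

def normalize(name):
    """Lower-case a queried name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


class Greylist:
    """First-seen tracking per queried name (hypothetical design, in-memory only)."""

    def __init__(self, delay=DAY, allowlist=()):
        self.delay = delay
        self.allowlist = {normalize(d) for d in allowlist}
        self.first_seen = {}    # name -> epoch seconds of its first query
        self.deferred_log = []  # (timestamp, name) for every refused query

    def _allowlisted(self, name):
        # Match an allowlisted domain itself or any subdomain of it.
        return any(name == d or name.endswith("." + d) for d in self.allowlist)

    def decide(self, name, now=None):
        """Return 'RESOLVE' or 'DEFER' for one query made at time `now`."""
        now = time.time() if now is None else now
        name = normalize(name)
        if self._allowlisted(name):
            return "RESOLVE"
        seen = self.first_seen.setdefault(name, now)
        if now - seen >= self.delay:
            return "RESOLVE"
        self.deferred_log.append((now, name))
        return "DEFER"

    def new_names_since(self, since):
        """Count names first seen at or after `since`; a jump here is the spike signal."""
        return sum(1 for t in self.first_seen.values() if t >= since)

# Constructed sample queries: (epoch seconds, queried name).
SAMPLE = [
    (0, "intranet.example.com."),            # allowlisted, resolves at once
    (10, "login-portal.example.net"),        # never seen before, deferred
    (3600, "LOGIN-PORTAL.example.net"),      # same name an hour later, still deferred
    (DAY + 10, "login-portal.example.net"),  # delay has elapsed, resolves
]


def replay(queries, greylist):
    return [greylist.decide(name, now) for now, name in queries]
```

A real deployment would persist `first_seen` across restarts and decide whether to key on the full queried name or the registered domain; this sketch keys on the full name.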

Salted Hash sat down with Munin to talk about his Greylisting tool (foghorn) and to get a general overview of his talk. Check it out in Episode 3 of the Salted Hash video series.