Most malicious domains have a short lifespan, so DNS greylisting can be a useful tool for defenders

LAS VEGAS – At the BSides Las Vegas conference on Wednesday, a hacker by the name of Munin and his research partner Nik LaBelle are releasing a tool and giving a talk on an interesting concept: DNS greylisting.

The idea isn’t new, but how the process is being applied could help administrators defend their networks from phishing attacks and other threats.

Phishing can be mitigated with blacklists, but that requires that the phishing domain be known to the organization, and by the time that happens it’s too late. Whitelisting works too, but only for organizations that communicate with a limited number of domains.

That’s when Munin came to a realization. The workflow for many phishing attacks requires the victim to make a DNS request that is controllable on the victim’s network, and that request would be sufficiently different from regular traffic to constitute a detectable signal. Combine this with research that suggests most malicious domains are only active for about 24 hours, and a workable layer of protection presents itself.

“This suggests a potential avenue for attack: much like email greylisting takes advantage of bad SMTP sending habits on the part of spammers to mitigate spam, DNS greylisting delays resolution of previously-unseen domains by [user configurable, but by default] 24 hours to mitigate phishing attacks,” Munin explained to Salted Hash. “This means most phishing links will refuse to resolve for long enough that the [person conducting the phishing attack] will have moved on to easier targets. Additionally, by logging these requests, the administrators can see spikes in requests to previously-unseen domains – allowing them notification of potential issues before they become issues.”

Moreover, when Munin and LaBelle did some additional research to discover ways to tighten their tool and avoid potential workarounds, they discovered some interesting facts concerning ransomware.

“Ransomware infectors also need to ‘call home’ to C&C servers to send the keys, and the domains they use for this call-home change, algorithmically, on a schedule of hours. This suggests that greylisting will work to mitigate, and possibly neutralize, many ransomware infections – and the more advanced they are, the better this works on them,” Munin explained.

Overall, he added, the point of greylisting is to offer defenders a way to force attackers to work on their schedule – not the other way around.
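The mechanism the article describes (refuse resolution of a domain the network has never seen until a configurable grey period, 24 hours by default, has elapsed; log the refused lookups and watch for spikes) can be sketched as a small decision engine. The following is an added example written for this page, not Munin and LaBelle's tool, and it makes two assumptions that are labelled in the code: query names are collapsed to their last two labels (a real resolver would consult the Public Suffix List), and the sample query log, client addresses and domain names are constructed for illustration.

```python
"""Added example: a minimal DNS greylist decision engine modelled on the
approach described in the article (not the authors' tool)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple

DEFAULT_GREYLIST_SECONDS = 24 * 60 * 60  # the article's default grey period


def registrable_domain(qname: str) -> str:
    """Collapse a query name to its last two labels.

    Assumed simplification: a production resolver would use the Public
    Suffix List so that e.g. 'example.co.uk' is one registrable domain.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


@dataclass
class DnsGreylist:
    delay_seconds: int = DEFAULT_GREYLIST_SECONDS  # user-configurable grey period
    spike_window_seconds: int = 3600               # trailing window for the spike alert
    spike_threshold: int = 20                      # refused lookups per window that count as a spike
    allowlist: Set[str] = field(default_factory=set)                # domains exempt from greylisting
    first_seen: Dict[str, int] = field(default_factory=dict)        # base domain -> first-seen epoch seconds
    refused: Deque[Tuple[int, str]] = field(default_factory=deque)  # (ts, qname) of greylisted lookups

    def decide(self, qname: str, now: int) -> str:
        """Return "ALLOW" or "GREYLIST" for one query arriving at epoch time `now`."""
        base = registrable_domain(qname)
        if base in self.allowlist:
            return "ALLOW"
        seen = self.first_seen.setdefault(base, now)  # records first sighting if new
        if now - seen < self.delay_seconds:
            # Previously unseen, or still inside the grey period: refuse and log it.
            self.refused.append((now, qname.rstrip(".").lower()))
            return "GREYLIST"
        return "ALLOW"

    def refused_in_window(self, now: int) -> int:
        """Count greylisted lookups in the trailing window, evicting older entries."""
        cutoff = now - self.spike_window_seconds
        while self.refused and self.refused[0][0] < cutoff:
            self.refused.popleft()
        return len(self.refused)

    def spike(self, now: int) -> bool:
        """True when refused lookups in the window reach the alert threshold."""
        return self.refused_in_window(now) >= self.spike_threshold


def replay_query_log(lines: List[str], greylist: DnsGreylist) -> List[Tuple[int, str, str, bool]]:
    """Replay '<epoch> <client> <qname>' log lines; yield (ts, qname, decision, spike)."""
    out = []
    for line in lines:
        ts_text, _client, qname = line.split()
        ts = int(ts_text)
        decision = greylist.decide(qname, ts)
        out.append((ts, qname, decision, greylist.spike(ts)))
    return out


# Constructed sample log (hypothetical hosts and names): a known domain, a
# phishing-style lookalike hit by three clients within a minute, two
# hourly-changing call-home names, and the known domain again a day later.
SAMPLE_LOG = [
    "1000000 10.0.0.5 www.example.com.",
    "1000060 10.0.0.7 login-example-secure.test.",
    "1000075 10.0.0.8 login-example-secure.test.",
    "1000090 10.0.0.9 login-example-secure.test.",
    "1003600 10.0.0.9 a7f3k2.test.",
    "1007200 10.0.0.9 q9x1m4.test.",
    "1086400 10.0.0.5 www.example.com.",
]


def run_sample() -> Dict[str, object]:
    """Replay the constructed log with a low spike threshold and summarise."""
    greylist = DnsGreylist(spike_threshold=3)
    results = replay_query_log(SAMPLE_LOG, greylist)
    allowed = sum(1 for _, _, decision, _ in results if decision == "ALLOW")
    return {
        "allowed": allowed,
        "greylisted": len(results) - allowed,
        "spike_times": [ts for ts, _, _, spiked in results if spiked],
    }


if __name__ == "__main__":
    print(run_sample())
```

Two things the replay shows that the prose only states: the first lookup of `www.example.com` is refused and the same name is allowed once 24 hours have passed, so legitimate but unfamiliar domains cost one delayed visit rather than being blocked; and the three lookups of the lookalike name within a minute trip the spike alert, while the hourly-changing names never age out of the grey period because each one is new. An allowlist of domains the organization already depends on keeps the grey period from interfering with known traffic.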