DNS blackhole

What is a DNS Blackhole?

April 28, 2016

Malware is a tricky creature. We despise its pervasiveness, marvel at its cleverness, and often have nightmares about its effects. Unfortunately, the malware problem is only expected to multiply. That is, unless we do something serious about it. With Gartner predicting that 6.8 billion connected devices will be in use this year, or 2.5 devices per person (a 30 percent jump from last year), sophisticated malware attacks will likely start popping up on everything from critical infrastructure to smartphones, medical devices and even cars.

It’s a playground out there for attackers, with threats coming from many sources and sneaking past even the most informed users’ defenses. If you don’t know how to eradicate malware from your network once it gets in (because let’s face it – it’s not a question of if, but when the malware will get in), now is the time to learn.

Because most defenses are aimed at trying to prevent malware from coming in, companies are often not prepared to deal with it when it does get in. Containing it and eradicating it across an entire network calls for a very different approach. This is where a DNS blackhole like Strongarm can come in handy.

How a DNS Blackhole Works

Once malware lands on your systems, its first job is to “phone home” to its command and control (C2) servers and check in with the attacker. Once the attacker confirms they have control, they move on to taking over your systems and stealing credit card numbers, intellectual property and customer data. But if a blackhole is in place, the malware cannot reach its controller and is effectively neutralized. One caveat worth stating up front: a DNS blackhole only helps when the malware locates its C2 by domain name through your resolvers. An implant that carries hard-coded IP addresses, or that talks to its own resolver over an encrypted channel, never asks your DNS and so never hits the blackhole.

Also referred to as a “sinkhole,” a DNS blackhole works by answering DNS queries for known-malicious domains with an address you control, so that the malware’s traffic lands in a trap instead of at the attacker. There are two main approaches a blackhole can take with the traffic it intercepts:

  • Simply block the “phone home”, so the malware cannot receive instructions and is stopped from continuing on its path to invade, hold hostage, or destroy; or
  • Block it, but then carry on the conversation with the malware.

The latter approach is the more effective one for eradicating malware from your network, because the longer the blackhole is able to keep communicating with the infected host after it has been intercepted, the more it can learn about where that host is and what the malware is trying to do. With that information, it is possible to develop a more effective and directed response.

This is exactly what Strongarm’s cloud-based DNS blackhole does. Unlike other blackholes, Strongarm’s actually speaks malware, meaning it can continue communicating with the malware long after it has been intercepted. By intercepting the malware’s communications, the blackhole can gather data from the victim to determine exactly where it is, what it is trying to do, and what parts of your system may be affected. Armed with this information, businesses can pinpoint the infection’s exact location(s), eradicate it and prevent it from doing damage.
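As an added illustration of the “carry on the conversation” approach (example code written for this article, not Strongarm’s implementation), the listener below receives whatever an infected host sends once a blocked name has resolved to the sinkhole address. Because every blocked domain points at the same listener, the HTTP Host header is what tells you which C2 domain the implant wanted, the client IP tells you which machine is infected, and the request body often carries the implant’s own victim identifier. The sample beacon, the bind address and the generic 200 reply are constructed assumptions; a family-specific emulator would answer with the commands that particular implant expects.

```python
import socketserver
from datetime import datetime, timezone

# Assumption: every blocked name resolves to this one sinkhole address, so the
# Host header (not the destination IP) identifies which C2 domain was wanted.
SINKHOLE_BIND = ("127.0.0.1", 8080)


def parse_beacon(raw):
    """Parse the first HTTP request a callback sends.

    Returns a dict of the fields that identify the infection, or None when the
    bytes are not HTTP (many implants use raw TCP or TLS; we still log those).
    """
    try:
        head, _, body = raw.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        method, path, version = lines[0].split(" ", 2)
    except ValueError:
        return None
    if not version.startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path,
            "host": headers.get("host", ""),
            "user_agent": headers.get("user-agent", ""),
            "body": body[:256]}


def victim_record(client_ip, raw, seen_at=None):
    """Combine the network source with the beacon contents: the client IP
    locates the infected machine, the Host header names the campaign."""
    beacon = parse_beacon(raw)
    if beacon is None:
        # Not HTTP: keep a hex sample of the first bytes for later analysis.
        return {"client": client_ip, "protocol": "unknown",
                "sample": raw[:64].hex(), "seen_at": seen_at}
    return {"client": client_ip, "protocol": "http",
            "c2_domain": beacon["host"], "path": beacon["path"],
            "user_agent": beacon["user_agent"], "body": beacon["body"],
            "seen_at": seen_at}


def sinkhole_reply(beacon):
    """A generic 200 keeps most HTTP implants polling instead of erroring out
    or falling back to a secondary channel. `beacon` is available here for a
    protocol-specific emulator (assumption: an empty body is a no-op for the
    implant being emulated)."""
    body = b""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body)) + body


class SinkholeHandler(socketserver.BaseRequestHandler):
    records = []  # shared log of every connection the sinkhole sees

    def handle(self):
        raw = self.request.recv(65535)
        rec = victim_record(self.client_address[0], raw,
                            datetime.now(timezone.utc).isoformat())
        self.records.append(rec)
        print(rec)
        self.request.sendall(sinkhole_reply(parse_beacon(raw)))


# Constructed sample beacon, modelled on a typical HTTP check-in.
SAMPLE_BEACON = (b"POST /gate.php HTTP/1.1\r\nHost: evil-c2.example\r\n"
                 b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
                 b"Content-Length: 23\r\n\r\nid=WKS-042&os=win10&v=3")

if __name__ == "__main__":
    print(victim_record("192.0.2.10", SAMPLE_BEACON))
    with socketserver.TCPServer(SINKHOLE_BIND, SinkholeHandler) as srv:
        srv.serve_forever()
```

Run stand-alone it prints the parsed sample record and then listens on 127.0.0.1:8080; point any HTTP client at it to see a live record. The useful output is the record list, not the reply: the `client` field is where you go to clean up, and `c2_domain` plus `path` tell you which family or campaign you are dealing with.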

How a Blackhole Knows What to Contain

So how does a DNS blackhole like Strongarm’s know which domains to block and contain? We pay attention to where attackers are setting up their infrastructure and then use that information to take control of the malware when it tries to “phone home”. The moment a victim looks up the name of its controller, the query is answered with the blackhole’s address, so the connection goes to the blackhole for analysis instead of to the attacker’s systems where they could complete their malicious deeds.
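The resolver side of this, as an added example written for this article (not Strongarm’s code), is a small blocklist-driven DNS responder: it parses an A query off the wire, matches the name against the blocklist (including parent domains, so a beacon to update.evil-c2.example is caught by an entry for evil-c2.example), and answers blocked names with the sinkhole address while recording which internal host asked. The blocklist entries, the sinkhole address 10.0.0.53 and the upstream lookup table are constructed assumptions; a real deployment loads the list from its feeds and forwards unmatched queries to an upstream resolver.

```python
import socket
import struct

# Assumption: the blackhole listener lives here; hosts resolving a blocked
# name get this address instead of the attacker's.
SINKHOLE_IP = "10.0.0.53"

# Constructed blocklist for illustration. A real deployment loads this from
# curated feeds and refreshes it continuously.
BLOCKLIST = {"evil-c2.example", "dropper.example.net"}

# Constructed stand-in for forwarding to an upstream resolver, so the
# example runs offline.
UPSTREAM = {"www.example.com": "93.184.216.34"}

QTYPE_A = 1


def is_blocked(qname, blocklist=BLOCKLIST):
    """True if the name or any parent of it is listed."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(qname, txid=0x1234, qtype=QTYPE_A):
    """Build a standard recursive query, as a stub resolver would send it."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (txid, qname, qtype, raw question section)."""
    txid = struct.unpack("!H", packet[:2])[0]
    off, labels = 12, []
    while packet[off]:
        n = packet[off]
        labels.append(packet[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1  # terminating zero-length label
    qtype = struct.unpack("!H", packet[off:off + 2])[0]
    off += 4  # qtype + qclass
    return txid, ".".join(labels), qtype, packet[12:off]


def build_response(txid, question, ip=None, rcode=0):
    """Response with QR/RD/RA set and one A record when ip is given."""
    flags = 0x8180 | rcode
    header = struct.pack("!6H", txid, flags, 1, 1 if ip else 0, 0, 0)
    rr = b""
    if ip:
        # 0xC00C is a compression pointer to the name at offset 12 (the
        # question). Short TTL so the client re-asks once the list changes.
        rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 30, 4) + socket.inet_aton(ip)
    return header + question + rr


def handle_query(packet, client_ip, log, blocklist=BLOCKLIST, upstream=UPSTREAM):
    """Decide the answer for one query and record who asked for what.
    Returns the wire-format response."""
    txid, qname, qtype, question = parse_query(packet)
    if qtype == QTYPE_A and is_blocked(qname, blocklist):
        log.append({"client": client_ip, "qname": qname, "action": "sinkholed"})
        return build_response(txid, question, SINKHOLE_IP)
    ip = upstream.get(qname.lower()) if qtype == QTYPE_A else None
    if ip:
        log.append({"client": client_ip, "qname": qname, "action": "forwarded"})
        return build_response(txid, question, ip)
    log.append({"client": client_ip, "qname": qname, "action": "nxdomain"})
    return build_response(txid, question, rcode=3)


def answer_ip(response):
    """Address in the single A record of a response built above, or None."""
    ancount = struct.unpack("!H", response[6:8])[0]
    return socket.inet_ntoa(response[-4:]) if ancount else None


def infected_hosts(log):
    """Hosts whose queries were sinkholed: where the cleanup starts."""
    return sorted({e["client"] for e in log if e["action"] == "sinkholed"})


if __name__ == "__main__":
    log = []
    # Constructed sample traffic: two workstations, one of them infected.
    for client, name in [("192.0.2.10", "update.evil-c2.example"),
                         ("192.0.2.11", "www.example.com"),
                         ("192.0.2.10", "dropper.example.net")]:
        resp = handle_query(build_query(name), client, log)
        print(client, name, "->", answer_ip(resp), log[-1]["action"])
    print("infected:", infected_hosts(log))
```

The log is the point of the exercise: the resolver sees the source address of every query, so a sinkholed lookup names the infected host directly, before any connection to the sinkhole even happens. Note that this only works if the query reaches your resolver; hosts configured to use an outside resolver, or malware that resolves names through its own channel, will not show up here.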

At Strongarm, it’s our job to continuously add new lists and domains to our blackhole so that customers can stay ahead of today’s threats without having to worry about tracking them manually, or worse, doing nothing at all. We do this by leveraging the major open source lists of known malicious domains, domains discovered by our research team, and intelligence provided through our partner network.

We believe that the soundest approach to the malware problem is to build a strong defense not only at the perimeter but inside the network as well. Deploying a DNS blackhole adds a layer of protection that still works after malware has already made a victim of you.

Want to see the Strongarm DNS blackhole in action?
Sign up for a free account
and we’ll walk you through how Strongarm pinpoints, disarms, and removes malware.