
Unknown dynamic DNS provider traffic

ID: unknown_dynamic_dns
Data type: DNS, HTTP
Severity: Low - High
MITRE ATT&CK: TA0011:T1071 (Command and Control: Application Layer Protocol)

Description

AlphaSOC detected network traffic to a Dynamic DNS (DDNS) provider that is not on its list of commonly used services. DDNS has many legitimate uses (home labs, remote cameras, small offices without a static IP), but threat actors abuse it for command and control (C2) because a DDNS hostname can be re-pointed to a new IP address within seconds. This lets an adversary rotate infrastructure faster than IP-based blocklists can follow, hide the real hosting behind a throwaway hostname, and set up and tear down C2 endpoints quickly. DDNS is attractive to threat actors because it is cheap or free, easy to automate, hard to attribute, and effective at evading controls.

Impact

DDNS abuse lets threat actors maintain persistent access to compromised systems, evade detection, and move their infrastructure rapidly. This flexibility allows adversaries to run long-term campaigns, exfiltrate data, and deploy additional malware while remaining undetected. Because the IP behind a DDNS hostname keeps changing, blocking resolved addresses is rarely enough, which complicates incident response and makes containment harder.

Severity

Severity    Condition
Low         Traffic associated with unusual DDNS providers
Medium      High volume traffic
Medium      Traffic exhibiting beaconing behavior
High        Traffic to a blocklisted domain or IP

Investigation and Remediation

Investigate the source host and the queried DDNS hostname to determine whether the traffic is legitimate: identify the user and process making the queries, and confirm whether the hostname is a known, sanctioned target (for example a remote-access or monitoring host). Review DNS and HTTP logs for the hostname to identify unusual patterns, such as regular beaconing intervals, a query volume out of proportion to normal use, or a resolved IP that changes frequently. If unauthorized or suspicious DDNS usage is confirmed, isolate the affected systems, block the associated hostnames (not only the currently resolved IPs, since those will change), and conduct a thorough forensic analysis to identify the initial compromise and the extent of any malicious activity.
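The following added example (not AlphaSOC code) shows how the severity conditions in the table above and the log review described here can be applied to DNS query logs. The provider zones, the blocklist entry, the thresholds, and the log lines are all constructed for illustration; a production implementation would use a maintained provider list and tuned thresholds.

```python
"""Score DDNS lookups against the severity conditions: blocklisted -> High,
high volume or beaconing -> Medium, otherwise Low.

Added example, not AlphaSOC code. Zones, blocklist, thresholds and sample
log lines are assumptions made for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Illustrative DDNS provider zones (assumption, not AlphaSOC's provider list).
DDNS_ZONES = ("duckdns.org", "no-ip.org", "hopto.org", "dyndns.org")

# Constructed blocklist entry for the example; not a real indicator.
BLOCKLIST = {"bad-host.hopto.org"}

HIGH_VOLUME = 50          # queries per (source, hostname) pair (assumed)
MIN_BEACON_QUERIES = 6    # minimum samples before judging regularity
MAX_JITTER = 0.2          # stdev/mean of query gaps below this = beaconing

# Assumed log format: "<iso-timestamp> <source-ip> <query-name>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def ddns_zone(qname):
    """Return the DDNS zone a query name belongs to, or None if it is not DDNS."""
    q = qname.lower().rstrip(".")
    for zone in DDNS_ZONES:
        if q == zone or q.endswith("." + zone):
            return zone
    return None


def parse_log(lines):
    """Group query timestamps by (source ip, hostname), keeping DDNS names only."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        ts, src, qname = m.groups()
        if ddns_zone(qname):
            seen[(src, qname.lower().rstrip("."))].append(datetime.fromisoformat(ts))
    return seen


def is_beaconing(timestamps):
    """Beaconing: enough queries at near-constant intervals (low jitter)."""
    if len(timestamps) < MIN_BEACON_QUERIES:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False
    return statistics.pstdev(gaps) / mean < MAX_JITTER


def severity(qname, timestamps):
    """Map one (source, hostname) observation onto the severity table."""
    if qname in BLOCKLIST:
        return "High"
    if len(timestamps) >= HIGH_VOLUME or is_beaconing(timestamps):
        return "Medium"
    return "Low"


def score(lines):
    """Return {(source ip, hostname): severity} for every DDNS host seen."""
    return {key: severity(key[1], stamps) for key, stamps in parse_log(lines).items()}


# Constructed sample log: one blocklisted host, one 60-second beacon,
# one irregular low-volume host, and one non-DDNS query that is ignored.
SAMPLE_LOG = [
    "2024-01-01T08:00:00 10.0.0.5 bad-host.hopto.org",
    "2024-01-01T08:05:00 10.0.0.5 bad-host.hopto.org",
    "2024-01-01T08:00:00 10.0.0.9 nas.no-ip.org",
    "2024-01-01T11:37:00 10.0.0.9 nas.no-ip.org",
    "2024-01-01T08:00:00 10.0.0.9 www.example.com",
] + [f"2024-01-01T08:{m:02d}:00 10.0.0.7 cam1.duckdns.org" for m in range(8)]


if __name__ == "__main__":
    for (src, host), sev in sorted(score(SAMPLE_LOG).items()):
        print(f"{sev:6} {src:10} {host}")
```

The beaconing test uses the coefficient of variation of the inter-query gaps, so a host that polls every 60 seconds scores as Medium even at low volume, while the same number of queries at random intervals stays Low. The blocklist check runs first because it is the only condition that is High regardless of pattern.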