ISPs Can Deter Botnets Using a Reverse IP/DNS Lookup Tool

The 2016 distributed denial-of-service (DDoS) attack on Dyn, one of the largest domain registrars, revealed a new generation of botnets.

15:01 25 February 2020

Traditionally, botnets consist only of a network of compromised computers. Dyn’s case was different as the attackers also used infected Internet of things (IoT) devices as part of their botnet. Smart TVs, radios, cameras, and baby monitors were among those used in the attack.

Whatever the makeup of the botnet, however, one thing remains consistent: Most of the time, device owners have no idea that their devices have been hacked and used in spamming activities and DDoS attacks. But there’s someone who can detect suspicious activities and do something about them, and that is the Internet service provider (ISP).

In this post, we explored how a reverse IP/DNS lookup tool can help ISPs track bot activity and deter DDoS attacks and other forms of cybercrime that botnets are involved in. But first, let’s take a look at the latest botnet-related incidents.

The Current Botnet Landscape

The most recent developments in the botnet landscape are quite alarming. Experts found that the number of botnets used to distribute versatile malware such as remote access Trojans (RATs) doubled in 2018. Devices infected with this type of malware can fall under the complete control of threat actors, allowing them to do anything they want to the systems.

Researchers believe that financial gain is the primary motivation behind the use of multipurpose or versatile malware such as RATs. Also, botnets are quite expensive, that is why they are used for various purposes and paired with RATs. That way, their owners can make enough money to cover what we can consider “overhead costs.”

Botnets can come equipped with a host of functions, including spam sending, malware distribution, and DDoS attack capabilities. While this ability allows botnet owners to switch business models, it also opens an opportunity for passive income as botnet owners can rent out their tools to other criminals.

There are so many ways by which cybercriminals can program botnets. In fact, more than half of the botnet web traffic has ties to malicious activities. But it isn’t impossible to discern between real and botnet traffic, especially for ISPs that employ reverse IP/DNS lookup tools.

How ISPs Can Use Reverse IP/DNS Lookup to Spot Malicious Traffic 

If there’s anyone who knows firsthand what regular, non-malicious Internet traffic looks like, that would be an ISP. And as is often said, knowing the enemy is half the battle. ISPs can not recognize malicious traffic but also pinpoint what IP addresses are involved. They can then perform a reverse IP/DNS lookup to see all domains associated with each IP address to identify compromised device owners. Because they would likely have these owners’ names on record, they can quickly contact them to address the issue.

To clarify things some more, let’s look at a concrete example. We ran 193[.]70[.]43[.]220 on Reverse IP/DNS API. Note that this IP address had been reported 3,776 times on AbuseIPDB as of this writing for ties to malicious activity. The API returned two associated domains—vps651295[.]ovh[.]net and 220[.]19-193-71-43[.]eu.

At this point, an ISP can take any or all of the following next steps:

• Communication: Since most, if not all, the domains used in DDoS attacks are legitimate but compromised, the ISP can get in touch with their owners and their hosting providers to let them know that suspicious traffic is originating from their IP addresses.
  
  

• Investigation: The ISP can inspect the domains further by checking if any of them are part of publicly available blacklists. If it finds proof of wrongdoing, blocking them is an option.
  
  

• Prevention: If the ISP detects abnormal traffic activity, it can temporarily block access to and from suspicious IP addresses. That way, if the unusual traffic has anything to do with an ongoing DDoS attack, the ISP effectively thwarted the attempt.
  
  

Final Words

With the help of reverse IP/DNS lookups, ISPs can disrupt hacking attempts and other more damaging attacks like DDoS campaigns. While it’s understandable why ISPs can’t just block IP addresses that deviate from typical Internet activities because doing so can lead to revenue loss, they must weigh the consequences of being lax and allowing even the most suspicious traffic to go through.

Reverse IP/DNS lookup solutions can help them strike a balance. When integrated into existing security systems, it can strengthen their cybersecurity infrastructure while allowing them to protect their clients from becoming part of a botnet.

About the Author

Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API family, a trusted intelligence vendor by over 50,000 clients.