Using Passive DNS to Avoid Collateral Damage During Takedowns and Seizures

Passive DNS methods, including those enabled by Farsight Security's DNSDB, represent extraordinarily powerful tools in the fight against online criminal activity. Passive DNS makes it easy for law enforcement agencies to "flip over all the online rocks" under which criminals may try to hide. This is a well-understood classic use case for Passive DNS.

At the same time, Passive DNS methods should also be used (a) to help protect innocent third parties from collateral damage, and (b) to thereby help protect investigators and Law Enforcement Officers (LEOs) themselves.

That is, while civil investigators and LEOs are obliged to aggressively tackle cyber criminals (and Farsight applauds and fully supports their efforts to do so), civil investigators and LEOs have a second, equally important duty. This second duty is to make sure that their online operations are narrowly and precisely targeted, thereby avoiding harm to innocent third parties whenever possible. This is no different from the responsibility a police officer has to use good judgment and careful marksmanship if and when they have to draw their duty weapon.

Because of the visibility that Passive DNS provides, proactive use of Passive DNS can act as insurance against unexpected "online minefields," thereby reducing or eliminating the possibility of collateral damage, negative publicity, and costly settlements. When officers are properly trained to routinely check Passive DNS prior to executing takedowns or seizures, potentially expensive mistakes can be avoided before they accidentally occur.

Performing Passive DNS checks prior to conducting a takedown or seizing a system is quickly becoming the new de facto standard of professional care and due diligence.

Are you using Passive DNS to ensure that your officers and your agency stay safe and avoid problems when conducting online operations against cyber criminals? You should be.

IP Addresses: Investigate, Corroborate

Before taking action against a particular IP address, an officer should first check the Passive DNS data to identify the domain names known to be using that IP address. In the simplest of cases, only a single domain name may be associated with that IP. If that domain name is in fact the domain name targeted for agency attention, collateral damage considerations may be de minimis.

Many times, however, there may be multiple domain names sharing an IP address. When that is the case, an officer must carefully check to ensure that ALL domains associated with that shared IP address are ones consistent with the anticipated agency action. This due diligence is essential today because shared IPv4 addresses may host a mix of sites, some entirely legitimate, as well as others that are clearly not. For example, an IP address might be used by web sites for a small furniture maker, a local softball team, a community theatre troupe, a chiropractic clinic, etc., but also by a site selling scheduled controlled substances (e.g., narcotics or other dangerous drugs) without a prescription.

If a law enforcement agency takes action against a shared IP address in a good faith effort to take down that illegal drug site, they may also take down all the other innocent sites that happen to share that same IP address. (This would be akin to a police agency seizing an entire 100 unit apartment complex simply because one apartment was being used by a drug ring.)

Of course, a single IP address might have multiple domain names associated with it, but ALL of those domain names might be dedicated to various nefarious activities. In that case, taking action against that IP would be both consistent and efficient as a means of dealing with that illegal behavior.

What About Operations Targeting A Domain Name?

When targeting a domain name, civil investigators or LEOs should check Passive DNS to ensure that the domain name isn't in use by large numbers of subdomains. That is, some online businesses offer free or low cost web hosting for sites under a domain name owned by the business itself, rather than requiring each customer to register and use a domain name of their own. In some instances, there may be hundreds or even thousands of individual web sites hosted under a single shared domain name. If a shared domain name of that sort is taken down, collateral damage may be widespread and result in significant negative publicity, just as in the shared-IP case previously discussed.

Agency action against a domain name that is also used for authoritative name servers is another area where special care should be taken. For example, imagine hypothetical name servers ns{1,2} hosted under a domain targeted for action. If that domain were to be summarily seized or taken offline, that might take ns{1,2} down with it, AND with them any and all of the other domains that rely on those name servers for resolution. Dependencies of this sort are easy to identify in Farsight Security's DNSDB using Passive DNS methods, but only if investigators check before taking action.

Finally, DNSDB lets an analyst see how busy a domain actually is. If a domain is largely moribund, there may be little point in taking action against it at all; on the other hand, if a domain is clearly very busy, that is a warning sign that additional due diligence and analysis should take place before any action is taken.
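The shared-IP check described under "IP Addresses: Investigate, Corroborate" and the subdomain, name-server-dependency and activity checks described in this section can all be scripted once the relevant Passive DNS records have been pulled. The Python below is an added example, not Farsight's code or a DNSDB client. It assumes the records have already been exported and flattened into dicts using DNSDB-style field names (rrname, rrtype, rdata, count, time_last); every name, address, count and threshold in it is constructed for illustration and uses only reserved documentation names and addresses.

```python
"""Collateral-damage pre-checks over Passive DNS data.

Added example, not Farsight's code or DNSDB client. Assumes records were
exported and flattened into dicts with DNSDB-style fields (rrname, rrtype,
rdata, count, time_last). All names, addresses and counts are constructed.
"""

LAST = 1700000000  # constructed "recently seen" timestamp (epoch seconds)


def rec(rrname, rrtype, rdata, count, time_last=LAST):
    return {"rrname": rrname, "rrtype": rrtype, "rdata": rdata,
            "count": count, "time_last": time_last}


# Constructed sample records (documentation-reserved names/addresses only).
SAMPLE_RECORDS = [
    # One IPv4 address shared by innocent sites and the actual target.
    rec("furniture.example.", "A", "192.0.2.10", 1200),
    rec("softball.example.", "A", "192.0.2.10", 300),
    rec("pills-no-rx.example.", "A", "192.0.2.10", 90000),
    # A second address used by the target alone.
    rec("pills-no-rx.example.", "A", "198.51.100.7", 5000),
    # The target also runs nameservers that a third-party zone depends on.
    rec("ns1.pills-no-rx.example.", "A", "198.51.100.53", 700),
    rec("pills-no-rx.example.", "NS", "ns1.pills-no-rx.example.", 60),
    rec("theatre.example.", "NS", "ns1.pills-no-rx.example.", 400),
    rec("theatre.example.", "NS", "ns2.pills-no-rx.example.", 400),
    # A free-hosting domain with many customer sites as subdomains.
    rec("www.freehost.example.", "A", "203.0.113.1", 800),
    # A moribund domain: barely seen, and not since 2017.
    rec("old-scam.example.", "A", "192.0.2.99", 3, time_last=1500000000),
] + [rec(f"shop{i}.freehost.example.", "A", f"203.0.113.{10 + i}", 40)
     for i in range(1, 13)]


def _norm(name):
    """Lower-case with one trailing dot, so 'Foo.Example' == 'foo.example.'."""
    return name.lower().rstrip(".") + "."


def _under(name, zone):
    """True if name is zone itself or any name below it."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def domains_on_ip(records, ip):
    """Every name seen resolving (A/AAAA) to ip: the 'apartments' in the building."""
    return sorted({_norm(r["rrname"]) for r in records
                   if r["rrtype"] in ("A", "AAAA") and r["rdata"] == ip})


def collateral_on_ip(records, ip, targets):
    """Names on ip that are NOT approved targets, i.e. what an IP-level action also hits."""
    approved = {_norm(t) for t in targets}
    return [n for n in domains_on_ip(records, ip) if n not in approved]


def subdomains_of(records, domain):
    """Distinct names strictly below domain (the shared-hosting case)."""
    return sorted({_norm(r["rrname"]) for r in records
                   if _under(r["rrname"], domain)
                   and _norm(r["rrname"]) != _norm(domain)})


def ns_dependents(records, domain):
    """Third-party zones whose NS records point at a nameserver under domain."""
    return sorted({_norm(r["rrname"]) for r in records
                   if r["rrtype"] == "NS" and _under(r["rdata"], domain)
                   and not _under(r["rrname"], domain)})


def activity(records, domain):
    """(total observation count, latest time_last) for domain and everything under it."""
    hits = [r for r in records if _under(r["rrname"], domain)]
    return sum(r["count"] for r in hits), max((r["time_last"] for r in hits), default=0)


def precheck(records, targets, ip=None, domain=None,
             many_subdomains=10, stale_before=1577836800):
    """Checks to run before acting on an IP or domain. Empty list == no exposure found.
    The two thresholds are illustrative judgment calls, not established values."""
    warnings = []
    if ip:
        others = collateral_on_ip(records, ip, targets)
        if others:
            warnings.append(f"{ip} also serves {len(others)} non-target name(s): "
                            + ", ".join(others))
    if domain:
        subs = subdomains_of(records, domain)
        if len(subs) >= many_subdomains:
            warnings.append(f"{domain} has {len(subs)} subdomains; likely shared hosting")
        deps = ns_dependents(records, domain)
        if deps:
            warnings.append(f"{len(deps)} third-party zone(s) delegate to nameservers "
                            f"under {domain}: " + ", ".join(deps))
        total, last = activity(records, domain)
        if last < stale_before:
            warnings.append(f"{domain} looks moribund (count {total}, last seen {last})")
    return warnings


if __name__ == "__main__":
    for line in precheck(SAMPLE_RECORDS, ["pills-no-rx.example"],
                         ip="192.0.2.10", domain="pills-no-rx.example"):
        print("WARNING:", line)
```

Run against the constructed data with `pills-no-rx.example` as the only approved target, the script flags two problems: the shared address 192.0.2.10 also serves `furniture.example` and `softball.example`, and `theatre.example` delegates to name servers under the target domain, so seizing the domain would break a third party's resolution. Acting on 198.51.100.7 instead produces no warnings, which is the narrowly targeted outcome the text argues for. In a real workflow the `SAMPLE_RECORDS` list would be replaced by the output of Passive DNS lookups for the candidate IP address and for the candidate domain and the names beneath it, and the `many_subdomains` and `stale_before` thresholds would be set by the analyst.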

In Closing

Farsight Security's DNSDB can really help when it comes to enabling investigators to aggressively tackle the bad guys while keeping innocent third parties – and agencies and their personnel – safe.

Joe St Sauver, Ph.D. is a Senior Distributed System Scientist for Farsight Security, Inc.