Detecting the Unseen: How ThreatSTOP Identifies and Neutralizes Dynamic DNS Abuse

Written by Joel Esler | November 6, 2025

Dynamic DNS, or DDNS, was created to make the internet more flexible. It allows legitimate users to update the IP address of a hostname automatically as it changes, which is helpful for remote access, personal web hosting, and small business connectivity. Unfortunately, that same convenience is often used by cybercriminals.

Attackers use DDNS to move their command and control infrastructure, rotate phishing domains, or hide data exfiltration servers behind constantly changing IP addresses. This behavior makes traditional blocklists less effective and allows bad actors to reappear under new addresses within minutes.

ThreatSTOP’s Security, Intelligence, and Research team continuously monitors for these malicious behaviors. One of our detection systems focuses on identifying DDNS abuse by finding infrastructure that cycles through many domains within short time windows.

Seeing Through the Rotation

This detection identifies IP addresses that are being used by multiple DDNS hostnames, often five or more, across known DDNS providers. In normal situations, an IP address should map to only a few hostnames. When it suddenly starts hosting many different domains, it signals suspicious automation or misuse.

Our correlation engine analyzes both live DNS activity and historic DNS data to find these overlaps. By combining these views, we can detect IP addresses that support botnets, phishing kits, remote access tools, and other forms of automated abuse.

The outcome is a continuously updated list of DDNS abuse IPs that our systems have determined to be part of fast-moving and difficult-to-detect malicious networks.
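The correlation described above, as an added example that is not ThreatSTOP's own code: it takes live or passive DNS observations (hostname, IP, time seen), keeps only hostnames under a small assumed list of DDNS provider suffixes, and flags any IP that five or more distinct DDNS hostnames resolved to within a sliding 24-hour window. The suffix list, threshold, window and sample records are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed DDNS provider suffixes for this example; a production list would be much larger.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")
THRESHOLD = 5                 # distinct DDNS hostnames per IP that count as suspicious
WINDOW = timedelta(hours=24)  # observations must fall inside one window of this length

def is_ddns_hostname(hostname: str) -> bool:
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES)

def find_rotating_ips(records, threshold=THRESHOLD, window=WINDOW):
    """records: iterable of (hostname, ip, seen_at datetime) from live or passive DNS.
    Returns {ip: sorted hostnames} for every IP that at least `threshold` distinct
    DDNS hostnames resolved to inside some window of length `window`."""
    by_ip = defaultdict(list)
    for hostname, ip, seen_at in records:
        if is_ddns_hostname(hostname):
            by_ip[ip].append((seen_at, hostname.lower().rstrip(".")))
    flagged = {}
    for ip, obs in by_ip.items():
        obs.sort()  # chronological, so each start index opens one candidate window
        for i, (start, _) in enumerate(obs):
            names = {h for t, h in obs[i:] if t - start <= window}
            if len(names) >= threshold:
                flagged[ip] = sorted(names)
                break
    return flagged

# Constructed sample observations (documentation IP ranges, not real indicators).
SAMPLE = [
    ("vpn-home.duckdns.org", "192.0.2.10", datetime(2025, 11, 1, 8, 0)),
    ("cam1.duckdns.org", "192.0.2.10", datetime(2025, 11, 1, 9, 15)),
    ("invoice-portal.ddns.net", "192.0.2.10", datetime(2025, 11, 1, 10, 30)),
    ("secure-login.hopto.org", "192.0.2.10", datetime(2025, 11, 1, 12, 0)),
    ("update-svc.no-ip.org", "192.0.2.10", datetime(2025, 11, 1, 14, 45)),
    ("mail.example.com", "192.0.2.10", datetime(2025, 11, 1, 15, 0)),  # not DDNS, ignored
    ("nas.duckdns.org", "198.51.100.7", datetime(2025, 11, 1, 8, 0)),
    ("nas2.duckdns.org", "198.51.100.7", datetime(2025, 11, 1, 9, 0)),
    ("old.duckdns.org", "203.0.113.5", datetime(2025, 10, 1, 8, 0)),  # a month earlier
    ("a.ddns.net", "203.0.113.5", datetime(2025, 11, 1, 8, 0)),
    ("b.ddns.net", "203.0.113.5", datetime(2025, 11, 1, 9, 0)),
    ("c.ddns.net", "203.0.113.5", datetime(2025, 11, 1, 10, 0)),
    ("d.ddns.net", "203.0.113.5", datetime(2025, 11, 1, 11, 0)),
]

if __name__ == "__main__":
    for ip, names in find_rotating_ips(SAMPLE).items():
        print(ip, "hosts", len(names), "DDNS hostnames:", ", ".join(names))
```

Only 192.0.2.10 is flagged: 198.51.100.7 carries two home-style hostnames, and 203.0.113.5 reaches five DDNS names only if the stale October observation is counted, which the window excludes.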

Protecting Networks Before the Attack

Once these behaviors are detected, ThreatSTOP automatically transforms the indicators into protections across our product line.

  • DNS Defense Cloud and DNS Defense stop DNS queries that match known malicious DDNS activity, preventing the connection before it ever resolves.

  • IP Defense sends the associated IP addresses to routers, firewalls, and other network devices to block outbound traffic to the same bad infrastructure.

This combination ensures that even if a malicious domain changes its IP address or an IP begins hosting new domains, customers remain protected. By cutting off both the domain resolution and the underlying IP connection, ThreatSTOP prevents malware from communicating, phishing pages from loading, and data from leaving protected environments.

Why It Matters

Cybercriminals depend on speed and agility. DDNS gives them a way to move faster than many traditional tools can detect. ThreatSTOP’s continuous correlation process removes that advantage. Instead of tracking only domain names, it observes the behavior of the infrastructure itself.

This proactive approach detects suspicious patterns as they form. It turns DNS traffic into actionable intelligence that strengthens customer protection automatically and continuously.

Stay Ahead with ThreatSTOP

For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers. Get started with a Demo today.

Connect with Customers, Disconnect from Risks.

MITRE ATT&CK Framework Mapping

| Technique ID | Technique Name | Description | ThreatSTOP Protection |
|--------------|----------------|-------------|-----------------------|
| T1071.004 | Application Layer Protocol: DNS | Attackers use DNS for command and control | DNS Defense Cloud and DNS Defense block known DDNS-based C2 domains |
| T1568.002 | Dynamic Resolution: Domain Generation Algorithms | DDNS used for dynamic infrastructure | DNS Defense and IP Defense block correlated DDNS IPs and hostnames |
| T1041 | Exfiltration Over C2 Channel | Stolen data sent through DDNS tunnels | DNS Defense Cloud and IP Defense disrupt exfiltration attempts |
| T1090.003 | Proxy: Multi-hop Proxy | DDNS used to redirect C2 traffic | IP Defense blocks proxy IPs identified through DDNS correlation |