A case for DNS
The growth of mobile subscriptions is great for the industry, but an increasing portion of this consumption is coming from criminals. Doug Miller, of Nominum, says the solution to mobile network security exists – you just have to look for it
Consumers using mobile networks are gobbling up resources at such a voracious pace that mobile operators are expanding networks almost from the day they are put into service.
Beyond the wired network elements, in the not-too-distant future, there will be a very real need to make more of the spectrum available to keep these users mobile or become much more efficient at managing the limited space available. To put this into context, consider that there are more mobile subscriptions globally than homes with electricity.
This growth is great for the industry and the economy, but an increasing portion of this consumption is coming from Internet criminals trying to take advantage of the astronomical rate of growth.
According to the Global Analysts Group, mobile cyber-criminals and crimes have proliferated at a rate nearly 50 times faster than on fixed-broadband. Stopping cyber-criminals is one way to help manage the mobile resource consumption properly. But the solution needs to be airtight and efficient.
Mobile devices have built-in protections against most malware, but when human engineering rears its head, we get creative exploits that can wipe bank accounts clean and leave not a trace of evidence for the consumer. The evidence, though, literally lies at the networks’ feet – or at the Domain Name System level (but more on that later).
To undertake these malicious efforts, criminals must set up drop-off sites for malware to upload personal information in addition to the command and control sites required for communication and co-ordination. Accessing these locations leaves behind fingerprints which reveal their presence.
Moreover, new technologies such as QR codes and shortened URLs have created new ways for cyber-thieves to trick us into going places we wouldn’t normally go.
This trend foreshadows what is to be a long-term full-scale proliferation of security threats to users around the globe as mobile networks become faster.
A growing number of tablets and other non-traditional ‘mobile equipment’ are all connecting to faster mobile networks and are doing more mainstream computing functions such as banking, shopping and managing personal information. All this data now residing in mobile cyberspace makes it the perfect new playground for criminals and hackers.
Security options that may have worked well for a PC user on a fixed broadband network are simply not the right answer for a mobile user, primarily because such solutions gobble up bandwidth and more precious compute resources on mobile devices (not to mention battery life). This is an enormous turn-off for both the mobile network operator and the consumer.
In short, ‘band aid’ fixes are not built for the fast-paced mobile network. For network operators, aggregate bandwidth consumption for seemingly inconsequential application updates will add to the total cost of ownership (TCO) and only add to the resource consumption issues previously outlined.
There are options, then, but what is the best solution? The Domain Name System (or DNS) could easily be that solution. Many years ago, the DNS was thought of as a tool to navigate the Web without the need to type in long strings of numbers (IP addresses).
A solution we take for granted today has evolved from a traditional protocol to an efficient network infrastructure tool that provides high performance and, in the case of more evolved offerings, integrated security layers. In addition, mobile carriers can build upon their existing DNS network to implement security platforms that detect and thwart hackers. Beyond the ability to provide a reliable Internet experience, the DNS’s ability to secure networks should be a part of the mobile operator’s security playbook.
An overlooked solution
From a network security perspective, there is also the issue of stopping outbound spam – at its source. The key to solving this is to make sure the ability to send spam from unsuspecting users (bot-infected devices) is made increasingly difficult or even impossible.
Network providers should be interested in this for a number of reasons. Most importantly, if their email servers hit a block list it can prevent all emails, both legitimate and unwanted, from being received by organizations that use the block list. As block lists are broadly used, this issue can be immediate and pervasive. The result is damage to the brand and real costs associated with support calls from unhappy users, lost customers and wasted network resources.
There are some common techniques for controlling outbound spam, but an often overlooked option is to control outbound spam with a DNS-based solution. Since most spam today is sent by bot-infected hosts, the trick is to identify which hosts on a network are communicating with known botnet command and control systems. It’s equally easy to block these communication channels so infected systems, whether via mobile phones, tablets or dongle-connected PCs, can’t get any instructions, thus they can’t send spam.
There is little impact on the DNS, and there is no need for additional equipment in the network, such as security-specific appliances – thus managing TCO.
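The DNS-based approach described above, sketched as an added example that is not from the article or from any Nominum product: it scans resolver query logs for lookups of listed command and control zones, reports which subscriber addresses made them, and shows the resolver-side decision for a listed name. The log format, the zone names, the client addresses and the choice of NXDOMAIN as the blocking response are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed blocklist of command-and-control zones (placeholder names).
C2_ZONES = {"c2-panel.example", "dropzone.invalid"}

# Constructed resolver query log: "<timestamp> <client-ip> <qname> <qtype>".
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 100.64.0.11 www.example.org. A
2024-01-01T10:00:02Z 100.64.0.27 node7.C2-Panel.example. A
2024-01-01T10:00:03Z 100.64.0.27 mx.mail.example.net. MX
2024-01-01T10:00:05Z 100.64.0.42 up.dropzone.invalid. A
2024-01-01T10:00:09Z 100.64.0.27 c2-panel.example. TXT
2024-01-01T10:00:11Z 100.64.0.11 notc2-panel.example. A
malformed line
"""

def normalize(qname):
    """Lower-case and drop the trailing root dot so comparisons are canonical."""
    return qname.rstrip(".").lower()

def matched_zone(qname, zones=C2_ZONES):
    """Return the listed zone that qname equals or sits under, else None."""
    # Walk label boundaries: 'notc2-panel.example' must not match
    # 'c2-panel.example', which a plain string-suffix test would get wrong.
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def resolver_action(qname, zones=C2_ZONES):
    """Resolver policy (assumed): answer NXDOMAIN for listed names."""
    return "NXDOMAIN" if matched_zone(qname, zones) else "RESOLVE"

def infected_clients(log_text, zones=C2_ZONES):
    """Map each client IP to the set of listed zones it tried to look up."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:  # skip malformed records
            continue
        _ts, client, qname, _qtype = fields
        zone = matched_zone(qname, zones)
        if zone:
            hits[client].add(zone)
    return dict(hits)
```

The per-client result is what an operator would use to notify or quarantine subscribers, while the resolver decision is what cuts the infected device off from its instructions.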
Leveraging the DNS as a network-based security solution offers a multitude of benefits to mobile network operators. Most importantly, it allows these operators to stay competitive while demonstrating an active commitment to protecting their customers – enhancing their safety online and improving their overall Internet experience, all while preserving precious mobile resources.
Doug Miller is general manager for mobile solutions at Nominum. The company’s chairman and chief scientist, Dr Paul Mockapetris, invented the Internet’s Domain Name System (DNS)