Skip to main content
  • Cybersecurity

Cybersecurity insights from CIRA DNS Firewall

By Jon Ferguson

As the internet continues to evolve with dizzying speed, cyber threats are evolving along with it. Take the sudden, large-scale shift to remote work in the early days of the pandemic. As IT departments scrambled to get their employees set up to work from home, malicious actors saw a golden opportunity to find new vulnerabilities to exploit. And exploit they did, targeting remote workers with a spate of new attacks, including COVID-related phishing scams, ransomware attacks and malicious Zoom-lookalike domains. 

Here at CIRA, improving the internet’s security and resiliency is an important part of our mandate. While we’re best known as the national not-for-profit that manages the .CA domain on behalf of all Canadians, we also develop and offer a range of cybersecurity and domain name system (DNS) services to help achieve a trusted internet for Canadians. Our Anycast DNS service helps protect one third of all top-level domains on the internet, while our cybersecurity services, such as CIRA Canadian Shield and CIRA DNS Firewall, protect millions of users within Canada.

At the end of last year, we decided to take a look under the hood of CIRA’s DNS Firewall service. If you’re not familiar with it, the service analyzes and monitors DNS traffic for hundreds of organizations across the country, protecting their networks, devices and employees from the growing list of cyber threats by ensuring that requests to malicious sites or unwanted content are blocked. The service protects over 3.1 million users across a variety of sectors, including municipalities, health care, financial services, higher education, K-12 schools, and organizations connected to CANARIE and its provincial and territorial partners in the National Research and Education Network (NREN).

By examining traffic patterns and requests to connect to malicious sites, CIRA can track known threats, assess new ones and develop strategies to mitigate emerging risks in networks across the country.

Our analysis of DNS Firewall data in Q4 of 2021 looked at blocked domain requests for over 600 organizations from September 15 2021 through January 15, 2022. In our quest to advance the national conversation about cybersecurity, CIRA is pleased to share key insights into the threats that organizations across the country are facing.

Malware and phishing the most blocked threats

In Q4, malware requests were the most common type of threats blocked, with a daily average of 48,000, followed by phishing domains with 13,285 and botnets, with 7,251. How can we tell if a site is bad news? Each time a user clicks a link or enters a URL in their browser, CIRA DNS Firewall double-checks whether the sites they’re trying to visit are malicious, using our leading-edge threat feeds. If we know the links are malicious, we’ll prevent users from accessing them.

Notable increase in blocks of unique malware-infected TLDs

The analysis of Q4 activity also uncovered a notable increase in the number of unique malware-infected domains blocked by the DNS Firewall, suggesting a corresponding rise in malicious activity.

During the period analyzed, there were a total of 39,219 unique domains blocked by DNS Firewall, with botnet-related blocks accounting for over half of the total (52.8 per cent). Malware-infected domains accounted for 21.8 per cent of the total blocks, while unique phishing domains made up just over a quarter.

Fifty per cent increase in malware and phishing blocks

Along with the increase in blocks of unique top-level domains, the analysis of DNS Firewall data showed that between September and November 2021 the average number of unique malware-infected domains blocked per day increased from 500 to around 750, a 50 per cent increase. The number of unique blocked phishing domains showed similar growth during this period.

While this trend did not continue throughout the month of December, the fact that a significant number of DNS Firewall customers are in the education sector suggests that the holiday break played a role in this late-year decline.

Government organizations recorded the highest number of daily botnet blocks

Government organizations saw on average the highest number of daily botnet blocks per customer, according to our analysis, followed by the enterprise and health care segments.

Blocking requests from botnet-infected sites is extremely important because botnets can lie dormant in the network and avoid detection for extended periods. When they are activated by an external command and control server, botnets can be used for many malicious purposes such as data theft, sending spam emails, online fraud campaigns and DDoS attacks.     

A single critical infrastructure operator accounted for nearly all botnet blocks in its home province

Nearly all botnet blocks in a single province were recorded by a single critical infrastructure operator with an extensive internet of things (IoT) network. IoT devices, like remote sensors and security cameras, are becoming increasingly common in industrial networks. But for all the advantages these devices introduce, they can easily be compromised and introduce significant risk for organizations trying to prevent cyber attacks.

The primary botnet detected was the notorious Mirai Botnet. Mirai attacks vulnerable IoT and smart devices and attempts to use them to launch a variety of different cyber attacks, including large-scale DDoS attacks. In total, Mirai accounted for over 32,000 blocks to 9 malicious domains for the infrastructure operator, primarily during a three-week period in December.

Prairie education sector customers block 165,000 e-banking botnet requests

Between November 19 (the start date of the botnet analysis) and November 30, 2021, DNS Firewall blocked over 165,000 requests to domains associated with Fobber, an e-banking Botnet that attempts to steal personal information. The blocks affected seven customers in higher education and K-12 schools in the prairies.

Ave Maria malware blocked more than half a million times in three days

First uncovered in 2018, the Ave Maria malware/spyware is a remote access trojan (RAT) that allows hackers to take over infected PCs and set them up with remote access capabilities. Once they have access, hackers can steal users’ personal information, including login credentials to online banking and social media sites.

Between November 17th and 19th, 2021, at a large university on the prairies, the CIRA DNS Firewall blocked an exceptionally high number of requests—582,344—to the domain staticimg . youtuuee . com, which has been associated with Ave Maria. Surprisingly, given the enormous spike in requests during a relatively short period of time, the domain was not detected elsewhere by the DNS Firewall before or after this incident.

Fifty-nine Log4j vulnerabilities successfully blocked

The CIRA DNS Firewall recorded a total of 59 blocks to domains that cybersecurity researchers have identified as being linked to exploitation attempts of a vulnerability in Apache Log4j 2, a ubiquitous Java library used for logging error messages in millions of web applications.

Discovered in mid-December 2021 and given the name “Log4Shell,” this high-profile vulnerability first came to light on sites catering to Minecraft and users, buthas since been discovered within organizations spanning virtually every sector. Log4shell is a remote code execution vulnerability (RCE) that allows hackers to execute code remotely on infected devices for the purposes of downloading malicious software or opening a backdoor connection to a server.

Volume of phishing and malware blocks rises in higher education sector

DNS Firewall customers in the higher education sector saw notable increases in the volume of both phishing and malware blocks. One central Canadian university saw the highest volume of blocked phishing requests, a 15 per cent share of the total, while another single college saw more than 1.6 million blocks of malware-infected domains, representing 27 per cent of the total.

Phishing the most common threat affecting municipal governments 

For municipal government customers of DNS Firewall, phishing was the most common threat, with an average of 979 blocked DNS requests recorded daily across this segment (or approximately 14 blocks per day per customer on average). The DNS Firewall also blocked 820 requests linked to malware-infected domains on a daily basis. Overall, there were 2,360 unique blocked domains affecting this segment during the quarter.

Key takeaways

Canadians’ privacy, safety and trust in institutions is threatened daily —and the CIRA DNS Firewall data above shows that public and private organizations are facing an increased volume of sophisticated cyber threats.

This trend will only continue as hybrid and remote work becomes the norm, and cyber criminals find new ways to exploit this increased attack surface. This makes protecting Canada’s internet infrastructure more important than ever so that schools, hospitals and governments can continue to operate.

To help information technology and cybersecurity professionals tasked with combatting cyber threats, we’ve collected a series of resources to show how protected DNS and regular cybersecurity awareness training can help safeguard your organization’s network:


Read more about how the CIRA DNS Firewall service can help protect your organization from malicious cyber threats.

About the author
Jon Ferguson

Jon Ferguson leads the Cybersecurity & DNS services unit at CIRA that builds upon the organization’s world class DNS services to provide cybersecurity services and training to Canadians and the global internet community. For the past 15 years, Jon has worked in product leadership roles for organizations building globally distributed Internet of Things and Cybersecurity solutions.