New Advanced DNS Category: Malware-TDS (Malicious TDS)
A Traffic Distribution System (TDS) is a marketing tool used to optimize affiliate links. It connects different traffic sources and what is known about the visitor, such as the pages they use most, their device, and their IP address, to the most relevant advertisements and sites. In other words, a TDS handles traffic management and decides where to route each visitor for the greatest marketing profit.
In cybersecurity, Traffic Distribution Systems are often abused through URL redirection and DNS. Domain owners or threat actors can use these systems to target victims or to redirect them to other TDSs. Many malicious hosts on the internet function as redirectors, particularly TDSs that remain active for extended periods and receive traffic from new attack campaigns over time. Moreover, the operators of TDSs, whether malicious or not, intentionally obscure the structure and operation of their networks, which makes their inner workings difficult to analyze. The redirected traffic itself can also be monetized.
Our research team uncovered a malvertising traffic distribution system that redirects visitors to various subpages associated with vkmarketing2[.]com. From there, visitors are redirected to dubious sites promoting loans, prizes, and other suspicious offers.
Our threat research team has developed a system to detect malicious use of TDS via DNS and URL redirection. The system identifies intermediary domains rather than entry points and determines their maliciousness. Leveraging the characteristics of these malicious TDS chains, we utilize advanced machine-learning techniques to classify such threats in firewall logs.
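As an added example (not Palo Alto Networks code), the following walks a recorded HTTP redirect chain, extracts the intermediary hosts that form the TDS layer between the entry point and the landing page, and checks them against a blocklist of defanged indicators. The redirect chain and blocklist are constructed sample data; only vkmarketing2[.]com is taken from the post above.

```python
"""Identify intermediary TDS domains in a redirect chain (constructed example)."""
from urllib.parse import urljoin, urlparse

# Constructed blocklist in defanged form; vkmarketing2[.]com is named in the post.
MALICIOUS_TDS_BLOCKLIST = {"vkmarketing2[.]com", "tds-example[.]net"}

# Constructed redirect chain: URL -> (HTTP status, Location header).
# A URL with no entry is the final landing page.
ENTRY_URL = "http://ad-entry.example/click?id=7"
SAMPLE_RESPONSES = {
    ENTRY_URL: (302, "http://vkmarketing2.com/r/abc"),
    "http://vkmarketing2.com/r/abc": (302, "/go/loans"),          # relative hop
    "http://vkmarketing2.com/go/loans": (302, "http://loans-offer.example/land"),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def refang(indicator):
    """Turn a defanged indicator ('bad[.]com', 'hxxp://') back into a usable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def follow_chain(start_url, responses):
    """Walk recorded redirects from start_url; stops on a non-redirect or a loop."""
    chain = [start_url]
    seen = {start_url}
    while chain[-1] in responses:
        status, location = responses[chain[-1]]
        if status not in REDIRECT_STATUSES or not location:
            break
        nxt = urljoin(chain[-1], location)  # resolve relative Location headers
        if nxt in seen:
            break  # redirect loop: stop rather than spin forever
        seen.add(nxt)
        chain.append(nxt)
    return chain


def intermediary_domains(chain):
    """Distinct hosts strictly between the entry point and the landing page."""
    hosts = [urlparse(u).hostname for u in chain[1:-1]]
    return list(dict.fromkeys(h for h in hosts if h))


def flag_chain(chain, blocklist):
    """Intermediary hosts that match the (refanged) blocklist, sorted."""
    bad = {refang(d) for d in blocklist}
    return sorted(h for h in intermediary_domains(chain) if h in bad)
```

The same functions work on chains exported from a proxy or sandbox, as long as each hop's URL and Location header are available.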
Malicious TDS Detection was recently released on January 29, 2025.
Customers do not need to make any configuration changes unless they wish to modify the default or configured action of the DNS Malware Domains category. As long as the malware category is set to block, customers are protected from Malicious TDS techniques.
To assist customers in identifying and managing malicious TDS threats, below are the details:
Yes. To facilitate testing and familiarization with the new detection capability, we have included a test domain: test-malicious-tds.testpanw.com
Below is the snippet of how Malicious TDS detection entries appear in the threat log of the firewall:
Monitor -> Logs -> Threat