Palo Alto Networks Enhances Advanced DNS Security with New Malicious TDS Detection


New Advanced DNS Category: Malware-TDS (Malicious TDS)


What is a Traffic Distribution System (TDS)?

A Traffic Distribution System (TDS) is a marketing tool that optimizes affiliate links by routing visitors arriving from different traffic sources to the most relevant advertisements and sites, using attributes such as the visitor's most-used web pages, device, and IP address. In other words, a TDS manages traffic and decides where to send each visitor for the greatest marketing profit.


How Traffic Distribution Systems Pose Cybersecurity Threats

In cybersecurity, Traffic Distribution Systems (TDS) are typically reached through URL redirection and DNS. Domain owners or threat actors can use these systems to target selected victims or to forward them to other TDSs. Many malicious hosts on the internet act as redirectors, in particular TDSs that remain active for long periods and receive traffic from new attack campaigns over time. Moreover, the operators of TDSs, malicious or not, intentionally obscure the structure and operation of their networks, which makes their inner workings difficult to analyze. The redirected traffic can also be monetized.


Case Study: Malicious DNS through Malvertising

Our research team uncovered a malvertising traffic distribution system that redirects visitors to various subpages of vkmarketing2[.]com. From there, visitors are sent on to dubious sites promoting loans, prizes, and other suspicious offers.


How does Palo Alto Networks Precision AI™ help Identify, Detect, and Block Malicious TDS?

Our threat research team has developed a system that detects malicious use of TDSs via DNS and URL redirection. Rather than the entry points of a redirect chain, the system identifies the intermediary domains and determines whether they are malicious. Using the characteristics of these malicious TDS chains, we apply advanced machine-learning techniques to classify such threats in firewall logs.
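The two ideas in the sections above, that a TDS sits in the middle of a redirect chain rather than at its entry point and that long-lived redirectors receive traffic from many campaigns, can be illustrated with a small chain walker. This is an added example and not Palo Alto Networks code or the product's classifier: the redirect map, the campaign entry URLs and the `.example` hostnames are constructed, and the "count how many campaign chains a host sits in the middle of" heuristic is an assumption used for illustration only. A real crawler would issue HTTP requests with automatic redirects disabled and read each Location header.

```python
"""Walk constructed redirect chains and rank the intermediary (redirector) hosts
that recur across campaigns. Added example, not Palo Alto Networks code."""
from collections import Counter
from urllib.parse import urlparse

# Constructed redirect map: URL -> the Location it redirects to.
# A URL that is absent from the map is a landing page (no further redirect).
REDIRECTS = {
    "http://ad-entry-a.example/click?id=1": "http://tds-hub.example/r/aaa",
    "http://ad-entry-b.example/promo": "http://tds-hub.example/r/bbb",
    "http://tds-hub.example/r/aaa": "http://vkmarketing2.example/sub/loan",
    "http://tds-hub.example/r/bbb": "http://vkmarketing2.example/sub/prize",
    "http://vkmarketing2.example/sub/loan": "http://loan-offer.example/",
    "http://vkmarketing2.example/sub/prize": "http://prize-offer.example/",
    # a redirect loop, to show the walker terminating
    "http://ad-entry-c.example/x": "http://loop1.example/",
    "http://loop1.example/": "http://loop2.example/",
    "http://loop2.example/": "http://loop1.example/",
}

# Constructed campaign entry points (e.g. URLs taken from malvertising clicks).
CAMPAIGNS = [
    "http://ad-entry-a.example/click?id=1",
    "http://ad-entry-b.example/promo",
    "http://ad-entry-c.example/x",
]

MAX_HOPS = 10


def follow_chain(entry_url, redirects=REDIRECTS, max_hops=MAX_HOPS):
    """Return (hops, status): hops is the ordered list of URLs visited,
    status is 'landed', 'loop' or 'too_long'."""
    hops = [entry_url]
    seen = {entry_url}
    url = entry_url
    while True:
        nxt = redirects.get(url)
        if nxt is None:
            return hops, "landed"
        if nxt in seen:
            return hops, "loop"
        if len(hops) >= max_hops:
            return hops, "too_long"
        hops.append(nxt)
        seen.add(nxt)
        url = nxt


def host(url):
    return urlparse(url).hostname


def intermediaries(hops):
    """Hosts strictly between the entry point and the final landing page,
    with consecutive hops on the same host collapsed to one entry."""
    hosts = [host(u) for u in hops]
    entry, landing = hosts[0], hosts[-1]
    out = []
    for h in hosts[1:-1]:
        if h in (entry, landing):
            continue
        if not out or out[-1] != h:
            out.append(h)
    return out


def rank_redirectors(entry_urls, redirects=REDIRECTS):
    """Count, per intermediary host, how many distinct campaign chains it sits in.
    Hosts found in the middle of many chains are candidates for the long-lived
    TDS nodes described in the text (heuristic, assumption of this example)."""
    counts = Counter()
    for entry in entry_urls:
        hops, status = follow_chain(entry, redirects)
        if status != "landed":
            continue
        for h in set(intermediaries(hops)):
            counts[h] += 1
    return counts


if __name__ == "__main__":
    for entry in CAMPAIGNS:
        hops, status = follow_chain(entry)
        print(f"{status:8} " + " -> ".join(host(u) for u in hops))
    for h, n in rank_redirectors(CAMPAIGNS).most_common():
        print(f"{h}: intermediary in {n} campaign chains")
```

Running it shows the entry points (`ad-entry-*`) and landing pages (`loan-offer`, `prize-offer`) each appearing once, while `tds-hub.example` and `vkmarketing2.example` are shared by both successful chains; the looping chain is dropped rather than followed forever.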


When will the malicious TDS detection be available in ADNS Security?

Malicious TDS Detection was released on January 29, 2025.


What Action Is Needed to Benefit from Malicious TDS Detection?

Customers do not need to make any configuration changes unless they want to change the default or configured action for the DNS Malware Domains category. As long as the Malware category is blocked, customers are protected against malicious TDS techniques.


What is the Threat ID and Threat Name for Malicious TDS?

To assist customers in identifying and managing malicious TDS threats, below are the details:

  • Threat ID: 109003003
  • Threat Name: Malicious_TDS:<FQDN>
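For a SOC that wants to pull these detections out of exported threat logs, the threat ID and the `Malicious_TDS:<FQDN>` name format above are enough to filter on and to extract the TDS domain. The following is an added example, not Palo Alto Networks code: the log lines are constructed and use a simplified `key=value` layout rather than the firewall's real CSV/syslog field order, the second threat ID (109999999) is a made-up non-TDS value, and `tds-hub.example` is an invented hostname; only the threat ID 109003003, the threat-name format and the test domain come from the page. The `not_blocked` check flags entries whose action is not a blocking one, which is what an analyst would look for after the Malware category action has been changed from its default.

```python
"""Filter Malicious TDS detections out of (constructed) threat-log lines and
summarise them per source host. Added example, not Palo Alto Networks code."""
import re
from collections import defaultdict

# From the page: Threat ID for Malicious TDS, and the threat-name prefix.
MALICIOUS_TDS_THREAT_ID = 109003003
THREAT_NAME_PREFIX = "Malicious_TDS:"

# Constructed sample log; simplified key=value layout, not the real PAN-OS format.
SAMPLE_THREAT_LOG = """\
time=2025-02-03T10:14:02 type=THREAT subtype=spyware src=10.1.20.15 dst=10.1.1.53 threatid=109003003 threat_name=Malicious_TDS:test-malicious-tds.testpanw.com action=block
time=2025-02-03T10:15:40 type=THREAT subtype=spyware src=10.1.20.15 dst=10.1.1.53 threatid=109003003 threat_name=Malicious_TDS:tds-hub.example action=block
time=2025-02-03T10:16:05 type=THREAT subtype=spyware src=10.1.20.22 dst=10.1.1.53 threatid=109003003 threat_name=Malicious_TDS:TDS-HUB.example. action=allow
time=2025-02-03T10:17:11 type=THREAT subtype=spyware src=10.1.20.22 dst=10.1.1.53 threatid=109999999 threat_name=other:evil.example action=block
malformed line without fields
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
BLOCKING_ACTIONS = {"block", "sinkhole", "drop", "reset-both"}


def parse_line(line):
    """Return the key=value fields of one line as a dict, or None if none found."""
    fields = dict(FIELD_RE.findall(line))
    return fields or None


def malicious_tds_events(log_text):
    """Yield one event per line whose threat ID and name identify a Malicious TDS hit.
    The FQDN is normalised (lower-cased, trailing dot removed) so the same domain
    written differently aggregates together."""
    events = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        try:
            threat_id = int(fields.get("threatid", ""))
        except ValueError:
            continue
        name = fields.get("threat_name", "")
        if threat_id != MALICIOUS_TDS_THREAT_ID or not name.startswith(THREAT_NAME_PREFIX):
            continue
        fqdn = name[len(THREAT_NAME_PREFIX):].lower().rstrip(".")
        events.append({
            "time": fields.get("time"),
            "src": fields.get("src"),
            "fqdn": fqdn,
            "action": fields.get("action"),
        })
    return events


def hosts_by_tds_domain(events):
    """Map each detected TDS FQDN to the sorted list of internal hosts that looked it up."""
    out = defaultdict(set)
    for e in events:
        out[e["fqdn"]].add(e["src"])
    return {fqdn: sorted(srcs) for fqdn, srcs in out.items()}


def not_blocked(events):
    """Events whose action was not a blocking one: these hosts actually reached the TDS."""
    return [e for e in events if e["action"] not in BLOCKING_ACTIONS]


if __name__ == "__main__":
    evs = malicious_tds_events(SAMPLE_THREAT_LOG)
    for fqdn, srcs in hosts_by_tds_domain(evs).items():
        print(f"{fqdn}: {', '.join(srcs)}")
    for e in not_blocked(evs):
        print(f"NOT BLOCKED: {e['src']} -> {e['fqdn']} at {e['time']} (action={e['action']})")
```

The line carrying the test domain is handled like any other detection, so the same script can confirm that a lookup of `test-malicious-tds.testpanw.com` from a test client produced a log entry with the expected threat ID and a blocking action.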


Does Palo Alto Networks Have a Test Domain for Malicious TDS?

Yes. To facilitate testing and familiarization with the new detection capability, we have included a test domain: test-malicious-tds.testpanw.com


Sample Threat Log Entry for Malicious TDS Detection:

Below is a snippet showing how Malicious TDS detection entries appear in the firewall threat log, under Monitor -> Logs -> Threat:

[Figure 1: Malicious TDS entry in the threat log]

[Figure 2: Malicious TDS entry in the threat log (detail)]
