The domain name system (DNS) is a critical component of the Internet, translating domain names such as www.itbusinessedge.com into Internet protocol (IP) addresses. However, since most standard security measures do not block DNS traffic, cyber criminals are able to infiltrate networks and gain access to proprietary data. In addition to launching attacks, cyber criminals can also exploit an organization’s DNS infrastructure to cause outages.
In a survey conducted by Vanson Bourne, 66 percent of U.S. respondents reported that their organization suffered a DNS attack within the last 12 months. Even more troubling, respondents indicated that the attack resulted in loss of Internet service (63 percent), an increase in customer complaints (42 percent) and the loss of confidential customer information (33 percent).
Over the past year, some of the world’s most highly trafficked media and social networking sites have been disrupted by DNS attacks, with hackers seizing control of their websites by changing information in the organizations’ DNS databases. Recently, both websites for Lenovo and Google were victims of “domain hijacking.” During the attack, visitors to Google’s Vietnamese site were redirected to another site. Visitors to Lenovo’s site were maliciously redirected to a defaced site controlled by the well-known hacker group, Lizard Squad.
In this slideshow, Cloudmark CTO Neil Cook shares five of the top DNS threats, their potential impact on organizations, and best practices for identifying and preventing such attacks.
Managing Top DNS Threats
DDoS Attacks Using DNS Amplification
Cyber criminals are able to launch distributed denial of service (DDoS) attacks through DNS amplification. DDoS attacks were the most common attack reported by organizations surveyed by Vanson Bourne, with 74 percent saying they’ve experienced such an attack. Typically, cyber criminals will set up a malicious domain with very large resource records, with the goal of executing a DNS amplification attack. Once the malicious domain is created, queries for it are sent to open DNS resolvers with spoofed source IPs, and the much larger responses then go to the spoofed address, that of the targeted server, causing a DDoS attack. The volume of response traffic overwhelms the target, disrupting normal communication. Such attacks can result in costly downtime and negatively impact critical functions.
Network operators should take steps to prevent traffic from leaving their network with source IPs that are not local to that network. If a network operator’s own resolvers are configured to perform recursive lookups, they should restrict access to the resolvers to requests coming only from their local network and have the ability to identify floods of requests related to DNS amplification.
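The three defenses just described, as an added example that is not part of the original slideshow: an egress check that only lets packets with a local source address leave, a resolver rule that serves recursion to local clients only, and a detector for the addresses receiving bursts of highly amplified answers (the spoofed victims, which should be response-rate-limited). The prefixes and traffic records are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed prefixes and traffic records for this example (not from any real network).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "10.20.0.0/16")]

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def egress_allowed(src_ip):
    """BCP38-style egress filter: a packet may leave only if its source is one of our prefixes."""
    return is_local(src_ip)

def resolver_decision(src_ip, rd):
    """Recursive queries (RD=1) are served to local clients only; a non-recursive query is
    still answered, which covers a server that also hosts authoritative zones."""
    return "ANSWER" if (is_local(src_ip) or not rd) else "REFUSED"

# Each record: (ts_seconds, src_ip, qtype, request_bytes, response_bytes).
# Constructed: two local clients doing normal lookups, and one external address (the spoofed
# victim) receiving a burst of large answers to ANY queries for a domain with huge records.
TRAFFIC = [
    (0, "10.20.1.4", "A", 45, 61),
    (1, "10.20.1.9", "AAAA", 48, 76),
] + [(t, "203.0.113.9", "ANY", 64, 3200) for t in range(2, 8)]

def amplification_victims(records, window_s=10, min_factor=10, max_per_window=5):
    """Addresses that receive more than max_per_window highly amplified answers in one window.
    These are the spoofed targets of an amplification attack; the mitigation is response rate
    limiting (RRL) toward them, since the query names themselves look legitimate."""
    hits = Counter()
    for ts, src, _qtype, req, resp in records:
        if resp / req >= min_factor:
            hits[(src, ts // window_s)] += 1
    return sorted({src for (src, _w), n in hits.items() if n > max_per_window})
```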
Botnets and Advanced Persistent Threats
Botnets and advanced persistent threats (APTs) make use of DNS as part of their mechanisms to contact their command and control infrastructure. These can use sophisticated techniques such as domain generation algorithms or fast flux domains to hide the command and control infrastructure and make it resistant to takedown by security companies or law-enforcement agencies.
Organizations should use defense-in-depth techniques to identify and mitigate bots and APTs in their network. This can involve using threat intelligence feeds from multiple sources, deployed at multiple points in the network (IDS, DNS firewall, web filter), as well as deploying security software that detects likely command and control traffic in protocols such as DNS, HTTP, etc., and looking for anomalous patterns in network and application traffic that could indicate infection.
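One anomalous DNS pattern a resolver can look for is fast flux: a name whose answers churn across many unrelated networks with short TTLs. The example below is added here and is not Cloudmark's or the page's own code; the answer records are constructed, and it uses the /24 prefix of each IPv4 answer as a stand-in for the ASN lookup a real deployment would use to tell a CDN (many addresses in one provider network) from flux hosting (compromised hosts everywhere).

```python
import ipaddress
from collections import defaultdict

# Constructed resolver answer records (qname, ttl_seconds, answer_ip); not real observations.
# A CDN also rotates addresses with short TTLs, but within one provider network, while a
# fast-flux botnet fronts its controller with compromised hosts scattered across many networks.
ANSWERS = [
    ("www.example.com", 3600, "198.51.100.10"),
    ("www.example.com", 3600, "198.51.100.10"),
    ("cdn.example.net", 60, "203.0.113.20"),
    ("cdn.example.net", 60, "203.0.113.21"),
    ("cdn.example.net", 60, "203.0.113.22"),
    ("cdn.example.net", 60, "203.0.113.23"),
    ("cdn.example.net", 60, "203.0.113.24"),
    ("flux.example", 120, "192.0.2.10"),
    ("flux.example", 120, "198.51.100.77"),
    ("flux.example", 60, "203.0.113.5"),
    ("flux.example", 60, "192.0.2.200"),
    ("flux.example", 90, "198.51.100.130"),
]

def flux_profile(records):
    """Per name: distinct answer IPs, distinct /24 prefixes (IPv4 only here), minimum TTL seen."""
    ips, nets, ttl = defaultdict(set), defaultdict(set), {}
    for qname, t, ip in records:
        ips[qname].add(ip)
        nets[qname].add(ipaddress.ip_network(f"{ip}/24", strict=False))
        ttl[qname] = min(t, ttl.get(qname, t))
    return {q: {"ips": len(ips[q]), "nets": len(nets[q]), "min_ttl": ttl[q]} for q in ips}

def fast_flux_candidates(records, max_ttl=300, min_ips=5, min_nets=3):
    """Names whose answers spread over many networks with short TTLs: likely flux-fronted C2."""
    return sorted(q for q, p in flux_profile(records).items()
                  if p["min_ttl"] <= max_ttl and p["ips"] >= min_ips and p["nets"] >= min_nets)
```

Flagged names are candidates to check against threat intelligence feeds and to correlate with which internal clients asked for them.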
DDoS Attacks Using DNS NXDOMAIN Flood
A DNS NXDOMAIN flood attack, which is also known as a water torture attack, targets an organization’s DNS servers. This type of attack involves a flood of maliciously crafted DNS lookup requests for names that do not exist and so cannot be resolved. Intermediate resolvers also experience delays and timeouts while waiting for the end target’s authoritative name server to respond to the requests. These requests consume network, bandwidth and storage resources. They can also tie up network connections, causing timeouts.
Organizations should monitor their recursive DNS servers looking for anomalous behavior such as spikes in the number of unique sub-domains being queried, or spikes in the number of timeouts or delayed responses from a given name server.
DNS Hijacking
In DNS hijacking attacks, cyber criminals are able to subvert individuals’ DNS requests, directing them to their own compromised DNS server. In such attacks, users may find themselves directed to a spoofed website. DNS hijacking can be used for phishing purposes such as directing users to a fake bank website in order to collect sensitive personal and financial information. Some ISPs use DNS hijacking to introduce ads or collect statistics on users.
To avoid DNS hijacking, change the default password on your router, so that attackers cannot take it over simply by trying the default credentials. Additionally, you should always upgrade the firmware when updates are available.
DNS Tunneling and Data Exfiltration
DNS tunneling exploits an organization’s lack of security and monitoring of DNS traffic to bypass expensive security controls. Hackers or knowledgeable insiders are able to use an organization’s DNS infrastructure to bypass network access or security controls to create tunnels that access the Internet directly, without being scanned by traditional security solutions. DNS tunneling uses DNS queries and responses to send data that cannot otherwise be sent via traditional network connections. The tunnel consists of a client inside a restricted network and a server that acts as an authoritative DNS server, using an agreed-upon domain name as the basis for queries and responses. Even if the user is not malicious (they may be using the tunnel to access websites that are normally locked-down), they are exposed to malware, phishing and other threats because their traffic is not subject to the usual security checks.
An especially malicious use of DNS tunneling is for data exfiltration, where sensitive internal information is sent out of a local network by using DNS tunneling techniques. This can lead to major data breaches of the sort seen recently at Target, Home Depot and Anthem.
The best form of defense against DNS tunneling and data breach over DNS is to continually monitor DNS traffic, ideally in real time. Tunneling can be detected by offline solutions such as SIEMs, but this requires all DNS lookups to be logged, and any analysis tends to be manual, time-consuming and after the fact. Deploying real-time detection of tunneling allows instant detection and mitigation of the threat.
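The monitoring recommended for NXDOMAIN floods (spikes in unique sub-domains, timeouts and failures from one name server) and for tunneling (a stream of never-repeated, long encoded labels that do resolve, typically via TXT, NULL or CNAME records) can share one profiling pass over resolver logs. The example below is added here, not the page's or Cloudmark's code; the log shape is a constructed simplification rather than a real BIND or Unbound format, and the thresholds are illustrative.

```python
from collections import defaultdict
# Constructed sample resolver log, simplified shape "<client> <qname> <qtype> <rcode> <rtt_ms>".
SAMPLE_LOG = """\
10.0.0.5 www.example.com A NOERROR 12
10.0.0.5 mail.example.com A NOERROR 9
10.0.0.5 www.example.com A NOERROR 11
10.0.0.7 a8f1c03e9b2d.target.example A NXDOMAIN 2000
10.0.0.7 7b22e4d1f0ac.target.example A NXDOMAIN 2000
10.0.0.7 0c9d5e7a3b41.target.example A SERVFAIL 2000
10.0.0.9 nfzxg4dbmnsxe5dsnqxgg5bamvzgs3lfmn2gs33o.t.example TXT NOERROR 40
10.0.0.9 mfrgg2lomjqxg4zanfzsa43fmnzgk5bamvrgs4y.t.example TXT NOERROR 38
10.0.0.9 ojsxgzlsozsxe3dfmq.t.example TXT NOERROR 41
"""
TIMEOUT_MS = 1500  # constructed threshold; real resolvers log upstream timeouts explicitly

def base_domain(qname):
    """Registrable-domain approximation: last two labels (production code would use the PSL)."""
    return ".".join(qname.split(".")[-2:])

def profile(log):
    """Per base domain: unique-name ratio, failure ratio, TXT-ish ratio, mean first-label length."""
    groups = defaultdict(list)
    for line in log.splitlines():
        client, qname, qtype, rcode, rtt = line.split()
        qname = qname.lower().rstrip(".")
        groups[base_domain(qname)].append((qname, qtype, rcode, int(rtt)))
    out = {}
    for dom, rs in groups.items():
        n = len(rs)
        out[dom] = {
            "n": n,
            "uniq_ratio": len({r[0] for r in rs}) / n,
            "fail_ratio": sum(r[2] != "NOERROR" or r[3] >= TIMEOUT_MS for r in rs) / n,
            "txt_ratio": sum(r[1] in ("TXT", "NULL", "CNAME") for r in rs) / n,
            "avg_label": sum(len(r[0].split(".")[0]) for r in rs) / n,
        }
    return out

def classify(p):
    # Water torture: nearly every name is new and the authority answers NXDOMAIN or times out.
    if p["uniq_ratio"] >= 0.8 and p["fail_ratio"] >= 0.8:
        return "nxdomain-flood"
    # Tunnel: long, never-repeated encoded labels that resolve fine, usually via TXT/NULL/CNAME.
    if p["uniq_ratio"] >= 0.8 and p["avg_label"] >= 20 and p["txt_ratio"] >= 0.5:
        return "tunneling"
    return "normal"

def alerts(log, min_queries=3):
    """Verdict for each base domain seen at least min_queries times in the log."""
    return {d: classify(p) for d, p in profile(log).items() if p["n"] >= min_queries}
```

Run the same profiling over a sliding window rather than a whole file to get the real-time detection the text calls for; the verdicts then drive rate limiting of the flooded domain or blocking of the tunnel domain.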