5 DNS Attack Vectors You Need To Be Wary Of – And How To Defend Against Them

CyberCrimeSecuritySecurity Management

Chris Marrison, consulting solutions architect, Infoblox, explains how to protect your organisation against some of the most sneaky and damaging DNS attacks

The importance of the Domain Name System, or DNS, can hardly be overstated – without DNS, network devices stop working. If a company loses Internet connectivity it can’t do business online. It loses revenue, customers and brand reputation.

At the same time, DNS-based Distributed Denial of Service (DDoS) attacks are constantly evolving and affect both external and internal DNS servers. Methods range from amplification/reflection, floods and simple NXDOMAIN to highly sophisticated attacks involving botnets, chain reactions and misbehaving domains.

The frequency of these attacks is on the rise and traditional protection is ineffective against these evolving threats, making this a dangerous time to neglect DNS security. To help organisations guard against them, here’s a brief overview of five common types of DNS attacks:

tunnel1. DNS tunnelling

This attack uses DNS as a covert communication channel to bypass the firewall. Attackers may also tunnel through other protocols like SSH, TCP or Web within DNS. DNS tunnelling enables attackers to easily pass stolen data or tunnel IP traffic without detection, making data exfiltration a particular threat. A DNS tunnel can also be used for as a full remote control channel for a compromised internal host.

2. TCP SYN floods

This type of attack uses the three-way handshake that begins a TCP connection. After this, the attacker sends spoofed SYN packets using the source IP address of bogus destinations. The server sends SYN-ACKs to these bogus destinations, but never receives acknowledgement back from these destinations and the connections are never completed. These half-opened connections exhaust memory on the server, causing the server to stop responding to new connection requests coming from legitimate users.

poison3. Cache poisoning

Here’s how corruption of DNS cache data is caused in a typical cache poisoning attack. First, the attacker queries a recursive name server for the IP address of a malicious site. The recursive server does not have the IP address and queries a malicious DNS resolver. The malicious resolver then provides the requested rogue IP address and also maps the rogue IP address to additional legitimate sites (e.g. www.mybank.com)

The recursive name server then caches the rogue IP address as the address for www.mybank.com, then replies to the user with the cached rogue IP address. The client then connects to the site controlled by the attacker, thinking it is www.mybank.com. Information such as login credentials, passwords, or credit card numbers can be captured using this method.

4. Distributed reflection DDoS

This attack vector combines reflection and amplification, using third-party open resolvers in the Internet as unwitting accomplices. The attacker crafts spoof queries which are specially designed to result in a very large response, and sends them to the open recursive servers. This has the effect of DDoS-ing the victim’s server.

lock5. Domain lock-up

Resolvers and domains are set up by attackers to establish TCP-based connections with DNS resolvers then, when the DNS resolver requests a response, these domains send “junk” or random packets to keep them engaged. They are also deliberately slow to respond to requests, which also works to keep the resolvers engaged. This effectively locks up the DNS server resources, exhausting the DNS server and blocking legitimate requests.

Traditional defences don’t tend to protect against these types of DNS attacks. For example, the problem with traditional firewalls is that port 53 is often left open, the port reserved for DNS queries. This means the firewall cannot protect against DNS-based DDoS attacks such as the amplification and reflection attacks explained above.

Traditional solutions also require extremely high compute performance to accurately detect DNS-based attacks, making deep inspection impractical. The cost and the number of distribution points required for this type of solution are both too high for this to be a realistic option.

How much do you know about Internet domain names? Take our quiz!

Read also :

Click to read the authors bio  Click to hide the authors bio