In the last year, 90% of business organizations faced some form of DNS attack. The cost of a successful DNS attack averages around $1.1 million — no small sum. A survey of 1,000 organizations found that DNS-related attacks led to:
These victims faced, on average, 7.5 DNS-related attacks every year. What is the fallout of these attacks? Compromised systems caused service downtime for 73% of the dependent apps. Worse, 29% of the services actually had data stolen from them.
So, let’s take a look at the risks in the Domain Name System. We’ll start with how DNS works, then look at common attack patterns, and finally at defense.
How DNS works (and why it’s under attack)
Domain Name System (DNS) simplifies communication between:
- Hosting servers that run a web service
- The client endpoint device
Web servers and endpoint devices that connect to the internet are identified by unique numerical identifiers, Internet Protocol (IP) addresses. Request queries and responses travel between the IP address of the Web server and the IP address of the user’s device.
The format of an IP address (32 hexadecimal digits for IPv6, up to 12 decimal digits for IPv4) is machine-friendly and provides a way to route data across the network. However, these identifiers are not human-friendly. So they are translated into the human-readable form we know from Uniform Resource Locators (URLs): domain names, which are far easier to remember and use.
DNS resolution systems
The mechanism that translates between domain names (as used in URLs) and IP addresses is called Domain Name System (DNS) resolution.
Of course, the Domain Name System also provides a hierarchical and decentralized design to manage the mapping between web pages and IP Addresses.
DNS threats & attacks
The simple design of the DNS resolution system has been adopted universally, and because it is universal, it is a target: cybercriminals frequently exploit weaknesses in DNS implementations to disrupt internet access to vulnerable hosting servers.
Let’s look at the most common DNS security risks and threat vectors:
DNS tunneling
Once DNS traffic is flowing between a host and a Web server, cybercriminals can covertly encode non-DNS data, such as executable commands, into DNS queries. The data is carefully encoded so that it passes the security controls around the DNS resolution system.
Once the receiving server extracts this data, the embedded commands can be used to gain unauthorized access and to move data out to third-party servers.
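Tunnelled traffic leaves a characteristic footprint in resolver logs: many distinct, long, high-entropy subdomains under a single domain. The following detection logic is an added example, not code from the post; the log lines are constructed, and the "registered domain = last two labels" rule is a simplifying assumption in place of a public-suffix list.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver query log, (client_ip, qname). The first four lines mimic a
# tunnel: long, high-entropy labels that never repeat, all under one domain.
QUERIES = [
    ("10.0.0.5", "3f7a0c9e1b5d2846a72e5c09b3f1d864.e1c6b50d2a98f37490d4a8e3f6c172b5.tun.example"),
    ("10.0.0.5", "a72e5c09b3f1d86490d4a8e3f6c172b5.3f7a0c9e1b5d2846e1c6b50d2a98f374.tun.example"),
    ("10.0.0.5", "e1c6b50d2a98f3743f7a0c9e1b5d2846.90d4a8e3f6c172b5a72e5c09b3f1d864.tun.example"),
    ("10.0.0.5", "90d4a8e3f6c172b5e1c6b50d2a98f374.a72e5c09b3f1d8643f7a0c9e1b5d2846.tun.example"),
    ("10.0.0.7", "www.example.com"),
    ("10.0.0.7", "mail.example.com"),
    ("10.0.0.9", "cdn.example.com"),
    ("10.0.0.9", "example.com"),
]

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def registered_domain(name):
    """Assumption: the registrable domain is the last two labels (no public-suffix list)."""
    return ".".join(name.split(".")[-2:])

def tunnel_suspects(queries, min_unique=4, min_len=40, min_entropy=3.5):
    """Group queries by registered domain and score the subdomain part: tunnelled
    traffic yields many distinct, long, high-entropy subdomains under one domain,
    where ordinary lookups reuse a handful of short, readable ones."""
    subs_by_domain = defaultdict(set)
    for _, qname in queries:
        name = qname.lower().rstrip(".")
        dom = registered_domain(name)
        if name != dom:
            subs_by_domain[dom].add(name[: -len(dom) - 1])
    suspects = {}
    for dom, subs in subs_by_domain.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(entropy(s.replace(".", "")) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            suspects[dom] = {"unique_subdomains": len(subs),
                             "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)}
    return suspects
```

Thresholds are starting points; tune them against your own baseline, since CDNs and some anti-virus vendors legitimately generate long machine-made labels.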
DNS spoofing & cache poisoning
Hackers may also spoof DNS. To do so, they send a forged answer to you, the user, before the DNS resolver can return the correct query response. The outcome? They’ve redirected you to a malicious website.
The DNS resolver may also cache the fraudulent IP address mapping, directing all future Web queries to the fraudulent website instead. This can redirect user traffic on a wide scale to the fraudulent IP address until the DNS resolver refreshes its cache and drops the malicious mappings.
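To make the resolution mechanism and the spoofed-response risk concrete, here is an added example (not code from the post) that builds DNS query and response messages in wire format and applies the checks a resolver performs before it caches an answer: matching transaction ID, QR bit set, identical question section, and answer owners inside the queried zone (bailiwick). Names are encoded without compression pointers, the "parent zone of the query name" bailiwick rule is a simplification, and all message bytes are constructed.

```python
import struct

def encode_name(name):
    """Dotted name -> DNS label wire format (no compression pointers)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg, off):
    """Read an uncompressed name at offset; return (lowercase name, next offset)."""
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode())
        off += 1 + msg[off]
    return ".".join(labels).lower(), off + 1

def build_query(txid, qname, qtype=1):
    """Standard recursive query: 12-byte header plus one question, class IN."""
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)

def build_response(txid, qname, answers, qtype=1):
    """Constructed reply carrying A records given as [(owner, ttl, ipv4)]."""
    msg = struct.pack("!6H", txid, 0x8180, 1, len(answers), 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, ttl, ip in answers:
        msg += encode_name(owner) + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(map(int, ip.split(".")))
    return msg

def accept_response(query, response):
    """Checks a resolver applies before caching: TXID equals the outstanding query's,
    QR bit set, question identical, and every answer owner inside the queried zone."""
    qid = struct.unpack("!H", query[:2])[0]
    rid, flags, _, ancount, _, _ = struct.unpack("!6H", response[:12])
    if rid != qid or not flags & 0x8000:
        return False, "txid or QR mismatch"
    (qname, qoff), (rname, roff) = decode_name(query, 12), decode_name(response, 12)
    if (qname, query[qoff:qoff + 4]) != (rname, response[roff:roff + 4]):
        return False, "question mismatch"
    zone = qname.split(".", 1)[1]   # assumption: bailiwick is the parent zone of qname
    off = roff + 4
    for _ in range(ancount):
        owner, off = decode_name(response, off)
        off += 10 + struct.unpack("!H", response[off + 8:off + 10])[0]   # fixed fields + RDLENGTH
        if owner != qname and not owner.endswith("." + zone):
            return False, "out-of-bailiwick answer for " + owner
    return True, "accepted"

# Constructed sample: one outstanding query and three candidate replies.
QUERY = build_query(0x1A2B, "www.example.com")
GOOD = build_response(0x1A2B, "www.example.com", [("www.example.com", 300, "93.184.216.34")])
WRONG_ID = build_response(0x1A2C, "www.example.com", [("www.example.com", 300, "198.51.100.7")])
OFF_ZONE = build_response(0x1A2B, "www.example.com", [("www.bank.test", 86400, "198.51.100.7")])
```

Because the transaction ID is only 16 bits, real resolvers also randomize the UDP source port and compare it on the way back; that check is omitted here because the sample has no transport layer.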
Distributed Denial of Service (DDoS) & amplification
A DDoS is a cyberattack in which a flood of traffic is directed at a website so that it becomes inaccessible to legitimate users. Here the flood is produced by DNS amplification, which overwhelms the target Web server with internet traffic.
DNS amplification works by sending small queries that produce large responses. For instance, the UDP packet carries the spoofed source IP address of the intended victim and asks the DNS resolver for a response that is much larger than the query itself. A large number of bots send such requests to DNS resolvers, which then deliver the amplified responses to the target Web server.
This renders the Web service inaccessible to legitimate users querying the server at the same time.
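A resolver or authoritative server can blunt its own usefulness as a reflector with response rate limiting, which caps identical answers to one client network per second and answers a share of the excess with a truncated reply that only a genuine client (not a spoofed one) will retry over TCP. The simulation below is an added example modelled on that idea, not the post's or any product's code; the traffic and the /24 bucketing are constructed assumptions.

```python
from collections import defaultdict

class ResponseRateLimiter:
    """Response rate limiting in the style resolvers and authoritative servers use
    against reflection: identical answers to one client network are capped per
    one-second window. Excess responses are mostly dropped; every `slip`-th one is
    sent truncated (TC=1), which a real client answers by retrying over TCP and a
    spoofed sender never sees, so the victim receives little amplified traffic."""

    def __init__(self, responses_per_second=5, slip=2):
        self.limit = responses_per_second
        self.slip = slip
        self.sent = defaultdict(int)     # (second, client /24, qname) -> responses sent
        self.excess = defaultdict(int)   # same key -> responses withheld so far

    def decide(self, ts, client_ip, qname):
        """Return 'send', 'truncate' or 'drop' for one response about to leave."""
        net = ".".join(client_ip.split(".")[:3]) + ".0/24"   # assumption: /24 buckets
        key = (int(ts), net, qname.lower())
        if self.sent[key] < self.limit:
            self.sent[key] += 1
            return "send"
        self.excess[key] += 1
        return "truncate" if self.excess[key] % self.slip == 0 else "drop"

def simulate(events, **kwargs):
    """Run (ts, client_ip, qname) events through the limiter; tally actions per client."""
    rrl = ResponseRateLimiter(**kwargs)
    tally = defaultdict(lambda: {"send": 0, "truncate": 0, "drop": 0})
    for ts, client, qname in events:
        tally[client][rrl.decide(ts, client, qname)] += 1
    return dict(tally)

# Constructed traffic: 20 reflected lookups for a large record that claim to come
# from the victim 203.0.113.10 within one second, plus a normal client's three lookups.
EVENTS = [(100.0 + i * 0.04, "203.0.113.10", "big.example") for i in range(20)]
EVENTS += [(100.1, "10.0.0.5", "www.example.com"), (100.5, "10.0.0.5", "mail.example.com"),
           (101.2, "10.0.0.5", "www.example.com")]
```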
DNS fast flux
Cybercriminals exploit the DNS resolution mechanism to prevent search services and businesses from denylisting (formerly known as blacklisting) malicious IP addresses. They simply, and continuously, change the host IP address of their malicious content. This malicious content may…
- Include malware or fraudulent services.
- Impersonate legitimate services, such as banks and social media.
- Manage botnets for DDoS and DNS amplification attacks.
Once the original hosting server is set up, an additional set of botnet servers or compromised host servers is used as a proxy to handle Web traffic to the original Web server. The proxy servers rapidly rotate IP addresses associated with the original Web host server domain. The proxy IP address obscures communication between the end-user and the original server that hosts the malicious content.
To avoid detection, this process is lightning fast: it occurs within milliseconds.
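The rotation just described is visible in a resolver's answer logs: a fast-flux domain churns through many addresses on unrelated networks at a very low TTL, whereas a CDN with a low TTL reuses a few addresses inside its own ranges. The detector below is an added example rather than code from the post; the observations are constructed and the /24 grouping stands in for a real network or ASN lookup.

```python
from collections import defaultdict

# Constructed A-record observations from a resolver's answer log: (ts, domain, ip, ttl).
# login-bank.test rotates through unrelated networks at a 60-second TTL; cdn.example
# also has a low TTL but alternates between two addresses on one network.
ANSWERS = [
    (0, "login-bank.test", "198.51.100.4", 60),
    (60, "login-bank.test", "203.0.113.77", 60),
    (120, "login-bank.test", "192.0.2.19", 60),
    (180, "login-bank.test", "198.51.100.201", 60),
    (240, "login-bank.test", "203.0.113.8", 60),
    (0, "cdn.example", "192.0.2.10", 60),
    (100, "cdn.example", "192.0.2.11", 60),
    (200, "cdn.example", "192.0.2.10", 60),
    (0, "www.example", "192.0.2.50", 3600),
]

def net24(ip):
    """Assumption: IPv4 only, and a /24 is a good enough proxy for 'same network'."""
    return ".".join(ip.split(".")[:3])

def fast_flux_candidates(answers, window=600, min_ips=4, min_nets=3, max_ttl=300):
    """Per domain and time window, count distinct addresses and distinct /24s and
    record the largest TTL seen. A fast-flux domain cycles through many addresses
    on unrelated networks at low TTL; a CDN reuses a few addresses in its own ranges."""
    seen = defaultdict(lambda: {"ips": set(), "nets": set(), "max_ttl": 0})
    for ts, domain, ip, ttl in answers:
        e = seen[(int(ts // window), domain.lower())]
        e["ips"].add(ip)
        e["nets"].add(net24(ip))
        e["max_ttl"] = max(e["max_ttl"], ttl)
    flagged = {}
    for (_, domain), e in seen.items():
        if len(e["ips"]) >= min_ips and len(e["nets"]) >= min_nets and e["max_ttl"] <= max_ttl:
            flagged[domain] = {"ips": len(e["ips"]), "nets": len(e["nets"]), "ttl": e["max_ttl"]}
    return flagged
```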
DNS security: Mitigating DNS risks
These risks can commonly be mitigated by following industry-proven cybersecurity best practices:
- Using a dedicated DNS security firewall.
- Configuring DNS resolvers so that an incident cannot escalate across the wider network.
- Regularly updating, monitoring and auditing DNS server systems.
Defending against DDoS attacks
Defense against DDoS attacks, however, is a different story. DDoS attack prevention requires sophisticated measures:
- Proactively segmenting the network and managing bandwidth can reduce impact exposure in the event of a DDoS attack.
- The Content Delivery Network (CDN) can be configured to distribute and redirect traffic depending on the bandwidth limitations.
Additionally, reactive measures in response to a DDoS attack can include advanced AI-enabled Intrusion Detection and Prevention Systems (IDS/IPS) and load balancers that handle traffic surges in real time.
This posting does not necessarily represent Splunk's position, strategies or opinion.