Limiting DNS as an attack vector

Cherif Sleiman, General Manager, Middle East at Infoblox explains the increasing importance of DNS as an attack vector and how Middle East businesses can keep it secure. 

The Domain Name System, or DNS, is a foundational Internet technology that is used in every non-trivial IP-based transaction and which, if it’s not working properly, can bring the web to a standstill. Since its invention over 30 years ago, DNS has been continually evolving to become the core component of the Internet today. Unfortunately, this has made it one of the most attractive targets for hackers and malware criminals.

In its 2014 Annual Security Report, Cisco found that every single corporate network examined by its threat intelligence experts exhibited evidence of having been compromised or misused. All of the networks had DNS lookups which related to websites that hosted malware, another 96% showed traffic to hijacked servers, and a further 92% showed traffic to sites that had no content whatsoever, a typical sign of malware hosting.

In a separate report on IT infrastructure security, it was revealed that over a third of companies surveyed had experienced a Distributed Denial of Service (DDoS) attack on their DNS servers in 2013 – up from a quarter in the previous year. Despite this however, more than a quarter of businesses reported that no formal responsibility was taken for DNS security within the company.

This lack of attention could lead to DNS being perceived by cyber criminals as something of a soft target, arguably one of the key reasons for these types of attacks becoming more prevalent. It’s clear from these two reports alone that too many businesses still wrongly believe that their company’s DNS is secure, whereas the hard truth is that organisations need to be paying much more attention to DNS security.

The growth in threats to DNS infrastructure

Because DNS infrastructure provides core Internet services, when a DNS server goes down, so too do the Internet domains that it serves, creating the potential for large-scale disruption. Cyber criminals are becoming increasingly aware of the attack opportunities made possible by DNS vulnerabilities, and are wasting little time in developing forms of malware that leverage DNS as a channel to communicate with bot masters and carry out malicious activity.

While malware threats continue to grow in volume and sophistication, the burgeoning BYOD culture is providing easier access into the enterprise via the various smartphones and tablets used by company employees. Having made its way inside the firewall, malware from these devices can go undetected by legacy security approaches as it busily exploits DNS as a pathway to connect to a malicious destination or botnet controller. A new generation of botnets and Advanced Persistent Threats (APTs) is increasingly exploiting DNS to recruit and control webs of infected endpoints, conceal criminal activity, or launch sophisticated network attacks.

Types of DNS attacks

Disruption

When taken together, all of the factors above combine to create a perfect storm which makes DNS attacks an extremely attractive medium for cyber criminals. These attacks can be grouped into two main categories, the first of which is made up of those offensives focused on disrupting DNS services:

Cache poisoning: In this attack, the perpetrator sends spoofed DNS responses to a DNS resolver, which then stores them in its cache for the lifetime (Time to Live, or TTL) set on the record. A user whose computer references the poisoned resolver is then tricked into accepting content from a non-authentic server and unknowingly downloads malicious content.

DNS protocol attacks: Here the perpetrator will send malformed DNS queries or responses to the target DNS server and allow protocol implementation bugs in the server’s software to be exploited. Examples of such attacks include malformed packets, code insertion, buffer overflows, memory corruption, NULL pointer de-reference or the exploitation of specific vulnerabilities, and attacks such as these can result in a denial of service, cache poisoning, or compromise of the target server.

DNS redirection (MITM) attacks: DNS queries tend to be carried over the User Datagram Protocol (UDP). This is a stateless protocol which can often be susceptible to man-in-the-middle (MITM) attacks, examples of which include DNS changer, DNS replay, or illegitimate redirection attacks. Attacks such as these are primarily carried out to fulfil motives such as hacktivism, phishing, website defacement or data stealing.

DNS fast fluxing: Fast fluxing refers to rapidly swapping the IP addresses behind a domain name in and out, at extremely high frequency, by changing DNS records that carry short-lived TTLs. Domain fluxing refers to the constant changing and allocation of multiple fully qualified domain names (FQDNs) to a single IP address of the command and control (C&C) server. There has been a recent rise in bots, commonly referred to as Domain Generation Algorithm (DGA) bots, that use dynamic algorithms to generate new FQDNs every day as the bot agent attempts to locate the C&C infrastructure.

DoS and DDoS attacks: The size, velocity and complexity of DoS and DDoS attacks have grown significantly over the past couple of years, with recent DDoS attacks peaking at between 300 Gbps and 400 Gbps.

Exploitation

The second category, which includes botnets, is made up of attacks that use DNS as a vector for exploiting the business. Examples of this type of attack include:

DNS tunnelling: The name of this attack refers to the use of DNS as a covert channel to bypass traditional defence mechanisms. Outbound and inbound data being communicated will be encoded into small chunks and fitted into DNS queries and DNS responses respectively. DNS is a very reliable yet relatively stealthy communication channel, and it’s this reliability and stealth that makes DNS tunnelling such an attractive method to operators of malware. Where other communications fail, the malware that lands on a victim host can contact its operator (aka C&C) and pass stolen data undetected, or fetch commands to be performed on the compromised host.
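As an added illustration of how the DGA, fast-flux and tunnelling behaviour described above shows up in resolver telemetry, the following Python script is example code written for this article, not an Infoblox tool. It applies three simple heuristics to a constructed resolver log (the one-line-per-response format and the thresholds are hypothetical): many NXDOMAIN answers for random-looking names per client (DGA), long high-entropy leftmost labels under one registered domain (tunnelling), and many distinct answers with very short TTLs for one name (fast flux).

```python
import math
from collections import defaultdict
# Constructed resolver log (hypothetical format): client qname qtype rcode ttl answer
SAMPLE_LOG = """\
192.0.2.5 www.example.com A NOERROR 3600 198.51.100.1
192.0.2.7 kq3x9v8zt2pd.test A NXDOMAIN 0 -
192.0.2.7 x8pz4w1qrv7h.test A NXDOMAIN 0 -
192.0.2.7 zr1m6t3ykq9c.test A NXDOMAIN 0 -
192.0.2.9 3f9a1c7e5b0d8246d71b5e3a9f0c2648.t.tunnel.test TXT NOERROR 1 -
192.0.2.9 b4e27c0f96a1d3858a5d3f1e0b7c2469.t.tunnel.test TXT NOERROR 1 -
192.0.2.9 e06c4a8f2d1b97355c9e1a3f7b0d2864.t.tunnel.test TXT NOERROR 1 -
192.0.2.11 cdn.flux.test A NOERROR 30 203.0.113.10
192.0.2.11 cdn.flux.test A NOERROR 30 203.0.113.77
192.0.2.11 cdn.flux.test A NOERROR 30 203.0.113.5
"""

def entropy(label):  # Shannon entropy in bits/char; random-looking labels score high
    if not label:
        return 0.0
    probs = (label.count(ch) / len(label) for ch in set(label))
    return -sum(p * math.log2(p) for p in probs)

def parse_log(text):
    keys = ("client", "qname", "qtype", "rcode", "ttl", "answer")
    rows = [dict(zip(keys, line.split())) for line in text.splitlines()]
    for r in rows:  # normalise the fields the heuristics compare on
        r["qname"], r["ttl"] = r["qname"].lower(), int(r["ttl"])
    return rows

def find_suspects(rows, nx_min=3, flux_ips=3, flux_ttl=60, tun_len=30):
    nx_hits = defaultdict(int)   # client -> NXDOMAINs for random-looking names (DGA)
    labels = defaultdict(list)   # registered domain -> leftmost labels (tunnelling)
    answers = defaultdict(set)   # qname -> (ttl, ip) pairs seen (fast flux)
    for r in rows:
        parts = r["qname"].split(".")
        if r["rcode"] == "NXDOMAIN" and entropy(parts[-2]) >= 3.0:
            nx_hits[r["client"]] += 1
        # Simplification: the last two labels are taken as the registered domain.
        labels[".".join(parts[-2:])].append(parts[0])
        if r["answer"] != "-":
            answers[r["qname"]].add((r["ttl"], r["answer"]))
    return {
        "dga_clients": sorted(c for c, n in nx_hits.items() if n >= nx_min),
        "tunnel_domains": sorted(d for d, ls in labels.items()
                                 if sum(map(len, ls)) / len(ls) >= tun_len
                                 and sum(map(entropy, ls)) / len(ls) >= 3.5),
        "fastflux_domains": sorted(q for q, a in answers.items()
                                   if len({ip for _, ip in a}) >= flux_ips
                                   and max(t for t, _ in a) <= flux_ttl),
    }
```

Running `find_suspects(parse_log(SAMPLE_LOG))` flags the DGA client, the tunnelling domain and the fast-flux name while leaving the ordinary lookup alone; on real logs the thresholds need tuning against a baseline of the organisation's normal traffic.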

Domain phishing: This attack uses a look-alike of a legitimate domain, such as that of a financial institution or a travel agency, controlled by hackers in order to illegitimately acquire sensitive information such as usernames, passwords, PINs or credit card details. Once this sensitive information has been gathered, the real attack can then be performed.

Advanced Persistent Threats (APTs): APTs refer to a form of attack which gains unauthorised network access and remains undetected for long periods. As their name suggests, APTs are advanced and persistent malware, funded and entirely motivated to accomplish the specific goal for which they have been designed. Examples of APTs include Conficker A/B/C, Torpig, Kraken or TDSS/TDL4 malware – all of which leverage DNS to stealthily communicate with a remote C&C server in order to gather additional malware packages and instructions, and carry out their attacks.

Defence solutions

It’s clear then that, with such a wide variety of possible DNS attack vectors – those above being only a sample – no single technology alone can be effective in defending against them all. The comprehensive protection of an organisation’s DNS infrastructure and services requires Middle East companies to have a multi-faceted security strategy that employs a layered defence using some or all of the following solutions:

DNS firewalls: Inline devices that provide real-time threat intelligence, anomaly detection and protection against malicious domains.

DNSSEC: DNS Security Extensions digitally sign DNS records so that resolvers can verify they came from the legitimate source, ensuring that forged records which appear to come from trusted sources cannot poison the cache.

DoS/DDoS protection systems: These can detect advanced DDoS attacks and take the steps necessary to protect against them.

Data Leakage Prevention (DLP) monitoring systems: These will detect if any data leakage is taking place using DNS, among other protocols.

Dedicated APT-aware analytics systems: By employing machine learning along with other behavioural techniques, these systems detect APT malware that use DNS to communicate with C&C servers.

Conclusion

DNS is rapidly becoming a highly attractive means of evading existing defence mechanisms and exploiting any one of the aforementioned attack vectors for those attackers and malware authors whose primary motive is cyber war, industrial espionage, hacktivism, political gain or protest, theft of data, distribution of spam, or to cause maximum disruption by carrying out a coordinated DDoS attack.

There appears to be a compelling number of reasons why businesses should make DNS security a high priority, yet it is clear that DNS servers are still often neglected, leaving organisations open to attack.

We have seen a meteoric rise in the frequency, volume and sophistication of DNS-based attacks over the last couple of years, which suggests that existing intrusion detection and prevention systems and next-generation firewalls may no longer be a sufficient means of defence in themselves.

It’s evident therefore that enterprises now need to consider a robust and multi-pronged defence strategy as a means of combating these modern threats and the malware that reliably uses DNS to evade existing defence mechanisms. Hackers will inevitably continue to try to attack a business’s infrastructure, so it’s important to consider how this will be managed once an attack takes place or, better still, how to prevent it happening in the first place.

Organisations in the Middle East need to ensure that their infrastructure is protected, and to encourage effective interaction with third parties such as registrars in order to ensure that they do not become the next victim.
