Pictured: Cherif Sleiman, General Manager, Middle East at Infoblox
The Domain Name System, or DNS, is a foundational Internet technology that is used in every non-trivial IP-based transaction and which, if it’s not working properly, can bring the web to a standstill. Since its invention over 30 years ago, DNS has been continually evolving to become the core component of the Internet today. Unfortunately, this has made it one of the most attractive targets for hackers and malware criminals.
In its 2014 Annual Security Report, Cisco found that every single corporate network examined by its threat intelligence experts exhibited evidence of having been compromised or misused1. All of the networks had DNS lookups which related to websites that hosted malware, another 96 per cent showed traffic to hijacked servers, and a further 92 per cent showed traffic to sites that had no content whatsoever, a typical sign of malware hosting.
In a separate report on IT infrastructure security, it was revealed that over a third of companies surveyed had experienced a Distributed Denial of Service (DDoS) attack on their DNS servers in 2013 – up from a quarter in the previous year2. Despite this however, more than a quarter of businesses reported that no formal responsibility was taken for DNS security within the company.
This lack of attention could lead to DNS being perceived by cybercriminals as something of a soft target, arguably one of the key reasons for these types of attacks becoming more prevalent. It’s clear from these two reports alone that too many businesses still wrongly believe that their company’s DNS is secure, whereas the hard truth is that organizations need to be paying much more attention to DNS security.
The growth in threats to DNS infrastructure
Because DNS infrastructure provides core Internet services, when a DNS server goes down, so too do the Internet domains that it serves, creating the potential for large-scale disruption. Cyber criminals are becoming increasingly aware of the attack opportunities made possible by DNS vulnerabilities, and are wasting little time in developing forms of malware that leverage DNS as a channel to communicate with bot masters and carry out malicious activity.
While malware threats continue to grow in volume and sophistication, the burgeoning BYOD culture is providing easier access into the enterprise via the various smartphones and tablets used by company employees. Having made its way inside the firewall, malware from these devices can go undetected by legacy security approaches as it busily exploits DNS as a pathway to connect to a malicious destination or botnet controller. A new generation of botnets and Advanced Persistent Threats (APTs) is increasingly exploiting DNS to recruit and control webs of infected endpoints, conceal criminal activity, or launch sophisticated network attacks.
Types of DNS attacks
When taken together, all of the factors above combine to create a perfect storm which makes DNS attacks an extremely attractive medium for cyber criminals. These attacks can be grouped into two main categories, the first of which is made up of those offensives focused on disrupting DNS services:
Cache poisoning: In this attack, the perpetrator will send spoofed DNS responses to a DNS resolver, which will then be stored in the DNS cache for the lifetime (Time to Live, or TTL) set. A user whose computer has referenced the poisoned DNS server would then be tricked into accepting content coming from a non-authentic server and would unknowingly download malicious content.
DNS protocol attacks: Here the perpetrator will send malformed DNS queries or responses to the target DNS server and allow protocol implementation bugs in the server’s software to be exploited. Examples of such attacks include malformed packets, code insertion, buffer overflows, memory corruption, NULL pointer de-reference or the exploitation of specific vulnerabilities, and attacks such as these can result in a denial of service, cache poisoning, or compromise of the target server.
DNS redirection (MITM) attacks: DNS queries tend to be carried over the User Datagram Protocol (UDP). This is a stateless protocol which can often be susceptible to man-in-the-middle (MITM) attacks, examples of which include DNS changer, DNS replay, or illegitimate redirection attacks. Attacks such as these are primarily carried out to fulfill motives such as hacktivism, phishing, website defacement or data stealing.
DNS fast fluxing: Fast fluxing refers to the rapid changing, swapping in and out of IP addresses with extremely high frequency through changing DNS records with short-lived TTLs. Domain fluxing refers to the constant changing and allocation of multiple fully-qualified-domain-names (FQDNs) to a single IP address of the command & control (C&C) server. Commonly referred to as Domain Generation Algorithm (DGA) bots, there has been a recent rise in the type of bots that use dynamic algorithms to generate FQDNs every day, as the bot agent attempts to locate the C&C infrastructure.
DoS and DDoS attacks: The size, velocity and complexity of DoS and DDoS attacks has grown significantly over the past couple of years with recent DDoS attacks peaking at between 300Gbps and 400 Gbps.
There is also a form of attack, which includes botnets, that use DNS as a vector for business exploitation. Other examples of this type of attack include:
DNS tunnelling: The name of this attack refers to the use of DNS as a covert channel to bypass traditional defense mechanisms. Outbound and inbound data being communicated will be encoded into small chunks and fitted into DNS queries and DNS responses respectively. DNS is a very reliable yet relatively stealthy communication channel, and it’s this reliability and stealth that makes DNS tunnelling such an attractive method to operators of malware. Where other communications fail, the malware that lands on a victim host can contact its operator (aka C&C) and pass stolen data undetected, or fetch commands to be performed on the compromised host.
Domain phishing: This attack is an attempt to phish a legitimate domain, such as the domain of a financial institution or a travel agency for example, to that of one controlled by hackers and illegitimately acquire sensitive information such as usernames, passwords, PINs or credit card details. Once this sensitive information has been gathered, the real attack can then be performed.
Advanced Persistent Threats (APTs): APTs refer to a form of attack which gains unauthorized network access, remaining undetected for long periods. As their name suggests, APTs are advanced malware, and persistent in their nature, which are funded and entirely motivated to accomplish the specific goal for which they have been designed. Examples of APTs include Conifer A/B/C, Torpig, Kraken or TDSS/TLD4 malware – all of which leverage DNS to stealthily communicate with a remote C&C server in order to gather additional malware packages and instructions, and carry out their attacks.
It’s clear then that, with such a wide variety of possible DNS attack vectors – those above being only a sample – no single technology alone can be effective in defending against them all. The comprehensive protection of an organization’s DNS infrastructure and services requires Middle East companies to have a multi-faceted security strategy that employs a layered defense using some or all of the following solutions:
DNS firewalls: Inline devices that provide real-time threat intelligence, anomaly detection and protection against malicious domains.
DNSSEC: DNS Security Extensions digitally sign the DNS records to ensure that no poisoning of these records can happen from what appear to be trusted sources.
DOS/DDOS protection systems: These can detect advanced DDoS attacks and take steps necessary to protect against them.
Data Leakage Prevention (DLP) monitoring systems: These will detect if any data leakage is taking place using DNS, among other protocols.
Dedicated APT-aware analytics systems: By employing machine learning along with other behavioural techniques, these systems detect APT malware that use DNS to communicate with C&C servers.
DNS is rapidly becoming a highly attractive means of evading existing defense mechanisms and exploiting any one of the aforementioned attack vectors for those attackers and malware authors whose primary motive is cyber war, industrial espionage, hacktivism, political gain or protest, theft of data, distribution of spam, or to cause maximum disruption by carrying out a coordinated DDoS attack.
About the author
Mr. Sleiman has more than 20 years of sales, technical and business experience with some of the world’s leading networking and telecommunications technology companies. He has held key executive roles, including chief operating officer and chief technology officer at Core Communications, a software and IT services company focused on cloud-based business services and web and mobile apps. He spent more than six years at Cisco in various leadership positions, the last being senior director, leading the enterprise business for Middle East and Africa. He also developed the strategic vision and technology roadmap, and managed all aspects of research and development, for Nortel Networks in his role as CTO, Enterprise Business Unit.