Visible to the public SoS Musings #27 - DNS AttacksConflict Detection Enabled

SoS Musings #27
DNS Attacks

The Domain Name System (DNS) is a fundamental element of the Internet as it acts as a phone book that provides a distributed directory, mapping easily remembered hostnames such as to their associated IP addresses. Domain names are translated to their numerical IP addresses, which are used by computers and network devices to locate and communicate with each other. DNS servers are responsible for matching domain names to their associated addresses. When a user types a domain name into their browser, the computer asks a DNS server what IP address matches with the requested domain name. Once the connection is made, the correct web page is retrieved. Requests are most likely being immediately sent to DNS servers provided by an Internet service provider (ISP). However, if a user is behind a router, that router may be used by the computer as a DNS server, which also forwards requests to an ISP's default DNS servers. DNS information containing the domain name and IP address mapping is then stored in a local cache, improving the speed of connection as the DNS request phase can be skipped when that specific domain is requested again. Concerns arise as security was not considered in the design of DNS, allowing hackers to abuse weaknesses and vulnerabilities in the Internet system through a variety of different attacks. In 2018, findings of a survey conducted by EfficientIP, brought further attention to the growth of DNS attacks in regard to frequency and associated costs. According to the survey to which 1,000 IT managers in North America, Asia, and Europe responded, the average costs of DNS attacks increased by 57% from $456,000 in 2017 to $715,000 in 2018. In addition, organizations experienced an average of seven DNS attacks within this time frame. Proofpoint's Domain Fraud Threats Report and IDC's 2019 Global DNS Threat Report also reveal the increased launch and cost of DNS attacks. There has been a 34% increase in DNS attacks experienced by organizations as well as a 49% increase in the average cost of such attacks since 2018. Security professionals must continue to develop and follow best practices for securing DNS against attacks.

Security experts have cited a number of different DNS attacks which need to be further explored and prevented. There are many types of DNS attacks that are often cited as the most executed by hackers in attempt to infiltrate networks, perform phishing, disrupt responses to legitimate DNS requests, and more. These DNS attacks include DNS hijacking, DNS flood attack, distributed reflection denial of service (DRDoS), cache poisoning, DNS tunneling, and more. DNS hijacking refers to attacks in which DNS requests are intercepted and redirected to rogue or compromised DNS servers or domains through the modification of DNS records or the exploitation of vulnerabilities in the domain name registrar's system. Hackers carry out DNS flood attacks, which are a type of distributed denial-of-service attack (DDoS), to disrupt DNS resolution for a targeted domain by flooding that domain's DNS server with requests. Disruption to DNS resolution leads to the inability to respond to legitimate traffic. Another common DNS attack is DNS cache poisoning also known as DNS spoofing, which allows rerouting of traffic from real DNS servers to fake ones. Attackers perform DNS cache poisoning by sending forged DNS responses via a fraudulent DNS server, which are then cached by legitimate DNS servers, changing information in the servers pertaining to what IP address corresponds with a specific domain name. DNS cache poisoning can be used to send unsuspecting users to malicious phishing websites at which malware is spread. If attackers want to use DNS as a covert communication protocol or a way in which data can be exfiltrated from a network, they can perform DNS tunneling by inserting data from other programs inside DNS responses and queries. Through the performance of DNS tunneling, attackers can bypass network security technology such as firewalls to evade detection. Other attacks that have been highlighted by security experts are random subdomain attacks, phantom domain attacks, and NXDOMAIN attacks, and more.

Recent research and incidents of DNS attacks have brought further attention to the rising frequency, complexity, and severity of DNS attacks. Sea Turtle is a hacker group that was discovered to be targeting government organizations primarily located in the Middle East or North Africa, including intelligence agencies, ministries of foreign affairs, and more, in an espionage campaign to gain access to sensitive networks via the performance of DNS hijacking. The Sea Turtle DNS hijacking campaign hijacked the domains of 40 different organizations in 13 countries. A team of researchers discovered a new DNS cache-poisoning attack that targets the client-side DNS cache. The attack can be launched against Android, Ubuntu Linux, MacOS, and Windows to poison the DNS cache of these operating systems with malicious DNS mappings, allowing different users of a machine to visit the same domain that leads to an attacker-controlled web server. Gmail, Netflix, and Paypal users recently fell victim to DNS hijacking attacks. The users of these highly-popular online services were redirected to fake websites designed to trick them into providing their credentials to these sites as a result of the modification of DNS settings in compromised consumer routers. Fidelis Cybersecurity highlighted the use of the DNS protocol by malware authors as a cover communications channel in which data is transferred. According to the Fidelis, traffic analyzers often overlook the use of the DNS protocol as a means of communication between a victim's machine and a bad actor's command and control (C&C) server to go undetected. DNS can be used as a means of covertly transferring data in a number of different ways, calling for traffic analyzers to examine DNS traffic for anomalies in order to detect such malicious operations. Such attacks are expected to grow more sophisticated.

Efforts to increase the level of security for DNS must continue to be made by organizations. The Engineers in the Internet Engineering Task Force (IETF), an international standards organization, developed DNS Security Extensions (DNSSEC) to add a layer of security to the DNS protocol by cryptographically verifying the source of DNS response data and ensuring the integrity of this data. The Internet Corporation for Assigned Names and Numbers (ICANN) encourages the full deployment of DNSSEC across all domains to prevent DNS attacks such as DNS hijacking, DNS cache poisoning, and more. Security experts have also highlighted additional best practices that should also be used in conjunction with DNSSEC. In order for an organization to bolster their DNS security, they must ensure the privacy of their resolver, which is the DNS server responsible for receiving DNS queries and tracking the IP addresses for domain names, by restricting the use of the resolver to users on their network. This practice would prevent cache poisoning by external users. Organizations should make use of DNS software capabilities that would enable the addition of variability to outgoing requests such as randomizing query IDs, using a random source port, and more, in order to make it harder for fake DNS responses to get accepted. DNS servers must also be kept up-to-date against known vulnerabilities through the installation of patches. There are many other steps that could be taken by organizations to prevent DNS attacks, including using isolated DNS servers, using DDoS mitigation providers, implementing two-factor authentication, and more. As DNS attacks grow more complex and frequent, security professionals must keep exploring new ways of strengthening DNS security and encouraging the use of best DNS security practices by organizations.