DNS threats you need to know about

6th June 2017

Gavin Rawson

Gavin Rawson
Technical Lead

You are more likely to be the victim of cyber crime than burglary, but do you keep your DNS as secure as your home?

For those who got stuck at DNS – this is the Domain Name System (DNS). Often likened to the phone book of the internet, the DNS is the technology that allows the typed web address to deliver the recognisable website, as domain names are listed as numbered IP addresses that the average user would fail to recall.

At Nominet we run the DNS for the .UK domain. Every time a user types in a website address that ends in .uk, our servers process the request and pinpoint the required webpage. Large organisations often run their own DNS for operational ease, autonomy and insights into customer behaviour via the visible traffic. Too few realise that the DNS is a honey pot for cyber criminals and could be on the most vulnerable aspects of the network. Not securing the DNS is much the same as leaving doors and windows open. Don’t roll out the red carpet for the thieves.

A survey by Infoblox in 2016 found that two-thirds of DNS traffic logs showed signs of malicious activity. It’s easy to see why criminals are so active in the DNS: most firewalls whitelist DNS, and its ubiquitous nature leads too many system administrators to overlook it. The number of cyber attacks that exploit the DNS are rising and the costs of an attack brutal, so why aren’t more organisations doing all they can to stay safe?

Robust cyber security for the DNS starts with awareness and understanding. If you don’t understand what the criminals are doing, how can you safeguard against them? The jargon around DNS attacks is evolving faster than the technology that underpins it. It’s time to demystify the terms and equip you with the knowledge to boost your cyber security efforts and comprehensively secure the house.

You may have heard of a DNS DDoS, or distributed denial of service attack, from the recent incidents reported in the media. This attack involves deliberately overloading the DNS with a large number of requests from a number of endpoints under their control. Another form of this attack is known as amplification, with the attack targeting the DNS to deliver large responses to small queries and overload the victim’s system.

Reflection is also a nasty variation on this theme; the DDoS attack involves the criminals replacing their source address with that of the victim, so all the requests are sent there. Then there comes a flood attack which involves an attack flooding the server with requests to such an extent that legitimate users can’t access it.

Combine all this together, and you get a UDP DrDOS attack. Attackers use User Datagram Protocol spoofing (see more below) and amplification (see above) to cause maximum havoc.

As the name suggests, an app-based attack picks on one specific application either to overwhelm it or take advantage of its weak spots. Another self-explanatory threat is the brute-force attack, with criminals trying to obtain information by guessing endlessly and querying the DNS for subdomains and IP addresses. They’ll get it right eventually…

Nastily-named cache poisoning is also known as spoofing. In this attack, criminals introduce corrupt data into the DNS so requests are sent to the bad guy’s servers instead. Think of this like all your business calls being redirected to your enemy.

Sadly, phishing has none of the serenity and pleasure of tempting fish out of water, rather it tempts people to reveal sensitive information by posing as a credible source. Have you ever had an email from a bank asking you to confirm passwords or pin numbers? Phishing! This is not to be confused with pharming, in which the attackers redirect traffic intended for one website to another, fake and nasty site.

Phishing attacks can sometimes be hidden behind ever-changing hosts and operate using a botnet – this is called a fast flux attack. And a botnet? That’s a network of computers that have been infected with malicious software and can be used without the owners’ knowledge to launch an attack.

Most clandestine of all is the semantic attack, which seeks valuable information such as financial details and passwords by fiddling with the DNS’ technical defences so the criminals can sneak in unnoticed. This is not to be confused with tunnelling. This is akin to sending cryptic messages across the airwaves. Criminals transfer data across the DNS as a query to try and exfiltrate sensitive information out of the organisation.

A useful tool for the would-be criminals are domain generation algorithms. These generate a large amount of domain names that can be used as rendezvous points and sources of malware attacks, and are often created faster than can be spotted and blocked.

Cyber criminals are becoming increasingly creative and refined in their methods of attacking the DNS, and the damage to a company’s reputation and financial cost can be vast. Understanding what you are facing is important – you can learn more about why the DNS is essential to your cyber security by downloading our white paper. There are also DNS tools and services available to help those who feel they need it to help safeguard their network. Think of it like installing security cameras at the front of your house; it’s a chance to see what the criminals are up to and inform your approach to keep your business safe.