Attacks Rise On Network Blind Spot

  /     /     /  
Publicated : 22/11/2024   Category : security


Attacks Rise On Network Blind Spot


Interop speaker says DDoS attacks are not the only forms of abuse on the Domain Name Server.



The most high-profile attacks on Domain Name Service (DNS) servers are distributed denial-of-service (DDoS) attacks, but there are even more nefarious attacks on these systems underway today as cyber criminals and APT actors abuse commonly vulnerable DNS servers.
DNS has been around forever. But theres an overwhelming lack of expertise in it, says Patrick Foxhoven, vice president and CTO of emerging technologies at Zscaler. Its been thought of as a dumb, foundational-level protocol. I believe its a blind area of many networks thats often never looked at from a security point of view.
Foxhoven, who will deliver a presentation next week at Interop 2014 in Las Vegas on this very topic, says DDoS attacks may be the most well known abuses of DNS servers, but malware owners and authors are increasingly using it to build out their command-and-control infrastructures. More modern threats continue to come up with unique ways... to tunnel out of networks or exfiltrate data, says Foxhoven, who will detail these threats in his
Forget Sticks and Stones: DNS Threats Prove Names Can Hurt You
presentation on Wednesday.
DNS reflection attacks are where attackers use bots to send domain name requests to DNS servers such that the servers end up flooding a targeted domain with responses, which can slow or crash both DNS servers and the targeted domain.
One of the largest DDoS attacks on record -- 300 Gbit/s of traffic -- was against volunteer spam-filtering organization Spamhaus in March of 2013.  The attackers abused improperly configured or default-state DNS servers, known as open DNS resolvers. Since DNS servers are large and run on high-speed Internet connections, the attackers were able to maximize a bigger bandwidth attack with fewer machines.
Ironically, the DNSSEC protocol that digitally signs domains can make DNS reflection attacks worse, Foxhoven says. DNSSEC adds more data, so a reflection attack can be worse. Thats because DNSSECs digital signing of DNS domains and authenticating responses in queries to the DNS amplifies the replies if the DNS is spoofed, he says.
DNS hijacking also has become a popular method for hacktivists such as the Syrian Electronic Army, which last year exploited DNS security weaknesses to redirect visitors to websites of The New York Times and Twitter, to their own website with messages supporting Bashar Assads government.
Botnet operators use fast-flux in their networks of zombies, which is basically load-balancing with a twist. Its a round-robin method where infected bot machines serve as proxies or hosts for malicious websites. These are constantly rotated, changing their DNS records to prevent their discovery by researchers, ISPs, or law enforcement.
It can cripple the infrastructure and do a denial-of-service on the organization, too, Foxhoven says. So if a company is infected with a botnet and the first sign is that their DNS servers are falling over, they are overwhelmed with load from fast-fluxing.
Foxhoven says cyber espionage actors are the newest adopters of fast-flux. Were seeing DNS as the most common way these advanced-threat actors are phoning home... That was not the case two years ago.
There are some best-practices that organizations can employ to help protect their DNS infrastructures. Configure servers so that they only allow recursion from your enterprise or users, not from the [external] Internet, says Foxhoven. And get visibility and analysis into whats going on in the DNS, he adds, using behavioral analysis products like those of FireEyes or Palo Alto Networks or cloud-based offerings such as that of Zscalers.
Still missing from the equation, however, is security for the last mile, Foxhoven says. Theres a misunderstanding of what DNSSEC is meant to do. The last mile is still vulnerable: so if you have a laptop in an uncontrolled network, at Starbucks or a home network, you dont have strong security for making sure that laptop is getting the [domain name resolution] results... coming from the server it should be coming from and not been tampered with along the way.

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Attacks Rise On Network Blind Spot