DNS a Victim of its Own Success

  /     /     /  
Publicated : 22/11/2024   Category : security


DNS a Victim of its Own Success


Why securing the Domain Name System remains an afterthought at many organizations.



Its been nearly one year since the massive DDoS attack on Domain Name Service (DNS) provider Dyn that
disrupted major websites
including Amazon, CNN, Netflix, Okta, Pinterest, Reddit, and Twitter, but DNS security remains an enigma for many businesses.
According to a new study conducted by Dimensional Research on behalf of Infoblox, some three out of 10 companies have been hit with cyberattacks on their DNS infrastructure, 93% of whom suffered downtime - 40% of them for an hour or more. But that likely just scratches the surface of the volume of attacks on DNS, experts say, because many DNS attacks are tough to detect.
That number [of attacks] seems a little low, says DNS pioneer Paul Vixie, CEO and founder of DNS security firm FarSight Security, of the new data. Vixie, who is the principal author of the pervasive BIND DNS server software and creator of several DNS standards, notes that its difficult for some organizations to pinpoint an attack came via their DNS.
Downtime costs, too, are likely higher than the Dimensional/Infoblox study data shows. Some 54% of organizations in the study say they lost $50,000+ to a DNS attack, while nearly a quarter lost $100,000+. There are things you can count, but you dont know about every attack that happens or every actual cost because it isnt always quantifiable, so the losses could be more, Vixie notes.
Prakash Nagpal, vice president at network and DNS security firm Infoblox, concedes that there likely are more DNS attacks that just arent discovered. I do think more companies have been hit than that, he says of the data. The most well-known DNS threats are distributed denial-of-service attacks, of course, he says. But DNS is not just about DDoS attacks, Nagpal says.
In a lot of cases they [victims] dont know they were subjected to DNS attacks because they [the attacks] are so subtle … I dont think people make the connection between DNS and malware distribution and data exfiltration, he says.
An infected machine has to call home at some point, he says, and one of the most common types of DNS attacks is where attackers use the DNS to siphon data from the victim organization. The infected machine is forced to make DNS requests to the attackers server, which in turn pulls the stolen data from that machine during those interactions. So if an executives laptop is infected, the attackers can pull sensitive data such as financial reports, for example, via those DNS queries, he says.
While DDoS remains a big source of downtime and a huge source of attack, where DNS is being used in data exfiltration should also be of concern, according to Nagpal.
The
Infoblox study
, which queried more than 1,000 security and IT professionals worldwide, illustrated how reactive DNS security tends to be in organizations: three quarters of organizations who havent experienced a DNS attack say antivirus monitoring is their main focus security-wise, but 70% of those whove been hit by a DNS attack rank DNS security as their number one security priority.
DNS is a victim of its own success. How many times do you think about how your phone call gets routed? Youre not supposed to; the same in the IP space, Nagpal says. There also can be a learning curve for DNS and its security implications, he says.
DNS [security] is still not top of mind, Nagpal says.
The Oct. 21 wave of DDoS attacks on Dyn – courtesy of the historic Mirai botnet of infected Internet of Things devices – used masked TCP and UDP traffic via Port 53 to overwhelm the DNS providers infrastructure as well as recursive DNS retry traffic. It was the DNS traffic sent in the DDoS that was most perplexing when it came to detecting it.
Scott Hilton, executive vice president of product for Dyn, explained in the aftermath that the DNS traffic sent in the DDoS attacks also generated legitimate DDoS retry traffic, making the attack more complicated to parse, and the attack generated ten to 20 times the normal DNS traffic levels thanks to malicious and legitimate retries.
During a DDoS which uses the DNS protocol it can be difficult to distinguish legitimate traffic from attack traffic, he said in 
a blog post
. When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume. We saw both attack and legitimate traffic coming from millions of IPs across all geographies.
More DNS Security Woes
Meanwhile, Google researchers this week disclosed they had found
seven security flaws in DNS software
used in Android, home routers, and IoT devices. The flaws in Dnsmasq since have been fixed, but the chance of most IoT devices getting them is slim since those devices traditionally dont get software updates. Vixie says the bugs have to do with the software, not DNS itself. Its a cute little piece of software, tiny, and not sloppy code. But it had bugs like most other software and these devices run it, he says.
Android devices are less at risk given built-in security features, but millions of IoT devices could be exploited, experts say. Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposures Research Team, says the RCE flaw (CVE-2017-14491) specifically can be abused via malicious DNS replies, but would be difficult to exploit to build a Mirai-type botnet without the attacker jumping through various hoops. Among those: he or she would have to force the vulnerable device to issue a DNS request that the attacker would reply to, for example. Even so, he says the possibility of widespread attack cannot be entirely ruled out. 
Its another example of just how IoT devices can easily be abused. The cheaper the device, you more you can fear it, Vixie says. I expect more Mirais to emerge, he adds, because locking down IoT devices is a major cost that doesnt jive economically with low-cost consumer devices.
Related Content:
Best and Worst Security Functions to Outsource
2016 DDoS Attack Trends By The Numbers
Debunking 5 Myths About DNS
Domain Abuse Sinks Anchors of Trust
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity
agenda here
.

Last News

▸ Car Sector Speeds Up In Security. ◂
Discovered: 23/12/2024
Category: security

▸ Making use of a homemade Android army ◂
Discovered: 23/12/2024
Category: security

▸ CryptoWall is more widespread but less lucrative than CryptoLocker. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
DNS a Victim of its Own Success