Five DNS attack vectors to wrap your head around

It’s an unfortunate fact of life for any IT director that one of the most crucial components of an organisation’s network is also one of its weakest.

It’s no exaggeration that, without a functioning Domain Name System (DNS) network, devices stop working. Organisations will lose their Internet connection and, with that, cease to do business online. This can result in lost revenue, customers and damage to brand reputation.

Its inherent importance coupled with the weak underlying security of the DNS protocol hasn’t escaped cybercriminals’ attention. The frequency of DNS-based attacks is on the rise.

DNS targeting attacks, such as Distributed Denial of Service (DDoS), are evolving to now affect both internal and external DNS servers. Methods vary from more simple floods, amplification/ reflection, and NXDOMAIN, to more sophisticated attacks using chain reactions, botnets, and misbehaving domains.

Traditional security methods are often ineffective against these new threats, which makes it a dangerous time to neglect DNS security.

To help businesses get a grasp on what they’re up against, here’s an overview of five common types of DNS attacks:

DNS tunnelling

Using DNS as a clandestine communication channel, DNS tunnelling attacks can bypass a firewall. Other protocols such as SSH, TCP or HTTP may also be tunnelled through. DNS tunnelling attacks can facilitate stealthy data exfiltration and can also be used as a full remote control channel for a compromised internal host.

TCP SYN floods

Using a three-way handshake, TCP SYN floods begins a TCP connection. The attacker then sends spoofed SYN packets using the source IP address of made-up destinations. The server sends SYN-ACKs to these made-up destinations, but the connections are never completed as the server never receives acknowledgement back from these fake destinations.

As the half-opened connections exhaust memory on the server, the server then stops responding to the new connection requests coming from actual users.

Cache poisoning

This attack corrupts DNS cache data. The attacker first queries a recursive name server for the IP address of a malicious site. Without the IP address, the recursive server queries a malicious DNS resolver. This then provides the requested rogue IP address and maps the rogue IP address to other legitimate sites (e.g. www.myenergy.com)

After that, the recursive name server caches the rogue IP address as the ‘www.myenergy.com’ address, and then replies to the user with the cached rogue IP address. Thinking it is www.myenergy.com, the client then connects to the site controlled by the attacker. This allows the attack to capture information such as login credentials, passwords, or credit card numbers.

There have been multiple forms of this type of attack over the history of DNS and the vulnerability still exists today without the adoption of DNSSEC.

Distributed reflection DDoS

Combining both reflection and amplification, this attack vector uses third-party open resolvers in the Internet as inadvertent accomplices. The attack then creates fake queries, which are designed to bring about a very large response, and sends them to open recursive servers. This has the effect of a DDoS attack on the victim’s server.

Domain lock-up

Domains and resolvers are erected by attackers to establish TCP-based connections with DNS resolvers. When the DNS resolver then requests a response, these domains send random or “junk” packets keeping them engaged. This effectively locks up the DNS server resources, exhausting it so that it then blocks legitimate requests.

DNS attacks tend not to be mitigated through traditional defences. For example, traditional firewalls leave port 53 open, as it is reserved for DNS queries. The problem then arises as the firewall can’t protect against DDoS attacks on DNS, such as the amplification and reflection attacks explained above.

Some traditional solutions also need very high compute performance to accurately detect DNS-based attacks, which makes deep inspection impractical. With the high cost and the massive number of distribution points needed for this type of solution, this isn’t a realistic option.

To provide further information about advanced DNS protection methods and how to combat them, Infoblox recently hosted a webinar looking at five further types of DNS-based attacks, and providing practical strategies for companies to protect their DNS. To watch the webinar, please register here.

Chris Marrison, consulting solutions architect, Infoblox