How to stop these 8 cyber-attacks that target the Internet’s weakest link
The Domain Name System (DNS) is the traffic cop of the Internet – translating the easy-to-remember web addresses that people type into their browsers into the machine-friendly public IP addresses that actually mark locations on the Internet. But the enormous amount of traffic it directs also makes it one of the Internet’s weakest links, with open connections to arbitrary servers that can be easily exploited by hackers.
Attacks that cause failures in DNS can be crippling to an organization – leaving a business invisible and unreachable online. Nearly all Internet-based tasks vital to modern-day business operations are dependent on DNS, from web browsing and email to file transfers and social media posts.
And DNS isn’t only a target, it’s a vector – with clever criminals using its infrastructure to enable a wealth of malicious activity: stealing data, passing malware into DNS queries, and communicating with command and control servers. In modern networks, the DNS routes access to nearly every application.
In 2016, one of the most massive Distributed Denial of Service (DDoS) attacks ever temporarily knocked out websites for such business titans as Amazon, Twitter, Netflix, and Spotify by targeting Dyn, a leading DNS host.
The havoc DNS attacks can wreak on a business is alarming – in 2018, the average cost of DNS attacks reached $654,000 in the U.S., an 82 percent jump over the previous year, according to a report by DARKReading. Organizations faced an average of seven DNS attacks in the past 12 months, and one in five suffered business losses as a result, the report said. A third were the victims of data theft.
The increasing sophistication of today’s DNS attacks makes them even more disruptive, as criminals transform the exploding number of unsecured Internet of Things (IoT) devices in use into massive botnets, or networks of compromised computers that receive commands from attackers. These botnets significantly increase the speed, volume, and damage caused by DNS attacks.
A recent study from Neustar found that 43 percent of companies lost at least $250,000 an hour during DDoS DNS attacks – with more than half taking at least three hours to discover the attack and 40 percent taking another three hours to respond.
Let’s take a look at the top DNS attacks that threaten the business sector:
- DNS Flood/Water Torture. In a typical DNS DDoS attack, hundreds, thousands, or even millions of compromised Internet devices blast a DNS server or group of servers at once with enormous volumes of data, rendering it incapable of providing DNS services to clients or resolvers. The DNS Flood ranks among the most common of these attacks. It overwhelms a targeted DNS server with a large number of requests, most of them made up of malformed or bogus packet data, preventing legitimate requests from coming through.
- Cache Poisoning/DNS Spoofing. Like an everyday computer, a DNS server has a cache in its memory that enables it to more quickly load frequently-accessed data. That means when you look up your favorite search engine, it doesn’t have to spend resources translating something it already knows. Cache poisoning is when a hacker inserts a forged record into that cache so that the server misdirects a domain name to an incorrect IP address of the attacker’s choosing. For instance, the website at that address might look exactly like your bank’s and steal your identity when you enter your real password into the fake site.
- DNS Hijacking. Also known as silent server swaps, this attack method forcibly redirects online traffic toward fake websites or displays alternate content that can be used for phishing attacks. While it has a similar outcome to Cache Poisoning, it’s typically achieved by malware that overrides a computer’s TCP/IP configuration or by modifying the behavior of a trusted DNS server, so it doesn’t comply with Internet standards. Hacker group OurMine launched one of the most infamous examples of this type of attack in 2017 when it redirected visitors to WikiLeaks to another destination.
- NXDOMAIN Flood. DNS servers send out NXDOMAIN response messages when they believe a domain they are asked to resolve into an IP address doesn’t exist. In an NXDOMAIN Flood, an attacker floods a DNS server with queries for fictional domain names. The server wastes computing resources trying to resolve domains that don’t exist, while NXDOMAIN results accumulate in the server’s cache and push out valid entries. Eventually, the server slows to a crawl and is unable to accept any new requests, legitimate or not.
- Data Exfiltration via DNS. In a world where BYOD and public Wi-Fi are widespread, access to DNS by unknown devices is commonplace and can easily lead to a data breach. Requests used for DNS exfiltration often go unnoticed when hackers hide them in plain sight amidst large amounts of normal traffic and space them out over time. There are two main ways data can be extracted from your network using DNS. In both, the attacker employs software that encodes your data and transmits it to remote servers.
  - In the first scenario, hackers embed blocks of encoded data within recursive requests made to their own DNS servers. This is a slow way of extracting data, but it quickly pays off when it captures valuable details like passwords.
  - The second option is DNS tunneling, which gives hackers a command and control channel for their tools. Tunneling encodes the data of other programs or protocols in DNS queries and responses, and often includes data payloads that can be added to an attacked DNS server and used to control remote servers and applications. Tunneling is a much faster way of extracting data – one attack can deliver as many as 18,000 credit card numbers a minute.
- DNS Reflection. In this attack, a cybercriminal sends out DNS requests to one or more DNS servers. They aren’t the main targets of the attack but are used as conduits to target another DNS server. This clever approach makes these attacks extremely difficult to prevent because responses are legitimate data from valid servers. Here’s where it gets even sneakier: the “from” or return IP address in the requests is spoofed, and the DNS servers send their responses to this spoofed address. Since the spoofed recipient was not expecting these DNS responses, it uses resources trying to make sense of them. Once these responses number in the thousands, they can easily overwhelm the targeted DNS server.
- DNS Reflection Amplification. In this extreme reflection attack, the spoofed queries are generally of the type “ANY,” which amplifies the attack by returning all known information about a DNS zone in response to a single request. Since the size of the response is significantly larger than the request, the hacker can quickly overwhelm the targeted server. Botnets are often used in this attack to create immense amounts of traffic with little effort.
- DNS Infiltration. DNS can also be used to move malicious code into a network. Hackers prepare a binary, encode it, and then use the DNS to slip it past firewalls and content filters into a company’s network. Once this malicious code is in place, it’s simple for hackers to send and receive data via DNS – effectively transforming it into a covert transport protocol.
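As an added example (not code from the original article or from CyberGuard360), here are the acceptance checks a caching resolver applies before trusting a reply, which is what makes the cache poisoning described above hard to pull off: a randomized transaction ID and source port that the forger must guess, a question section that must match, and a bailiwick rule that drops records for names outside the zone being asked about. The message model, addresses and zone names are constructed for illustration.

```python
# Added example (not from the original article): the acceptance checks a caching
# resolver should apply before trusting a reply, on a simplified message model.
from dataclasses import dataclass, field
import random

@dataclass
class DnsMessage:
    txid: int                  # 16-bit transaction ID
    qname: str                 # question name, absolute (dot-terminated)
    qtype: str                 # e.g. "A", "NS"
    src: tuple                 # (ip, port) the message came from
    dst: tuple                 # (ip, port) the message was sent to
    answers: dict = field(default_factory=dict)   # owner name -> record data

def new_query(qname, qtype, server_ip, resolver_ip="192.0.2.10"):
    """Outstanding query with a random ID and a random source port (constructed addresses)."""
    return DnsMessage(random.randrange(65536), qname, qtype,
                      src=(resolver_ip, random.randrange(1024, 65536)), dst=(server_ip, 53))

def in_bailiwick(name, zone):
    """True when `name` is at or below `zone`; records outside it must never be cached."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)

def cacheable_records(query, response, zone):
    """Return (records_safe_to_cache, reason). An empty dict means the reply was rejected."""
    if response.txid != query.txid:
        return {}, "transaction ID mismatch"
    if response.src != query.dst or response.dst != query.src:
        return {}, "address/port pair does not match the outstanding query"
    if (response.qname.lower(), response.qtype) != (query.qname.lower(), query.qtype):
        return {}, "question section does not match"
    kept = {n: d for n, d in response.answers.items() if in_bailiwick(n, zone)}
    if len(kept) < len(response.answers):
        return kept, "accepted; out-of-bailiwick records dropped"
    return kept, "accepted"

def reply_to(query, answers):
    """Build a reply that mirrors `query` correctly, as a genuine server would."""
    return DnsMessage(query.txid, query.qname, query.qtype, src=query.dst, dst=query.src, answers=dict(answers))
```

A forged reply that guesses the ID or port wrong, or that tries to smuggle a record for another zone (here a constructed `www.bank.example.`), is discarded or stripped before it reaches the cache.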
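A second added example (again not from the original article) shows detection heuristics a defender can run over resolver query logs to flag the NXDOMAIN flood and the exfiltration, tunneling and infiltration traffic described above: a per-client NXDOMAIN count, and domains that receive many unique, long, high-entropy leftmost labels, which is what encoded payloads look like in a query log. The log format, sample lines, thresholds and domain names are all constructed assumptions.

```python
# Added example (not from the original article): log heuristics for an NXDOMAIN
# flood and for tunneling/exfiltration-style queries. Thresholds are assumptions.
import math
from collections import Counter, defaultdict

# Constructed sample log lines: "<time> <client_ip> <qname> <qtype> <rcode>"
SAMPLE_LOG = """\
12:00:01 10.0.0.5 www.example.com. A NOERROR
12:00:01 10.0.0.9 kq8v2x9z1m.data.evil-example.net. TXT NOERROR
12:00:02 10.0.0.9 p0w3n7f5hj.data.evil-example.net. TXT NOERROR
12:00:02 10.0.0.9 z2c8r4t6yb.data.evil-example.net. TXT NOERROR
12:00:03 10.0.0.9 m5n1q7d3lk.data.evil-example.net. TXT NOERROR
12:00:03 10.0.0.7 mail.example.com. MX NOERROR
12:00:04 10.0.0.42 a1b2.example.org. A NXDOMAIN
12:00:04 10.0.0.42 c3d4.example.org. A NXDOMAIN
12:00:04 10.0.0.42 e5f6.example.org. A NXDOMAIN
12:00:05 10.0.0.42 g7h8.example.org. A NXDOMAIN
12:00:05 10.0.0.42 i9j0.example.org. A NXDOMAIN
"""

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parse_log(text):
    for line in filter(None, text.splitlines()):
        ts, client, qname, qtype, rcode = line.split()
        yield {"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype, "rcode": rcode}

def registered_domain(qname):
    """Crude approximation: the last two labels (a public-suffix list would do better)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def nxdomain_flood_sources(events, threshold=5):
    """Clients whose NXDOMAIN responses in the window reach `threshold`."""
    nx = Counter(e["client"] for e in events if e["rcode"] == "NXDOMAIN")
    return {c: n for c, n in nx.items() if n >= threshold}

def tunneling_suspects(events, min_unique=4, min_entropy=3.0, min_label_len=10):
    """Domains receiving at least `min_unique` distinct long, high-entropy leftmost labels."""
    seen = defaultdict(set)
    for e in events:
        first = e["qname"].split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            seen[registered_domain(e["qname"])].add(first)
    return {d: len(s) for d, s in seen.items() if len(s) >= min_unique}
```

In production the same counters would be kept per time window and fed to a rate limit or a SIEM alert rather than evaluated over a static list.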
The frequency of DNS attacks is exploding, pushing DNS protection to the top of cybersecurity concerns. But traditional monitoring techniques risk blocking legitimate traffic and slowing applications, and the decentralized, deliberately open design of DNS services makes it impossible to recognize every server in use.
Fortunately, CyberGuard360’s new CyberGlass product has a solution to these challenges: Secure DNS. It safeguards your organization by encrypting DNS traffic so that it’s opaque to hackers, effectively preventing them from seeing where it’s going and tagging along. It also serves as an umbrella that protects your business from inbound traffic that might be coming from a hacked DNS.
DNS attacks have the potential to cause crippling damage to your business by knocking out critical online infrastructure. By making DNS security an integral part of the WAN protections of its new CyberGlass product, CyberGuard360 allows your business to venture onto the Internet with confidence.