Three types of DNS attacks and how to deal with them

DNS servers work by translating domain names into IP addresses. This is why you can enter a domain name into the browser to visit our sister site, instead of trying to remember its IP address.

When DNS is compromised, several things can happen. However, compromised DNS servers are most often used by attackers in one of two ways. The first thing an attacker can do is redirect all incoming traffic to a server of their choosing. This enables them to launch additional attacks, or to collect traffic logs that contain sensitive information.

The second thing an attacker can do is capture all inbound email. More importantly, this second option also allows the attacker to send email on the victim's behalf, using the victim organization's domain and cashing in on its positive reputation. Making things worse, attackers could also opt for a third option, which is doing both of those things.

"In the first scenario this can be used to attack visitors and capture login credentials and account information. The common solution of mandating SSL works until the attacker takes advantage of [the second option] to register a new certificate in your name. Once they have a valid SSL cert and control of your DNS (one and the same, basically) - they have effectively become you without needing access to any of your servers," Rapid7's Chief Research Officer, HD Moore, told CSO in an email.

In a blog post, Cory von Wallenstein, the CTO of Dyn Inc., a firm that specializes in traffic management and DNS, explained the three common types of DNS attacks and how to address them.

The first type of DNS attack is called a cache poisoning attack. This can happen after an attacker is successful in injecting malicious DNS data into the recursive DNS servers that are operated by many ISPs. These types of DNS servers are the closest to users from a network topology perspective, von Wallenstein wrote, so the damage is localized to specific users connecting to those servers.

"There are effective workarounds to make this impractical in the wild, and good standards like DNSSEC that provide additional protection from this type of attack," he added.

If DNSSEC is impractical or impossible, another workaround is to restrict recursion on the name servers that need to be protected. The recursion setting determines whether a server will only hand out information it is authoritative for or has stored in cache, or whether it is willing to go out on the Internet and talk to other servers to find the best answer on a client's behalf.

"Many cache poisoning attacks leverage the recursive feature in order to poison the system. So by limiting recursion to only your internal systems, you limit your exposure. While this setting will not resolve all possible cache poisoning attack vectors, it will help you mitigate a good portion of them," Chris Brenton, Dyn Inc.'s Director of Security, told CSO in an email.

The second type of DNS attack happens when attackers take over one or more authoritative DNS servers for a domain. In his post, von Wallenstein noted that authoritative DNS hosting is the type of service that his firm provides to Twitter. However, Dyn Inc. wasn't targeted by the SEA, so their services to Twitter were not impacted by Tuesday's incident.

If an attacker were to compromise an authoritative DNS server, von Wallenstein explains, the effect would be global. While that wasn't what the SEA did during their most recent attack, it's been done before.

In 2009, Twitter suffered a separate attack by the Iranian Cyber Army. The group altered DNS records and redirected traffic to propaganda hosted on servers they controlled. The ability to alter DNS settings came after the Iranian Cyber Army compromised a Twitter staffer's email account, and then used that account to authorize DNS changes. During that incident Dyn Inc. was the registrar contacted in order to process the change request.

Defenses against these types of attacks often include strong passwords and IP-based ACLs (access control lists) on who may submit changes. Further, a solid training program that deals with social engineering will also be effective.

"I think the first step is recognizing the importance of authoritative DNS in our Internet connectivity trust model," Brenton said.

All the time and resources in the world can be placed into securing a web server, but if an attacker can attack the authoritative server and point the DNS records at a different IP address, "to the rest of the world it's still going to look like you've been owned," Brenton added.

"In fact it's worse because that one attack will also permit them to redirect your email or any other service you are offering. So hosting your authoritative server with a trusted authority is the simplest way to resolve this problem."

The third type of DNS attack is also the most problematic to undo. It happens when an attacker compromises the registration of the domain itself, and then uses that access to alter the DNS servers assigned to it.

This is also what the SEA did when they went after Twitter and the New York Times. They gained access to MelbourneIT, the registrar responsible for the domains targeted, and changed the authoritative DNS servers to their own.

"At this time, those authoritative nameservers answered all queries for the affected domains. What makes this attack so dangerous is what's called the TTL (time to live). Changes of this nature are globally cached on recursive DNS servers for typically 86,400 seconds, or a full day. Unless operators are able to purge caches, it can take an entire day (sometimes longer) for the effects to be reversed," von Wallenstein wrote.
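The two signals the article leans on, whether a server offers recursion (the RA flag that limiting recursion should turn off on an externally reachable authoritative server) and how long a changed record persists in caches (the answer TTL), are both visible in a raw DNS response. The following Python parser is an added example, not code from the article or from Dyn; the responses it inspects are constructed inline, and example.com and 192.0.2.1 are documentation placeholders.

```python
import struct

def build_response(rd, ra, aa, ttl):
    """Constructed sample response (not captured from any real server)."""
    flags = 0x8000 | (aa << 10) | (rd << 8) | (ra << 7)  # QR, AA, RD, RA bits
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    qname = b"\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)              # type A, class IN
    answer = (b"\xc0\x0c"                                     # pointer to qname
              + struct.pack("!HHIH", 1, 1, ttl, 4)            # A, IN, TTL, RDLENGTH
              + bytes([192, 0, 2, 1]))
    return header + question + answer

def skip_name(msg, off):
    """Return the offset just past a wire-format name (labels or a pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Extract the flags and answer TTLs a defender cares about."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    ttls = []
    for _ in range(an):
        off = skip_name(msg, off)
        _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    return {"aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": flags & 0xF, "ttls": ttls}

def findings(parsed):
    """Turn a parsed response into the two checks discussed in the article."""
    out = []
    if parsed["ra"]:
        out.append("recursion available: server answers queries for anyone, "
                   "exposing it to cache poisoning; restrict recursion")
    if parsed["ttls"]:
        worst = max(parsed["ttls"])
        out.append(f"a changed record can persist in caches for {worst} s "
                   f"({worst / 3600:.1f} h) after the DNS change is reverted")
    return out

if __name__ == "__main__":
    for line in findings(parse_response(build_response(1, 1, 0, 86400))):
        print(line)
```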

Again, Brenton's advice for authoritative DNS applies here as well. It's also possible to host authoritative servers within the organization, allowing for complete control.

"If you are going to run your own authoritative servers, make sure you follow the best security practices that have been identified by SANS and the Center for Internet Security," Brenton advised.

Stories by Steve Ragan