How cybercriminals are exploiting DNS vulnerabilities for disruption and profit

Author: Bruce Bennie, ANZ Country Manager, Infoblox

Ever since the internet was first created, criminals have been looking for ways to exploit it for their own ends. Spam emails, viruses, and denial of service attacks have all been used to both cause disruption and generate illicit profits.

While significant progress has been made on protecting users from such activities, there is one area which is still very much a focus for enterprising cybercriminals: the Domain Name System (DNS).

Indeed, while other forms of attack have been declining in recent years, DNS-related activities have continued to grow. Industry research has found DNS is now the second most common vector for internet exploits, behind HTTP.

Directory assistance for the internet

Just as the traditional directory assistance service helped people locate the correct phone numbers for friends, family and colleagues, so DNS servers fulfil a similar role for web traffic. DNS servers provide the correct IP address for people who only know an internet site’s name. For example, DNS translates a request for ‘www.google.com’ into the correct IP address for that site.

Because of the size of the internet, it’s not possible for this function to be performed by a single computer. Instead, DNS requests are handled by a hierarchy of hundreds of thousands of specialised computers spread around the world. If one machine does not know the requested IP address it asks others until the information is found.

While some DNS servers are operated by internet service providers and are usually very secure, many others are operated by businesses as part of their web operations. Often, these servers tend to be less carefully maintained and thus much easier to exploit.

One of the most enticing factors about DNS that makes it attractive to cybercriminals is that they don’t need to worry about the security infrastructure protecting the target site. All they need is access to a DNS server that is pointing traffic in that site’s direction. Once this is achieved, traffic that was destined for the legitimate site can be redirected to the criminal’s computers.

High-profile attacks


DNS attacks have resulted in a range of high-profile disruptions and outages for major internet sites around the world. For example, the New York Times fell victim to hackers who redirected traffic from the paper’s own site to that of a group called the Syrian Electronic Army. The attack was achieved by gaining access to DNS servers in Australia used by the news organisation.

Even Google has fallen victim to this kind of exploit. Visitors to one of its home pages in the Middle East were, through manipulation of DNS, directed to pages displaying a range of irreverent messages.

Many banks around the world have also found themselves the target of such activities. Sometimes the attacks have been timed to coincide with efforts to transfer money out of accounts. While specific banks are unwilling to discuss particular details, it’s clear they are taking their DNS security very seriously.

Types of DNS attacks


Security experts have found there are dozens of different types of DNS attacks being used by cybercriminals, and new ones are being added all the time. Two of the most prevalent are cache poisoning and DNS amplification and redirection.

Cache poisoning is the equivalent of getting a telephone directory assistance operator to give out phone numbers that you have selected in place of the proper numbers. It is one of the most popular exploit types and new variants are being detected all the time.

These exploits take advantage of the fact that the mapping between a DNS name and an IP address is only held temporarily, so users are constantly being issued fresh answers, even while they are using a single website.

The attack allows a fake IP address to be issued which redirects users to a fake site. This site can be as simple or complex as the criminal wants. Some are built to look exactly like a bank’s home page while others simply display a protest message or image.
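Cache poisoning succeeds when an attacker can predict the 16-bit transaction ID and the UDP source port a resolver uses for its outbound lookups. The following is an added defender-side audit, not code from the article or from Infoblox: it takes a sample of (source port, transaction ID) pairs observed on a resolver's outbound queries (here constructed, not captured from any real resolver) and reports whether those fields look random enough to resist guessing.

```python
import math
import random
from collections import Counter

def entropy_bits(values):
    """Shannon entropy of the observed value distribution, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def step_predictability(values):
    """Share of consecutive differences equal to the most common difference.
    1.0 means every step is identical (a fixed or strictly sequential field)."""
    diffs = [(b - a) & 0xFFFF for a, b in zip(values, values[1:])]
    if not diffs:
        return 0.0
    return Counter(diffs).most_common(1)[0][1] / len(diffs)

def assess_resolver(queries):
    """queries: list of (udp_source_port, transaction_id) pairs seen on
    outbound lookups. Returns the metrics plus a verdict: 'weak' if either
    field has low entropy or advances in a predictable step."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    max_bits = math.log2(len(queries))   # best possible entropy for this sample size
    m = {
        "port_entropy": entropy_bits(ports),
        "txid_entropy": entropy_bits(txids),
        "port_step": step_predictability(ports),
        "txid_step": step_predictability(txids),
    }
    weak = (m["port_entropy"] < 0.9 * max_bits or m["txid_entropy"] < 0.9 * max_bits
            or m["port_step"] > 0.5 or m["txid_step"] > 0.5)
    m["verdict"] = "weak" if weak else "hardened"
    return m

# Constructed samples of 64 outbound queries each (assumption: not real resolver data).
WEAK = [(53, 0x1000 + i) for i in range(64)]           # fixed port, sequential ID
_rng = random.Random(1234)                              # fixed seed so the run is repeatable
HARDENED = [(_rng.randrange(1024, 65536), _rng.randrange(65536)) for _ in range(64)]

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, assess_resolver(sample))
```

The sequential-ID sample scores full entropy (every ID is distinct) and is caught only by the step check, which is why both metrics are needed.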

DNS amplification and redirection

Denial of Service (DoS) attacks, where websites are flooded with fake traffic and thus rendered inoperable, can be achieved using DNS techniques.

In a normal DNS request, the user's machine tells the DNS server the name of the web server it wants to contact and the IP address the answer should be sent back to. In a DNS amplification exploit, slight changes are made to each of these requests: the reply address is altered and the query is chosen so that the answer is far larger than the question.

The attack works when all the requested information is sent to a target website, which is then taken offline due to the high volume of resulting traffic. If multiple fake requests have information directed to a single site, it can be rendered completely inoperable.
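An added example of how a resolver operator can spot this pattern in their own logs; it is not code from the article or from Infoblox. The log format and the addresses are constructed for the example. Queries are grouped by the address the answers are sent to, and addresses whose bytes-out far exceed bytes-in are flagged; because the source address in a reflection flood is forged, a flagged address is usually the site being taken offline, not the sender.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (assumed format, not from any real product):
# one line per query with the reply address, name, record type and byte counts.
SAMPLE_LOG = """\
client=198.51.100.7 qname=example.com qtype=A req_bytes=45 resp_bytes=61
client=203.0.113.9 qname=example.com qtype=ANY req_bytes=64 resp_bytes=3120
client=203.0.113.9 qname=example.com qtype=ANY req_bytes=64 resp_bytes=3120
client=203.0.113.9 qname=example.com qtype=ANY req_bytes=64 resp_bytes=3120
client=203.0.113.9 qname=example.com qtype=ANY req_bytes=64 resp_bytes=3120
client=198.51.100.7 qname=mail.example.com qtype=MX req_bytes=50 resp_bytes=110
client=203.0.113.9 qname=example.com qtype=TXT req_bytes=64 resp_bytes=2900
"""

LINE_RE = re.compile(r"client=(\S+) qname=(\S+) qtype=(\S+) req_bytes=(\d+) resp_bytes=(\d+)")

def parse(log_text):
    """Yield (client, qname, qtype, req_bytes, resp_bytes) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4)), int(m.group(5))

def find_amplification(log_text, min_factor=20.0, min_queries=3):
    """Return {address: metrics} for reply addresses whose aggregate response
    bytes exceed request bytes by at least min_factor over min_queries queries."""
    stats = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0, "any": 0})
    for client, _, qtype, req, resp in parse(log_text):
        s = stats[client]
        s["queries"] += 1
        s["req"] += req
        s["resp"] += resp
        s["any"] += 1 if qtype == "ANY" else 0   # ANY answers are the classic large reply
    flagged = {}
    for client, s in stats.items():
        factor = s["resp"] / s["req"] if s["req"] else 0.0
        if s["queries"] >= min_queries and factor >= min_factor:
            flagged[client] = {"factor": round(factor, 1),
                               "queries": s["queries"],
                               "any_share": round(s["any"] / s["queries"], 2)}
    return flagged

if __name__ == "__main__":
    print(find_amplification(SAMPLE_LOG))
```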

Preparation is key

Because of the popularity of DNS attacks and their ability to cause significant disruption, IT managers must pay close attention to their DNS infrastructure. All DNS servers used by an organisation must be regularly checked to ensure their security settings are up to date and any known vulnerabilities have been patched.

DNS attacks will continue to evolve but, by taking a regular and thorough approach to security, organisations can ensure the impact they might have on operations will be kept to a minimum.
