How cybercriminals are exploiting DNS vulnerabilities for disruption and profit
- 03 February, 2016 08:58
Ever since the internet was first created, criminals have been looking for ways to exploit it for their own ends. Spam emails, viruses, and denial of service attacks have all been used to both cause disruption and generate illicit profits.
While significant progress has been made on protecting users from such activities, there is one area which is still very much a focus for enterprising cybercriminals: the Domain Name System (DNS).
Indeed, while other forms of attack have been declining in recent years, DNS-related activities have continued to grow. Industry research has found DNS is now the second most common vector for internet exploits, behind HTTP.
Directory assistance for the internet
Just as the traditional directory assistance service helped people locate the correct phone numbers for friends, family and colleagues, so DNS servers fulfil a similar role for internet traffic. A DNS resolver returns the IP address for a site whose name the user knows: it translates a request for ‘www.google.com’ into the IP address that site is currently served from.
Because of the size of the internet, it’s not possible for this function to be performed by a single computer. Instead, DNS requests are handled by a hierarchy of hundreds of thousands of specialised servers spread around the world. If a resolver does not already have the answer cached, it asks the servers that are authoritative for the domain, starting from the root, until the answer is found, and then caches it for as long as the record’s time-to-live allows.
While the resolvers operated by internet service providers are usually maintained by specialists, many other DNS servers, both authoritative servers and resolvers, are operated by businesses as part of their web operations. These servers often receive less attention, run older software, and are therefore much easier to exploit.
One of the most enticing factors about DNS for cybercriminals is that they don’t need to defeat the security infrastructure protecting the target site itself. All they need is control of whatever is pointing traffic in that site’s direction: the domain’s records at its registrar, its authoritative name servers, or the cache of a resolver that its visitors use. Once this is achieved, traffic that was destined for the legitimate site can be redirected to the criminal’s computers, and the site’s owners may not notice until visitors complain.
DNS attacks have resulted in a range of high-profile disruptions and outages for major internet sites around the world. For example, the New York Times fell victim to hackers who redirected traffic from the paper’s own site to that of a group called the Syrian Electronic Army. The attack did not touch the paper’s own servers at all: it was achieved by gaining access to the paper’s domain records held by a registrar in Australia.
Even Google has fallen victim to this kind of exploit. Visitors to one of its home pages in the Middle East were, through manipulation of DNS, directed to pages displaying a range of irreverent messages.
Many banks around the world have also found themselves the target of such attacks. Sometimes the attacks have been timed to coincide with efforts to transfer money out of accounts. While specific banks are unwilling to discuss particular details, it’s clear they are taking their DNS security very seriously.
Types of DNS attacks
Security experts have catalogued dozens of different types of DNS attack in use by cybercriminals, and new ones appear all the time. Two of the most prevalent are cache poisoning and DNS amplification, a reflected form of denial of service.
Cache poisoning is the equivalent of getting a telephone directory assistance operator to give out phone numbers that you have selected in place of the proper numbers. It is one of the most popular exploit types and new variants are being detected all the time.
These exploits take advantage of two facts. First, a resolver only remembers the answer for a name for a limited time (the record’s time-to-live), so it must periodically ask the authoritative servers again. Second, when it does ask, it accepts whichever reply arrives first carrying the right name, transaction ID and destination port. An attacker who can guess those values, or who can flood the resolver with forged replies before the genuine one arrives, gets a bogus record cached and served to every client of that resolver until it expires.
The attack allows a fake IP address to be issued which redirects users to a fake site. This site can be as simple or complex as the criminal wants. Some are built to look exactly like a bank’s home page while others simply display a protest message or image.
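The race described above can be modelled in a few dozen lines. The following Python is an added example written for this article, not code from the original page or from any real resolver: a toy caching resolver that accepts the first reply matching the outstanding query’s (name, transaction ID, source port), and an attacker who triggers lookups of fresh random subdomains (so no cached answer protects them) and floods forged replies before the genuine one lands. The fixed source port 1053, the victim name www.example-bank.test, the addresses and the guess counts are all assumptions chosen for the demonstration. Running it shows why a resolver that reuses one source port is poisoned within a few hundred queries, while one that randomises the port as well as the transaction ID is not.

```python
import random
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TXID_SPACE = 1 << 16                  # DNS transaction IDs are 16 bits
EPHEMERAL_PORTS = range(1024, 1 << 16)
FIXED_PORT = 1053                     # assumed: a resolver that reuses one source port for every query


@dataclass
class ToyResolver:
    """Model of a caching resolver: one outstanding query at a time, identified
    by (name, transaction ID, source port); the first matching reply is cached."""
    randomize_port: bool
    rng: random.Random
    cache: Dict[str, str] = field(default_factory=dict)
    pending: Optional[Tuple[str, int, int]] = None

    def send_query(self, qname: str) -> Tuple[str, int, int]:
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else FIXED_PORT
        self.pending = (qname, txid, port)
        return self.pending

    def receive(self, qname: str, txid: int, port: int, answer: str) -> bool:
        """A reply is accepted only if all three identifiers match the outstanding
        query. A forged reply that matches is cached exactly like a genuine one."""
        if self.pending == (qname, txid, port):
            self.cache[qname] = answer
            self.pending = None
            return True
        return False


def forgery_probability(guesses: int, randomize_port: bool) -> float:
    """Chance that a flood of `guesses` forged replies hits one outstanding query."""
    space = TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)
    return min(1.0, guesses / space)


def kaminsky_race(resolver: ToyResolver, attacker: random.Random, guesses_per_query: int,
                  max_queries: int, known_port: Optional[int] = None,
                  victim: str = "www.example-bank.test") -> Optional[int]:
    """Kaminsky-style race. Each round the attacker makes the resolver look up a
    fresh random subdomain (so there is no cached answer to protect it) and
    floods forged replies before the genuine one arrives. Returns the round in
    which a bogus address was cached, or None if max_queries ran out.
    The real attack forges NS/glue records to hijack the whole zone; this toy
    poisons a single name, which is enough to show the odds."""
    for round_no in range(1, max_queries + 1):
        qname = f"{attacker.randrange(1 << 30):x}.{victim}"
        _, txid, port = resolver.send_query(qname)
        for _ in range(guesses_per_query):
            guess_txid = attacker.randrange(TXID_SPACE)
            guess_port = known_port if known_port is not None else attacker.choice(EPHEMERAL_PORTS)
            if resolver.receive(qname, guess_txid, guess_port, "203.0.113.66"):  # attacker's host
                return round_no
        resolver.receive(qname, txid, port, "192.0.2.10")  # genuine reply wins this round
    return None


def compare(seed: int = 1, guesses: int = 4096) -> Tuple[Optional[int], Optional[int]]:
    """Rounds needed against a fixed-port resolver vs. a port-randomising one
    (400 and 100 rounds allowed respectively; seeds fixed so the run is repeatable)."""
    fixed = ToyResolver(randomize_port=False, rng=random.Random(seed))
    randomized = ToyResolver(randomize_port=True, rng=random.Random(seed))
    return (kaminsky_race(fixed, random.Random(seed + 1), guesses, 400, known_port=FIXED_PORT),
            kaminsky_race(randomized, random.Random(seed + 1), guesses, 100))


if __name__ == "__main__":
    fixed_rounds, random_rounds = compare()
    print("fixed source port: poisoned in round", fixed_rounds)
    print("randomised source port: poisoned in round", random_rounds)
```

With 4,096 forged replies per lookup the attacker has roughly a one in sixteen chance per round against the fixed-port resolver, so it falls within a few hundred rounds; against the port-randomising one the per-round chance is below one in a million, which is why source port randomisation (together with DNSSEC validation, which rejects forged records outright) is the check to make on every resolver you operate.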
DNS amplification and reflection
Denial of Service (DoS) attacks, where websites are flooded with traffic and thus rendered inoperable, can also be achieved using DNS.
In a normal DNS request, the client sends a small query over UDP and the server sends the answer back to the packet’s source address. Because UDP involves no handshake, that source address can be forged. In a DNS amplification exploit the attacker sets the source address of every query to the victim’s IP address and chooses queries whose answers are many times larger than the question (an ANY query, or a name with large TXT or DNSKEY records), so each small packet the attacker sends causes the server to deliver a much larger packet to the victim.
The attack works because the answers to all these requests are sent to the target, which is taken offline by the volume of resulting traffic. Spread across thousands of open resolvers that will answer anyone, a modest stream of forged requests is multiplied into enough traffic to render a site completely inoperable.
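To see where the multiplication comes from, the following Python (an added example, not code from the original page) builds a real DNS query and answer on the wire with the standard library, then compares their sizes. The zone content is constructed for the demonstration (twenty A records and three full-size TXT records for example.com); nothing here is looked up on the network. It also models the one check that limits the factor: a server that honours the client’s advertised UDP payload size sends only a truncated reply (TC=1, header plus question) when the full answer would not fit, and a spoofed victim never retries over TCP. That is why attackers add an EDNS0 OPT record advertising a large buffer to their forged queries.

```python
import struct
from typing import List, Optional, Tuple

OPT_TYPE = 41                      # EDNS0 pseudo-record type
QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255
DEFAULT_UDP_LIMIT = 512            # classic DNS-over-UDP cap without EDNS0 (RFC 1035)


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def skip_name(buf: bytes, off: int) -> int:
    """Offset just past a (possibly compressed) name starting at buf[off]."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:      # compression pointer is always two bytes
            return off + 2
        off += 1 + ln


def build_query(name: str, qtype: int, edns_bufsize: Optional[int], txid: int = 0x1234) -> bytes:
    """Minimal DNS query; with edns_bufsize an OPT record advertises a larger UDP payload."""
    arcount = 1 if edns_bufsize else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)        # QTYPE, QCLASS IN
    if edns_bufsize:
        # OPT RR: root name, type 41; the CLASS field carries the UDP payload size
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, 0, 0)
    return pkt


def build_response(query: bytes, answers: List[Tuple[int, bytes]]) -> bytes:
    """Answer the query with (rtype, rdata) records, echoing an OPT if the query had one."""
    txid, _flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", query[:12])
    qend = skip_name(query, 12) + 4
    pkt = struct.pack("!HHHHHH", txid, 0x8180, qd, len(answers), 0, ar)  # QR, RD, RA
    pkt += query[12:qend]                                               # copy the question
    for rtype, rdata in answers:
        # 0xC00C is a pointer to offset 12, i.e. the question name
        pkt += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    if ar:
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0)
    return pkt


def advertised_udp_size(query: bytes) -> int:
    """UDP payload size the client advertises via EDNS0, or the 512-byte default."""
    qd, an, ns, ar = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return max(DEFAULT_UDP_LIMIT, rclass)
    return DEFAULT_UDP_LIMIT


def deliver_over_udp(query: bytes, response: bytes) -> bytes:
    """What the server actually sends: the full reply if it fits the advertised size,
    otherwise a truncated reply (TC=1, header + question) telling the client to retry
    over TCP. A spoofed victim never retries, so the attacker needs the big one to fit."""
    if len(response) <= advertised_udp_size(query):
        return response
    qend = skip_name(response, 12) + 4
    txid = struct.unpack("!H", response[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8380, 1, 0, 0, 0) + response[12:qend]  # QR, TC, RD, RA


def sample_records() -> List[Tuple[int, bytes]]:
    """Constructed zone content (not real data): 20 A records and 3 maximal TXT strings."""
    recs = [(QTYPE_A, bytes([192, 0, 2, i])) for i in range(1, 21)]
    recs += [(QTYPE_TXT, b"\xff" + b"x" * 255)] * 3   # TXT rdata: length byte + 255 chars
    return recs


def amplification_for(edns_bufsize: Optional[int]) -> Tuple[int, int, float]:
    """(query bytes, bytes delivered to the spoofed source, amplification factor)
    for an ANY query for example.com against the sample records."""
    query = build_query("example.com", QTYPE_ANY, edns_bufsize)
    delivered = deliver_over_udp(query, build_response(query, sample_records()))
    return len(query), len(delivered), len(delivered) / len(query)


if __name__ == "__main__":
    for size in (None, 4096):
        print("EDNS buffer", size, "->", amplification_for(size))
```

A 40-byte query with an EDNS0 buffer of 4,096 draws a 1,164-byte reply, a factor of about 29; the same query without EDNS0 gets back only the 29-byte truncated reply, a factor of 1. On an authoritative server the practical defences follow directly: refuse ANY over UDP (or answer it minimally), enable response rate limiting, and keep resolvers closed to the open internet so they cannot be used as reflectors in the first place.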
Preparation is key
Because of the popularity of DNS attacks and their ability to cause significant disruption, IT managers must pay close attention to their DNS infrastructure. All DNS servers used by an organisation must be regularly checked to ensure their software is patched, that resolvers do not answer recursive queries from the open internet, that response rate limiting is enabled on authoritative servers, and that source-port and transaction-ID randomisation are in place. Since attackers frequently go after the records at the registrar rather than the servers themselves, registrar accounts deserve the same attention: strong credentials, two-factor authentication and a registry lock where the registrar offers one.
DNS attacks will continue to evolve but, by taking a regular and thorough approach to security, organisations can ensure the impact they might have on operations will be kept to a minimum.