
Ignoring DNS Security Carries Serious Consequences for Business

February 8, 2017

Featured article by David Williamson, CEO, EfficientIP

At the end of last year, executives around the globe sat in boardrooms finalizing budgets and prioritizing IT investments. Without a doubt, cybersecurity was at the top of every business' agenda. But as we move into 2017 the risk is only growing, and organizations need to ask themselves: do they really know where the danger lies, and are they doing the right thing to protect themselves from cyberattacks?

Only a few weeks ago, Lloyds Bank reportedly suffered an explosive attack on its network, causing several interruptions to its online service. Customers were unable to check account balances, make payments or even use its mobile app. The root cause is being reported as a large-scale distributed denial of service (DDoS) attack aimed at its DNS infrastructure, one of the most common techniques attackers use to take a network's services offline.

In fact, a recent report issued by Deloitte stated that the number of DDoS attacks is expected to reach 10 million in 2017, and that attacks of this nature will enter the terabit era in size, becoming larger in scale, harder to mitigate and much more frequent.

Why? Because attackers want to deny not just service but security. They can have many different objectives: interrupting the business, corrupting data, stealing information, or all of these at the same time. To reach those goals they continuously look for any vulnerability, and will use any vulnerability, to attack. They are getting increasingly smart and are always looking for more, faster and easier ways to strike.

An initial denial of service attack is often used as camouflage to mask further, and potentially more sinister, activities. These include data theft, network infiltration, data exfiltration, networks being mapped for vulnerabilities, and a whole host of other risks.

These attacks are often referred to as 'Dark DDoS' because the initial smokescreen attack distracts the organization from the real breach that is taking place. In a large proportion of recent data breaches a DDoS was occurring simultaneously, as a component of a wider strategy, meaning attackers are using this technique in a significant way.

According to a report by SurfWatch Labs, DDoS attacks rose 162% in 2016. SurfWatch Labs attributes this to the increasing use of IoT devices, and the attacks on the KrebsOnSecurity.com site and on managed DNS provider Dyn are believed to be among the largest DDoS attacks ever recorded.

Today’s hackers have developed a large variety of DNS attacks that fall into three main categories:

Volumetric DoS attacks: An attempt to overwhelm the DNS server by flooding it with a very high number of requests from one or multiple sources, leading to degradation or unavailability of the service.

Stealth/Slow Drip DoS attacks: A low volume of specially chosen DNS requests that exhaust the server's capacity for processing outgoing queries, leading to degradation or unavailability of the service.

Exploits: Attacks exploiting bugs and/or flaws in DNS services, protocol or on operating systems running DNS services.

DNS threats are often aimed at a specific DNS function (cache, recursion or authoritative service) with a precise damage objective. A DNS security strategy must take this into account and build defense in depth across all three functions, so that protection covers the full range of attacks.

The list below of the most common attacks aims to emphasize the diversity of the threats and details the extent of the attack surfaces:

Volumetric Attacks

– Direct DNS attacks: Flooding of DNS servers with direct requests, saturating the cache, recursion or authoritative functions. The queries are usually sent from spoofed source addresses.

– DNS amplification: Queries crafted so that the response is many times larger than the request, overwhelming the victim's servers with very large traffic.

– DNS reflection: Attacks that send queries to numerous distributed open resolvers on the Internet with the source address spoofed to the victim, so that the responses flood the victim's servers (usually combined with amplification).

– NXDOMAIN: Flooding of DNS servers with queries for non-existent domains, saturating the recursive function and filling the cache with negative entries.
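The amplification and reflection entries above describe the attacker's side. The standard countermeasure on an authoritative server is Response Rate Limiting (RRL), available in BIND, Knot DNS and NSD: identical responses towards one client network are metered, and excess responses are dropped or replaced by an empty truncated reply. The Python model below is an added example written for this article, not EfficientIP's code and not any server's actual implementation. It runs a simplified RRL token bucket over constructed traffic in which a legitimate resolver queries normally while an attacker sends ANY queries with the source address spoofed to a victim, and it reports how many bytes the server still reflects towards the victim. The rate, burst, slip ratio and packet sizes are assumptions.

```python
import ipaddress
from collections import defaultdict

# Simplified Response Rate Limiting (RRL), modelled on the mechanism in
# BIND, Knot and NSD: identical responses to one client /24 are metered
# with a token bucket. Excess responses are dropped, except that every
# SLIP-th dropped response is sent truncated (TC=1) and empty, so a real
# client retries over TCP while a spoofed reflection victim gets almost
# nothing. All numbers below are assumptions chosen for the demonstration.

RESPONSES_PER_SECOND = 5      # sustained identical responses allowed per /24
BURST = 5                     # bucket capacity in tokens
SLIP = 2                      # every 2nd dropped response goes out as TC=1

# Assumed wire sizes: an ANY query with EDNS0, a large ANY answer, and the
# truncated reply that RRL sends instead of the full answer.
QUERY_BYTES = 64
FULL_RESPONSE_BYTES = 3000
SLIP_RESPONSE_BYTES = 64


def response_key(client_ip, qname, qtype):
    """Group by /24 so a spoofer cannot evade the limit by varying the last octet."""
    net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
    return (str(net), qname.lower().rstrip("."), qtype.upper())


class ResponseRateLimiter:
    def __init__(self, rate=RESPONSES_PER_SECOND, burst=BURST, slip=SLIP):
        self.rate, self.burst, self.slip = rate, burst, slip
        self.buckets = {}             # key -> [tokens, last_seen]
        self.drops = defaultdict(int)

    def decide(self, now, client_ip, qname, qtype):
        """Return SEND (full answer), SLIP (truncated answer) or DROP."""
        key = response_key(client_ip, qname, qtype)
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # refill
        if tokens >= 1.0:
            self.buckets[key] = [tokens - 1.0, now]
            return "SEND"
        self.buckets[key] = [tokens, now]
        self.drops[key] += 1
        return "SLIP" if self.drops[key] % self.slip == 0 else "DROP"


def simulate(events, limiter=None):
    """events: (time_s, client_ip, qname, qtype). Returns per-client decision counts."""
    limiter = limiter or ResponseRateLimiter()
    counts = defaultdict(lambda: {"SEND": 0, "SLIP": 0, "DROP": 0})
    for t, ip, qname, qtype in sorted(events):
        counts[ip][limiter.decide(t, ip, qname, qtype)] += 1
    return {ip: dict(c) for ip, c in counts.items()}


def reflected_bytes(counts):
    """Bytes the server emits towards one address given its decision counts."""
    return counts["SEND"] * FULL_RESPONSE_BYTES + counts["SLIP"] * SLIP_RESPONSE_BYTES


def amplification_factor(counts):
    """Bytes sent to the address divided by bytes the attacker had to send."""
    queries = counts["SEND"] + counts["SLIP"] + counts["DROP"]
    return reflected_bytes(counts) / (queries * QUERY_BYTES)


# Constructed traffic: a legitimate resolver asking 2 queries/s for 10 s, and
# an attacker sending 200 ANY queries/s for 10 s with the source address
# spoofed to the reflection victim 203.0.113.9.
LEGIT = "198.51.100.7"
VICTIM = "203.0.113.9"
TRAFFIC = [(i / 2, LEGIT, "www.example.com", "A") for i in range(20)]
TRAFFIC += [(i / 200, VICTIM, "example.com", "ANY") for i in range(2000)]

if __name__ == "__main__":
    result = simulate(TRAFFIC)
    for ip in (LEGIT, VICTIM):
        print(ip, result[ip], f"{reflected_bytes(result[ip])} bytes,",
              f"amplification x{amplification_factor(result[ip]):.1f}")
```

Without RRL every one of the 2000 spoofed queries would draw a full 3000-byte answer towards the victim, an amplification of roughly 47x under these assumed sizes; with it, the victim receives a few full answers per second plus small truncated replies, and the legitimate resolver is never throttled. Closing open recursion to the outside world is the complementary fix for the reflection entry: an authoritative-only server should refuse recursive queries altogether.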

Stealth/Slow Drip DoS Attacks

– Sloth domain attacks: Queries sent for a domain whose authoritative server, run by the attacker, answers very slowly, just before the timeout, so that the victim's recursive server runs out of capacity while waiting.

– Phantom domain attack: Attacks targeting DNS resolvers by sending them queries for sub-domains whose authoritative server is unreachable, so the resolver wastes capacity waiting for answers that never arrive and its caching capacity is saturated.

– Random subdomain attack (RQName): Queries for random names under a target domain, saturating both the victim's authoritative servers and the recursive servers that relay the queries.
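All three stealth attacks work the same way: every client query forces the recursive server to hold an outbound fetch open until a slow or silent authoritative server answers or the fetch times out, so a modest query rate pins the whole fetch pool and ordinary users get SERVFAIL. The discrete-event model below is an added example, not code from the article or from EfficientIP; it compares a resolver with no limit against one with a per-zone fetch quota, the idea behind the fetches-per-zone and fetches-per-server options in BIND. The pool size, rates, authoritative delays and quota value are assumptions.

```python
import heapq
from collections import defaultdict

# Discrete-event model of a recursive resolver's outbound-fetch pool, showing
# how a slow ("sloth") or unreachable ("phantom") authoritative server
# exhausts recursion capacity, and how a per-zone fetch quota (the idea
# behind BIND's fetches-per-zone / fetches-per-server) contains the damage.
# All sizes, rates and delays are assumptions chosen for the demonstration.

POOL_SIZE = 100          # concurrent outbound fetches the resolver allows
FETCH_TIMEOUT = 3.0      # seconds before the resolver gives up on a fetch
LEGIT_DELAY = 0.05       # a healthy authoritative server answers in 50 ms
SLOTH_DELAY = 2.9        # the attacker's server answers just before timeout


class Resolver:
    def __init__(self, pool_size=POOL_SIZE, fetches_per_zone=None):
        self.pool_size = pool_size
        self.fetches_per_zone = fetches_per_zone     # None = no quota
        self.in_flight = []                          # heap of (finish_time, zone)
        self.per_zone = defaultdict(int)
        self.outcomes = defaultdict(lambda: {"answered": 0, "timeout": 0, "refused": 0})

    def _release_finished(self, now):
        """Free pool slots whose fetch has completed or timed out by `now`."""
        while self.in_flight and self.in_flight[0][0] <= now:
            _, zone = heapq.heappop(self.in_flight)
            self.per_zone[zone] -= 1

    def query(self, now, zone, auth_delay):
        """Handle one client query that needs a fetch to `zone`; return its outcome."""
        self._release_finished(now)
        if self.fetches_per_zone is not None and self.per_zone[zone] >= self.fetches_per_zone:
            outcome = "refused"      # quota hit: SERVFAIL without burning a pool slot
        elif len(self.in_flight) >= self.pool_size:
            outcome = "refused"      # pool exhausted: SERVFAIL for everyone
        else:
            held_for = min(auth_delay, FETCH_TIMEOUT)
            heapq.heappush(self.in_flight, (now + held_for, zone))
            self.per_zone[zone] += 1
            outcome = "answered" if auth_delay < FETCH_TIMEOUT else "timeout"
        self.outcomes[zone][outcome] += 1
        return outcome


def run(traffic, fetches_per_zone=None):
    """traffic: (time_s, zone, auth_delay) tuples; returns per-zone outcome counts."""
    resolver = Resolver(fetches_per_zone=fetches_per_zone)
    for t, zone, delay in sorted(traffic):
        resolver.query(t, zone, delay)
    return {zone: dict(c) for zone, c in resolver.outcomes.items()}


# Constructed traffic over 10 s: 50 queries/s from real users for a healthy
# zone, and 100 queries/s of random subdomains under a zone whose authoritative
# server (run by the attacker) answers only after SLOTH_DELAY seconds.
LEGIT_ZONE = "shop.example"
SLOTH_ZONE = "sloth.attacker.test"
TRAFFIC = [(i / 50, LEGIT_ZONE, LEGIT_DELAY) for i in range(500)]
TRAFFIC += [(i / 100, SLOTH_ZONE, SLOTH_DELAY) for i in range(1000)]

if __name__ == "__main__":
    print("no quota:    ", run(TRAFFIC))
    print("20 per zone: ", run(TRAFFIC, fetches_per_zone=20))
```

With no quota the attacker's 100 queries per second, each holding a slot for nearly three seconds, fill the 100-slot pool in about a second and the healthy zone's users are refused for most of the run. With a quota of 20 fetches for any one zone, the sloth zone can only ever occupy 20 slots: its own lookups fail fast, which is the correct outcome, and the healthy zone is answered every time. A phantom domain (a server that never answers) is the same model with the delay set at or above FETCH_TIMEOUT.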

Exploits

– Zero-day vulnerability: Attacks taking advantage of DNS security holes for which no fix is yet available.

– DNS-based exploits: Attacks exploiting bugs and/or flaws in DNS services, the protocol, or the operating system running the DNS service.

– DNS tunneling: The DNS protocol is used to encapsulate data inside queries and responses in order to remotely control malware and/or exfiltrate data.

– Protocol anomalies: DNS attacks based on malformed queries intended to crash the service.

– DNS cache poisoning: Attacks that introduce forged data into a DNS resolver's cache, causing the name server to return an incorrect IP address and diverting traffic to an attacker-controlled host.
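Of the exploit-class items above, DNS tunneling is the one a defender can usually catch from query logs alone: the data has to ride in the query name on the way out and in TXT, NULL or CNAME answers on the way back, which leaves long, high-entropy leftmost labels that almost never repeat under a single zone. The Python below is an added example, not code from the article or from EfficientIP; it profiles constructed query records per client and zone and flags the combination of those signs. The thresholds, the two-label zone split and the sample traffic are assumptions, and a CDN-style zone with many distinct but short, structured names is included to show why "many unique subdomains" on its own would be a false positive.

```python
import base64
import hashlib
import math
from collections import defaultdict

# Heuristic detector for DNS tunnelling over resolver query records.
# Thresholds are assumptions; tune them against a baseline of your own traffic.
MIN_QUERIES = 20          # ignore (client, zone) pairs with too little traffic
MIN_UNIQUE_RATIO = 0.9    # distinct subdomains / queries: tunnels rarely repeat a name
MIN_SUB_LENGTH = 30       # average length of the part left of the zone
MIN_ENTROPY = 3.5         # average bits per character of that part
PAYLOAD_TYPES = {"TXT", "NULL", "CNAME"}   # types that carry arbitrary data downstream


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname, zone_labels=2):
    """Split 'a.b.example.com' into ('a.b', 'example.com').
    Assumption: the zone is the last two labels; use a public-suffix list in practice."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= zone_labels:
        return "", ".".join(labels)
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def profile(records):
    """records: (client_ip, qname, qtype) tuples. Returns features per (client, zone)."""
    groups = defaultdict(list)
    for client_ip, qname, qtype in records:
        sub, zone = split_zone(qname)
        groups[(client_ip, zone)].append((sub, qtype.upper()))
    features = {}
    for key, items in groups.items():
        subs = [sub for sub, _ in items]
        n = len(items)
        features[key] = {
            "queries": n,
            "unique_ratio": len(set(subs)) / n,
            "avg_sub_length": sum(len(s) for s in subs) / n,
            "avg_entropy": sum(shannon_entropy(s.replace(".", "")) for s in subs) / n,
            "payload_type_ratio": sum(t in PAYLOAD_TYPES for _, t in items) / n,
        }
    return features


def suspicious(f):
    """All three structural signs must be present; payload_type_ratio is reported for triage."""
    return (f["queries"] >= MIN_QUERIES
            and f["unique_ratio"] >= MIN_UNIQUE_RATIO
            and f["avg_sub_length"] >= MIN_SUB_LENGTH
            and f["avg_entropy"] >= MIN_ENTROPY)


def detect(records):
    """Return the sorted (client, zone) pairs whose traffic looks like a tunnel."""
    return sorted(key for key, f in profile(records).items() if suspicious(f))


def _tunnel_label(i):
    # Constructed payload chunk: base32 of a hash stands in for encoded exfiltrated data.
    digest = hashlib.sha256(f"chunk-{i}".encode()).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()


# Constructed sample traffic (not real logs):
RECORDS = []
for i in range(60):   # ordinary office lookups: few names, repeated often
    RECORDS.append(("10.0.0.5", ["www", "mail", "login"][i % 3] + ".example.com", "A"))
for i in range(40):   # CDN-style: every name distinct, but short and structured
    RECORDS.append(("10.0.0.5", f"img{i}.static.cdn-example.net", "A"))
for i in range(50):   # tunnel: one client, unique high-entropy labels, TXT answers
    RECORDS.append(("10.0.0.23", f"{_tunnel_label(i)}.t.attacker.test", "TXT"))

if __name__ == "__main__":
    for key, f in profile(RECORDS).items():
        print(key, {k: round(v, 2) for k, v in f.items()}, "SUSPICIOUS" if suspicious(f) else "")
```

Only the client talking to attacker.test is flagged: the office traffic fails the uniqueness test, and the CDN zone passes it but fails on label length and entropy. In production the same features are computed over a sliding window per client, the zone split uses a public-suffix list rather than the last two labels, and a high payload_type_ratio on a flagged pair is a strong reason to capture the actual responses.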

The DNS security landscape is continuously evolving, and DNS attacks are becoming more and more sophisticated, combining multiple attack vectors at the same time. Today's DDoS attacks are almost unrecognizable from the simple volumetric floods that gave the technique its name. In 2017 they have the power to wreak significant damage, as all those affected by the Dyn attack last year will testify; they are far more sophisticated, deceptive and frequent.

To keep ahead of these threats, today's security solutions must continuously protect against whole families of attacks, rather than a limited list of predefined attacks that must be frequently updated or tuned. Without that, businesses will continue to focus on cleaning up disasters instead of preventing them.


David Williamson is the CEO of EfficientIP, a leading provider of DDI (DNS, DHCP, IPAM) headquartered in North America, Europe and Asia. EfficientIP is the world's fastest growing DDI vendor, ensuring availability, performance and security of network services across a spectrum of commercial verticals and government sectors. Previously Williamson held sales leadership positions and helped to accelerate growth through partnerships at SPSS (acquired by IBM) and Mercury (acquired by Hewlett-Packard Enterprise). Williamson is a graduate of the SKEMA Business School in France. He is a world traveler, fierce competitor in triathlons, and an avid sports and music fan.