
Attack Types & Vectors, Security

Free DNS Resolver Services and Data Mining

August 22, 2018 — by Lior Rozen


Why would companies offer free recursive DNS resolvers? Because DNS data is extremely valuable for threat intelligence. A company that runs a recursive resolver for consumers sees new domains as soon as they first appear, can analyze resolution trends, build baselines of normal resolution behaviour and enrich its threat intelligence overall (machine learning over these large data sets is common here). The same data can also be sold to advertisers to measure site popularity and build user profiles.
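The "new domains that pop up" signal is easy to see in practice. The following is an added example, not code from the original post or from any resolver operator: it builds a per-domain baseline (first time seen, distinct clients, query count) from a recursive resolver's query log and flags domains that appeared within the last 24 hours and are already being resolved by several clients. The log line format, the 24-hour window, the two-client threshold and the log lines themselves are constructed assumptions for this illustration.

```python
"""Added example, not from the original post: newly-observed-domain detection over a
recursive resolver's query log. The log format, the 24-hour window and the
two-client threshold are assumptions made for this illustration."""
from datetime import datetime, timedelta

# Constructed sample log: "<UTC timestamp> <client IP> <query name> <query type>"
SAMPLE_LOG = """\
2018-08-20T09:00:01Z 10.0.0.5 www.example.com A
2018-08-20T09:00:03Z 10.0.0.7 cdn.example.net A
2018-08-20T09:05:10Z 10.0.0.9 www.example.com AAAA
2018-08-21T09:00:00Z 10.0.0.5 www.example.com A
2018-08-21T14:12:44Z 10.0.0.8 x9f3k2.example-update.org A
2018-08-21T14:12:45Z 10.0.0.8 x9f3k2.example-update.org A
2018-08-21T14:13:01Z 10.0.0.11 x9f3k2.example-update.org A
2018-08-21T14:13:02Z 10.0.0.12 x9f3k2.example-update.org A
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Yield (timestamp, client, qname, qtype) tuples; skips blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], TS_FORMAT)
        yield ts, parts[1], parts[2].lower().rstrip("."), parts[3]


def registrable_domain(qname):
    """Collapse a query name to its last two labels. This is naive: production code
    should use the Public Suffix List so that e.g. 'co.uk' is not treated as a domain."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def build_baseline(records):
    """Per registrable domain: earliest time seen, distinct clients and total queries."""
    baseline = {}
    for ts, client, qname, _ in records:
        dom = registrable_domain(qname)
        entry = baseline.setdefault(dom, {"first_seen": ts, "clients": set(), "queries": 0})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["clients"].add(client)
        entry["queries"] += 1
    return baseline


def newly_observed(baseline, now, window=timedelta(hours=24), min_clients=2):
    """Domains first seen inside the window that several distinct clients already
    resolve: the 'pop-up' pattern typical of a fresh phishing or C2 domain."""
    return sorted(
        dom for dom, e in baseline.items()
        if now - e["first_seen"] <= window and len(e["clients"]) >= min_clients
    )


def detect(text, now_iso):
    """Convenience entry point: parse log text, return newly observed domains at now_iso."""
    now = datetime.strptime(now_iso, TS_FORMAT)
    return newly_observed(build_baseline(parse_log(text)), now)


if __name__ == "__main__":
    print(detect(SAMPLE_LOG, "2018-08-21T15:00:00Z"))
```

Run against the constructed log with "now" set to 2018-08-21 15:00 UTC, the two established domains are outside the window and only the freshly registered-looking one is reported. The point of the multi-client threshold is to separate a domain one user happened to visit from one that is spreading; in a real deployment the baseline would be persisted across runs so "first seen" survives restarts.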

The consumer DNS resolver market is dominated by ISPs, alongside a few well-known public resolvers from Google (8.8.8.8) and Level 3 (now CenturyLink). Since Cisco bought OpenDNS in August 2015, it has also become a major player, offering DNS services to individuals and organizations through its Umbrella cloud security platform; Cisco OpenDNS focuses on malware prevention and on parental controls for consumers. Akamai is in the market as well, offering recursive DNS for enterprises (a fairly new service built on its 2015 acquisition of Xerocole) and authoritative DNS for its CDN customers. In several publications Akamai claims to see more than 30% of internet traffic, and it uses this data as an add-on feed to its Kona service.


In the fall of 2017, IBM announced the Quad9 (9.9.9.9) DNS service. This security-focused resolver uses IBM's threat intelligence to block resolution of known malicious domains (and so protect against malware), with approximately 70 servers worldwide. It claims decent speed, and IBM has promised not to store any personally identifiable information (PII). On April 1, 2018, Cloudflare launched the quad 1 resolver, 1.1.1.1, which focuses on speed: with more than 1,000 servers it promises to be the fastest resolver from any location. Cloudflare also promises never to sell resolver data and to delete the resolver logs every 24 hours. Several independent measurements have confirmed the speed claim; 1.1.1.1 is typically the fastest resolver after the ISP's own. The trade-off of such a large number of caching servers is propagation time: quad 1 was observed to take significantly longer than other providers to pick up changed DNS records.

Another DNS initiative is DoH, DNS over HTTPS. This is a new standards proposal that can be viewed as the encrypted version of DNS (as HTTPS is to HTTP). The focus is on both privacy and security: DNS queries are carried inside an HTTPS session to the resolver, so nobody on the path can read or tamper with them. With classic DNS, even a user who has configured a third-party resolver still sends queries in clear text over port 53, so the ISP can observe them, log them, or transparently redirect them to its own resolver; DoH prevents this. Two major public recursive resolvers support the protocol, Cloudflare's recent quad 1 and Google's DNS, as well as some smaller ones. Mozilla recently ran a proof of concept with native Firefox support for DoH, which was described by Ars Technica.
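To show what actually goes over the wire, here is an added example, not code from the original post or from Cloudflare, Google or Mozilla. It builds a DNS query in normal wire format, encodes it the way the DoH specification (the proposal above, later published as RFC 8484) requires for a GET request (base64url, padding stripped, in a `dns` query parameter, with `Accept: application/dns-message`), and parses a wire-format answer. The resolver endpoint `https://cloudflare-dns.com/dns-query` is assumed for illustration (any DoH endpoint works), the sample response bytes are constructed, and only the live lookup at the bottom needs network access.

```python
"""Added example (not from the original post): build a DNS query in wire format,
encode it for an RFC 8484 DoH GET request, and parse the wire-format answer.
The resolver endpoint and the sample response bytes are assumptions/constructed."""
import base64
import ipaddress
import struct
import urllib.request

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # assumption: any RFC 8484 endpoint


def build_query(name, qtype=1, txid=0):
    """Single-question DNS query with RD=1. RFC 8484 recommends txid 0 so that
    identical queries produce identical URLs and can be cached by HTTP caches."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(query, endpoint=DOH_ENDPOINT):
    """base64url without '=' padding, as RFC 8484 requires for the 'dns' parameter."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after the name)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into earlier part of the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_answers(msg):
    """Return (rcode, [(name, type, ttl, address)]) for the A/AAAA records in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode, off = flags & 0xF, 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", ttl, str(ipaddress.IPv4Address(rdata))))
        elif rtype == 28 and rdlen == 16:
            answers.append((name, "AAAA", ttl, str(ipaddress.IPv6Address(rdata))))
    return rcode, answers


# Constructed sample response: NOERROR, one A record for example.com, TTL 300,
# with the answer name given as a compression pointer (0xC00C) back to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)


def resolve_over_doh(name, endpoint=DOH_ENDPOINT):
    """Live lookup over HTTPS; needs network access and is not part of the offline checks."""
    req = urllib.request.Request(doh_get_url(build_query(name), endpoint),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_answers(resp.read())


if __name__ == "__main__":
    print(doh_get_url(build_query("example.com")))
    print(parse_answers(SAMPLE_RESPONSE))
```

Note what an on-path observer gets in each case: the query bytes that `build_query` produces are exactly what a classic resolver sees in a clear-text UDP datagram, whereas with DoH the same bytes travel inside TLS to the resolver, indistinguishable from other HTTPS traffic to that host. The resolver itself still sees every query, which is why the providers' logging and data-sale promises in the text matter as much as the transport.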


As we have shown, DNS continues to evolve, both as a specification and as a service. Companies keep investing heavily in collecting DNS data because they see value in it. While each provider offers a slightly different service, most intend to mine the data for their own purposes, and to obtain it they are happy to provide the DNS service for free and compete in this saturated market.


Security

Personal Security Hygiene

June 27, 2018 — by Lior Rozen


If you are reading this post, chances are you are aware of internet hacks: you have heard of the company that had all its data stolen, or the CEO whose social media account was compromised. If you work at an enterprise, it has probably bought and deployed security products to protect its employees and its intellectual property. However, there are many ways to get around such security measures, whether you are at work or browsing from the safety of your own home. In this post I have collected four simple rules that can help you stay protected. In the continuous battle between security and usability, following these four rules costs very little comfort, yet significantly lowers the chance that you will be hacked. They are good practices, and for most people they are enough. You will not always know when they have helped you, but if you make them a habit, they will do you good.

Security

HTTP Attacks

November 15, 2017 — by Lior Rozen


HTTP traffic dominates the internet; in fact, when people are asked about the internet, they sometimes think of it as their browser, the thing that connects them to everything online. Data centers also carry a high volume of HTTP traffic, and many enterprises see more and more of their revenue coming from online sales. As that popularity grows, so does the risk, and like any protocol, HTTP is vulnerable to attack. Attackers use denial-of-service (DoS) techniques to take web servers offline, whether to make a point, to make a profit, or simply for fun. In this post I describe the common DDoS attacks launched against HTTP servers.

Security

HTTPS Interception – How To Use It Without Concern

April 11, 2017 — by Lior Rozen


Network privacy is making its way into the news more and more these days. As eager as we are to share our personal moments on social media and get responses to them, we are even more eager to protect our private data. The privacy concern has become stronger still since the Snowden revelations showed that the U.S. government (as well as others) is in fact inspecting all internet communication.

Attack Types & Vectors, Security

DNS Reflective Attacks

December 7, 2016 — by Lior Rozen


A DNS reflection attack is used in many distributed denial-of-service (DDoS) attacks to saturate a victim's internet pipe. It is a two-step attack: the attacker sends a large number of requests to one or more legitimate DNS servers with the source IP spoofed to that of the victim. The DNS servers, receiving what look like legitimate requests, send their replies to the spoofed address, unknowingly flooding the victim with responses to queries it never sent.

The internet is full of open resolvers, DNS servers that answer any query sent to them; some reports put their number in the millions. That number makes it very hard to identify the attack sources in advance using IP reputation. Furthermore, these servers are legitimate and normally send legitimate traffic, so an IP reputation service cannot tell whether their nature is malicious.
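Because the reflecting resolvers are legitimate, the detectable signal is the pattern rather than the source addresses: a host receiving DNS responses it never asked for, from many distinct servers. The following is an added example, not code from the original post or from Radware: it walks a list of UDP flow records, remembers the queries each host sent (destination port 53) and flags the hosts that receive responses (source port 53) with no matching query. The record format, the thresholds and the flow records themselves are constructed assumptions for this illustration.

```python
"""Added example, not from the original post: spotting a DNS reflection victim from
flow records by matching inbound DNS responses against the queries the host actually
sent. Record format, thresholds and the records are assumptions for this illustration."""

# Constructed UDP flow records: "<seq> <src> <sport> <dst> <dport> <bytes>".
# 10.1.1.5 performs a normal lookup; 192.0.2.10 receives responses it never asked for,
# sent by open resolvers that were given 192.0.2.10 as a spoofed source address.
SAMPLE_FLOWS = """\
1 10.1.1.5 40001 198.51.100.1 53 60
2 198.51.100.1 53 10.1.1.5 40001 120
3 203.0.113.7 53 192.0.2.10 3333 3000
4 203.0.113.8 53 192.0.2.10 3333 3000
5 203.0.113.9 53 192.0.2.10 3333 3000
6 203.0.113.10 53 192.0.2.10 3333 3000
7 203.0.113.7 53 192.0.2.10 3333 3000
"""


def parse_flows(text):
    """Yield (src, sport, dst, dport, bytes) tuples; skips comments and malformed lines."""
    for line in text.splitlines():
        p = line.split()
        if len(p) != 6 or p[0].startswith("#"):
            continue
        yield p[1], int(p[2]), p[3], int(p[4]), int(p[5])


def unsolicited_dns_responses(flows):
    """Return {host: {'sources': set, 'bytes': int, 'responses': int}} for DNS responses
    (source port 53) with no matching outbound query (destination port 53) from that host.
    Matching key is (client, client port, server); flows must be in time order."""
    outstanding = set()
    stats = {}
    for src, sport, dst, dport, nbytes in flows:
        if dport == 53:                       # the host sent a query; remember it
            outstanding.add((src, sport, dst))
        elif sport == 53:                     # a response arrived; was it asked for?
            key = (dst, dport, src)
            if key in outstanding:
                outstanding.discard(key)      # solicited, nothing to report
                continue
            s = stats.setdefault(dst, {"sources": set(), "bytes": 0, "responses": 0})
            s["sources"].add(src)
            s["bytes"] += nbytes
            s["responses"] += 1
    return stats


def reflection_victims(stats, min_sources=3, min_bytes=4096):
    """Hosts hit by unsolicited responses from several distinct resolvers. The resolvers
    themselves are legitimate, so the decision rests on the pattern, not on their IPs."""
    return sorted(h for h, s in stats.items()
                  if len(s["sources"]) >= min_sources and s["bytes"] >= min_bytes)


def analyze(text):
    """Convenience entry point: flow text in, list of suspected victims out."""
    return reflection_victims(unsolicited_dns_responses(parse_flows(text)))


if __name__ == "__main__":
    print(analyze(SAMPLE_FLOWS))
```

On the constructed records, the ordinary client is never reported because its one response matches the query it sent, while the victim shows up with four distinct reflectors and 15 kB of answers. Two caveats for real use: the collector must see both directions of the traffic (asymmetric routing would make legitimate responses look unsolicited), and a single large response per source is normal for ordinary lookups, so the thresholds should be tuned against the site's own baseline.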

Attack Types & Vectors, DDoS, Security

Layer 7 Attack Mitigation

November 8, 2016 — by Lior Rozen


The DDoS world has been hitting new records lately, with the attacks on KrebsOnSecurity.com and later on OVH and Dyn reaching more than 1 Tbps of traffic. While the bandwidth numbers are indeed impressive, they were expected: DDoS experts anticipated that the previous record (about 450 Gbps) would soon be broken, and this 1 Tbps record will probably be broken again by the end of this year or early next. The remarkable part of the latest attack is that it was not the reflection attack the DDoS world had grown used to, which amplifies the attacker's requests through large internet servers. This time the attack consisted of a very large number of semi-legitimate HTTP GET requests. Such layer 7 attacks, aimed at the internet pipe as well as the application server behind it, are much harder to block than layer 3 and layer 4 attacks. They are also much harder to conduct.

Attack Types & Vectors, Security

DNS and DNS attacks

September 7, 2016 — by Lior Rozen


DNS is one of the most used protocols on the internet, and you have probably heard a lot about DNS attacks. In this series I will explain the DNS attack types and the reasons attackers use them.

The DNS Protocol

The Domain Name System, or DNS for short, is a protocol mainly concerned with translating the human-readable name of a site (the domain name) into its internet address (IP address); it is often referred to as the internet's phonebook. For example, when you browse to www.radware.com, your browser automatically sends a DNS query to its configured DNS server to translate www.radware.com into an IP address (in this illustration, 12.34.45.67), and then uses that address to fetch the content from www.radware.com. Each enterprise or ISP has its own DNS server that serves its users, and the server's address is configured automatically on any connected device, usually via DHCP, so that the device can perform DNS queries. Public DNS servers are also available, such as Google's well-known 8.8.8.8 or OpenDNS (recently acquired by Cisco), which provide many services on top of the simple DNS response.