DNS is one of the most used protocols on the Internet, and you have probably heard a lot about DNS attacks on the Internet. In this series, I will explain more about the DNS attack types, and the reasons behind using them.
The DNS Protocol
Domain Name Server, or DNS for short, is a protocol that is mainly focused on translating the so-called human format name of a site (the domain name), into the Internet address (IP address), and is often referred to as the Internet phonebook. For example, when you want to go to www.radware.com using a browser, your browser will automatically perform a DNS request to its DNS server to translate www.radware.com into its IP address – 220.127.116.11. The browser will then use this IP address to get the content from www.radware.com. Each enterprise or ISP has its own DNS server that serves its users. The DNS server is automatically configured into any connected device so it can perform DNS queries, usually using DHCP. Public DNS servers are also available, such as Google’s famous 18.104.22.168 DNS server or openDNS (recently acquired by Cisco), which also provide many services on top of the simple DNS response.
DNS is one of the Internet’s foundations and was originally published in 1983 in RCFs 882 and 883, which were later replaced by RFC 1034 and 1035 in 1987. The DNS protocol seems like a simple protocol, but in fact the DNS’s infrastructure and variants can get complicated. Over the years, some newer extensions were added to the DNS protocol such as DNS over TCP and DNSSEC, which enhanced its capabilities and security while making it more complex. Many companies built their name and reputation on DNS, the most famous being Verisign, which owns some top-level DNS servers. DNS keeps attracting new startups that use DNS for network viability and security such as ThousandEyes and infoblox.
DNS attacks –
The wide usage of DNS on the Internet also led to a wide usage of DNS as an attack vector. DNS attacks are very common; once in a while a new vector is found and gains popularity over another vector, yet the DNS-related attacks always have a place of honor in the hall of fame.
The DNS attacks can be divided into several groups:
- Reflection attacks: This type of attack is used to attack a 3rd party victim, even if he does not run a DNS server. This attack vector is one of the most common vectors in the DDoS world. Its popularity came from the fact that it is completely spoofed (it’s very hard to identify the attacker), and it can amplify the attack bandwidth in a way that allows a few original packets to cause saturation of a large Internet pipe. These attacks will be the subject of my next article in this DNS series.
- Server attacks: These attacks are aimed at specific DNS servers and can have several objectives, the most common of which is to cause denial-of-service. Another common objective is to obtain all the data stored in a DNS server, in order to study the organization’s network infrastructure. Such study is later used to find effective attack vectors. Yet another attack objective is to get control over the server and server’s data using protocol vulnerabilities and anomalies. While both authoritative and recursive DNS servers are victims to such attacks, different attacks are used with each of them, leveraging the different mode of operation of each to maximize the attack impact. ISPs, hosting providers and any other company that hosts a public DNS server often suffer from such attacks.
- Spoofing results: These attacks aim to change a DNS valid response into a malicious response. While the attack is launched on the DNS server itself, the attack is actually focused on the DNS server’s users. The goal is to trick the user to go to a malicious site instead of a known legitimate site. The technique is mostly used as part of a phishing attack on personal-data or financial-related site. Once the DNS server is tricked into responding with the wrong data, it is very hard to detect the attack. This is because the person using the site is doing everything right, and on first look everything seems legitimate, while a man-in-the-middle attack is actually taking place in the background.
- DNS tunnels: This technique is not an attack per-se, rather it is a way to use DNS’s infrastructure and protocol to pass data under the radar. The technique is using the DNS protocol as a tunnel, while actually sending the data inside the DNS requests and responses. This technique is used to bypass corporate firewalls, Wi-Fi monetization mechanisms, Data-Loss-Prevention systems and any other technology used to inspect or limit data over the wire. Malwares often use this technique to pass data and communicate with the outside world, in order to avoid the organization’s security infrastructure.
All of the above attacks are widely used and can have a lot of impact, and combining all of them together explains the popularity of DNS attacks on the Internet today. The DNS-based attacks are a constant threat, and any security professional should get familiar with them, as well as pose a plan of how to fight them in case his infrastructure is being attacked.
Read “Creating a Safe Environment for Under-Protected APIs” to learn more.
Lior Rozen is the Director of Technologies for Radware. With over a decade of experience, he is a cyber-security expert, architecting innovative cyber security solutions and deployments tailored for Radware’s customers’ needs. Before taking his current position, Lior was the director of R&D for Radware’s DefensePro, managing all R&D aspects of this DDoS-protection market-leader technology. Lior led the shift to virtualized-ready software architecture, while promoting partnerships with leading security companies. Lior writes about network security and technology.