
Free DNS Resolver Services and Data Mining

August 22, 2018 — by Lior Rozen


Why would companies offer free DNS recursive servers? DNS data is extremely valuable for threat intelligence. If a company runs a recursive DNS for consumers, it can collect data on new domains that “pop up”. It can analyze trends, build baselines on domain resolution and enrich its threat intelligence overall (machine learning and big data are often used here). Companies can also sell this data to advertisers to measure site ratings and build user profiles.

The consumer DNS resolver market is dominated by ISPs, alongside a few well-known public servers from Google and Level3 (CenturyLink). Since Cisco bought OpenDNS in August 2015, it has also become a major player, offering DNS services for individuals and organizations through its cloud security platform, Umbrella. Cisco OpenDNS focuses on malware prevention, as well as parental controls for consumers. Akamai is also in the market, offering both recursive DNS for enterprises (a fairly new service, based on its 2015 acquisition of Xerocole) and authoritative DNS for its CDN clients. In several publications, Akamai claims to see more than 30% of internet data and uses this data as an add-on feed to its KONA service.


In the fall of 2017, IBM announced its new quad 9 DNS service. This security-focused resolver uses IBM’s threat intelligence to refuse to resolve known malicious domains (and so protect against malware), using approximately 70 servers worldwide. It claims to offer decent speed, and IBM has promised not to store any personally identifiable information (PII). On April 1, 2018, Cloudflare came out with a new quad 1 resolver that focuses on speed. With more than 1,000 servers, it promises to be the fastest resolver from any location. Additionally, Cloudflare promises never to sell resolver user data and to delete the resolver logs every 24 hours. Several independent measurements have confirmed Cloudflare’s success on speed: it is typically the fastest resolver after the ISP’s own. The one issue with such a large number of servers is propagation time; quad 1 takes significantly longer than other DNS providers to pick up changes to DNS records.
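The two uses of resolver data described above, baselining newly observed domains and refusing to resolve known-bad ones, can be shown on a small log. The following is an added example written for this page, not code from Radware, IBM or any resolver operator; the log format (timestamp, client, query name, query type), the blocklist entries and the log lines are all constructed for the example, and the "registrable domain" helper is a deliberate simplification that ignores the Public Suffix List.

```python
"""
Added example (not from the original post): a toy threat-intelligence pass over
recursive-resolver query logs. It does two things a resolver operator can do with
the data the article describes:
  1. keep a per-domain baseline (first seen, last seen, query count, clients) and
     flag registrable domains that have only just "popped up";
  2. refuse queries for domains on a known-malicious list (the quad 9 model).
All log lines and blocklist entries are constructed sample data, and the log
format is an assumption made for this example, not any vendor's format.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed blocklist of known-bad domains (placeholder names, not real IoCs).
BLOCKLIST = {"malware-c2.example", "phish-login.example"}

# Constructed resolver log, one query per line: "ISO-timestamp client qname qtype"
SAMPLE_LOG = """\
2018-08-01T10:00:00 10.0.0.5 www.example.com A
2018-08-01T10:00:01 10.0.0.6 mail.example.com MX
2018-08-02T09:30:00 10.0.0.5 www.example.com A
2018-08-03T08:00:00 10.0.0.9 cdn.example.net A
2018-08-22T12:00:00 10.0.0.7 xk3f9a.shady-tld.example A
2018-08-22T12:00:05 10.0.0.7 malware-c2.example A
2018-08-22T12:01:00 10.0.0.5 www.example.com A
"""


def registrable_domain(qname):
    """Collapse a query name to its last two labels. This is a simplification;
    production code would consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


@dataclass
class DomainStats:
    first_seen: datetime
    last_seen: datetime
    queries: int = 0
    clients: set = field(default_factory=set)


def analyze(log_text, now, new_window):
    """Return (baseline, newly_observed, blocked).

    baseline: registrable domain -> DomainStats
    newly_observed: domains first seen within new_window of `now`
    blocked: (client, qname) pairs refused because of the blocklist
    """
    baseline = {}
    blocked = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, client, qname, _qtype = line.split()
        ts = datetime.fromisoformat(ts_str)
        dom = registrable_domain(qname)
        # Blocklist check first: a blocked name never enters the baseline.
        if dom in BLOCKLIST or qname.rstrip(".").lower() in BLOCKLIST:
            blocked.append((client, qname))
            continue
        stats = baseline.get(dom)
        if stats is None:
            stats = baseline[dom] = DomainStats(first_seen=ts, last_seen=ts)
        stats.last_seen = max(stats.last_seen, ts)
        stats.queries += 1
        stats.clients.add(client)
    newly = sorted(d for d, s in baseline.items() if now - s.first_seen <= new_window)
    return baseline, newly, blocked


def run_sample():
    """Run the analysis over the constructed log with a 7-day 'new domain' window."""
    now = datetime(2018, 8, 22, 12, 5, 0)  # constructed 'current time'
    return analyze(SAMPLE_LOG, now, timedelta(days=7))


if __name__ == "__main__":
    baseline, newly, blocked = run_sample()
    print("newly observed:", newly)
    print("blocked:", blocked)
    for dom, s in sorted(baseline.items()):
        print(dom, s.queries, "queries from", len(s.clients), "clients")
```

On the constructed log only `shady-tld.example` is flagged as newly observed, and the query for `malware-c2.example` is refused before it can be resolved; `example.com` accumulates four queries from two clients in the baseline. Real deployments key the baseline on much longer windows and add volume and client-spread thresholds before anything is treated as suspicious.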

Another DNS initiative is DoH, DNS over HTTPS. This is a new standard proposal that can be seen as the encrypted version of DNS (as HTTPS is to HTTP). The focus is on both privacy and security: DNS requests are carried over HTTPS to prevent interception of the request. Even if a user configures a different DNS server, the ISP can still see the clear-text DNS requests, log them, or override them and redirect the user to its own resolver. DoH prevents this. Two major cloud recursive DNS services support the protocol, the recent quad 1 by Cloudflare and Google’s DNS, as well as some smaller ones. Mozilla recently ran a PoC with native Firefox support for DoH, which was described by Ars Technica.


As we’ve shown, the DNS continues to evolve, both as a spec and as a service. Companies continue to invest a lot of money in collecting DNS data as they see the value in it. While each company provides a slightly different service, most are looking to mine the data for their own purposes. In order to do that, companies will be happy to provide the DNS service for free and compete in this saturated market.



DNS Reflective Attacks

December 7, 2016 — by Lior Rozen


A DNS reflective attack is used in many distributed denial-of-service (DDoS) attacks to saturate an internet pipe. It is a two-step attack: the attacker sends a large number of requests to one or more legitimate DNS servers using the spoofed source IP of the target victim. The DNS server receiving these semi-legitimate requests replies to the spoofed IP, thereby unknowingly launching an attack on the victim with responses to requests the victim never sent.

The internet is full of DNS servers configured as open resolvers that will serve any request sent to them; some reports put their number in the millions. This huge number makes it very hard to pre-identify the attack using IP reputation. Furthermore, the servers are legitimate servers that usually send legitimate traffic, leaving any IP reputation service unsure whether their nature is malicious.
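Because the reflecting servers are legitimate and reputation lists do not help, the victim's own edge has to rely on a different signal: a host only ever receives DNS responses for queries it sent. The following added example (written for this page, not code from Radware or from the post) tracks outstanding queries by (local address, resolver, transaction id), flags responses that match none, and aggregates the unsolicited bytes per reflector. The packet records and their tuple layout are constructed for the example and do not correspond to any real capture format.

```python
"""
Added example (not from the original posts): detection logic for DNS reflection
traffic as seen at the victim's network edge. Responses that arrive without a
matching outstanding query are the reflection; summing their bytes per source
shows which open resolvers are being used against us, without needing any
reputation data about those resolvers.
"""
from collections import defaultdict

# Each constructed record: (direction, src_ip, dst_ip, txid, is_response, udp_payload_len)
# direction "out" = sent from our network, "in" = arriving from the Internet.
CONSTRUCTED_PACKETS = [
    ("out", "203.0.113.10", "198.51.100.53", 0x1A2B, False, 45),
    ("in",  "198.51.100.53", "203.0.113.10", 0x1A2B, True, 120),   # legitimate reply
    ("in",  "198.51.100.77", "203.0.113.10", 0x0001, True, 3200),  # unsolicited (reflected)
    ("in",  "198.51.100.77", "203.0.113.10", 0x0002, True, 3150),  # unsolicited (reflected)
    ("in",  "198.51.100.88", "203.0.113.10", 0x0003, True, 4000),  # unsolicited (reflected)
    ("in",  "198.51.100.53", "203.0.113.10", 0x9999, True, 90),    # unknown txid, low volume
]


def find_unsolicited(packets):
    """Return [(src, dst, txid, length)] for responses with no matching query.

    A query is keyed by (our address, resolver address, txid); a response is
    matched by swapping its src/dst back into that key.
    """
    outstanding = set()
    unsolicited = []
    for direction, src, dst, txid, is_resp, length in packets:
        if direction == "out" and not is_resp:
            outstanding.add((src, dst, txid))
        elif direction == "in" and is_resp:
            key = (dst, src, txid)
            if key in outstanding:
                outstanding.discard(key)  # one answer per query; a duplicate is unsolicited
            else:
                unsolicited.append((src, dst, txid, length))
    return unsolicited


def reflector_summary(unsolicited, threshold_bytes):
    """Aggregate unsolicited response bytes per source and list sources over threshold."""
    per_src = defaultdict(int)
    for src, _dst, _txid, length in unsolicited:
        per_src[src] += length
    suspects = sorted(s for s, b in per_src.items() if b >= threshold_bytes)
    return dict(per_src), suspects


if __name__ == "__main__":
    hits = find_unsolicited(CONSTRUCTED_PACKETS)
    per_src, suspects = reflector_summary(hits, threshold_bytes=1000)
    print("unsolicited responses:", len(hits))
    print("bytes per source:", per_src)
    print("reflectors over threshold:", suspects)
```

In the constructed sample the legitimate answer from `198.51.100.53` is consumed by its query and dropped from consideration, while `198.51.100.77` and `198.51.100.88` cross the byte threshold and are the candidates for rate limiting or filtering at the edge. The threshold matters: a stray late answer (the `0x9999` record) should not by itself mark a resolver as a reflector.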


How Friday’s Massive DDoS Attack on the U.S. Happened

October 23, 2016 — by Daniel Smith


On the morning of October 21st, Dyn began to suffer from a denial-of-service (DoS) attack that interrupted its Managed DNS network. As a result, hundreds of thousands of websites became unreachable to most of the world, including Amazon’s EC2 instances. The problem intensified later in the day when the attackers launched a second round of attacks against Dyn’s DNS system. Dyn’s mitigation of the attack can be viewed on RIPE’s website, where a video illustrates the BGP switches.


DNS and DNS attacks

September 7, 2016 — by Lior Rozen


DNS is one of the most used protocols on the Internet, and you have probably heard a lot about DNS attacks. In this series, I will explain the DNS attack types and the reasons behind using them.

The DNS Protocol

Domain Name Server, or DNS for short, is a protocol mainly focused on translating the human-readable name of a site (the domain name) into its Internet address (IP address); it is often referred to as the Internet phonebook. For example, when you want to visit a site using a browser, your browser automatically sends a DNS request to its configured DNS server to translate the site’s domain name into its IP address. The browser then uses this IP address to fetch the content from the site. Each enterprise or ISP has its own DNS server that serves its users. The DNS server address is automatically configured on any connected device, usually via DHCP, so that the device can perform DNS queries. Public DNS servers are also available, such as Google’s famous DNS server or OpenDNS (recently acquired by Cisco), which also provide many services on top of the simple DNS response.
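The lookup described above is a small binary message, and the DoH proposal discussed in the first post above carries exactly that same message inside HTTPS. The following added example (written for this page, not code from Radware, Cloudflare, Google or Mozilla) builds a wire-format DNS query per RFC 1035, shows how RFC 8484 encodes it as the base64url `dns` parameter of a DoH GET request, and parses a response. Nothing is sent over the network: the resolver URL `https://doh.resolver.example/dns-query` is a placeholder, and the response bytes are constructed by hand for the example.

```python
"""
Added example (not from the original posts): DNS wire format and its DoH carriage.
  build_query      -> RFC 1035 header + question (what a stub resolver sends)
  doh_get_url      -> RFC 8484 GET form: base64url, no padding, in the 'dns' parameter
  parse_response   -> decode header, skip the question, read A-record answers
The DoH endpoint is a placeholder and the response is hand-built; no traffic is sent.
"""
import base64
import struct

DOH_URL = "https://doh.resolver.example/dns-query"  # placeholder, not a real endpoint


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0):
    """Header (flags 0x0100 = RD set) plus one question of class IN.
    RFC 8484 recommends txid 0 for DoH so identical queries produce cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(query, base_url=DOH_URL):
    """RFC 8484 GET form: base64url without '=' padding in the 'dns' query parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = ptr
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg):
    """Return (rcode, [(name, rtype, ttl, rdata)]); A records are rendered dotted-quad."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _name, off = decode_name(msg, off)
        off += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, rtype, ttl, ".".join(str(b) for b in rdata)))
        else:
            answers.append((name, rtype, ttl, rdata.hex()))
    return rcode, answers


def constructed_response(name="www.example.com", ip=(192, 0, 2, 1), ttl=300):
    """Hand-built reply: flags 0x8180 (QR, RD, RA), the echoed question, and one
    A record whose owner name is a pointer (0xC00C) back to the question at offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(ip)
    return header + question + answer


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("query bytes:", q.hex())
    print("DoH GET URL:", doh_get_url(q))
    print("parsed reply:", parse_response(constructed_response()))
```

With DoH the same 33-byte query travels in a GET parameter (or as a POST body with content type `application/dns-message`) inside an ordinary TLS session, which is why an on-path ISP can neither read the name being looked up nor rewrite the answer, the point the first post makes. The parser above handles the single-pointer compression a typical answer uses; a full resolver client must also handle pointers inside pointed-to names, TCP fallback and truncation.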