Unless you were glued to the internet a few weeks ago, you may have missed the massive outage that hit the east coast on Oct. 21
Many popular websites such as Twitter, Reddit, Netflix, Etsy, and Spotify were inaccessible to thousands of users.
Experts have since declared that the outage was the result of a huge attack on DNS services at Dyn, an internet infrastructure company.
Concerns about DNS attacks have sat on the backburner for many businesses and IT companies alike – but that may be changing.
Companies such as Google, The New York Times, and several banks have fallen victim to a variety of DNS attacks in recent years.
With similar attacks sure to come, what types should you watch out for?
DNS poisoning can ultimately route users to the wrong website. For example, a user may enter “msn.com” into a web browser, but a page chosen by the attacker loads instead.
Since users are typing in the correct domain name, they may not realize that the website they are visiting is fake.
This creates a perfect opportunity for attackers to use phishing techniques to mine information - be it log in credentials or credit card information – from unsuspecting victims.
The attack can be devastating, depending on several factors, including the intention of the attacker and the scope of DNS poisoning.
How do attackers do this? By exploiting the DNS caching system.
DNS caching is used throughout the Web to accelerate load times and reduce strain on DNS servers. In a nutshell, once a system queries a DNS server and receives a response, it saves the information in a local cache for faster reference.
This approach is used across the web in a trickle-down fashion. The records at one DNS server are used to cache records at another DNS server. That server is used to cache DNS records on networking systems such as routers. Those records are used to create caches on local machines.
DNS poisoning occurs when one of these caches is compromised.
For example, if the cache on a network router is compromised, then anyone using it can be misdirected to a fraudulent website. The false DNS records then trickle-down to the DNS caches on each user’s machine.
This can also occur higher in the chain.
For example, a major DNS server can be compromised. This can poison the caches of DNS servers maintained by internet service providers. The poison can trickle-down to their customers’ networking systems and devices, potentially routing millions of people to websites chosen by an attacker.
Sound crazy? It’s not. In 2010, internet users across the U.S. were blocked from sites like Facebook and YouTube because a DNS server at a high-level ISP accidentally fetched records from the Great Firewall of China.
DNS cache poisoning is very difficult to detect. It can last until the TTL, or time to live, expires on the cached data or an administrator realizes and resolves the problem.
Depending on the duration of the TTL, it could take days for the servers to resolve the issue on their own.
The best methods to prevent a DNS cache poisoning attack include regular program updating, setting short TTL times, and regularly clearing the DNS caches of local machines and networking systems.
DNS amplification attacks are not threats against the DNS systems. Instead, they exploit the open nature of DNS services to strengthen the force of distributed denial of service (DDoS) attacks.
DDoS attacks typically occur with a botnet. The attacker uses a network of malware-infected computers to send large amounts of traffic to a target, such as a server. The goal is to overload the target and slow or crash it.
Amplification attacks add more punch. Rather than sending traffic directly from a botnet to a victim, the botnet sends requests to other systems. Those systems respond by sending even greater volumes of traffic to the victim.
DNS amplification attacks are a perfect example. Attackers use a botnet to send thousands of lookup requests to open DNS servers. The requests have a spoofed source address and are configured to maximize the amount of data returned by each DNS server.
The result: an attacker sends relatively small amounts of traffic from a botnet and generates proportionally greater – or “amplified” – volumes of traffic from DNS servers. The amplified traffic is directed to a victim, causing the system to falter.
UTM firewalls can be configured to recognize and stop DDoS attacks as they occur by dropping artificial packets trying to flood systems on the network.
Another way to combat DDoS attacks is to host your client’s architecture on multiple servers. That way, if one server becomes overloaded, another server will still be available.
If the attack is small, the IP addresses sending the traffic can be blocked. Additionally, an increase in the server’s bandwidth can enable it to absorb an attack.
Many dedicated, paid solutions also exist that are designed exclusively to combat DDoS attacks.
DDoS attacks can be used against many different types of systems. This includes DNS servers.
A successful DDoS attack against a DNS server can cause it to crash, rendering the users who rely on the sever unable to browse the web (note: users will still likely be able to reach websites they’ve visited recently, assuming the DNS record is saved in a local cache).
This is what happened to Dyn’s DNS services, as described in the opening of this post. A DDoS attack overwhelmed the company’s systems, causing them to crash, which prevented thousands of people from accessing major websites.
How to defend against these attacks depends on the role of your systems in the environment.
For example, are you hosting a DNS server? In that case, there are steps you can take to protect it, such as keeping it patched and allowing only local machines to access it.
Perhaps you are trying to reach the DNS server being attacked? In this case, you will likely have trouble connecting.
This is why it’s a good idea to configure your systems to rely on more than one DNS server. That way, if the primary server goes down, you have another as a fall back.
We recommend Google’s free Public DNS servers: 188.8.131.52 and 184.108.40.206. Instructions are also available for IPv6 addresses.
DNS server attacks are a major network security risk and should be taken seriously. Businesses and IT companies both need to implement safeguards to prevent and reduce the effects of such an attack should they ever fall victim to one.
As a result of such attacks, ICANN has started emphasizing these risks with DNSSEC, a rising technology used for preventing DNS server attacks.
DNSSEC currently works by “signing” each DNS request with a certified signature to ensure authenticity. This helps servers weed out fake requests.
The only drawback to this technology is the fact that it has to be implemented at all stages of the DNS protocol to work properly – which is slowly but surely coming along.
Keeping an eye on developing technology such as DNSSEC as well as staying up to date on the latest DNS attacks is a good way to stay ahead of the curve.