Endpoint // Authentication
3/27/2014
07:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Attacks Rise On Network 'Blind' Spot

Interop speaker says DDoS attacks are not the only forms of abuse on the Domain Name Server.

The most high-profile attacks on Domain Name Service (DNS) servers are distributed denial-of-service (DDoS) attacks, but there are even more nefarious attacks on these systems underway today as cyber criminals and APT actors abuse commonly vulnerable DNS servers.

"DNS has been around forever. But there's an overwhelming lack of expertise" in it, says Patrick Foxhoven, vice president and CTO of emerging technologies at Zscaler. "It's been thought of as a dumb, foundational-level protocol. I believe it's a blind area of many networks that's often never looked at from a security point of view."

Foxhoven, who will deliver a presentation next week at Interop 2014 in Las Vegas on this very topic, says DDoS attacks may be the most well known abuses of DNS servers, but malware owners and authors are increasingly using it to build out their command-and-control infrastructures. "More modern threats continue to come up with unique ways... to tunnel out of networks or exfiltrate data," says Foxhoven, who will detail these threats in his "Forget Sticks and Stones: DNS Threats Prove Names Can Hurt You" presentation on Wednesday.

DNS reflection attacks are where attackers use bots to send domain name requests to DNS servers such that the servers end up flooding a targeted domain with responses, which can slow or crash both DNS servers and the targeted domain.

(Image: Cyber Inz)
(Image: Cyber Inz)

One of the largest DDoS attacks on record -- 300 Gbit/s of traffic -- was against volunteer spam-filtering organization Spamhaus in March of 2013.  The attackers abused improperly configured or default-state DNS servers, known as open DNS resolvers. Since DNS servers are large and run on high-speed Internet connections, the attackers were able to maximize a bigger bandwidth attack with fewer machines.

Ironically, the DNSSEC protocol that digitally signs domains can make DNS reflection attacks worse, Foxhoven says. "DNSSEC adds more data, so a reflection attack can be worse." That's because DNSSEC's digital signing of DNS domains and authenticating responses in queries to the DNS amplifies the replies if the DNS is spoofed, he says.

DNS hijacking also has become a popular method for hacktivists such as the Syrian Electronic Army, which last year exploited DNS security weaknesses to redirect visitors to websites of The New York Times and Twitter, to their own website with messages supporting Bashar Assad's government.

Botnet operators use fast-flux in their networks of zombies, which is basically load-balancing with a twist. It's a round-robin method where infected bot machines serve as proxies or hosts for malicious websites. These are constantly rotated, changing their DNS records to prevent their discovery by researchers, ISPs, or law enforcement.

"It can cripple the infrastructure and do a denial-of-service on the organization, too," Foxhoven says. "So if a company is infected with a botnet and the first sign is that their DNS servers are falling over, they are overwhelmed with load from fast-fluxing."

Foxhoven says cyber espionage actors are the newest adopters of fast-flux. "We're seeing DNS as the most common way these advanced-threat actors are phoning home... That was not the case two years ago."

There are some best-practices that organizations can employ to help protect their DNS infrastructures. "Configure servers so that they only allow recursion from your enterprise or users, not from the [external] Internet," says Foxhoven. And get visibility and analysis into what's going on in the DNS, he adds, using behavioral analysis products like those of FireEye's or Palo Alto Networks' or cloud-based offerings such as that of Zscaler's.

Still missing from the equation, however, is security for the "last mile," Foxhoven says. "There's a misunderstanding of what DNSSEC is meant to do. The last mile is still vulnerable: so if you have a laptop in an uncontrolled network, at Starbucks or a home network, you don't have strong security for making sure that laptop is getting the [domain name resolution] results... coming from the server it should be coming from and not been tampered with along the way."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
FilipeCifali
50%
50%
FilipeCifali,
User Rank: Apprentice
3/28/2014 | 5:13:01 PM
Re: not only DNS
This considering that NTP monlist is a old and it's already patched.

NTP can be easly blocked inside the network.

UDP may not be blocked in efficient ways if is needed.
JasonSachowski
50%
50%
JasonSachowski,
User Rank: Author
3/28/2014 | 9:54:02 AM
Is there a larger concern?
Reading between the lines of this article there appears to be a larger concern which is not directly called out.  Because we continue to focus on the traditional threat-based control approaches, such as encryption to protect against eavesdropping or certificates for authentication, are we inadvertently creating "blind" spots that increase opportunities for these attacks?

This is not to say that all existing security countermeasures are failing us but that perhaps we might have a better chance of surviving this modern threat landscape by re-evaluating the use of traditional threat-based approaches and focus on reducing our attack surfaces by following a more risk-based approach.
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
3/28/2014 | 8:36:00 AM
Re: not only DNS
The uptick in NTP and SNMP-based DDoS attacks is interesting. These are also protocols that are forgotten or overlooked by the security team.
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
3/28/2014 | 8:24:22 AM
not only DNS
The number of DDoS attacks is increasing causing even more serious problems.

Not only DNS amplification attacks are threatening the security communities, recently cyber criminals abused also of NTP and SNMP protocols.

Looking the Bandwidth amplification factor we can note that a DNS DDOS has a factor ranging from 28 to 54, meanwhile NTP has a traffic amplification factor of 550.

 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

CVE-2014-2716
Published: 2014-12-19
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 reuses the RC4 cipher stream, which makes it easier for remote attackers to obtain plaintext messages via an XOR operation on two ciphertexts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.