Endpoint // Authentication
3/27/2014
07:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Attacks Rise On Network 'Blind' Spot

Interop speaker says DDoS attacks are not the only forms of abuse on the Domain Name Server.

The most high-profile attacks on Domain Name Service (DNS) servers are distributed denial-of-service (DDoS) attacks, but there are even more nefarious attacks on these systems underway today as cyber criminals and APT actors abuse commonly vulnerable DNS servers.

"DNS has been around forever. But there's an overwhelming lack of expertise" in it, says Patrick Foxhoven, vice president and CTO of emerging technologies at Zscaler. "It's been thought of as a dumb, foundational-level protocol. I believe it's a blind area of many networks that's often never looked at from a security point of view."

Foxhoven, who will deliver a presentation next week at Interop 2014 in Las Vegas on this very topic, says DDoS attacks may be the most well known abuses of DNS servers, but malware owners and authors are increasingly using it to build out their command-and-control infrastructures. "More modern threats continue to come up with unique ways... to tunnel out of networks or exfiltrate data," says Foxhoven, who will detail these threats in his "Forget Sticks and Stones: DNS Threats Prove Names Can Hurt You" presentation on Wednesday.

DNS reflection attacks are where attackers use bots to send domain name requests to DNS servers such that the servers end up flooding a targeted domain with responses, which can slow or crash both DNS servers and the targeted domain.

(Image: Cyber Inz)
(Image: Cyber Inz)

One of the largest DDoS attacks on record -- 300 Gbit/s of traffic -- was against volunteer spam-filtering organization Spamhaus in March of 2013.  The attackers abused improperly configured or default-state DNS servers, known as open DNS resolvers. Since DNS servers are large and run on high-speed Internet connections, the attackers were able to maximize a bigger bandwidth attack with fewer machines.

Ironically, the DNSSEC protocol that digitally signs domains can make DNS reflection attacks worse, Foxhoven says. "DNSSEC adds more data, so a reflection attack can be worse." That's because DNSSEC's digital signing of DNS domains and authenticating responses in queries to the DNS amplifies the replies if the DNS is spoofed, he says.

DNS hijacking also has become a popular method for hacktivists such as the Syrian Electronic Army, which last year exploited DNS security weaknesses to redirect visitors to websites of The New York Times and Twitter, to their own website with messages supporting Bashar Assad's government.

Botnet operators use fast-flux in their networks of zombies, which is basically load-balancing with a twist. It's a round-robin method where infected bot machines serve as proxies or hosts for malicious websites. These are constantly rotated, changing their DNS records to prevent their discovery by researchers, ISPs, or law enforcement.

"It can cripple the infrastructure and do a denial-of-service on the organization, too," Foxhoven says. "So if a company is infected with a botnet and the first sign is that their DNS servers are falling over, they are overwhelmed with load from fast-fluxing."

Foxhoven says cyber espionage actors are the newest adopters of fast-flux. "We're seeing DNS as the most common way these advanced-threat actors are phoning home... That was not the case two years ago."

There are some best-practices that organizations can employ to help protect their DNS infrastructures. "Configure servers so that they only allow recursion from your enterprise or users, not from the [external] Internet," says Foxhoven. And get visibility and analysis into what's going on in the DNS, he adds, using behavioral analysis products like those of FireEye's or Palo Alto Networks' or cloud-based offerings such as that of Zscaler's.

Still missing from the equation, however, is security for the "last mile," Foxhoven says. "There's a misunderstanding of what DNSSEC is meant to do. The last mile is still vulnerable: so if you have a laptop in an uncontrolled network, at Starbucks or a home network, you don't have strong security for making sure that laptop is getting the [domain name resolution] results... coming from the server it should be coming from and not been tampered with along the way."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
FilipeCifali
50%
50%
FilipeCifali,
User Rank: Apprentice
3/28/2014 | 5:13:01 PM
Re: not only DNS
This considering that NTP monlist is a old and it's already patched.

NTP can be easly blocked inside the network.

UDP may not be blocked in efficient ways if is needed.
JasonSachowski
50%
50%
JasonSachowski,
User Rank: Author
3/28/2014 | 9:54:02 AM
Is there a larger concern?
Reading between the lines of this article there appears to be a larger concern which is not directly called out.  Because we continue to focus on the traditional threat-based control approaches, such as encryption to protect against eavesdropping or certificates for authentication, are we inadvertently creating "blind" spots that increase opportunities for these attacks?

This is not to say that all existing security countermeasures are failing us but that perhaps we might have a better chance of surviving this modern threat landscape by re-evaluating the use of traditional threat-based approaches and focus on reducing our attack surfaces by following a more risk-based approach.
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
3/28/2014 | 8:36:00 AM
Re: not only DNS
The uptick in NTP and SNMP-based DDoS attacks is interesting. These are also protocols that are forgotten or overlooked by the security team.
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
3/28/2014 | 8:24:22 AM
not only DNS
The number of DDoS attacks is increasing causing even more serious problems.

Not only DNS amplification attacks are threatening the security communities, recently cyber criminals abused also of NTP and SNMP protocols.

Looking the Bandwidth amplification factor we can note that a DNS DDOS has a factor ranging from 28 to 54, meanwhile NTP has a traffic amplification factor of 550.

 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6501
Published: 2015-03-30
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_s...

CVE-2014-9652
Published: 2015-03-30
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote atta...

CVE-2014-9653
Published: 2015-03-30
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory ...

CVE-2014-9705
Published: 2015-03-30
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.

CVE-2014-9709
Published: 2015-03-30
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.