Endpoint // Authentication
3/27/2014
07:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Attacks Rise On Network 'Blind' Spot

Interop speaker says DDoS attacks are not the only forms of abuse on the Domain Name Server.

The most high-profile attacks on Domain Name Service (DNS) servers are distributed denial-of-service (DDoS) attacks, but there are even more nefarious attacks on these systems underway today as cyber criminals and APT actors abuse commonly vulnerable DNS servers.

"DNS has been around forever. But there's an overwhelming lack of expertise" in it, says Patrick Foxhoven, vice president and CTO of emerging technologies at Zscaler. "It's been thought of as a dumb, foundational-level protocol. I believe it's a blind area of many networks that's often never looked at from a security point of view."

Foxhoven, who will deliver a presentation next week at Interop 2014 in Las Vegas on this very topic, says DDoS attacks may be the most well known abuses of DNS servers, but malware owners and authors are increasingly using it to build out their command-and-control infrastructures. "More modern threats continue to come up with unique ways... to tunnel out of networks or exfiltrate data," says Foxhoven, who will detail these threats in his "Forget Sticks and Stones: DNS Threats Prove Names Can Hurt You" presentation on Wednesday.

DNS reflection attacks are where attackers use bots to send domain name requests to DNS servers such that the servers end up flooding a targeted domain with responses, which can slow or crash both DNS servers and the targeted domain.

(Image: Cyber Inz)
(Image: Cyber Inz)

One of the largest DDoS attacks on record -- 300 Gbit/s of traffic -- was against volunteer spam-filtering organization Spamhaus in March of 2013.  The attackers abused improperly configured or default-state DNS servers, known as open DNS resolvers. Since DNS servers are large and run on high-speed Internet connections, the attackers were able to maximize a bigger bandwidth attack with fewer machines.

Ironically, the DNSSEC protocol that digitally signs domains can make DNS reflection attacks worse, Foxhoven says. "DNSSEC adds more data, so a reflection attack can be worse." That's because DNSSEC's digital signing of DNS domains and authenticating responses in queries to the DNS amplifies the replies if the DNS is spoofed, he says.

DNS hijacking also has become a popular method for hacktivists such as the Syrian Electronic Army, which last year exploited DNS security weaknesses to redirect visitors to websites of The New York Times and Twitter, to their own website with messages supporting Bashar Assad's government.

Botnet operators use fast-flux in their networks of zombies, which is basically load-balancing with a twist. It's a round-robin method where infected bot machines serve as proxies or hosts for malicious websites. These are constantly rotated, changing their DNS records to prevent their discovery by researchers, ISPs, or law enforcement.

"It can cripple the infrastructure and do a denial-of-service on the organization, too," Foxhoven says. "So if a company is infected with a botnet and the first sign is that their DNS servers are falling over, they are overwhelmed with load from fast-fluxing."

Foxhoven says cyber espionage actors are the newest adopters of fast-flux. "We're seeing DNS as the most common way these advanced-threat actors are phoning home... That was not the case two years ago."

There are some best-practices that organizations can employ to help protect their DNS infrastructures. "Configure servers so that they only allow recursion from your enterprise or users, not from the [external] Internet," says Foxhoven. And get visibility and analysis into what's going on in the DNS, he adds, using behavioral analysis products like those of FireEye's or Palo Alto Networks' or cloud-based offerings such as that of Zscaler's.

Still missing from the equation, however, is security for the "last mile," Foxhoven says. "There's a misunderstanding of what DNSSEC is meant to do. The last mile is still vulnerable: so if you have a laptop in an uncontrolled network, at Starbucks or a home network, you don't have strong security for making sure that laptop is getting the [domain name resolution] results... coming from the server it should be coming from and not been tampered with along the way."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
FilipeCifali
50%
50%
FilipeCifali,
User Rank: Apprentice
3/28/2014 | 5:13:01 PM
Re: not only DNS
This considering that NTP monlist is a old and it's already patched.

NTP can be easly blocked inside the network.

UDP may not be blocked in efficient ways if is needed.
JasonSachowski
50%
50%
JasonSachowski,
User Rank: Author
3/28/2014 | 9:54:02 AM
Is there a larger concern?
Reading between the lines of this article there appears to be a larger concern which is not directly called out.  Because we continue to focus on the traditional threat-based control approaches, such as encryption to protect against eavesdropping or certificates for authentication, are we inadvertently creating "blind" spots that increase opportunities for these attacks?

This is not to say that all existing security countermeasures are failing us but that perhaps we might have a better chance of surviving this modern threat landscape by re-evaluating the use of traditional threat-based approaches and focus on reducing our attack surfaces by following a more risk-based approach.
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
3/28/2014 | 8:36:00 AM
Re: not only DNS
The uptick in NTP and SNMP-based DDoS attacks is interesting. These are also protocols that are forgotten or overlooked by the security team.
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
3/28/2014 | 8:24:22 AM
not only DNS
The number of DDoS attacks is increasing causing even more serious problems.

Not only DNS amplification attacks are threatening the security communities, recently cyber criminals abused also of NTP and SNMP protocols.

Looking the Bandwidth amplification factor we can note that a DNS DDOS has a factor ranging from 28 to 54, meanwhile NTP has a traffic amplification factor of 550.

 
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2021
Published: 2014-10-24
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.4.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.

CVE-2014-3604
Published: 2014-10-24
Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2014-6230
Published: 2014-10-24
WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header.

CVE-2014-6251
Published: 2014-10-24
Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote attackers to have an unspecified impact by sending a mining.subscribe response with a large nonce2 length, then triggering the overflow with a mining.notify request.

CVE-2014-7180
Published: 2014-10-24
Electric Cloud ElectricCommander before 4.2.6 and 5.x before 5.0.3 uses world-writable permissions for (1) eccert.pl and (2) ecconfigure.pl, which allows local users to execute arbitrary Perl code by modifying these files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.