Detecting DNS Hijacks Via Network Monitoring

Last year saw a slew of different DNS attacks. The most recent incident was the hijacking of Twitter's DNS records to redirect to a Website stating, "This site has been hacked by the Iranian Cyber Army." Though the impact to a company's public image can be large, DNS redirection attacks have the potential to be even more devastating than a tarnished image.As mentioned in Dark Reading's Twitter DNS hijack article, the attack would have had much more serious consequences if the impostor site held a replica of the Twitter site in order to harvest user credentials. And since we all know how often people use the same password on multiple sites, that would spell disaster for many people.

Let's change the attack around and think about if the target was an organization's mail server and the attacker was a competitor looking to steal trade secrets. Forget about stealing user credentials: Now the attackers can start intercepting important mail, spoofing it, and modifying it before it gets to the victim.

Those are all scary scenarios that affect whole organizations and can end up being detected pretty quickly with a diligent and observant IT staff. What gets tricky is when the users end up being the target and DNS settings are only changed on their local computer system. Unless host integrity-checking is in place for endpoint systems, the change will likely go unnoticed until the user realizes something is wrong -- which will probably be too late.

In addition to monitoring host-based changes to DNS settings, detection can also be achieved through network monitoring. The easiest solution is to set up your intrusion detection system or firewall to detect DNS traffic not sourced from your corporate DNS servers. When one of your users' systems starts making DNS requests to DNS servers outside of your network, it's time to take a deep look at what's going on.

If you're using Snort, then there are rules available in the Emerging Threats rule set to help you detect traffic to DNS servers that have not been defined as "authorized" in the Snort configuration file. Take a look. You might be surprised at what you find.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.