Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Authentication

3/27/2014
07:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Attacks Rise On Network 'Blind' Spot

Interop speaker says DDoS attacks are not the only forms of abuse on the Domain Name Server.

The most high-profile attacks on Domain Name Service (DNS) servers are distributed denial-of-service (DDoS) attacks, but there are even more nefarious attacks on these systems underway today as cyber criminals and APT actors abuse commonly vulnerable DNS servers.

"DNS has been around forever. But there's an overwhelming lack of expertise" in it, says Patrick Foxhoven, vice president and CTO of emerging technologies at Zscaler. "It's been thought of as a dumb, foundational-level protocol. I believe it's a blind area of many networks that's often never looked at from a security point of view."

Foxhoven, who will deliver a presentation next week at Interop 2014 in Las Vegas on this very topic, says DDoS attacks may be the most well known abuses of DNS servers, but malware owners and authors are increasingly using it to build out their command-and-control infrastructures. "More modern threats continue to come up with unique ways... to tunnel out of networks or exfiltrate data," says Foxhoven, who will detail these threats in his "Forget Sticks and Stones: DNS Threats Prove Names Can Hurt You" presentation on Wednesday.

DNS reflection attacks are where attackers use bots to send domain name requests to DNS servers such that the servers end up flooding a targeted domain with responses, which can slow or crash both DNS servers and the targeted domain.

One of the largest DDoS attacks on record -- 300 Gbit/s of traffic -- was against volunteer spam-filtering organization Spamhaus in March of 2013.  The attackers abused improperly configured or default-state DNS servers, known as open DNS resolvers. Since DNS servers are large and run on high-speed Internet connections, the attackers were able to maximize a bigger bandwidth attack with fewer machines.

Ironically, the DNSSEC protocol that digitally signs domains can make DNS reflection attacks worse, Foxhoven says. "DNSSEC adds more data, so a reflection attack can be worse." That's because DNSSEC's digital signing of DNS domains and authenticating responses in queries to the DNS amplifies the replies if the DNS is spoofed, he says.

DNS hijacking also has become a popular method for hacktivists such as the Syrian Electronic Army, which last year exploited DNS security weaknesses to redirect visitors to websites of The New York Times and Twitter, to their own website with messages supporting Bashar Assad's government.

Botnet operators use fast-flux in their networks of zombies, which is basically load-balancing with a twist. It's a round-robin method where infected bot machines serve as proxies or hosts for malicious websites. These are constantly rotated, changing their DNS records to prevent their discovery by researchers, ISPs, or law enforcement.

"It can cripple the infrastructure and do a denial-of-service on the organization, too," Foxhoven says. "So if a company is infected with a botnet and the first sign is that their DNS servers are falling over, they are overwhelmed with load from fast-fluxing."

Foxhoven says cyber espionage actors are the newest adopters of fast-flux. "We're seeing DNS as the most common way these advanced-threat actors are phoning home... That was not the case two years ago."

There are some best-practices that organizations can employ to help protect their DNS infrastructures. "Configure servers so that they only allow recursion from your enterprise or users, not from the [external] Internet," says Foxhoven. And get visibility and analysis into what's going on in the DNS, he adds, using behavioral analysis products like those of FireEye's or Palo Alto Networks' or cloud-based offerings such as that of Zscaler's.

Still missing from the equation, however, is security for the "last mile," Foxhoven says. "There's a misunderstanding of what DNSSEC is meant to do. The last mile is still vulnerable: so if you have a laptop in an uncontrolled network, at Starbucks or a home network, you don't have strong security for making sure that laptop is getting the [domain name resolution] results... coming from the server it should be coming from and not been tampered with along the way."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
FilipeCifali
50%
50%
FilipeCifali,
User Rank: Apprentice
3/28/2014 | 5:13:01 PM
Re: not only DNS
This considering that NTP monlist is a old and it's already patched.

NTP can be easly blocked inside the network.

UDP may not be blocked in efficient ways if is needed.
JasonSachowski
50%
50%
JasonSachowski,
User Rank: Author
3/28/2014 | 9:54:02 AM
Is there a larger concern?
Reading between the lines of this article there appears to be a larger concern which is not directly called out.  Because we continue to focus on the traditional threat-based control approaches, such as encryption to protect against eavesdropping or certificates for authentication, are we inadvertently creating "blind" spots that increase opportunities for these attacks?

This is not to say that all existing security countermeasures are failing us but that perhaps we might have a better chance of surviving this modern threat landscape by re-evaluating the use of traditional threat-based approaches and focus on reducing our attack surfaces by following a more risk-based approach.
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
3/28/2014 | 8:36:00 AM
Re: not only DNS
The uptick in NTP and SNMP-based DDoS attacks is interesting. These are also protocols that are forgotten or overlooked by the security team.
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
3/28/2014 | 8:24:22 AM
not only DNS
The number of DDoS attacks is increasing causing even more serious problems.

Not only DNS amplification attacks are threatening the security communities, recently cyber criminals abused also of NTP and SNMP protocols.

Looking the Bandwidth amplification factor we can note that a DNS DDOS has a factor ranging from 28 to 54, meanwhile NTP has a traffic amplification factor of 550.

 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.