Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
7 Ways to Keep DNS Safe
Newest First  |  Oldest First  |  Threaded View
davidredekop
50%
50%
davidredekop,
User Rank: Apprentice
7/12/2018 | 10:56:21 PM
What if everybody did it
Curtis, I always enjoy watching you on TWIET, thanks for this article. Well thought out!

Your tweet asked "What would you add to the list?" on your tweet. I'd add that a very simple but powerful technique is to force DNS to an on-premise service. It's technically hijacking, but with a positive outcome. You don't allow any endpoints to make Internet-bound DNS queries but instead force them to use local DNS server(s). The designated servers are the only ones able to make recursive or upstream queries.

This has the simple effect of *preventing* participation in any DNS reflection attack. We do this as a basic standard at www.adamnet.works for all of our products.

By the way, the same thing should be done for NTP since it's also a very common protocol used by endpoints and abused for UDP reflection attacks.

Hijacking NTP and DNS, if it were done as a basic standard on Internet exit points, would disable all future reflection attacks attempting to use those protocols and their respective public servers.
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
7/10/2018 | 4:02:11 PM
Efficient Malicious Packet Capture Through Advanced DNS Sinkhole
I read a great paper titled "Efficient Malicious Packet Capture Through Advanced DNS Sinkhole" (Hyun Mi Jung, Haeng Gon Lee, Jang Won Choi). It caught my eye by stating in the Abstract that among the current botnet countermeasures, "DNS sinkhole is known as the best practice in the world."

Like anything that is based on the collection and analysis of data, however, it seems that, to be most effective, one might have to get hardware to cope with the overhead, which would go against the idea in this article that you won't have to run out and start spending money for hardware. That overhead comes from critical elements in this model, though, that make it ideal and useful to both the whole InfoSec community and organizations looking to be more proactive in their security planning.

In brief, as described by this paper, you'd have a combination of systems that monitor, analyze and detect, then re-direct as necessary. So, if an organization has a PC that is infected by a malicious bot in a target security control agency AND initializes a connection to a command and control (C&C) system (the malicious controller of the bot), that traffic is detected as part of the monitored traffic at the target organization, and then redirected to a DNS sinkhole server rather than the real DNS server. The catch is the incoming traffic has to be recognized as part of a malicious domain (or identified as one realtime with AI support and access to a database of profiles such as this project collects). When those queries go to the sinkhole server {in this paper's model, at least), they are routed through the Korea Research Environment Open NETwork (KREONET) and the target organization's Threat Management System (TMS). The point of this is to collect all the traffic from the zombie PC with the bot into a log to better understand its purpose, collect intel on the bot and develop a profile of the attacker.

Sinkholes have been used to help thwart WannaCry and Avalanche threats. I'm not sure how sophisticated those sinkholes were, but as defined in this paper, probably not every organization could implement such an architecture. But as malicious bots, whether stationed on remote web servers or installed via malware on PCs, become rampant, this model of redirection and analysis, and ideally data sharing among the InfoSec community, is more crucial than ever to keep threats minimized and to better arm the InfoSec community as a whole.


Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31922
PUBLISHED: 2021-05-14
An HTTP Request Smuggling vulnerability in Pulse Secure Virtual Traffic Manager before 21.1 could allow an attacker to smuggle an HTTP request through an HTTP/2 Header. This vulnerability is resolved in 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, and 18.2R3.
CVE-2021-32051
PUBLISHED: 2021-05-14
Hexagon G!nius Auskunftsportal before 5.0.0.0 allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter.
CVE-2021-32615
PUBLISHED: 2021-05-13
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
CVE-2021-33026
PUBLISHED: 2021-05-13
The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the ca...
CVE-2021-31876
PUBLISHED: 2021-05-13
Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Lightning network nodes. An unconfirmed child transaction with ...