Perimeter

10/4/2017
04:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

DNS a 'Victim of its Own Success'

Why securing the Domain Name System remains an afterthought at many organizations.

It's been nearly one year since the massive DDoS attack on Domain Name Service (DNS) provider Dyn that disrupted major websites including Amazon, CNN, Netflix, Okta, Pinterest, Reddit, and Twitter, but DNS security remains an enigma for many businesses.

According to a new study conducted by Dimensional Research on behalf of Infoblox, some three out of 10 companies have been hit with cyberattacks on their DNS infrastructure, 93% of whom suffered downtime - 40% of them for an hour or more. But that likely just scratches the surface of the volume of attacks on DNS, experts say, because many DNS attacks are tough to detect.

"That number [of attacks] seems a little low," says DNS pioneer Paul Vixie, CEO and founder of DNS security firm FarSight Security, of the new data. Vixie, who is the principal author of the pervasive BIND DNS server software and creator of several DNS standards, notes that it's difficult for some organizations to pinpoint an attack came via their DNS.

Downtime costs, too, are likely higher than the Dimensional/Infoblox study data shows. Some 54% of organizations in the study say they lost $50,000+ to a DNS attack, while nearly a quarter lost $100,000+. "There are things you can count, but you don't know about every attack that happens or every actual cost because it isn't always" quantifiable, so the losses could be more, Vixie notes.

Prakash Nagpal, vice president at network and DNS security firm Infoblox, concedes that there likely are more DNS attacks that just aren't discovered. "I do think more companies have been" hit than that, he says of the data. The most well-known DNS threats are distributed denial-of-service attacks, of course, he says. But "DNS is not just about DDoS attacks," Nagpal says.

"In a lot of cases they [victims] don't know they were subjected to DNS attacks because they [the attacks] are so subtle … I don't think people make the connection between DNS and malware" distribution and data exfiltration, he says.

An infected machine has to "call home" at some point, he says, and one of the most common types of DNS attacks is where attackers use the DNS to siphon data from the victim organization. The infected machine is forced to make DNS requests to the attacker's server, which in turn pulls the stolen data from that machine during those interactions. So if an executive's laptop is infected, the attackers can pull sensitive data such as financial reports, for example, via those DNS queries, he says.

"While DDoS remains a big source of downtime and a huge source of attack, where DNS is being used in data exfiltration" should also be of concern, according to Nagpal.

The Infoblox study, which queried more than 1,000 security and IT professionals worldwide, illustrated how reactive DNS security tends to be in organizations: three quarters of organizations who haven't experienced a DNS attack say antivirus monitoring is their main focus security-wise, but 70% of those who've been hit by a DNS attack rank DNS security as their number one security priority.

"DNS is a victim of its own success. How many times do you think about how your phone call gets routed? You're not supposed to; the same in the IP space," Nagpal says. There also can be a learning curve for DNS and its security implications, he says.

"DNS [security] is still not top of mind," Nagpal says.

The Oct. 21 wave of DDoS attacks on Dyn – courtesy of the historic Mirai botnet of infected Internet of Things devices – used masked TCP and UDP traffic via Port 53 to overwhelm the DNS provider's infrastructure as well as recursive DNS retry traffic. It was the DNS traffic sent in the DDoS that was most perplexing when it came to detecting it.

Scott Hilton, executive vice president of product for Dyn, explained in the aftermath that the DNS traffic sent in the DDoS attacks also generated legitimate DDoS retry traffic, making the attack more complicated to parse, and the attack generated ten to 20 times the normal DNS traffic levels thanks to malicious and legitimate retries.

"During a DDoS which uses the DNS protocol it can be difficult to distinguish legitimate traffic from attack traffic," he said in a blog post. "When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume. We saw both attack and legitimate traffic coming from millions of IPs across all geographies."

More DNS Security Woes

Meanwhile, Google researchers this week disclosed they had found seven security flaws in DNS software used in Android, home routers, and IoT devices. The flaws in Dnsmasq since have been fixed, but the chance of most IoT devices getting them is slim since those devices traditionally don't get software updates. Vixie says the bugs have to do with the software, not DNS itself. "It's a cute little piece of software, tiny, and not sloppy code. But it had bugs" like most other software and these devices run it, he says.

Android devices are less at risk given built-in security features, but millions of IoT devices could be exploited, experts say. Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposures Research Team, says the RCE flaw (CVE-2017-14491) specifically can be abused via malicious DNS replies, but would be difficult to exploit to build a Mirai-type botnet without the attacker jumping through various hoops. Among those: he or she would have to force the vulnerable device to issue a DNS request that the attacker would reply to, for example. Even so, he says "the possibility of widespread attack cannot be entirely ruled out." 

It's another example of just how IoT devices can easily be abused. "The cheaper the device, you more you can fear it," Vixie says. "I expect more Mirais" to emerge, he adds, because locking down IoT devices is a major cost that doesn't jive economically with low-cost consumer devices.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
When Your Sandbox Fails
Kowsik Guruswamy, Chief Technology Officer at Menlo Security,  4/11/2019
Julian Assange Arrested in London
Dark Reading Staff 4/11/2019
8 'SOC-as-a-Service' Offerings
Steve Zurier, Freelance Writer,  4/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1840
PUBLISHED: 2019-04-18
A vulnerability in the DHCPv6 input packet processor of Cisco Prime Network Registrar could allow an unauthenticated, remote attacker to restart the server and cause a denial of service (DoS) condition on the affected system. The vulnerability is due to incomplete user-supplied input validation when...
CVE-2019-1841
PUBLISHED: 2019-04-18
A vulnerability in the Software Image Management feature of Cisco DNA Center could allow an authenticated, remote attacker to access to internal services without additional authentication. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vuln...
CVE-2019-1826
PUBLISHED: 2019-04-18
A vulnerability in the quality of service (QoS) feature of Cisco Aironet Series Access Points (APs) could allow an authenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper input validation on QoS fields within Wi-Fi fra...
CVE-2019-1829
PUBLISHED: 2019-04-18
A vulnerability in the CLI of Cisco Aironet Series Access Points (APs) could allow an authenticated, local attacker to gain access to the underlying Linux operating system (OS) without the proper authentication. The attacker would need valid administrator device credentials. The vulnerability is due...
CVE-2019-1830
PUBLISHED: 2019-04-18
A vulnerability in Locally Significant Certificate (LSC) management for the Cisco Wireless LAN Controller (WLC) could allow an authenticated, remote attacker to cause the device to unexpectedly restart, which causes a denial of service (DoS) condition. The attacker would need to have valid administr...