Perimeter

10/4/2017
04:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

DNS a 'Victim of its Own Success'

Why securing the Domain Name System remains an afterthought at many organizations.

It's been nearly one year since the massive DDoS attack on Domain Name Service (DNS) provider Dyn that disrupted major websites including Amazon, CNN, Netflix, Okta, Pinterest, Reddit, and Twitter, but DNS security remains an enigma for many businesses.

According to a new study conducted by Dimensional Research on behalf of Infoblox, some three out of 10 companies have been hit with cyberattacks on their DNS infrastructure, 93% of whom suffered downtime - 40% of them for an hour or more. But that likely just scratches the surface of the volume of attacks on DNS, experts say, because many DNS attacks are tough to detect.

"That number [of attacks] seems a little low," says DNS pioneer Paul Vixie, CEO and founder of DNS security firm FarSight Security, of the new data. Vixie, who is the principal author of the pervasive BIND DNS server software and creator of several DNS standards, notes that it's difficult for some organizations to pinpoint an attack came via their DNS.

Downtime costs, too, are likely higher than the Dimensional/Infoblox study data shows. Some 54% of organizations in the study say they lost $50,000+ to a DNS attack, while nearly a quarter lost $100,000+. "There are things you can count, but you don't know about every attack that happens or every actual cost because it isn't always" quantifiable, so the losses could be more, Vixie notes.

Prakash Nagpal, vice president at network and DNS security firm Infoblox, concedes that there likely are more DNS attacks that just aren't discovered. "I do think more companies have been" hit than that, he says of the data. The most well-known DNS threats are distributed denial-of-service attacks, of course, he says. But "DNS is not just about DDoS attacks," Nagpal says.

"In a lot of cases they [victims] don't know they were subjected to DNS attacks because they [the attacks] are so subtle … I don't think people make the connection between DNS and malware" distribution and data exfiltration, he says.

An infected machine has to "call home" at some point, he says, and one of the most common types of DNS attacks is where attackers use the DNS to siphon data from the victim organization. The infected machine is forced to make DNS requests to the attacker's server, which in turn pulls the stolen data from that machine during those interactions. So if an executive's laptop is infected, the attackers can pull sensitive data such as financial reports, for example, via those DNS queries, he says.

"While DDoS remains a big source of downtime and a huge source of attack, where DNS is being used in data exfiltration" should also be of concern, according to Nagpal.

The Infoblox study, which queried more than 1,000 security and IT professionals worldwide, illustrated how reactive DNS security tends to be in organizations: three quarters of organizations who haven't experienced a DNS attack say antivirus monitoring is their main focus security-wise, but 70% of those who've been hit by a DNS attack rank DNS security as their number one security priority.

"DNS is a victim of its own success. How many times do you think about how your phone call gets routed? You're not supposed to; the same in the IP space," Nagpal says. There also can be a learning curve for DNS and its security implications, he says.

"DNS [security] is still not top of mind," Nagpal says.

The Oct. 21 wave of DDoS attacks on Dyn – courtesy of the historic Mirai botnet of infected Internet of Things devices – used masked TCP and UDP traffic via Port 53 to overwhelm the DNS provider's infrastructure as well as recursive DNS retry traffic. It was the DNS traffic sent in the DDoS that was most perplexing when it came to detecting it.

Scott Hilton, executive vice president of product for Dyn, explained in the aftermath that the DNS traffic sent in the DDoS attacks also generated legitimate DDoS retry traffic, making the attack more complicated to parse, and the attack generated ten to 20 times the normal DNS traffic levels thanks to malicious and legitimate retries.

"During a DDoS which uses the DNS protocol it can be difficult to distinguish legitimate traffic from attack traffic," he said in a blog post. "When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume. We saw both attack and legitimate traffic coming from millions of IPs across all geographies."

More DNS Security Woes

Meanwhile, Google researchers this week disclosed they had found seven security flaws in DNS software used in Android, home routers, and IoT devices. The flaws in Dnsmasq since have been fixed, but the chance of most IoT devices getting them is slim since those devices traditionally don't get software updates. Vixie says the bugs have to do with the software, not DNS itself. "It's a cute little piece of software, tiny, and not sloppy code. But it had bugs" like most other software and these devices run it, he says.

Android devices are less at risk given built-in security features, but millions of IoT devices could be exploited, experts say. Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposures Research Team, says the RCE flaw (CVE-2017-14491) specifically can be abused via malicious DNS replies, but would be difficult to exploit to build a Mirai-type botnet without the attacker jumping through various hoops. Among those: he or she would have to force the vulnerable device to issue a DNS request that the attacker would reply to, for example. Even so, he says "the possibility of widespread attack cannot be entirely ruled out." 

It's another example of just how IoT devices can easily be abused. "The cheaper the device, you more you can fear it," Vixie says. "I expect more Mirais" to emerge, he adds, because locking down IoT devices is a major cost that doesn't jive economically with low-cost consumer devices.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
The Case for a Human Security Officer
Ira Winkler, CISSP, President, Secure Mentem,  12/5/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8651
PUBLISHED: 2018-12-12
A cross site scripting vulnerability exists when Microsoft Dynamics NAV does not properly sanitize a specially crafted web request to an affected Dynamics NAV server, aka "Microsoft Dynamics NAV Cross Site Scripting Vulnerability." This affects Microsoft Dynamics NAV.
CVE-2018-8652
PUBLISHED: 2018-12-12
A Cross-site Scripting (XSS) vulnerability exists when Windows Azure Pack does not properly sanitize user-provided input, aka "Windows Azure Pack Cross Site Scripting Vulnerability." This affects Windows Azure Pack Rollup 13.1.
CVE-2018-8617
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8...
CVE-2018-8618
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8...
CVE-2018-8619
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists when the Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions, aka "Internet Explorer Remote Code Execution Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Exp...