In November 2018, Cisco Talos researchers revealed a major new cyber-espionage operation in which attackers harvested log-ins from governments and private sector firms in the Middle East. The so-called ‘DNSpionage’ attacks were subsequently claimed by FireEye to be part of a highly successful Iranian state-sponsored campaign to steal credentials from victims – operating at “an almost unprecedented scale.”
The attacks, and another major campaign revealed earlier this year, shone a spotlight on an often overlooked part of IT infrastructure: the Domain Name System (DNS). This foundational layer of the internet represents a potentially open door in an organization’s IT infrastructure for hackers to sneak through. Closing and guarding it will require an industry-wide response.
What is DNS?
Often described as the ‘phone book of the internet,’ the DNS protocol acts like a kind of digital signage system, converting the domain names humans type into their computers into the IP addresses machines need to communicate online. Without it, simple tasks such as web browsing would become extremely labor intensive, making it difficult for users to find the websites, apps and connected machines they’re looking for online.
This phone book is spread across a dispersed global network of DNS servers designed to ensure users are pointed to the right web properties. When a browser’s query hits a recursive resolver, usually run by an ISP or other third party, the resolver first asks an authoritative root server, which holds information on the top-level domains (TLDs), and then the authoritative TLD name server, which knows which servers are authoritative for second-level domains within that TLD. The request finally reaches the domain’s own name server, which returns an IP address so the user can visit the relevant site.
One Vector, Multiple Attacks
This complex web of inter-linked servers run by ISPs, telecoms companies and some large corporates means a potentially huge attack surface for hackers to target. The DNS was also designed and built decades ago, long before commercial cybercrime, with usability rather than security in mind. This leaves it open to abuse.
According to Paul Vixie, DNS pioneer and CEO of Farsight Security, there are three main types of DNS-based attack: amplification, poisoning (aka spoofing) and bypass. The first of these is one of several ways to DDoS a victim organization via DNS.
“DDoS amplification occurs because DNS uses a stateless protocol and because requesting source IP addresses are trivially forged,” he tells Infosecurity. “This means I can cause your DNS server to receive tens or even hundreds of gigabits of unsolicited traffic by forcing your IP address on requests to high performance DNS servers all around the world. That attack will make your server, and perhaps your network connection, unusable.”
DNS poisoning occurs “when an attacker can launch well-timed answers during the brief interval when a client is waiting for a real answer to an outstanding question,” he continues. Sometimes this is achieved by attacking the DNS servers themselves to change the answers to queries stored there, diverting users unwittingly to phishing or malicious sites. Also known more generically as DNS hijacking, this is the technique used by those Iranian attackers.
DNS bypass threats happen when organizations or netizens use third-party services like DNS-over-HTTPS or Google’s 8.8.8.8. “These services are well-intentioned but are policy-ignorant, and many risks to the user or to the rest of the user’s network are able to bypass security controls when the user bypasses the local name service,” explains Vixie.
One emerging bypass threat that has hit the headlines recently is called a DNS rebinding attack. Although it has been known about for some time, concerns are growing. Recently described by Tripwire as “a technique that turns a victim’s browser into a proxy for attacking private networks,” it could spell serious trouble in the future as billions of IoT devices are vulnerable to the threat. It could become an increasingly popular way to sabotage or conscript these connected endpoints into botnets.
DNS also provides a handy channel for stolen data to leave the organization. As DNS traffic is essential to the smooth running of the business, most firewalls are set to whitelist it. By using so-called ‘tunneling’ techniques, attackers can hide data in DNS packets and smuggle it out of the victim organization.
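As an added illustration of how DNS monitoring can surface tunneling (this is example code, not from the article or any vendor named in it), the script below scores constructed resolver query-log lines on the signals tunneling typically leaves: very long labels, high-entropy labels, unusual query types, and an unusually large number of distinct subdomains under one registered domain. The log format, domain names and thresholds are all assumptions chosen for the sample.

```python
import math
from collections import defaultdict

# Constructed resolver query log (not real data): "client qname qtype"
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 cdn.static-assets.net A
10.0.0.9 4d2e8f1a9c0b7e3d5f6a1b2c3d4e5f60.exfil-test.example A
10.0.0.9 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d.exfil-test.example A
10.0.0.9 0f1e2d3c4b5a69788796a5b4c3d2e1f0.exfil-test.example TXT
10.0.0.9 a1b2c3d4e5f60718293a4b5c6d7e8f90.exfil-test.example A
10.0.0.5 login.example.com A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score far higher than words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def registered_domain(qname: str) -> str:
    """Crude: last two labels. A real deployment would use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def score_query(qname: str, qtype: str) -> list:
    """Reasons this single query looks like tunneling; empty list if benign."""
    reasons = []
    longest = max(qname.rstrip(".").split("."), key=len)
    if len(longest) >= 30:                      # hostnames are rarely this long
        reasons.append(f"long label ({len(longest)} chars)")
    if shannon_entropy(longest) > 3.5:          # hex/base32 data, not a word
        reasons.append("high-entropy label")
    if qtype in ("TXT", "NULL"):                # common carrier types for tunnels
        reasons.append(f"rare qtype {qtype}")
    return reasons

def detect_tunneling(log_text: str, uniq_threshold: int = 4):
    """Flag suspicious queries and zones with many distinct subdomains.
    uniq_threshold is tiny for this sample; production values run to hundreds."""
    per_query, uniq_subs = [], defaultdict(set)
    for line in log_text.splitlines():
        client, qname, qtype = line.split()
        reasons = score_query(qname, qtype)
        if reasons:
            per_query.append((client, qname, reasons))
        uniq_subs[registered_domain(qname)].add(qname)
    noisy_zones = {z for z, s in uniq_subs.items() if len(s) >= uniq_threshold}
    return per_query, noisy_zones
```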
A Game of Cat & Mouse
DNS threats are on the rise. Just months after the US CERT issued an emergency directive following the DNSpionage attacks, researchers discovered another sophisticated campaign ongoing since 2017. The so-called Sea Turtle attackers hijacked DNS servers around the world to harvest sensitive log-ins from military and government organizations in the Middle East. However, it’s not just large-scale nation-state attacks that are on the increase.
Over three-quarters (77%) of global organizations were hit by a DNS attack in 2018, with the average firm suffering seven attacks, according to EfficientIP research from last year. Some 40% of respondents suffered cloud outages, one-third (33%) were victims of data theft and 22% lost business as a result. Globally, the average cost per DNS attack rose 57% year-on-year, but in the UK the figure soared 105%, with firms paying nearly $4m annually as a result.
The bad news is that DNS attacks are likely to become more popular as security measures like IDS/IPS, next-gen firewalls and endpoint tools deter hackers from using other threat vectors, according to Infoblox technical director for Western Europe, Gary Cox.
“This is the game of cat and mouse that is continually being played as vulnerabilities are plugged,” he tells Infosecurity.
The DNS threat will also get harder to spot, adds Nominet head of IT security, Cath Goulding.
“There are various different devices that now connect to external networks,” she explains. “It’s no longer just desktop terminals, but printers, lights, access controls, factory machines and more. With so much traffic going through the DNS, it’s very easy to hide malicious packets in among genuine data.”
Taking on the DNS Threat
Combatting the growing DNS threat starts with improving awareness. “Despite the danger, so many businesses seem to turn a blind eye to protecting their DNS. In fact, 75% of the C-suite say they have gaps in their knowledge relating to how the DNS can be used in cyber-attacks against their organization,” argues Goulding.
However, the very ubiquity that makes DNS an attractive threat vector for attackers can make it a useful place from which to mitigate threats.
“What people don’t realize is that so many threats can be stopped at a DNS level, as almost all traffic has to pass through there,” Goulding explains. “Monitoring it in real time means that threats can be caught and dealt with before they go further. Many techniques used by hackers can be caught and stopped by DNS monitoring, snuffed out before they get through to attack critical systems.”
Experts also point to the need for improved employee security awareness, helping staff learn not to click on the malicious phishing links that may be used as part of rebinding attacks.
“DNS firewalling/response policy zones can also be a great asset in the fight against DNS rebinding, but its effectiveness is directly aligned with the quality of intelligence data that it is acting on. High quality, highly-curated threat intelligence with low false positives should be your starting point,” adds Infoblox’s Cox. “In addition to thinking about ways to protect against DNS rebinding, companies should be checking with their IoT suppliers to ensure APIs and web interfaces are secure in the first place – so using a HTTPS connection by default instead of HTTP would be a good starting point.”
ISACA board director, Asaf Weisburg, argues that basic housekeeping can go a long way to improving the resilience of DNS servers.
“This includes keeping the DNS server up-to-date and upgrading to the latest version available, as well as conducting a periodic review of logs, DNS zones configuration and permissions,” he says. “Hardening a DNS server may further improve its resilience, including by restricting zone transfer to specific hosts by allowing transfer to trusted servers only, disabling DNS recursion to prevent cache poisoning attacks, and by applying security through obscurity by forbidding the BIND version from being exposed.”
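To make the three hardening points above concrete, here is an added example (not from the article or ISACA) that places a weak BIND `options` block beside a hardened one and audits each for unrestricted zone transfer, enabled recursion and version disclosure. The configuration snippets, trusted-server addresses and audit function are constructed for illustration; only the BIND directive names (`allow-transfer`, `recursion`, `version`) are real.

```python
import re

# Constructed BIND named.conf "options" blocks: weak settings, then corrected ones.
WEAK_OPTIONS = """
options {
    directory "/var/named";
    recursion yes;
    allow-transfer { any; };
};
"""

HARDENED_OPTIONS = """
options {
    directory "/var/named";
    recursion no;
    allow-recursion { none; };
    allow-transfer { 192.0.2.10; 192.0.2.11; };   # assumed secondary servers
    version "not disclosed";
};
"""

def _setting(config: str, name: str):
    """Value of `name ...;` in the config (brace list or single token), or None."""
    pattern = r"^\s*" + re.escape(name) + r"\s+(\{[^}]*\}|[^;]+);"
    m = re.search(pattern, config, re.M)
    return m.group(1).strip() if m else None

def audit_named_options(config: str) -> list:
    """Return findings for the hardening points discussed in the article."""
    findings = []
    transfer = _setting(config, "allow-transfer")
    # Absent or "any" lets anyone pull the whole zone with an AXFR request.
    if transfer is None or re.search(r"\bany\b", transfer):
        findings.append("zone transfer not restricted to trusted servers")
    # BIND's built-in default is recursion yes, so absence counts as enabled.
    if _setting(config, "recursion") in (None, "yes"):
        findings.append("recursion enabled (open resolver / cache poisoning exposure)")
    # Without a version override, BIND answers version.bind CHAOS TXT queries.
    if _setting(config, "version") is None:
        findings.append("BIND version string is disclosed")
    return findings
```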
DNSSEC has been touted as a great way to prevent DNS hijacking and poisoning. Yet despite being developed in the late 1990s, take-up has been disappointingly low, leaving plenty of exposed servers for attackers to target. In fact, less than 20% of the world have adopted the specifications, according to APNIC. It remains to be seen whether a recent plea from ICANN for greater adoption of the standard finally spurs the concerted, industry-wide response required to make a serious difference.
Whatever happens, it looks like the DNS is going to play an increasingly important role in cybersecurity over the coming years, for both defenders and attackers.