I recently started working at Infoblox and to be honest with you, it has been a crazy couple of weeks. For my return to blogging I would like to share with you what I have learned since joining Infoblox.
I learned about the security issues that surround the Domain Name System (DNS) and how easy it is to use port 53 – the networking port for DNS traffic – to attack organizations or steal information. I have worked in the security field for over 15 years, but really had no idea that traditional security technology can’t secure DNS traffic. So I thought I would warm up by sharing a few facts about DNS security.
Cyberattacks on DNS servers represent one of the most significant threats to Internet security today, second only to HTTP.
As you all know, DNS works a bit like a phone book, translating a URL such as www.google.com into an IP address to guide the user to the right page. Because DNS is used by nearly all networked applications – including email, Web browsing, ecommerce, Internet telephony, the Internet of Things and more – these types of attacks threaten the very basis of modern communications and commerce.
Whether conducted for financial motives, political gain, or the notoriety of the hacker, the damage from a DNS attack can be devastating. That’s something recent attack targets such as Telia, The New York Times, AT&T and Bank of America might agree on.
In order to protect themselves from external and internal attacks, companies around the world are investing heavily in Internet security solutions. They believe this makes them safe. But what many CIOs and their peers don’t realize is that traditional security measures typically don’t provide enough protection against DNS attacks, because they leave port 53 open in the firewall.
The reason most leave port 53 open and vulnerable is that they want to ensure a good flow of traffic with no latency for maximum networking efficiency. But in reality, what many IT managers are doing is installing a state-of-the-art front door while leaving the back window open.
Take the well-known attack on Target as an example. The U.S. retailer was subjected to a string of attacks that targeted their point-of-sale (POS) system. The malware was inside the system for six months exfiltrating data through DNS before anyone realized what was going on.
So how do you protect yourself from these attacks? One of the biggest challenges for IT organizations is the varied and ever-changing options for DNS attacks. Common attack types include distributed denial of service (DDoS), TCP SYN flood attacks, UDP flood attacks, Spoofed Source Address/LAND attacks, Cache Poisoning attacks and Man in the Middle attacks.
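The two points above – that an open port 53 lets any client talk to any resolver, and that malware can carry data out inside DNS queries, as in the Target case – can both be checked from DNS query logs. The script below is an added example written for this post; it is not Infoblox code and not the product described here. It assumes a simple log format (`timestamp client -> dst:port qname`), assumed sanctioned internal resolver addresses (10.0.0.2 and 10.0.0.3), and constructed sample lines, and it flags (1) clients sending port-53 traffic anywhere other than the sanctioned resolvers and (2) domains receiving many distinct, long, high-entropy subdomain labels, the shape that data carried out through DNS names tends to leave.

```python
"""Heuristic review of outbound DNS query logs for two risks: clients
bypassing the sanctioned resolver on port 53, and query patterns that look
like data being carried inside DNS names.  Added example, not Infoblox code;
the log format, resolver addresses and thresholds are assumptions, and the
sample log lines are constructed."""
import math
from collections import defaultdict

# Assumed internal resolvers: the only hosts port-53 traffic should reach.
SANCTIONED_RESOLVERS = {"10.0.0.2", "10.0.0.3"}

# Constructed sample log in an assumed format:
#   <timestamp> <client_ip> -> <dst_ip>:<dst_port> <query_name>
# 10.0.0.7 talks to an outside resolver directly; 10.0.0.9 sends long
# hex-looking labels under one domain; the last line is deliberately malformed.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 -> 10.0.0.2:53 www.example.com
2024-01-01T10:00:02 10.0.0.5 -> 10.0.0.2:53 mail.example.com
2024-01-01T10:00:03 10.0.0.5 -> 10.0.0.2:53 www.example.com
2024-01-01T10:00:04 10.0.0.7 -> 203.0.113.53:53 www.example.org
2024-01-01T10:00:05 10.0.0.9 -> 10.0.0.2:53 3f9a7c1e5b2d8e4a6f0c9b3d7e1a5f2c.exfil-placeholder.test
2024-01-01T10:00:06 10.0.0.9 -> 10.0.0.2:53 f9a7c1e5b2d8e4a6f0c9b3d7e1a5f2c3.exfil-placeholder.test
2024-01-01T10:00:07 10.0.0.9 -> 10.0.0.2:53 9a7c1e5b2d8e4a6f0c9b3d7e1a5f2c3f.exfil-placeholder.test
2024-01-01T10:00:08 10.0.0.9 -> 10.0.0.2:53 a7c1e5b2d8e4a6f0c9b3d7e1a5f2c3f9.exfil-placeholder.test
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return a record dict for one log line, or None if it does not fit the format."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->" or ":" not in parts[3]:
        return None
    dst_ip, dst_port = parts[3].rsplit(":", 1)
    if not dst_port.isdigit():
        return None
    return {"ts": parts[0], "client": parts[1], "dst": dst_ip,
            "port": int(dst_port), "qname": parts[4].rstrip(".").lower()}


def parse_log(text):
    """Parse all well-formed lines; malformed ones are dropped."""
    return [rec for rec in (parse_line(ln) for ln in text.splitlines()) if rec]


def shannon_entropy(s):
    """Bits of entropy per character: encoded payloads score high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (leftmost label, registrable domain).  Taking the last two labels
    as the registrable domain is a simplification; real public suffixes vary."""
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return labels[0], ".".join(labels[-2:])


def find_resolver_bypass(records, sanctioned=SANCTIONED_RESOLVERS):
    """(client, destination) pairs sending port-53 traffic past the sanctioned resolvers."""
    return sorted({(r["client"], r["dst"]) for r in records
                   if r["port"] == 53 and r["dst"] not in sanctioned})


def find_tunneling_candidates(records, min_unique=4, min_label_len=20, min_entropy=3.0):
    """Domains whose queries look like a covert channel: many distinct, long,
    high-entropy leftmost labels under one registrable domain."""
    per_domain = defaultdict(set)
    for r in records:
        label, base = split_name(r["qname"])
        if label:
            per_domain[base].add(label)
    findings = {}
    for base, labels in per_domain.items():
        if len(labels) < min_unique:
            continue
        avg_len = sum(len(lab) for lab in labels) / len(labels)
        avg_ent = sum(shannon_entropy(lab) for lab in labels) / len(labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            findings[base] = {"unique_labels": len(labels),
                              "avg_label_len": round(avg_len, 1),
                              "avg_entropy": round(avg_ent, 2)}
    return findings


def analyze(text):
    """Run both checks over a log and return a summary dict."""
    records = parse_log(text)
    return {"records": len(records),
            "resolver_bypass": find_resolver_bypass(records),
            "tunneling_candidates": find_tunneling_candidates(records)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The thresholds are starting points, not tuned values: content delivery networks and some cloud services legitimately produce long, varied labels, so a hit is a lead for the analyst, not a verdict. The resolver-bypass check is the cheaper and more decisive of the two, and it is exactly the traffic a firewall rule limiting outbound port 53 to the internal resolvers would remove.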
Most companies deploying external name servers have chosen hardware running general-purpose operating systems as their platform. While this deployment may be inexpensive, general-purpose servers have several major risks that can increase the propagation of DNS attacks. Common shortcomings of the conventional approach include:
– Many open ports are subject to attack
– Users have OS-level account privileges on the server
– Requires time-consuming manual updates
– Requires multiple applications for device management
– Inconsistent or outdated security procedures
Instead of relying on general-purpose servers and hoping your internal IT team will never leave a hole in the system, organizations can leverage purpose-built appliances with intuitive interfaces and embedded expertise to improve DNS availability and reduce the risk of DNS attacks.
Don’t leave the back window open – protect your DNS environment.