DNS was identified by US-CERT (United States Computer Emergency Response Team) of the Department of Homeland Security (DHS) as one of the key protocols vulnerable to UDP-based amplification attacks. The DHS has become the latest premier security agency to recognize the DNS vulnerability. You can read more about all of the affected protocols and their associated vulnerabilities in its security advisory.
Advanced Persistent Threats (APTs) and malware rely on the Domain Name System (DNS) at various stages of the cyber kill chain to infect devices inside the network, propagate malware and exfiltrate data. According to the Cisco 2016 Annual Security Report, 91% of malware uses DNS during one or more phases of the cyber kill chain to carry out its campaign, and the longer it takes to detect malware, the higher the cost of the damage.
But many organizations aren’t ready to deal with DNS-based attacks
According to a global survey of over 1,000 security and IT professionals worldwide conducted by Dimensional Research, 86% of DNS solutions failed to be the first to alert teams of an occurring DNS attack, and nearly one-third of professionals doubted their company could defend against the next DNS attack.
The risk of a DNS-based attack increases exponentially with an increasingly mobile and nomadic workforce, in which a large number of employees work from multiple and remote locations. Those remote employees are often outside the traditional security controls that protect your internal network. Whether your DNS is in your network or hosted in the cloud, DDoS attacks can be quite disruptive.
Now the alarm bells are going off in your mind, right?
DNS is a commonly exploited vector, yet many organizations are not effectively addressing the threat; together these two facts present a challenge. Fortunately, Infoblox can help address this gap, which we at Infoblox call the DNS Security Gap. Infoblox has a solution that can help protect the integrity of your network by helping you detect and protect against the DNS attacks cited in the DHS security advisory. We call that product Advanced DNS Protection (ADP).
It helps to understand what a UDP-based amplification attack is, the best practices to counter it, and how Infoblox approaches this issue.
Breaking Down UDP-Based Amplification Attacks
The DHS advisory summarizes the attack in the following words: “A distributed reflective denial-of-service (DRDoS) is a form of distributed denial-of-service (DDoS) attack that relies on publicly accessible UDP servers and bandwidth amplification factors (BAFs) to overwhelm a victim’s system with UDP traffic.” The critical element of a DRDoS is the reflective nature of the attack combined with amplification of the response. It is important to understand what a reflective attack is.
What is a Reflective Attack?
In DNS Security for Dummies, authored by Joshua Kao, Robert Nagy, and Cricket Liu, the authors explain the reflection attack:
A reflection attack sends queries that look like they came from the victim of the attack. The response (often a large, amplified answer) is sent to the victim, who never asked, and the amount of the response traffic could potentially overwhelm the victim’s network.
How is a Reflective Attack Implemented?
In a reflection attack, an attacker sends a query to a recursive name server with a spoofed source IP address: instead of the attacker’s real IP address, the packet carries the target (victim) IP address as its source. The recursive name server does the legwork, retrieves the answer to the query from the authoritative name server, and sends the answer to the unsuspecting victim, which never asked for it.
Stopping Reflection Attacks
DNS Security for Dummies identifies multiple strategies and tools to detect and prevent DNS attacks.
According to the authors of DNS Security for Dummies, a strong mitigation solution will need to have the following capabilities:
- Protect against the widest possible range of DNS attacks for secure, resilient, and trustworthy DNS services even under attack.
- Ensure that your threat intelligence is always up to date and you can automatically defend against new and evolving attacks.
- Provide deep visibility into infected devices on or off-premises.
- Have flexible deployment options – on-premises or cloud (public, private).
Here Are Some of the Best Practices from US-CERT to Mitigate the Risks:
To help mitigate a DDoS attack:
- Use stateful UDP inspection on border firewalls/routers to reduce the impact on critical services.
- Use Border Gateway Protocol (BGP) to create a Remotely Triggered Blackhole (RTBH).
- Maintain a list of primary upstream provider emergency contacts to coordinate responses to attacks.
- Upstream providers should conduct mitigation in coordination with downstream customers.
To avoid becoming amplifier nodes and avoid any misuse of Internet resources, ISP network and server administrators should:
- Regularly update software and configurations to deny or limit abuse.
- Disable and remove unwanted services, or deny access to local services over the Internet.
- Apply network-based rate limiting to the UDP-based protocols behind legitimate services provided over the Internet.
- Work with Customer Provider Edge manufacturers for secure configuration and software.
- Use ingress filtering to block spoofed packets.
- Use traffic shaping on UDP service requests to ensure repeated access to over-the-Internet resources is not abusive.
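Response rate limiting (RRL) is one concrete form of the rate-limiting advice above, and it targets exactly the mechanics of the reflection attack described earlier: spoofed queries all claim the victim’s address, so identical responses pile up toward one client prefix. The following toy limiter is an added example written for this post, not code from Infoblox ADP or from the US-CERT advisory; the class, the /24 grouping, the per-second budget and the “slip” behaviour are assumptions modelled on the RRL feature found in common DNS servers.

```python
"""Toy DNS response-rate limiter (RRL), a constructed example."""
from collections import defaultdict
from ipaddress import ip_network


class ResponseRateLimiter:
    """Cap identical responses sent toward one client prefix per second.

    Once the per-second budget for a (prefix, qname) bucket is spent,
    further responses are dropped, except that every `slip`-th one is
    sent as a truncated (TC=1) reply.  A real resolver retries over TCP,
    which a spoofed UDP source cannot do, so the reflector stops
    amplifying traffic toward the victim while real clients still get
    an answer.  (Assumed design, modelled on RRL in common DNS servers.)
    """

    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.limit = responses_per_second
        self.slip = slip
        self.prefix_len = prefix_len
        self.counts = defaultdict(int)  # bucket -> responses requested this second
        self.drops = defaultdict(int)   # bucket -> responses withheld this second

    def _bucket(self, src_ip, qname, now):
        net = ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower(), int(now))

    def decide(self, src_ip, qname, now):
        """Return 'answer', 'slip' (truncated reply) or 'drop' for one query."""
        bucket = self._bucket(src_ip, qname, now)
        self.counts[bucket] += 1
        if self.counts[bucket] <= self.limit:
            return "answer"
        self.drops[bucket] += 1
        if self.slip and self.drops[bucket] % self.slip == 0:
            return "slip"
        return "drop"


def replay(limiter, events):
    """Feed (time, src_ip, qname) events through the limiter; tally decisions."""
    tally = {"answer": 0, "slip": 0, "drop": 0}
    for when, src_ip, qname in events:
        tally[limiter.decide(src_ip, qname, when)] += 1
    return tally


if __name__ == "__main__":
    # Constructed burst: 20 queries inside one second, all claiming to come
    # from the victim's network 198.51.100.0/24 (RFC 5737 documentation range).
    flood = [(0.01 * i, f"198.51.100.{i % 8}", "example.com") for i in range(20)]
    print(replay(ResponseRateLimiter(), flood))  # -> {'answer': 5, 'slip': 7, 'drop': 8}
```

Only 5 of the 20 full responses leave the server; the 7 truncated replies cost the victim almost nothing, and a legitimate client at that address would simply retry over TCP.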
How Infoblox ADP Protects Against Reflection Attacks
By design, Infoblox Advanced DNS Protection blocks reflection attacks on DNS along with many other forms of threats. Further, it ignores and drops traffic for other protocols built on the User Datagram Protocol (UDP), such as Network Time Protocol (NTP), that it has no reason to serve. The graphic below shows more details on the types of threats that can be blocked by Infoblox ADP as part of the Infoblox Grid deployment.
Contact us to learn more about ADP and how Infoblox can help protect your network.
Further Reading – Don’t be an accomplice in NTP-based DDoS attacks