Two of the most popular gateways in corporate networks are HTTP and DNS. For a long time, IT organizations have been protecting the IT infrastructure by providing firewalls, next-generation firewalls, Web application firewalls, IDS / IPS solutions, and application delivery controllers. Thus, while HTTP is a secure doorstep with many locks and guarded around the clock, DNS is the neglected back door. Thieves don’t care. They want the easiest way in, and in most companies, DNS provides that because it is unfortunately ignored as a threat vector.
The topic of DNS security has recently become more prominent, especially in the wake of the large-scale Distributed Denial of Service (DDoS) attack on the DNS provider Dyn (now an Oracle company). The October 2016 attack claimed several million endpoints. It also temporarily took down a variety of websites and cloud services, such as Twitter, that rely on Dyn for the resolution of their IP addresses. More recently, ransomware attacks such as WannaCry and Jaff both utilized DNS to complete their attack chain.
These incidents showed the vulnerability of the “Internet Address Book” to DDoS and potential ransomware attacks. For this reason, companies are advised to operate their own local DNS server and secondary DNS servers at their service provider, as well as an optional DNS hosting provider such as Dyn.
DNS as an Attack Vector
The possibilities of DNS abuse are much more diverse than simply paralyzing a DNS server by flooding it with requests, as was the case in the attack on Dyn. More sophisticated attack variants include botnet-based brute-force attacks through Distributed Reflection DoS in combination with DNS amplification, and the malicious redirection of DNS queries using DNS hijacking or DNS cache poisoning.
DNS signaling mechanisms allow attackers to use DNS queries to transport other protocols such as HTTP, FTP or SMTP, encrypted, through DNS sessions. The attackers essentially build a VPN, except that they use DNS as the transfer protocol to conceal the VPN structure.
Once attackers have established a DNS-based VPN, they can open up all the possibilities of a private tunnel. They can use FTP to inject the code for remote access trojans (RATs) into the corporate network or use the tunnel for data exfiltration from the company. Usually, that can all be done without having to worry about firewall rules, IDS / IPS signatures or behavior-based network monitoring.
This creative use of DNS is particularly suitable for advanced persistent threats (APTs). In an APT, the cybercriminals do not simply want to compromise any network but have a concrete goal in mind, for example, the design plans or the product roadmap of a manufacturing company. Once the desired data is found, the attacker can exfiltrate the data in a quiet manner. This does not even result in load peaks in the network traffic, which could be noticed by a network monitoring solution.
Measures against DNS abuse
A new generation of solutions for the defense of DNS-based attacks has emerged called “Advanced DNS Protection.” These solutions combine DNS firewalling and DNS monitoring with sophisticated analytics mechanisms such as DNS Deep Packet Inspection and automated measures to prevent DNS abuse as quickly and effectively as possible.
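As an added illustration (not part of the original article or of any vendor's product) of the kind of DNS monitoring and analytics such solutions perform, the following script scores resolver query logs for the tunneling pattern described above: many distinct, long, high-entropy subdomain labels under a single registered domain. The log lines, thresholds and domain names are constructed for this example.

```python
import math
from collections import Counter, defaultdict

# Thresholds are assumptions for this example; tune them against your own resolver logs.
MIN_UNIQUE_SUBDOMAINS = 3   # distinct subdomains under one registered domain
MIN_AVG_LABEL_LENGTH = 30   # encoded payload chunks make the leftmost label long
MIN_AVG_ENTROPY = 3.5       # bits per character; human-chosen labels score far lower
# Constructed resolver log (not captured from a real network), one query per line:
# "<timestamp> <client> <qtype> <qname>". evil-tunnel.example carries payload-like labels.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 A www.example.com
2024-05-01T10:00:02 10.0.0.5 A mail.example.com
2024-05-01T10:00:03 10.0.0.7 TXT a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5.evil-tunnel.example
2024-05-01T10:00:03 10.0.0.7 TXT b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6.evil-tunnel.example
2024-05-01T10:00:04 10.0.0.7 TXT c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7.evil-tunnel.example
2024-05-01T10:00:05 10.0.0.5 A cdn.example.net
"""

def shannon_entropy(text):
    # Bits of entropy per character; 0.0 for an empty string.
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def score_domains(log_text):
    """Per registered domain: (unique subdomains, avg leftmost-label length, avg entropy, flagged).
    Registered domain = last two labels here, a simplification; use the public suffix list in practice."""
    stats = defaultdict(lambda: {"subs": set(), "lens": [], "ents": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                         # skip malformed lines
        labels = parts[3].rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue                         # apex lookup, no subdomain to inspect
        s = stats[".".join(labels[-2:])]
        s["subs"].add(".".join(labels[:-2]))
        s["lens"].append(len(labels[0]))
        s["ents"].append(shannon_entropy(labels[0]))
    report = {}
    for domain, s in stats.items():
        avg_len = sum(s["lens"]) / len(s["lens"])
        avg_ent = sum(s["ents"]) / len(s["ents"])
        flagged = (len(s["subs"]) >= MIN_UNIQUE_SUBDOMAINS
                   and avg_len >= MIN_AVG_LABEL_LENGTH and avg_ent >= MIN_AVG_ENTROPY)
        report[domain] = (len(s["subs"]), avg_len, avg_ent, flagged)
    return report

def suspicious_domains(log_text):
    # Sorted registered domains whose query pattern matches the tunneling heuristic.
    return sorted(d for d, r in score_domains(log_text).items() if r[3])
```

Run `suspicious_domains(SAMPLE_LOG)` to see only the tunnel domain flagged while the ordinary lookups under example.com and example.net pass; in production this heuristic is one signal to combine with query volume per client and record-type mix (TXT and NULL are common tunnel carriers).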
DNS is the open backdoor
IT organizations have so far put too much emphasis on the prominent HTTP attack vector when protecting their networks. The front door has been protected, reinforced and guarded with all available means, but the DNS back door is not even locked. It is high time to close this back door. Organizations have to be as intelligent and proactive with DNS as they are in protecting the front entrance.