It looks like the Grinch that might steal Christmas will use DNS-based attacks. According to a just-released report,78 percent of cybersecurity professionals surveyed expect to see an increase in DNS-related security threats over the next few weeks1. In order to prepare for these attacks, approximately 59 percent have altered their DNS security as the holiday season approaches2.
In 2020, the number of all DDoS attacks reported to the F5 SIRT identified as DNS amplification nearly doubled, to 31%3. During the 2020 period, 12% of the DDoS attacks were malicious DNS requests against customer DNS servers.
DNS Attacks Front and Center
The NISC council ranked domain hijacking (41%) followed by DNS spoofing/cache poisoning, DNS tunneling, and zombie domain attacks. Over half of those surveyed had been impacted by one of these attacker techniques over the past year.
“Acting as the Internet’s address book and backbone of today’s digital services, it’s unsurprising that DNS is an increasingly appealing vector for malicious actors, particularly as more consumers turn to websites during peak online shopping periods,” said Rodney Joffe, Chairman of NISC. “When successful, DNS attacks can have damaging repercussions to an organization’s online presence, brand and reputation. A domain hijacking attack, for example, can result in hackers taking control of a company’s domain and using it to host malware or launch phishing campaigns that evade spam filters and other reputational protections. In a worst-case scenario, this type of attack can even lead to an organization losing its domain altogether.”
“While organizations are aware of the severity of DNS attacks, it’s important that they continue to take proactive steps to protect themselves and their customers against the different threats,” Joffe continued. “This should involve regular DNS audits and constant monitoring to ensure a thorough understanding of all DNS traffic and activity. Crucially, DNS data can also provide organizations with timely, actionable and important threat insights, allowing them to not only protect against DNS-related threats, but also mitigate the vast majority of malware, viruses and suspicious content before critical systems are infiltrated.”
What You Need to Know
DNS Hijacking refers to any attack that confuses the end-user into thinking he or she is communicating with a legitimate domain name when in reality they are communicating with a malicious domain name or IP address that the attacker has set up. This is also sometimes called DNS Redirection.
There are many ways to perform DNS Hijacking, the most common way we see is used by a captive portal such as a pay-for-use WiFi hotspot: before the user pays for access, the hotspot service captures all DNS queries, and regardless of what was asked, it returns the IP address of the payment server so the user can purchase WiFi access.
Changing the client device setting to use a different DNS server is another common method of attack. The attacker could change the user’s DNS setting, so instead of using the correct address, it uses the IP address of a DNS server under the attacker’s control. When the user queries for bank.example.com, the attacker’s DNS server could return an IP address disguised as the target website, or act as a proxy to capture all the data sent to the real website.
Another way is to gain unauthorized access to the authoritative DNS data, such as stealing someone’s password, exploiting the DNS entry system vulnerability, or some other clever technique. An example of this was in the news in 2019 when the Department of Homeland Security (DHS) issued an emergency directive4 due to malicious tampering of government DNS entries.
Lookalike domains have been front and center as a threat actor technique for quite a while. Some attacks play on the fact that certain domains look similar when using different fonts or encoding. This type of attack is also known as a Lookalike or homograph attack. Lookalike domains are created, for example, by substituting a “1” to replace an “I” (capital i) in a domain name or a URL. Many character substitutions can be detected, but we tend to see what we expect to see. These substitutions are often overlooked and missed by the targeted victims. I use this example for Yahoo very frequently to illustrate how relatively easy this is to do:
| “УАНОО” is not the same as “YAHOO” |
Researchers also find that cybercriminals use valid Transport Layer Security (TLS) certificates to make the lookalike domains appear legitimate. In late 2019, researchers noted that more than 100,000 lookalike domains were impersonating legitimate owners. In some instances, extra words or characters are added to complete the deception. In other cases, different characters are substituted, from other languages or fonts. With support for international characters in DNS, it is even more difficult to spot the difference between similarly spelled terms.
DNS Spoofing refers to any attack that tries to change the DNS records returned to a querier to a response the attacker chooses. This can include some of the techniques described in DNS Hijacking, the use of cache poisoning, or some type of man-in-the-middle style attack. Sometimes, we use the term DNS Hijacking and DNS Spoofing interchangeably.
As described in the DNS Hijacking section, this technique is widely used by pay-for-use WiFi hotspots at airports and hotels, and sometimes as a means of quarantine by network security teams to isolate an infected device.
Cache poisoning is a more specific type of attack targeting caching name servers in an attempt to control the answers stored in the DNS cache. There are different methods to carry out this attack, but they typically involve flooding the recursive server with forged DNS responses, changing the query ID in each response hoping to guess the right ID at just the right time. This attack is very difficult to detect, and very difficult to guard against unless DNSSEC is fully deployed. But if the attackers were successful, the payoff can be huge. The attackers can potentially impact thousands of users who use the recursive name server that hold the corrupted answers, and this poisoned entry can propagate to other caching servers and affect more users.
Protecting DNS with Foundational Security
BloxOne Threat Defense and Advanced DNS Protection from Infoblox provide a three pronged approach to detecting and blocking attacks using a combination of signature, reputation and analytics based detection. BloxOne Threat Defense uses behavior analytics combined with machine learning to perform real-time analysis of incoming DNS queries, including entropy, n-gram, lexical, size, and frequency analysis, to detect DNS tunnels. Threat Insight, the component in BloxOne Threat Defense that does this, also reduces false positives by detecting benign usage of DNS tunnels. BloxOne also detects and blocks phishing, exploits, ransomware, and other malware.
DNS tunneling can be detected with two important methods—using threat intelligence to find known tunnels (for example, known malicious IPs and known bad domains) or using behavior-based analytics to detect known or previously unknown methods of DNS tunneling. Infoblox uses both methods to uncover previously unknown attacks.
BloxOne Threat Defense also offers Custom Lookalike Domain Monitoring to enable you to stop lookalike socially engineered attacks upon your team and your infrastructure proactively. You can submit your domain or domains frequently used by your organization to the Infoblox Cyber Intelligence Unit (CIU). The CIU will analyze and identify likely lookalike domains that will require monitoring. If these lookalike domains generate any suspicious activity, your organization will promptly receive an alert to potential damaging activity and block access to these malicious domains.
BloxOne also provides deep visibility into compromised devices or potential insider threats by giving detailed information such as device type, IP address, MAC address, and, most importantly, the user associated with the device trying to exfiltrate data. This greatly reduces the time to identify and remediate threats. Security teams can be more productive, identify threats faster, and reduce the risk of a potential breach.
Advanced DNS Protection comprehensively defends the external (Internet facing) and internal DNS server from the widest range of DNS-based attacks, including DNS hijacking, DNS DDoS, NXDOMAIN and cache poisoning, while maintaining service availability and business continuity. The solution intelligently detects and mitigates DNS attacks while responding only to legitimate DNS queries, without the need to deploy security patches. With Infoblox, you can take network reliability to the next level by ensuring that your critical infrastructure—and your business—keep working at all times.
Learn more about DNS security here:
https://www.infoblox.com/products/bloxone-threat-defense/
If you want to know more, please reach out to us directly via https://info.infoblox.com/contact-form.
Endnotes
1https://www.infosecurity-magazine.com/news/cisos-dns-christmas/
2https://advanced-television.com/2020/12/11/report-78-cyber-pros-expect-increase-in-dns-threats/
3https://www.f5.com/labs/articles/threat-intelligence/how-cyber-attacks-changed-during-the-pandemic
4https://cyber.dhs.gov/ed/19-01/
