It would be any IT professional’s worst nightmare to have to send the company’s entire workforce home because of a network-access issue. But in spite of dozens of quarterly reports from several vendors citing increased infrastructure-based attacks, many network teams continue to ignore the vulnerabilities in their DNS infrastructure.
Typically, a general-purpose Windows server handles DNS along with many other services, presenting a large attack surface and leaving the server wide open for attacks. Most firewalls have DNS port 53 open, making it a very accessible transport mechanism for attackers.
But there is more at stake than employee downtime. Here are some of the things that are going on undetected in many of the networks we’ve seen.
A Perfect Launch Pad for Internal Malware-based DDoS Attacks
We’ve recently seen a case in which the internal DNS servers experienced an unexplainable outage. It seemed as if attackers had targeted a known vulnerability on a DNS server. In another case, Infoblox DNS servers front-ending the Microsoft DNS layer detected a sudden rise in outbound queries to non-existent destinations, an increasingly common type of attack intended to exhaust the server. IT tracked the true source of the spoofed IPs and found that the queries were coming from malware on a couple of internal servers. Given the nature of the DNS service, it is not hard for attackers to locate and target internal DNS servers to produce the behavior they want.
The Wild West of Malware Lurking in Your Network
Perimeter security appliances are great, but they miss all the interesting action that happens within the internal network and inside the VLAN. While running DNS Firewall product trials on endpoints, we’ve seen instances of old-school malware such as the Conficker worm popping up, as well as the more sophisticated CryptoLocker and its variants, found on laptops and unmanaged devices alike. In reality, there are a lot more surprises that our customers experience, but for obvious reasons they don’t want to share them. As with Las Vegas, what happens inside the network stays inside the network.
A Shortcut for Exfiltrating Data
Data exfiltration over DNS can take the form of the most dangerous technique of all: low-and-slow exfiltration. With a query rate as low as 40 to 50 queries per second (QPS), malware can successfully gather, encrypt, fragment, and finally exfiltrate sensitive data. Basic security audits in most networks have flagged this as an open channel for malware exfiltration. While some networks had intrusion prevention systems (IPSs) and firewalls that were capable of blocking these attempts, 90 percent of the time they were not configured to inspect this specific traffic because of performance, false-positive, and change-management concerns. In fact, a lot of networks we’ve seen allow DNS to be served by an external DNS server or by misconfigured or rogue DHCP and DNS servers.
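A defender-side illustration of both patterns, the rise in queries for non-existent names described earlier and the low-and-slow exfiltration just discussed, as added example code that is not from the original post or from Infoblox: it scans a constructed resolver log and flags clients with a high NXDOMAIN share and clients streaming many distinct high-entropy subdomains at one zone. The log format, the sample addresses and the thresholds are assumptions.

```python
import hashlib
import math
from collections import defaultdict

# Constructed sample resolver log, one query per line: "<epoch_s> <client> <qname> <rcode>".
# 10.0.0.5 is normal; 10.0.0.9 bursts names that do not exist (the NXDOMAIN-style flood);
# 10.0.0.7 sends one encoded-looking label per second to a single domain (low and slow).
SAMPLE_LOG = "\n".join(
    ["1000 10.0.0.5 intranet.example.com NOERROR", "1001 10.0.0.5 mail.example.com NOERROR"]
    + [f"{1000 + i % 3} 10.0.0.9 srv{i}.corp.example.net NXDOMAIN" for i in range(20)]
    + [f"{1000 + i} 10.0.0.7 {hashlib.sha256(str(i).encode()).hexdigest()[:40]}.t.example.org NOERROR"
       for i in range(30)]
)

def label_entropy(label):
    """Shannon entropy in bits per character; encoded payload chunks score near 4 for hex."""
    n = len(label)
    counts = {ch: label.count(ch) for ch in set(label)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def analyze(log_text, nx_ratio=0.5, min_queries=10, min_entropy=3.0):
    # Thresholds are assumptions for this example, not values from the post.
    per_client = defaultdict(lambda: {"total": 0, "nx": 0})
    per_zone = defaultdict(lambda: {"labels": set(), "entropy": 0.0, "first": math.inf, "last": 0})
    for line in log_text.splitlines():
        ts, client, qname, rcode = line.split()
        per_client[client]["total"] += 1
        per_client[client]["nx"] += int(rcode == "NXDOMAIN")
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:  # no subdomain label available to carry data
            continue
        zone = ".".join(labels[-2:])  # assumption: two-label zone, no public-suffix handling
        z = per_zone[(client, zone)]
        if labels[0] not in z["labels"]:  # score each distinct label once
            z["labels"].add(labels[0])
            z["entropy"] += label_entropy(labels[0])
        z["first"], z["last"] = min(z["first"], int(ts)), max(z["last"], int(ts))
    findings = []
    for client, s in per_client.items():  # many answers for names that do not exist
        if s["total"] >= min_queries and s["nx"] / s["total"] >= nx_ratio:
            findings.append(("nxdomain_burst", client, round(s["nx"] / s["total"], 2)))
    for (client, zone), z in per_zone.items():  # many distinct random-looking labels, one zone
        n = len(z["labels"])
        if n >= min_queries and z["entropy"] / n >= min_entropy:
            qps = n / max(z["last"] - z["first"], 1)  # low enough that a rate alarm alone misses it
            findings.append(("possible_exfil", client, zone, round(qps, 2)))
    return findings
```

The per-zone check deliberately ignores the query rate when deciding, since the point of low-and-slow traffic is to stay under rate-based alarms; the rate is reported only for the analyst.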
So as you can see, there are worse things than your worst nightmare—things like having your data held for ransom, seeing your customers’ private data stolen and exposed, or having the performance of your DNS servers crippled because they are acting as unwitting accomplices in a denial-of-service attack on someone else. It’s time to recognize that DNS security is an important brick in the wall that surrounds your network, and to take the steps necessary to detect malware, pinpoint infected devices, and block outbound malware communications.