The global Domain Name System (DNS) is ubiquitous across the Internet. It's absolutely fundamental to the way we work. It's a whole lot easier to bring up a browser and type www.Google.com rather than try to remember its more complex address of http://18.104.22.168/.
DNS is so important that we tend to regard it as Internet plumbing: it goes everywhere, it gets through all the firewalls and it's there when we need it-usually. Unfortunately, DNS also has the characteristic of being poorly secured, which can lead to all sorts of problems.
Just as metal thieves have figured out that copper plumbing in old houses has value as scrap, cyber attackers have learned the value in using DNS to attack infrastructures and steal data.
Most of us became acutely aware of how DNS could be abused as an attack tool in March 2013 when the anti-spam organization Spamhaus was hit with a massive 300Gbps DNS reflection (or DNS amplification) DDoS attack. According to CloudFlare, the security company called in to rescue Spamhaus from the attack, DNS reflection has become the source of the largest Layer 3 DDoS attacks they see, many of which exceed 100Gbps.
In a blog post detailing the Spamhaus case, CloudFlare explained how a DNS reflection attack works:
The basic technique of a DNS reflection attack is to send a request for a large DNS zone file with the source IP address spoofed to be the intended victim to a large number of open DNS resolvers. The resolvers then respond to the request, sending the large DNS zone answer to the intended victim. The attackers' requests themselves are only a fraction of the size of the responses, meaning the attacker can effectively amplify their attack to many times the size of the bandwidth resources they themselves control.
Following that attack, network administrators the world over were advised to lock down their open DNS resolvers. Good information on how to do that can be found in this Infoblox blog post.
Another kind of attack called resource exhaustion is frequently aimed at ISPs and their DNS resolver infrastructure. Security vendor Cloudmark describes this type of attack in a white paper:
In order to perform this attack, the attacker must first have registered a domain and designated the intended target's name server as the authoritative server for that domain or use an existing domain whose authoritative server is already the intended target.
Then using a botnet of compromised machines, the attacker directs the machines to send a flood of requests through a botted machine's ISPs' recursive name servers. Additionally the attacker may flood requests through any known open resolvers that may reside within an ISP's network. Each request will contain a unique, randomized, and non‐existent sub‐domain of the previously registered domain (ex. kbsruxixqf.www.500sf.com, adujqzutahyp.www.500sf.com).
Sign up for CIO Asia eNewsletters.