Because of the uniqueness of the sub‐domains, each request will then trigger a recursive lookup against the target's name server. As the attack grows in size, the amount of requests hitting the intended target's name servers grows as well. Eventually the target's DNS infrastructure will buckle under the load, either from system resource depletion, network saturation or both.
Once the ISP's DNS resolver infrastructure goes down, there is essentially no Internet access for the provider's subscribers. This underscores the need for ISPs to deploy an on premise DDoS solution in order to fend off this and other types of attacks.
Another kind of threat that abuses DNS is called DNS hijacking. This type of malicious attack overrides a computer's TCP/IP settings to point it to a rogue DNS server, thereby invalidating the default DNS settings. This kind of attack frequently involves home routers that are taken over by a hacker, so that your computer now is directed to a rogue DNS server that is owned and maintained by the hacker rather than going to your ISP's legitimate DNS resolver. When you type in the domain name of your desired websites, the rogue server translates those names to the IP addresses of malicious websites where you might be subjected to malware or unwanted advertising.
Home routers aren't the only devices affected by DNS hijacking. ARS Technica says that a Google DNS server was hijacked to Venezuela for about 23 minutes in March of 2014, showing that even the most savvy Internet companies can be vulnerable to attack from time to time.
The folks at Cloudmark report that there is another kind of DNS abuse that should be of concern to service providers, enterprises and basically anyone who is running any kind of sensitive network security: unauthorized DNS tunneling, usually for the purpose of exfiltrating data. Cloudmark's white paper on DNS tunnelingexplains how it's done:
DNS tunneling uses DNS queries and responses to send data that cannot otherwise be sent via traditional network connections. The tunnel consists of a client inside a restricted network and a server that acts as an authoritative DNS server. To send data from the client to the server, the client encodes data in the hostname portion of specifically constructed DNS requests. To send data from the server to the client, the server encodes data either in the payload of DNS response records or CNAME responses to the original request.
Depending on the tunneling software used, the client and server either create a point‐to‐point virtual network interface over which any traffic can pass or map local port numbers on the client to specific addresses and port numbers on the server.
Because DNS is completely ubiquitous, it passes through firewalls and the traffic is almost never inspected. An attacker wanting to exfiltrate data from an organization can actually encode the data inside real DNS packets so it's hard to detect. Stopping this kind of activity requires thorough packet analysis, which Cloudmark now offers in its new Cloudmark Security Platform for DNS.
DNS may be absolutely fundamental to the way the Internet works, but it was never designed with security in mind. Security-minded organizations will need to plug those holes for themselves.
Source: Network World
Sign up for CIO Asia eNewsletters.