DNS servers translate domain names into IP addresses. This is why you can enter CIO.com into the browser to visit our sister site instead of trying to remember 220.127.116.11.
When DNS is compromised, several things can happen, but attackers typically use a compromised DNS server in one of two ways. The first is to redirect all incoming traffic to a server of their choosing, which lets them launch additional attacks or collect traffic logs that contain sensitive information.
The second is to capture all inbound email. More importantly, this also lets the attacker send email in the victim organization's name, using its domain and cashing in on its positive reputation. Making things worse, attackers can also opt for a third option: doing both.
"In the first scenario this can be used to attack visitors and capture login credentials and account information. The common solution of mandating SSL works until the attacker takes advantage of [the second option] to register a new certificate in your name. Once they have a valid SSL cert and control of your DNS (one and the same, basically) — they have effectively become you without needing access to any of your servers," Rapid7's Chief Research Officer, HD Moore, told CSO in an email.
In a blog post, Cory von Wallenstein, the CTO of Dyn Inc., a firm that specializes in traffic management and DNS, explained the three common types of DNS attacks and how to address them.
The first type of DNS attack is the cache poisoning attack. It happens when an attacker succeeds in injecting malicious DNS data into recursive DNS servers, such as those operated by many ISPs. These servers are the closest to users from a network topology perspective, von Wallenstein wrote, so the damage is localized to the specific users who rely on those servers for their lookups.
"There are effective workarounds to make this impractical in the wild, and good standards like DNSSEC that provide additional protection from this type of attack," he added.
If DNSSEC is impractical or impossible, another workaround is to restrict recursion on the name servers that need to be protected. Recursion determines whether a server will only hand out information it already holds (its own zones and its cache), or whether it is willing to go out on the Internet and query other servers to find the answer on a client's behalf.
"Many cache poisoning attacks leverage the recursive feature in order to poison the system. So by limiting recursion to only your internal systems, you limit your exposure. While this setting will not resolve all possible cache poisoning attack vectors, it will help you mitigate a good portion of them," Chris Brenton, Dyn Inc.'s Director of Security, told CSO in an email.
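To make the recursion restriction concrete, here is an added BIND 9 named.conf fragment written for this article's point; it is an illustration, not configuration from Dyn or from either expert quoted above. The ACL name, the internal address ranges and the cache directory are assumptions to replace with your own. The weak setting is shown commented out beside the corrected one.

```conf
// Added illustration (not Dyn's or the article's configuration): a BIND 9
// recursive resolver that only recurses for internal clients and validates DNSSEC.

// Assumed internal address ranges; replace with your own.
acl "internal" {
    127.0.0.1;
    ::1;
    10.0.0.0/8;
    192.168.0.0/16;
};

options {
    directory "/var/cache/bind";      // assumed path

    // Weak (open resolver): anyone on the Internet can make this server
    // look up arbitrary names, which is the recursive feature that
    // cache poisoning attacks lean on.
    //   recursion yes;
    //   allow-recursion { any; };

    // Hardened: still recursive, but only for the hosts listed in "internal".
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };  // outsiders cannot read cached answers either
    allow-query { internal; };        // this server hosts no public zones

    // Validate signed answers against the built-in root trust anchor, so a
    // forged record for a DNSSEC-signed zone is rejected instead of cached.
    dnssec-validation auto;
};
```

Check the syntax with `named-checkconf` before reloading, then query the server from an address outside the internal ranges: it should answer REFUSED rather than resolve the name. The restriction only changes who may ask; a host inside the allowed ranges can still drive the resolver, which is why the fragment also turns on DNSSEC validation, in line with von Wallenstein's advice above.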
The second type of DNS attack happens when attackers take over one or more authoritative DNS servers for a domain. In his post, von Wallenstein noted that authoritative DNS hosting is the type of service that his firm provides to Twitter. However, Dyn Inc. wasn't targeted by the SEA, so their services to Twitter were not impacted by Tuesday's incident.
If an attacker were to compromise an authoritative DNS server, von Wallenstein explains, the effect would be global, because every resolver on the Internet ultimately gets the domain's records from those servers. While that wasn't what the SEA did during their most recent attack, it's been done before.
In 2009, Twitter suffered a separate attack by the Iranian Cyber Army. The group altered DNS records and redirected traffic to propaganda hosted on servers they controlled. The ability to alter DNS settings came after the Iranian Cyber Army compromised a Twitter staffer's email account, and then used that account to authorize DNS changes. During that incident Dyn Inc. was the registrar contacted in order to process the change request.
Defenses against these types of attacks typically include strong passwords and IP-based ACLs (access control lists) that limit which hosts may query, transfer or update the zones. Further, a solid training program that addresses social engineering will also be effective.
"I think the first step is recognizing the importance of authoritative DNS in our Internet connectivity trust model," Brenton said.
All the time and resources in the world can be put into securing a webserver, but if an attacker can compromise the authoritative server and point the DNS records at a different IP address, "to the rest of the world it's still going to look like you've been owned," Brenton added.
"In fact it's worse because that one attack will also permit them to redirect your email or any other service you are offering. So hosting your authoritative server with a trusted authority is the simplest way to resolve this problem."
The third type of DNS attack is also the most problematic to undo. It happens when an attacker compromises the registration of the domain itself, and then uses that access to change the name servers delegated for the domain.
This is what the SEA did when they went after Twitter and the New York Times. They gained access to MelbourneIT, the registrar responsible for the targeted domains, and changed the authoritative DNS servers to their own.
"At this time, those authoritative nameservers answered all queries for the affected domains. What makes this attack so dangerous is what's called the TTL (time to live). Changes of this nature are globally cached on recursive DNS servers for typically 86,400 seconds, or a full day. Unless operators are able to purge caches, it can take an entire day (sometimes longer) for the effects to be reversed," von Wallenstein wrote.
Again, Brenton's advice for authoritative DNS applies here as well. It's also possible to host authoritative servers within the organization, which gives complete control over them.
"If you are going to run your own authoritative servers, make sure you follow the best security practices that have been identified by SANS and the Center for Internet Security," Brenton advised.
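As an added example of the IP-based ACLs mentioned earlier and of Brenton's advice for running your own authoritative servers, here is a BIND 9 named.conf fragment for an authoritative-only server. It is an illustration written for this article, not configuration taken from SANS, the Center for Internet Security or Dyn. The zone name example.com, the secondary addresses (from a documentation range), the file paths and the TSIG key name and value are all assumptions.

```conf
// Added illustration (not Dyn's, SANS's or CIS's configuration): a BIND 9
// authoritative-only server for example.com. Addresses are documentation
// ranges and the TSIG secret is a placeholder; all are assumptions.

acl "secondaries" { 203.0.113.10; 203.0.113.11; };  // assumed secondary name servers

// Shared secret for signing zone transfers.
// Generate a real one with: tsig-keygen -a hmac-sha256 xfer-key
key "xfer-key" {
    algorithm hmac-sha256;
    secret "cmVwbGFjZS1tZS13aXRoLXRzaWcta2V5Z2VuLW91dHB1dA==";  // placeholder, replace
};

options {
    directory "/var/cache/bind";  // assumed path

    recursion no;                 // an authoritative server never recurses for anyone
    allow-query { any; };         // public zone data is meant to be served to everyone
    allow-query-cache { none; };  // nothing to serve from cache with recursion off
    allow-transfer { none; };     // deny zone transfers by default; opened per zone below
    allow-update { none; };       // deny dynamic updates by default
    version none;                 // don't advertise the software version
};

zone "example.com" {
    type master;                  // "primary" on BIND 9.16 and later
    file "/etc/bind/zones/db.example.com";  // assumed path

    // Zone transfers require BOTH a listed secondary address AND a valid TSIG
    // signature. The nested "!{ !secondaries; any; }" element rejects any source
    // that is not in the secondaries ACL; only then is the key element checked.
    allow-transfer { !{ !secondaries; any; }; key "xfer-key"; };
    also-notify { 203.0.113.10; 203.0.113.11; };

    // Dynamic updates stay disabled (inherited from options). Records are
    // changed by editing the zone file and reloading, so a stolen password
    // alone does not give an attacker an update path into the zone.
};
```

Validate with `named-checkconf` and `named-checkzone example.com /etc/bind/zones/db.example.com` before reloading. The point of the nested ACL is that a transfer from the right address without the key, or with the key from the wrong address, is refused: the address list limits who may ask, and the key proves the request came from a host holding the secret. None of this protects the registrar account that delegates the domain, which is the weakness exploited in the third attack type above.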