Three types of DNS attacks and how to deal with them
The Syrian Electronic Army, a pro-Assad hacking group, altered the DNS records used by the New York Times, Twitter, and the Huffington Post. The changes forced one site offline and caused problems for the others. Here are three ways such attacks happen, and how they can be mitigated.
By Steve Ragan, Staff Writer
August 28, 2013 — CSO —
DNS servers work by translating IP addresses into domain names. This is why you can enter CIO.com into the browser to visit our sister site, instead of trying to remember 18.104.22.168.
When DNS is compromised, several things can happen. However, compromised DNS servers are typically used by attackers in one of two ways. The first thing an attacker can do is redirect all incoming traffic to a server of their choosing. This enables them to launch additional attacks, or collect traffic logs that contain sensitive information.
The second thing an attacker can do is capture all inbound email. More importantly, this second option also allows the attacker to send email in the victim's name, using the victim organization's domain and cashing in on its positive reputation. Making things worse, attackers could also opt for a third option, which is doing both of those things.
"In the first scenario this can be used to attack visitors and capture login credentials and account information. The common solution of mandating SSL works until the attacker takes advantage of [the second option] to register a new certificate in your name. Once they have a valid SSL cert and control of your DNS (one and the same, basically) — they have effectively become you without needing access to any of your servers," Rapid7's Chief Research Officer, HD Moore, told CSO in an email.
In a blog post, Cory von Wallenstein, the CTO of Dyn Inc., a firm that specializes in traffic management and DNS, explained the three common types of DNS attacks and how to address them.
The first type of DNS attack is called a cache poisoning attack. This can happen after an attacker is successful in injecting malicious DNS data into the recursive DNS servers that are operated by many ISPs. These types of DNS servers are the closest to users from a network topology perspective, von Wallenstein wrote, so the damage is localized to specific users connecting to those servers.
"There are effective workarounds to make this impractical in the wild, and good standards like DNSSEC that provide additional protection from this type of attack," he added.
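One of the resolver-side workarounds alluded to above is bailiwick checking: a recursive server only caches records that fall under the zone the responding name server is authoritative for, so a forged answer cannot smuggle a record for an unrelated domain into the cache. The following Python is an added illustration of that rule, not code from the article, Dyn or Rapid7; the zone name, record tuples and addresses are constructed test data.

```python
"""Bailiwick filtering for a recursive DNS resolver cache.

Added example (not from the article). A resolver that answered a query by
asking the example.com name servers must discard any resource record in that
response whose owner name is not example.com or a subdomain of it, no matter
which section (answer, authority, additional) the record appeared in.
"""


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or a subdomain of it.

    Comparison is case-insensitive and ignores the trailing root dot, so
    'WWW.Example.COM.' is inside the bailiwick of 'example.com'. A name that
    merely contains the zone as a substring (e.g. 'example.com.evil.example')
    is NOT a subdomain and is rejected.
    """
    n = name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def filter_response(zone: str, records):
    """Split a response's records into cacheable and rejected lists.

    `records` is a list of (owner_name, rtype, rdata) tuples. Only records
    inside the bailiwick of `zone` may be written to the cache.
    """
    accepted, rejected = [], []
    for rec in records:
        (accepted if in_bailiwick(rec[0], zone) else rejected).append(rec)
    return accepted, rejected


# Constructed sample: a response attributed to the example.com name server that
# carries two legitimate records plus two planted ones for other domains.
SAMPLE_ZONE = "example.com"
SAMPLE_RECORDS = [
    ("www.example.com.", "A", "192.0.2.10"),               # legitimate answer
    ("ns1.example.com.", "A", "192.0.2.53"),               # legitimate glue
    ("www.bank.example.", "A", "198.51.100.66"),           # unrelated domain, drop
    ("example.com.evil.example.", "A", "198.51.100.7"),    # suffix trick, drop
]

if __name__ == "__main__":
    ok, bad = filter_response(SAMPLE_ZONE, SAMPLE_RECORDS)
    for rec in ok:
        print("cache  ", rec)
    for rec in bad:
        print("reject ", rec)
```

Bailiwick checking alone does not stop an attacker from forging an answer for the name actually being queried; that is why resolvers also randomise source ports and transaction IDs, and why the article points to DNSSEC as the stronger fix.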
If DNSSEC is impractical or impossible, another workaround is to restrict recursion on the name servers that need to be protected. The recursion setting determines whether a server will only hand out information it has stored in its cache, or whether it is willing to go out on the Internet and talk to other servers to find the best answer.
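What restricting recursion looks like in practice, as an added example in BIND 9 `named.conf` syntax (not configuration from the article or from Dyn); the network ranges and ACL name are placeholders, and each `options` block below is a separate alternative, not three blocks to place in one file:

```conf
// Added example (not from the article). Choose ONE of the three options
// blocks depending on the server's role; addresses are placeholders.

// WEAK: a server that resolves on behalf of anyone on the Internet. Its cache
// is exposed to poisoning attempts and it can be abused as an open resolver.
options {
    recursion yes;
    allow-query { any; };
};

// CORRECTED, authoritative-only server: hand out only the zones it hosts and
// never go out to other servers for an answer.
options {
    recursion no;
    allow-query { any; };          // our own zones are still public
};

// CORRECTED, internal resolver: recurse only for networks we operate, and
// validate DNSSEC-signed answers received from upstream.
acl trusted { 192.0.2.0/24; 2001:db8::/32; localhost; };
options {
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    dnssec-validation auto;
};
```

Splitting the roles (a public authoritative server with `recursion no` and a separate internal resolver that only answers trusted clients) limits the blast radius of a poisoned cache to the clients of that one internal resolver, which matches von Wallenstein's point that cache poisoning damage is localized to users of the affected recursive server.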