22 Apr, 2019

How a DNS Attack Could Steal Your Business Site Traffic

Defending against DNS attacks is difficult, but there are ways to reduce the harm they cause. Here are some tips to recognize the problem.
The Domain Name System (DNS) makes the Internet work. Without it, every connection would require remembering an IP address like instead of a domain name like google.com. It would be impossible for humans to use. The DNS consists of a vast number of servers around the world, translating domain names into IP addresses. People rely on it every day without thinking about it.

When it goes wrong, Internet connections fall apart. Clients can't reach servers; or worse, they reach servers which impersonate the ones they expect. The effect is like a denial of service attack, except that it's an indirect approach and harder to defend against. When clients reach a fake server, it may steal their credentials.

Defending against DNS attacks is difficult, but there are ways to reduce the harm they cause. Just knowing quickly when they happen is a big help.
Types of DNS attacks
The attacks fall into a number of categories. The most important are domain spoofing, denial-of-service attacks, and domain hijacking.

Domain spoofing
The category called domain spoofing includes all the ways of getting a DNS request to return an invalid result. If it succeeds, users will reach a bogus server. Typically, it's a lookalike site designed to trick people into giving their credentials or to download malware.

A man-in-the-middle attack interposes a malicious node between the client and the DNS server and alters the request or the response. It can work because the DNS protocol isn't secure. The DNSSEC protocol adds authentication, making such attacks harder, but even then the request and response aren't encrypted. If any step along the Internet connection (such as a public Wi-Fi hotspot or proxy) is untrustworthy, there's a risk of spoofing by this technique.

Another technique is to set up a malicious DNS server and publicize it. This isn't a very effective technique, since it will only affect clients that use it. A malicious VPN can use this technique, directing its users to deceptive sites through its own DNS.

The best-known technique is cache poisoning. If an attacker gets a DNS server to give an incorrect domain mapping once, it will stay in the server's cache for some time. The maximum time depends on the domain record's TTL (time to live) setting. The TTL is often hours long, allowing a lot of misdirections. Cache poisoning requires first finding some vulnerability to inject a false result once.

Denial-of-service attacks
On October 21, 2016, Dyn's DNS servers came under a heavy denial-of-service attack. As a result, many well-known websites were unavailable in much of North America for most of the day. This technique is effectively a denial-of-service attack on multiple sites at once. DNS requests timed out, so people weren't able to reach the websites.

A botnet floods the DNS server with so many requests that it can't keep up. One common technique is to query non-existent domains, such as xrrqxpq5511[dot]com. Each request is for a different domain, so the server can't cache its results. A variant is to ask for nonexistent subdomains, like rr824mw1[dot]facebook[dot]com. A third trick is to use malformed queries that create an extra processing burden for the server.

Domain hijacking
The most dangerous DNS attack is one that alters or grabs control of a domain's registry records. This can redirect clients for days or more. It's the legitimate owner's job to get the records fixed or challenge the reassignment of ownership.

Short of taking ownership of the whole domain, an attacker can change its DNS records so that they point to a malicious domain name server. It will return a different IP address for the domain, one hosting a site that impersonates the real one, effectively stealing your traffic. It can use any number of tricks to get visitors' passwords or to deliver malware, stealing private information from the computer, and damaging the system.
Defenses against DNS attacks
Since DNS attacks are indirect, defending against them is difficult. Taking certain precautions will help significantly, though.

Using HTTPS for all pages on the server will make life difficult for impersonators. The fake site won't have the domain's SSL certificate, and users will get unmistakable warning messages when they access it. This protection isn't absolute; domain hijackers can obtain a new certificate for the domain, just as someone who legitimately bought it would be able to. However, it keeps spoofing and DNS record alteration from fooling people.

All the internal links in a site should be HTTPS. If users access a page as HTTP and get redirected to HTTPS, the site isn't nearly as well protected.

Having more than one domain server will help against DDoS attacks at the DNS level. Unless the attack hits both DNS servers at the same time, at least some users will be able to get through.

A short TTL in a domain's DNS records will mean a smaller time window for cache poisoning. If it's too short, though, it will force more queries to go up the DNS server chain, slowing down access. It's a matter of striking a balance.
Monitoring for DNS protection
A monitoring service, such as ThreatSign, guards against DNS attacks and many other threats, providing increased eCommerce and website security. If the site stops responding to DNS, or if some other server takes over its domain mapping, ThreatSign will quickly detect that something is wrong. The system may be down or the DNS hijacked, but either way quick action is imperative.

The amount of damage from a DNS attack depends on how long it takes to notice and correct the situation. Monitoring of the site will make any DNS issues evident very quickly. It will confirm whether recovery procedures have worked or not. All websites, large or small, need to pay attention to DNS issues and be able to respond to them quickly.