Since 2012, the number of infrastructure attacks on the domain name system (DNS) has increased by over 200%. Yet despite this rise, many businesses still aren’t doing enough to secure a critical component of their IT infrastructure.
A 2014 survey on IT infrastructure security found that more than a quarter of companies had not established formal responsibility for DNS security. The reaction of both the media and consumers to the high-profile attacks witnessed in 2014, such as those on Target and JP Morgan, has shown companies will not be easily forgiven when a hack occurs – especially if certain security measures could have prevented the attack.
With the ever-increasing rise in distributed denial of service (DDoS) attacks on DNS, companies not taking measures to secure their DNS will appear negligent.
>See also: The 2015 cyber security roadmap
DNS is easy to exploit, and organisations need to understand that they have little choice but to work around its weaknesses. In its 2014 Annual Security Report, Cisco found that all the corporate networks examined showed evidence of having been compromised. 96% showed traffic to hijacked servers and 92% revealed traffic to sites without any content, typically a sign of malware hosting.
It is clear that DNS-based DDoS attacks are not only a growing threat, but also one that’s being overlooked. DNS security should be considered a priority given these increasing risks. Knowledge is key, and businesses need to understand how these attacks work if they want to protect themselves.
Understanding DDoS attacks
It’s surprisingly, and worryingly, simple to generate a DDoS attack using an organisation’s DNS infrastructure. Hackers hijack the system to send queries to name servers across the Internet from a spoof IP address of their target (this is as simple and effective as writing someone else’s return address on a postcard). The name servers then, in turn, send back responses.
If these responses were around the same size as the queries themselves, this wouldn’t in itself be enough to wreak the desired havoc on the target. To inflict the maximum damage, the query needs to be amplified so it returns the largest possible response. And this has become much simpler since the adoption of DNS security extensions (DNSSEC).
Following the introduction of the set of extensions known as EDNS0 in 1999 UDP-based DNS messages (DNS messages which use Internet Protocol (IP) to get data from one computer to another) have been able to carry greater amounts of data. Whilst most queries are under 100 bytes, the responses can be significantly larger, anywhere up to 4,096 bytes. Responses of this size were once a rare occurrence in the internet’s namespace, but digital signatures and cryptographic keys stored by DNSSEC in the namespace are now commonplace and massive.
To see the extent to which these amplified responses can be used as an effective DDoS attack, consider a query of just 44 bytes. This single query, if sent from a spoofed IP address to a domain containing DNSSEC records, could generate a response of over 4,000 bytes. Using a botnet of thousands of computers, and recruiting 10 fellow comrades, could deliver 1Gbps of replies to incapacitate the target.
Thankfully most name servers can be modified to recognise when they’re being repeatedly queried for the same information from the same IP address.
However, it’s a different story for open recursive servers, of which there are estimated to be 33 million around the world. These will continually accept the same query from the same spoofed IP address, each time sending back responses as discussed in the DNSSEC examples previously mentioned.
Knowledge is the key
Of all the steps that companies can take to protect themselves from such attacks, the first and probably the most important is learning to recognise just when a DDoS attack is taking place.
Many organisations don’t know what their query load is, let alone when they’re under attack. With the statistics support built into the DNS software BIND, administrators are able to analyse their data for socket errors, query rates, and other attack indicators. Whilst it may not be clear exactly what the attack looks like, by monitoring the DNS statistics it is possible to get an understanding of what the trends are, so anomalies can be more easily identified.
It’s also important to scrutinise an organisation’s internet-facing infrastructure for single points of failure. This should not only be in external authoritative name servers, but also in the firewalls, switch and router interactions, and connections to the Internet. Once these vulnerabilities have been identified, the question is whether these can be cost-effectively and easily eliminated.
Also, wherever possible, external authoritative name servers should be broadly geographically distributed. This will not only help avoid single points of failure, but will also improve the response time performance for the closest customers.
Another easy step is overprovisioning existing infrastructure, which is both inexpensive and easy to trial prior to an attack. This helps mitigate the massive number of responses resulting from a DDoS attack. But has the consequence of potentially making you a better ‘amplifier’ for attacks on a third party. Therefore an approach that enables your DNS servers to continue to serve legitimate traffic whilst identifying and intelligently limiting rouge traffic may be a better approach.
The ever-increasing threat posed to DNS means that priority must be given to learning about and implementing preventative measures to mitigate the threat. Understanding how DDoS attacks exploit DNS servers is the first step to reducing an organisation’s threat level. Formally assigning responsibility for DNS security and taking steps to understand typical query loads are both relatively simple tasks that will help reduce exposure to DNS attacks. With attacks on DNS increasing at an alarming rate, businesses that fail to act will be vulnerable.
Sourced from Chris Marrison, Infoblox