Don’t Forget DNS Server Security
Posted on March 17, 2014 by Kara Dunlap in Security
Late last August, some visitors to the New York Times website received an unexpected surprise – the website was down.
The source of the interruption was not a power outage or even a denial-of-service attack. Instead, it was a battle against a DNS hijacking attempt believed to be connected to hacktivists with the Syrian Electronic Army.
The attack was one of several in 2013 that focused on DNS (domain name system) infrastructure, and security experts don’t expect this year to be all that different – meaning organizations need to stay aware of DNS security threats.
Just last month, domain registrar and hosting provider Namecheap was hit with a distributed denial-of-service (DDoS) attack targeting its DNS platform that impacted roughly 300 sites. Beyond DDoS, attackers can also compromise a name server and redirect DNS queries to a name server under their control.
“DNS providers are often targets of attack because they are a central point for disrupting all services, web, mail, chat, etc. for an organization,” said Michael Hamelin, lead X-Force security architect at IBM. “The DNS server is the roadmap for the Internet, and once disrupted, services that are the lifeblood of the organization such as web, mail, and chat become inaccessible. If a DNS provider goes down, it could mean that thousands of customers have their digital presence temporarily erased.”
In the case of the New York Times, the attack that affected their users occurred when someone accessed a reseller account on Melbourne IT’s systems and changed the DNS records for nytimes.com as well as other domain names such as twitter.co.uk. This kind of password theft can have far-reaching implications, said Hamelin, who recommended DNS providers use two-factor authentication and “enable a restricted IP block requiring all edits to be made internally on the network.”
“Organizations need to understand that just because they have outsourced their hosting and DNS, it doesn’t mean that they’re guaranteed that the vendor has taken adequate security precautions to provide a highly available and secure service,” he said. “The organization needs to anticipate their DNS may become a target of an attack, and implement countermeasures such as using two different DNS systems and/or hosting providers.”
By its very nature, DNS is one of the weaker links in many infrastructures, said Vann Abernethy, senior product manager at NSFOCUS, adding that the company had seen an increase last year both in DDoS attacks on DNS infrastructure and in the use of DNS to amplify traffic. Juxtaposed with the critical nature of its operation, its status as a weak link makes it an enticing target for attacks, he said.
“There are quite a few variants of DDoS attacks that can be executed against DNS servers, such as DNS Query Flood – a resource consumption attack aimed at a single infrastructure,” Abernethy said. “And there are new ones cropping up as well.”
Among those is a technique similar to a DNS amplification attack that relies on the attacker sending a query with fake subdomains that the victim DNS server cannot resolve, flooding the DNS authoritative servers it must contact, he said.
Fortunately, there are a number of actions organizations can take to improve DNS security. For starters, don’t run open resolvers, advised Mark Beckett, vice president of marketing for DNS security vendor Secure64.
“Open resolvers allow anyone on the internet to query a DNS resolver, and are widely used by botnets to inflict damage,” he said. “[Also] don’t allow spoofed IP addresses to exit your network. Organizations should set egress filters so that only packets with IP addresses within their network address space are allowed to exit their network. This eliminates the ability of the attacker to spoof any IP address that it wishes from an infected machine.”
He also suggested organizations use rate limiting capabilities within their DNS server if possible, and monitor the network to detect any sudden spikes in DNS packet rates or inbound or outbound DNS traffic volume.
“Early detection of an attack can allow an organization to take defensive measures (like blocking attack traffic upstream at the router or firewall) before the attack is severe enough to impact their users or their network,” he said.
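As an added example (not from the article or from any vendor quoted in it), the following Python implements the kind of early detection Beckett describes: it buckets DNS query-log lines into fixed windows and flags any window whose query count jumps far above the median of the windows before it. The BIND-style log layout, the 5x threshold and the sample log lines are all assumptions constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Assumed log layout modelled on BIND 9's querylog; sample lines below are constructed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?client (?P<ip>[\d.]+)#\d+ "
    r"\(.*?\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse(line):
    """Return (timestamp, client_ip, qname, qtype), or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"), m["ip"], m["qname"], m["qtype"]

def rate_per_window(lines, window_s=10):
    """Count queries per fixed window (window_s must divide 60); keys are window starts."""
    buckets = Counter()
    for rec in filter(None, map(parse, lines)):
        ts = rec[0]
        start = ts.replace(second=ts.second - ts.second % window_s)
        buckets[start.strftime("%Y-%m-%d %H:%M:%S")] += 1
    return dict(sorted(buckets.items()))

def find_spikes(buckets, factor=5, min_history=2):
    """Flag windows exceeding `factor` x the median of earlier windows (assumed threshold)."""
    spikes, history = [], []
    for start, count in sorted(buckets.items()):
        if len(history) >= min_history and count > factor * median(history):
            spikes.append((start, count))
        history.append(count)
    return spikes

# Constructed sample: 30 s of normal traffic (1 query/s), then a 10 s burst of
# 120 queries for random non-existent subdomains from many source addresses.
SAMPLE_LOG = [
    f"17-Mar-2014 10:00:{s:02d}.000 queries: info: client 192.0.2.{10 + s}#5300{s % 10} "
    f"(example.com): query: example.com IN A + (192.0.2.53)"
    for s in range(30)
] + [
    f"17-Mar-2014 10:00:{30 + n % 10}.000 queries: info: client 198.51.100.{1 + n % 200}#40000 "
    f"(example.com): query: rnd{n}.example.com IN A + (192.0.2.53)"
    for n in range(120)
]

if __name__ == "__main__":
    for start, count in find_spikes(rate_per_window(SAMPLE_LOG)):
        print(f"spike: {count} queries in window starting {start}")
```

Feed it a real query log with the window and factor tuned to your own baseline; the flagged window and its client addresses are what you would hand to the router or firewall rule Beckett mentions.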
DNS-related attacks will continue to be a theme of 2014, Hamelin said, noting there aren’t a lot of steps in place to protect organizations from a hijacked DNS server or its clients.
“Attackers are focused on ROI [return on investment] and attacking a DNS server could be a great way to have a large impact with little effort,” he said.