The DNS is quite robust, but it was designed for usability rather than security, which is why it so often catches the attention of attackers. Over the past years the world has witnessed several powerful attacks targeting DNS. Many DNS attacks are quite complex, and most of them take advantage of the back-and-forth communication between clients and servers.
In the previous article I discussed attacks that exploit the way DNS servers work. In this one I elaborate on attacks that target the network layer.
Network layer attacks are also known as layer 3 and layer 4 attacks. They are usually carried out at high volume and target the entire infrastructure, aiming to cut the victim's network off from the internet, DNS servers included. Mitigating them requires a lot of capacity in addition to the right technology and expertise. The attacker targets port 53 with a rigorous bombardment of TCP/UDP packets. Attack vectors in this category include UDP floods, SYN floods, DNS amplification attacks, and more. Most attacks in this category flood the victim with packets, exhausting its bandwidth, CPU, memory, buffers and other vital resources. This is popularly known as a denial of service (DoS): it makes the victim inaccessible, cutting it off from its users.
When attackers use an army of bots to carry out a DoS attack on a target, it is called a distributed DoS (DDoS). DDoS attacks are almost always high-traffic events, powerful enough to produce 1 TBps of traffic, as the Mirai bots did in the recent attack against Dyn, a DNS service provider. There, UDP and TCP packets from a large number of IP addresses targeted port 53.
DDoS attacks are a major threat to the availability of the DNS network. A DDoS attack against recursive DNS servers can shut down DNS resolution regionally for a network such as an ISP or cable modem provider, leaving none of its users able to resolve domain names at all. These assaults can be used to block access to servers and also cause severe operational damage, such as account suspension and massive overage charges. When DNS traffic congestion occurs, legitimate retries further add to the traffic volume. Popular network attacks include:
UDP flood: The attacker overwhelms port 53 on the targeted host with IP packets containing UDP datagrams. The receiving host checks for an application associated with each datagram and, finding none, sends back a "Destination Unreachable" packet. As more and more UDP packets are received and answered, the system becomes overwhelmed and unresponsive to other clients.
TCP SYN: Popularly known as a SYN flood, it exploits the packets of the TCP three-way handshake to consume resources on the targeted server and render it unresponsive. The attacker overloads the target with TCP connection requests faster than the targeted machine can process them, causing network saturation and eventually exhausting the victim's resources.
DNS amplification and reflection attacks: These use open DNS resolvers to increase the volume of an attack and to hide its true source. An open resolver answers queries from anyone who asks. Attackers exploit this by sending DNS messages to open resolvers with a forged source IP address belonging to the target of the attack, so that the resolvers' (much larger) responses land on the target.
In October 2016 one of the largest attacks targeting DNS brought down much of America's internet for a few hours. It was caused by a new weapon, the Mirai botnet, which targeted Dyn, a major DNS service provider. It is believed to have combined both types of attack, the DNS-specific and the network layer attack. In the previous article I discussed Mirai, the IoT botnet, and the vulnerability in IoT devices that helped the attackers carry out a DDoS attack powerful enough to generate traffic peaking at over one terabyte per second (1 TBps).
DNS-based attacks are on the rise because many organizations do not realize DNS is a threat vector and therefore do not protect it. To lessen the chance of a DNS attack, server administrators should run the latest version of their DNS software and perform deep packet inspection of incoming traffic at the application layer. Traffic should be monitored consistently, and servers should be configured to duplicate, separate and isolate the various DNS functions.
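The traffic monitoring recommended here, applied to the UDP flood and amplification/reflection patterns described above, as an added example that is not part of the original article: a small Python detector that reads resolver query logs, aggregates per source address, and flags (a) sources whose queries are dominated by large-answer types (ANY, TXT, DNSKEY, RRSIG) with a high response-to-request byte ratio, which on an open resolver is the signature of reflection with the flagged address being the spoofed victim, and (b) sources sending far more queries per second than a client plausibly would. The key=value log format, the thresholds and the sample records (RFC 5737 documentation addresses) are all constructed for this example; real resolvers log differently, so `LINE_RE` must be adapted to the actual log source.

```python
"""Flag DNS flood and amplification/reflection patterns in resolver query logs.

Added example, not the article's own code. The log layout, thresholds and
sample addresses are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical key=value log layout; adapt this pattern to your resolver's logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) proto=(?P<proto>\w+) qtype=(?P<qtype>\w+) "
    r"qname=(?P<qname>\S+) req_bytes=(?P<req>\d+) resp_bytes=(?P<resp>\d+)$"
)

# Query types whose answers are large and therefore favoured for amplification.
LARGE_ANSWER_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def build_sample_log():
    """Construct sample log lines: one normal client, one reflection victim, one flood source."""
    t0 = datetime(2016, 10, 21, 12, 0, 0)
    fmt = "{ts} src={src} proto=udp qtype={qtype} qname={qname} req_bytes={req} resp_bytes={resp}"
    lines = []

    def add(sec, src, qtype, qname, req, resp):
        ts = (t0 + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(fmt.format(ts=ts, src=src, qtype=qtype, qname=qname, req=req, resp=resp))

    # Normal client: a few small A lookups spread over a minute.
    for sec in (0, 20, 45):
        add(sec, "198.51.100.10", "A", "www.example.com", 45, 61)
    # Reflection: 40 ANY queries whose forged source address is the victim 203.0.113.7.
    for i in range(40):
        add(i % 2, "203.0.113.7", "ANY", "example.net", 58, 3200)
    # UDP flood: 120 small A queries from one address within two seconds.
    for i in range(120):
        add(i % 2, "192.0.2.99", "A", "www.example.org", 45, 61)
    return "\n".join(lines)


def parse_log(text):
    """Parse log text into dict records; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "proto": m["proto"], "qtype": m["qtype"],
            "qname": m["qname"], "req": int(m["req"]), "resp": int(m["resp"]),
        })
    return records


def per_source_stats(records):
    """Aggregate query count, byte totals, large-answer count and time span per source address."""
    stats = defaultdict(lambda: {"queries": 0, "req_bytes": 0, "resp_bytes": 0,
                                 "large": 0, "first": None, "last": None})
    for r in records:
        s = stats[r["src"]]
        s["queries"] += 1
        s["req_bytes"] += r["req"]
        s["resp_bytes"] += r["resp"]
        if r["qtype"] in LARGE_ANSWER_QTYPES:
            s["large"] += 1
        s["first"] = r["ts"] if s["first"] is None else min(s["first"], r["ts"])
        s["last"] = r["ts"] if s["last"] is None else max(s["last"], r["ts"])
    return stats


def detect(records, rate_threshold=50.0, amp_threshold=10.0, min_queries=5):
    """Return findings per source: amplification/reflection or udp_flood.

    For a reflection finding the flagged address is the spoofed victim, not the
    attacker; the useful response is to rate-limit or refuse those answers.
    """
    findings = []
    for src, s in per_source_stats(records).items():
        if s["queries"] < min_queries:
            continue  # too few queries to judge
        span = (s["last"] - s["first"]).total_seconds()
        qps = s["queries"] / max(span, 1.0)  # at least a one-second window
        amp = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else 0.0
        large_share = s["large"] / s["queries"]
        if amp >= amp_threshold and large_share >= 0.5:
            findings.append({"src": src, "type": "amplification/reflection",
                             "qps": round(qps, 1), "amp_factor": round(amp, 1)})
        elif qps >= rate_threshold:
            findings.append({"src": src, "type": "udp_flood",
                             "qps": round(qps, 1), "amp_factor": round(amp, 1)})
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(build_sample_log())):
        print(f)
```

The amplification check deliberately keys on the share of large-answer query types rather than on rate alone: a reflection stream at a modest rate still points at a spoofed victim, while the flood check catches high-rate small queries that carry no amplification at all. The thresholds are starting points for a baseline of your own resolver's normal traffic, not universal constants.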
Authored By – Shefali Singh
TCS Enterprise Security and Risk Management