Operations

7/10/2018
10:00 AM
50%
50%

7 Ways to Keep DNS Safe

A DNS attack can have an outsize impact on the targeted organization - or organizations. Here's how to make hackers' lives much more difficult.
Previous
1 of 8
Next

The Domain Name System (DNS) has long been a favored target for threat actors looking to disrupt victims. Whether criminals are looking to use DNS to misdirect traffic in order to steal information, gain access, or launch attacks that deny access to a victim's resources, it is a critical link that can become a huge vulnerability.

DNS vulnerability was put under the spotlight in the Mirai attack on the DynDNS service in 2016. In that case, attacking a single DNS source had an impact on scores of major organizations. And that's one of the great attractions DNS has as a target: Disrupting DNS can have an outsize impact on the organization (or organizations) hit by an attack.

Other qualities make DNS a favorite tool for hackers. Because the information returned is considerably larger than the query, and DNS is a service that nearly every firewall will allow to pass, DNS servers make useful amplification tools in DDoS attacks. That usefulness means DNS servers and services need to be protected in two different dimensions.

First, DNS must be protected so that it continues to resolve names consistently and correctly for the organization it serves. Next, it must be protected so that it can't be used as a weapon against other organizations and individuals. Many of the steps to protect one will protect the other, but some defensive mechanisms focus on one aspect or the other.

Many of the protective steps on this list can be taken without rushing out to buy new networking hardware. The question for many organizations will be how to prioritize defensive steps and ensure that all the steps taken work in harmony to protect an organization's network, applications, and users.

(Image: GrAI VIA SHUTTERSTOCK)

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Previous
1 of 8
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
davidredekop
50%
50%
davidredekop,
User Rank: Apprentice
7/12/2018 | 10:56:21 PM
What if everybody did it
Curtis, I always enjoy watching you on TWIET, thanks for this article. Well thought out!

Your tweet asked "What would you add to the list?" on your tweet. I'd add that a very simple but powerful technique is to force DNS to an on-premise service. It's technically hijacking, but with a positive outcome. You don't allow any endpoints to make Internet-bound DNS queries but instead force them to use local DNS server(s). The designated servers are the only ones able to make recursive or upstream queries.

This has the simple effect of *preventing* participation in any DNS reflection attack. We do this as a basic standard at www.adamnet.works for all of our products.

By the way, the same thing should be done for NTP since it's also a very common protocol used by endpoints and abused for UDP reflection attacks.

Hijacking NTP and DNS, if it were done as a basic standard on Internet exit points, would disable all future reflection attacks attempting to use those protocols and their respective public servers.
No SOPA
50%
50%
No SOPA,
User Rank: Ninja
7/10/2018 | 4:02:11 PM
Efficient Malicious Packet Capture Through Advanced DNS Sinkhole
I read a great paper titled "Efficient Malicious Packet Capture Through Advanced DNS Sinkhole" (Hyun Mi Jung, Haeng Gon Lee, Jang Won Choi). It caught my eye by stating in the Abstract that among the current botnet countermeasures, "DNS sinkhole is known as the best practice in the world."

Like anything that is based on the collection and analysis of data, however, it seems that, to be most effective, one might have to get hardware to cope with the overhead, which would go against the idea in this article that you won't have to run out and start spending money for hardware. That overhead comes from critical elements in this model, though, that make it ideal and useful to both the whole InfoSec community and organizations looking to be more proactive in their security planning.

In brief, as described by this paper, you'd have a combination of systems that monitor, analyze and detect, then re-direct as necessary. So, if an organization has a PC that is infected by a malicious bot in a target security control agency AND initializes a connection to a command and control (C&C) system (the malicious controller of the bot), that traffic is detected as part of the monitored traffic at the target organization, and then redirected to a DNS sinkhole server rather than the real DNS server. The catch is the incoming traffic has to be recognized as part of a malicious domain (or identified as one realtime with AI support and access to a database of profiles such as this project collects). When those queries go to the sinkhole server {in this paper's model, at least), they are routed through the Korea Research Environment Open NETwork (KREONET) and the target organization's Threat Management System (TMS). The point of this is to collect all the traffic from the zombie PC with the bot into a log to better understand its purpose, collect intel on the bot and develop a profile of the attacker.

Sinkholes have been used to help thwart WannaCry and Avalanche threats. I'm not sure how sophisticated those sinkholes were, but as defined in this paper, probably not every organization could implement such an architecture. But as malicious bots, whether stationed on remote web servers or installed via malware on PCs, become rampant, this model of redirection and analysis, and ideally data sharing among the InfoSec community, is more crucial than ever to keep threats minimized and to better arm the InfoSec community as a whole.
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Well, at least it isn't Mobby Dick!
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3965
PUBLISHED: 2019-03-23
Hospira Symbiq Infusion System 3.13 and earlier allows remote authenticated users to trigger "unanticipated operations" by leveraging "elevated privileges" for an unspecified call to an incorrectly exposed function.
CVE-2016-10743
PUBLISHED: 2019-03-23
hostapd before 2.6 does not prevent use of the low-quality PRNG that is reached by an os_random() function call.
CVE-2019-9947
PUBLISHED: 2019-03-23
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string or PATH_INFO) follo...
CVE-2019-9948
PUBLISHED: 2019-03-23
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
CVE-2019-9945
PUBLISHED: 2019-03-23
SoftNAS Cloud 4.2.0 and 4.2.1 allows remote command execution. The NGINX default configuration file has a check to verify the status of a user cookie. If not set, a user is redirected to the login page. An arbitrary value can be provided for this cookie to access the web interface without valid user...