Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

7/10/2018
10:00 AM
50%
50%

7 Ways to Keep DNS Safe

A DNS attack can have an outsize impact on the targeted organization - or organizations. Here's how to make hackers' lives much more difficult.
Previous
1 of 8
Next

The Domain Name System (DNS) has long been a favored target for threat actors looking to disrupt victims. Whether criminals are looking to use DNS to misdirect traffic in order to steal information, gain access, or launch attacks that deny access to a victim's resources, it is a critical link that can become a huge vulnerability.

DNS vulnerability was put under the spotlight in the Mirai attack on the DynDNS service in 2016. In that case, attacking a single DNS source had an impact on scores of major organizations. And that's one of the great attractions DNS has as a target: Disrupting DNS can have an outsize impact on the organization (or organizations) hit by an attack.

Other qualities make DNS a favorite tool for hackers. Because the information returned is considerably larger than the query, and DNS is a service that nearly every firewall will allow to pass, DNS servers make useful amplification tools in DDoS attacks. That usefulness means DNS servers and services need to be protected in two different dimensions.

First, DNS must be protected so that it continues to resolve names consistently and correctly for the organization it serves. Next, it must be protected so that it can't be used as a weapon against other organizations and individuals. Many of the steps to protect one will protect the other, but some defensive mechanisms focus on one aspect or the other.

Many of the protective steps on this list can be taken without rushing out to buy new networking hardware. The question for many organizations will be how to prioritize defensive steps and ensure that all the steps taken work in harmony to protect an organization's network, applications, and users.

(Image: GrAI VIA SHUTTERSTOCK)

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Previous
1 of 8
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
davidredekop
50%
50%
davidredekop,
User Rank: Apprentice
7/12/2018 | 10:56:21 PM
What if everybody did it
Curtis, I always enjoy watching you on TWIET, thanks for this article. Well thought out!

Your tweet asked "What would you add to the list?" on your tweet. I'd add that a very simple but powerful technique is to force DNS to an on-premise service. It's technically hijacking, but with a positive outcome. You don't allow any endpoints to make Internet-bound DNS queries but instead force them to use local DNS server(s). The designated servers are the only ones able to make recursive or upstream queries.

This has the simple effect of *preventing* participation in any DNS reflection attack. We do this as a basic standard at www.adamnet.works for all of our products.

By the way, the same thing should be done for NTP since it's also a very common protocol used by endpoints and abused for UDP reflection attacks.

Hijacking NTP and DNS, if it were done as a basic standard on Internet exit points, would disable all future reflection attacks attempting to use those protocols and their respective public servers.
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
7/10/2018 | 4:02:11 PM
Efficient Malicious Packet Capture Through Advanced DNS Sinkhole
I read a great paper titled "Efficient Malicious Packet Capture Through Advanced DNS Sinkhole" (Hyun Mi Jung, Haeng Gon Lee, Jang Won Choi). It caught my eye by stating in the Abstract that among the current botnet countermeasures, "DNS sinkhole is known as the best practice in the world."

Like anything that is based on the collection and analysis of data, however, it seems that, to be most effective, one might have to get hardware to cope with the overhead, which would go against the idea in this article that you won't have to run out and start spending money for hardware. That overhead comes from critical elements in this model, though, that make it ideal and useful to both the whole InfoSec community and organizations looking to be more proactive in their security planning.

In brief, as described by this paper, you'd have a combination of systems that monitor, analyze and detect, then re-direct as necessary. So, if an organization has a PC that is infected by a malicious bot in a target security control agency AND initializes a connection to a command and control (C&C) system (the malicious controller of the bot), that traffic is detected as part of the monitored traffic at the target organization, and then redirected to a DNS sinkhole server rather than the real DNS server. The catch is the incoming traffic has to be recognized as part of a malicious domain (or identified as one realtime with AI support and access to a database of profiles such as this project collects). When those queries go to the sinkhole server {in this paper's model, at least), they are routed through the Korea Research Environment Open NETwork (KREONET) and the target organization's Threat Management System (TMS). The point of this is to collect all the traffic from the zombie PC with the bot into a log to better understand its purpose, collect intel on the bot and develop a profile of the attacker.

Sinkholes have been used to help thwart WannaCry and Avalanche threats. I'm not sure how sophisticated those sinkholes were, but as defined in this paper, probably not every organization could implement such an architecture. But as malicious bots, whether stationed on remote web servers or installed via malware on PCs, become rampant, this model of redirection and analysis, and ideally data sharing among the InfoSec community, is more crucial than ever to keep threats minimized and to better arm the InfoSec community as a whole.
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12280
PUBLISHED: 2019-06-25
PC-Doctor Toolbox before 7.3 has an Uncontrolled Search Path Element.
CVE-2019-3961
PUBLISHED: 2019-06-25
Nessus versions 8.4.0 and earlier were found to contain a reflected XSS vulnerability due to improper validation of user-supplied input. An unauthenticated, remote attacker could potentially exploit this vulnerability via a specially crafted request to execute arbitrary script code in a users browse...
CVE-2019-9836
PUBLISHED: 2019-06-25
Secure Encrypted Virtualization (SEV) on Advanced Micro Devices (AMD) Platform Security Processor (PSP; aka AMD Secure Processor or AMD-SP) 0.17 build 11 and earlier has an insecure cryptographic implementation.
CVE-2019-6328
PUBLISHED: 2019-06-25
HP Support Assistant 8.7.50 and earlier allows a user to gain system privilege and allows unauthorized modification of directories or files. Note: A different vulnerability than CVE-2019-6329.
CVE-2019-6329
PUBLISHED: 2019-06-25
HP Support Assistant 8.7.50 and earlier allows a user to gain system privilege and allows unauthorized modification of directories or files. Note: A different vulnerability than CVE-2019-6328.