The DNS, as you may know, is a crucial component that we sadly often overlook. Don’t be one of those people; please pay close attention to this article. There is no such thing as a “good” DNS attack: many types of DNS attack are really dangerous, exploiting various weaknesses to create serious problems. Let’s look at the 5 most dangerous of them and, most importantly, find ways to protect ourselves. A safe business is good business.
What is a DNS attack? How can it affect me?
The name says it: an attack that targets the domain name system. It can have different purposes: destabilizing it, bringing it down, altering its information, or something else. The DNS is old, and, as you could guess, by itself it is not the safest infrastructure in the world. But there are extra measures that really help.
Imagine these two scenarios so you can understand it more easily:
- The cybercriminal redirects the traffic that should go to your site to one that he or she controls. There he or she can host a fake page, mimicking yours, and steal valuable data from your clients while pretending to be you. The unaware client does what he normally does: registers and uses the page to buy or to enter information. The trouble for you could be big if they take money from the victims.
- A strong DDoS attack can affect your servers and bring them down, and keep them down, under attack, for a long time. In practice, an attack can last for weeks. Losing control affects your clients: users won’t be able to access and use your services or buy products during the DNS attack. You can lose money and get negative feedback from clients. You can even lose them permanently.
Anybody can be threatened by DNS attacks, even the big companies. Wikipedia, BBC, Blizzard, and many more have suffered different types of attacks. Nobody is safe, and the news will just keep coming.
DNS attack types to consider:
· DDoS Amplification
· DNS Cache Poisoning, a.k.a. DNS Spoofing
· DNS Tunneling
· DNS Flood Attack
· Distributed Reflection Denial of Service (DRDoS)
DDoS Amplification
This is the DNS attack type you will see a lot in the media, with big headlines and big numbers. There are many variants, but most often amplification attacks exploit the simple UDP protocol. Take it as the weakest link in the puzzle: it does no verification of the sender, and that is where the problem comes from. The goal is to significantly increase, amplify, the traffic. The attackers send a small DNS query that asks not just for the IP but also for extra information, so the answer is much bigger. It can be even 10 times larger! The extra trick is that they forge the source address of the request, so the answer goes to the target. That way, the target is bombarded with many answers it never asked for and experiences downtime.
How to mitigate it? You will need a large network of DNS servers, like an Anycast network. If the capacity is enough, the traffic can be filtered without crippling the network.
Additional measures you can take on the server itself (these are the usual Memcached hardening steps, since exposed Memcached servers are a favorite amplifier) are to limit it to listening only on 127.0.0.1 (localhost) and, of course, to disable UDP altogether if you don’t use it.
The third measure is to firewall port 11211 so that only whitelisted IPs can reach the server.
You can read more about Memcached DDoS attacks!
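To make the amplification pattern concrete, here is an added example (not ClouDNS code) that scans a constructed query/response size log the way a resolver operator would, flagging sources that receive answers at least 10 times larger than their queries; the log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample, not a real resolver log:
# "claimed_source_ip qtype query_bytes response_bytes"
SAMPLE_LOG = """\
203.0.113.7 A 60 120
203.0.113.7 ANY 64 3200
203.0.113.7 ANY 64 3100
203.0.113.7 TXT 66 1400
198.51.100.2 A 58 110
198.51.100.2 AAAA 58 130
203.0.113.7 ANY 64 3300
"""

AMPLIFICATION_THRESHOLD = 10   # the article cites answers up to 10x the query


def parse_log(text):
    """Yield (src_ip, qtype, query_bytes, response_bytes) per log line."""
    for line in text.splitlines():
        if line.strip():
            src, qtype, qlen, rlen = line.split()
            yield src, qtype, int(qlen), int(rlen)


def amplification_report(text, threshold=AMPLIFICATION_THRESHOLD):
    """Per claimed source IP: queries seen, answers at least `threshold`
    times larger than their query (or of type ANY, which asks for every
    record), and the average response/query size ratio."""
    stats = defaultdict(lambda: {"queries": 0, "amplified": 0, "ratio_sum": 0.0})
    for src, qtype, qlen, rlen in parse_log(text):
        s = stats[src]
        ratio = rlen / qlen
        s["queries"] += 1
        s["ratio_sum"] += ratio
        if ratio >= threshold or qtype == "ANY":
            s["amplified"] += 1
    return {src: {"queries": s["queries"], "amplified": s["amplified"],
                  "avg_ratio": round(s["ratio_sum"] / s["queries"], 1)}
            for src, s in stats.items()}


def suspected_targets(text, threshold=AMPLIFICATION_THRESHOLD, min_amplified=3):
    """Source addresses that received `min_amplified` or more amplified
    answers. In an attack the address is spoofed, so these are the likely
    victims, and the place to apply response rate limiting."""
    report = amplification_report(text, threshold)
    return sorted(src for src, s in report.items()
                  if s["amplified"] >= min_amplified)
```

On the sample, 203.0.113.7 gets four amplified answers with an average ratio of about 35, while 198.51.100.2 looks like ordinary traffic.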
DNS Cache Poisoning
This DNS problem focuses on DNS resolvers. Each of them has a cache, where it holds information about domains for a certain amount of time: the resolvers keep a copy of the DNS records for as long as the TTL (time to live) indicates. The attacker alters the cached DNS records and redirects the traffic to wherever he or she wants (another server). There could be a fake copy of your website where unaware people register and hand over their personal data. This is very common with spoofed emails: when the victim clicks on the link, malicious software can then modify the records in the DNS resolver.
You can limit the queries the resolver answers to a specific domain. Also, you can store the records only for a particular domain and for no others, and use blacklists to limit what is accepted.
The best tool to prevent such a threat is DNSSEC. If a recursive server received poisoned data, the signature validation would fail; it would not continue the query with that data, and the user would be safe.
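The two resolver-side rules above (accept answers only for the question you actually asked, and store records only for the zone you asked about) can be shown in a toy cache. This is an added example, not ClouDNS code or a real resolver: the reply is a constructed dict rather than a DNS message, and matching on the transaction ID alone stands in for the full ID-plus-port check a real resolver does.

```python
import time


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or a subdomain of it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    """Minimal cache: accepts a reply only if it matches a query we sent,
    keeps only in-zone records, and expires them by TTL."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # txid -> (qname, zone) for queries we sent
        self.records = {}   # name -> (ip, expires_at)

    def send_query(self, txid, qname, zone):
        """Remember the outstanding query so a reply can be matched to it."""
        self.pending[txid] = (qname, zone)

    def receive_reply(self, reply):
        """Return the names accepted from `reply`; everything else is dropped.
        `reply` is a constructed dict: {"txid", "qname", "records": [(name, ip, ttl)]}."""
        qname, zone = self.pending.get(reply["txid"], (None, None))
        if qname is None or qname != reply["qname"]:
            return []   # unsolicited or mismatched: a forged reply
        del self.pending[reply["txid"]]
        accepted = []
        for name, ip, ttl in reply["records"]:
            if not in_bailiwick(name, zone):
                continue    # off-zone record: the classic poisoning vector
            self.records[name] = (ip, self.clock() + ttl)
            accepted.append(name)
        return accepted

    def lookup(self, name):
        """Cached IP for `name`, or None if absent or its TTL has expired."""
        entry = self.records.get(name)
        if entry is None or entry[1] <= self.clock():
            self.records.pop(name, None)
            return None
        return entry[0]
```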
DNS Tunneling
DNS Tunneling is a DNS attack type that tries to smuggle important data out through the DNS without being detected: a tunnel that you don’t see, but criminals use. It is disguised as ordinary DNS queries, but those queries carry hidden data. Sensitive data can leave unnoticed, and that could cost you dearly.
Your DNS service should include DNS Protection that acts as an intelligent firewall. But in case you don’t have one, you can set up your own firewall following these steps:
You will need to have a firewall and add an access rule to block all the unwanted traffic right away. The second step is to create a protocol object in your firewall: find “Select Protocols”, choose DNS, and there should be a “DNS tunnel” entry. Select it and save.
Finally, create an application rule. Again from the settings of the firewall, you will need to specify the trusted connection and then the protocol, “DNS-Tunneling”.
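If your firewall has no built-in tunnel detector, the same idea can be applied to resolver query logs. This added example (not ClouDNS code) scores each query on the traits tunnels leave behind, long high-entropy labels and bulk-carrying record types, and reports parent domains that attract many such queries; the log format, thresholds and domain names are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample log, not real traffic: "client_ip qtype qname"
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.net
10.0.0.9 TXT 6a7b8c9d0e1f2a3b4c5d6e7f8091a2b3.t.tunnel-example.test
10.0.0.9 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.t.tunnel-example.test
10.0.0.9 TXT 0123456789abcdef0123456789abcdef.t.tunnel-example.test
10.0.0.9 TXT fedcba9876543210fedcba9876543210.t.tunnel-example.test
10.0.0.5 AAAA mail.example.com
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parent_domain(qname, levels=2):
    """Last `levels` labels, e.g. 'tunnel-example.test'."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])


def query_score(qname, qtype):
    """Count of tunnel indicators in one query (0..3); thresholds assumed."""
    longest = max(qname.rstrip(".").split("."), key=len)
    score = 0
    if len(qname) > 50:                          # unusually long name
        score += 1
    if len(longest) >= 20 and shannon_entropy(longest) > 3.5:   # random-looking label
        score += 1
    if qtype in ("TXT", "NULL"):                 # types that carry bulk data
        score += 1
    return score


def suspicious_domains(text, min_queries=3, min_score=2):
    """Parent domains with >= min_queries queries scoring >= min_score,
    mapped to the clients that sent them."""
    counts, clients = defaultdict(int), defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            client, qtype, qname = line.split()
            if query_score(qname, qtype) >= min_score:
                dom = parent_domain(qname)
                counts[dom] += 1
                clients[dom].add(client)
    return {d: sorted(clients[d]) for d, n in counts.items() if n >= min_queries}
```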
DNS Flood Attack
DNS Flood is a simple and very effective attack. The idea is to send traffic from one or many devices to the targeted server and push with substantial traffic until it drops: in a way, to flood it with information and submerge it until it drowns. If it is a single source, it is easier to manage, but it can also be a huge network of bots, which is trickier to handle.
The protection exists! It is simple: again, DDoS Protected servers, which filter the dangerous traffic. Also, have an Anycast network with a significant number of servers, which provides excellent load balancing. Currently, we have 33, which is a good number. And a traffic monitor that shows any threats in time and reacts to the traffic will help.
Distributed Reflection Denial of Service (DRDoS)
A slightly different type from the DDoS attack we just saw. In this case, not the direct queries but the answers to them go to the victim. This is the reflection.
The cybercriminals send DNS queries, but with the source IP changed to the victim’s. The servers respond and send all that traffic to the target (the modified IP). The traffic can be overwhelming and flood the target, eventually stopping it. A smurf attack is a well-known reflection attack of that kind. Sounds cute, but it isn’t.
The solution again is the same as for the DNS Flood type of attack: get DNS Protected servers. With a proper DNS plan, you will save yourself a lot of trouble. It will include monitoring of the traffic, filters for removing the unwanted requests, a load balancer for heavy traffic, and even more extras for a smooth DNS experience.
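The traffic monitoring mentioned for both the flood and the reflection case comes down to two checks, shown here as an added example (not ClouDNS code) over a constructed packet summary: a source sending more queries per second than a limit (the flood), and responses arriving at the protected address that it never requested (the reflection). The address, the limit and the record format are assumptions.

```python
from collections import defaultdict

MYSERVER = "192.0.2.53"   # assumed address of the server being protected
MAX_QPS = 3               # assumed per-source limit, tiny for the sample

# Constructed packet summary, not a real capture: "time src dst kind"
# kind is Q (query) or R (response).
SAMPLE = """\
0.00 198.51.100.9 192.0.2.53 Q
0.10 198.51.100.9 192.0.2.53 Q
0.20 198.51.100.9 192.0.2.53 Q
0.30 198.51.100.9 192.0.2.53 Q
0.40 203.0.113.4 192.0.2.53 Q
1.20 192.0.2.53 203.0.113.10 Q
1.25 203.0.113.10 192.0.2.53 R
1.30 203.0.113.11 192.0.2.53 R
1.31 203.0.113.12 192.0.2.53 R
"""


def parse(text):
    """Yield (time, src, dst, kind) per line."""
    for line in text.splitlines():
        if line.strip():
            t, src, dst, kind = line.split()
            yield float(t), src, dst, kind


def flood_sources(text, max_qps=MAX_QPS):
    """Sources that sent more than max_qps queries to MYSERVER within any
    one-second window: the single-source flood case."""
    times = defaultdict(list)
    for t, src, dst, kind in parse(text):
        if kind == "Q" and dst == MYSERVER:
            times[src].append(t)
    flagged = set()
    for src, ts in times.items():
        ts.sort()
        for i, t0 in enumerate(ts):
            if sum(1 for t in ts[i:] if t - t0 < 1.0) > max_qps:
                flagged.add(src)
                break
    return sorted(flagged)


def unsolicited_responders(text):
    """Servers whose responses reached MYSERVER although MYSERVER never
    queried them: the signature of reflected traffic."""
    asked, reflected = set(), set()
    for t, src, dst, kind in parse(text):
        if kind == "Q" and src == MYSERVER:
            asked.add(dst)
        elif kind == "R" and dst == MYSERVER and src not in asked:
            reflected.add(src)
    return sorted(reflected)
```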
Motivation behind DNS attacks
One of the most common reasons behind a DNS attack is unfair competitor behavior: attacking the competition illegally so that it suffers downtime and all its consequences. But there are more:
Extortion. You know how popular ransomware is getting? There is also DNS attack ransomware, where the cybercriminals use DDoS attacks to target a server. Once the server can no longer respond to regular connections, the attackers demand a ransom to stop the attack. Cryptocurrency has made the ransom process a lot easier.
Revenge. The reason behind the attack could be an act of personal revenge against a company, a supplier, or an individual. For example, it is not uncommon for an ex-employee to try to disturb the services of the previous employer.
DDoS-for-hire. On the Dark Web, the side of the web that you can’t see in Google, there are all kinds of illegal services for hire. People hire DDoS DNS attacks to target their competitors, bringing down their services during important periods. The attack can lead to serious losses in sales for the victim.
Cover attack. You can imagine the DNS attack as a smoke grenade: its purpose can be just a distraction. It draws attention towards fixing the DNS traffic while another attack is being conducted or malicious software is installed behind the scenes.
Notoriety. Some people want to be famous, even for their bad deeds. Getting some attention for a successful attack could be enough for some hackers.
Personal challenge. There are smart people who just want to test their knowledge. Such a person might perform an attack just to see if he or she can do it.
Cyberwarfare. Some countries use DNS attacks to target other countries, military groups, separatists, opposition, and even media sites sometimes. The goal is to silence or disrupt the communication of the targeted organization entirely.
Gamers’ wars. Gamers are very connected with technology. They use DNS attacks to hurt the scores of their competitors so that they can rise above them. They also use them to attack particular competitions and change the final results.
Hacktivism. Non-governmental organizations and individuals who want to make a point often use such tools to make noise about their cause. Freedom of speech and ecological causes are common. It can attract media attention, start an international debate, and stop the services of the targeted organization.
It is really important to know about the types of DNS attacks and how to protect yourself from them, so your business experiences fewer shocks: smooth sailing for your business. You don’t want to suffer brand damage, lawsuits that cost millions of dollars, or the loss of clients because of downtime.
ClouDNS wants to help you with that by offering outstanding DDoS Protected services. Our DNS network can withstand strong attacks and keep your servers up. You can also benefit from the DNSSEC feature, which adds an extra layer of security to the DNS, preventing spoofing attacks. Please go and check them now! Stay safe!