The DNS Attacks We’re Still Seeing
- by nlqip
When this happens, customers are seeing lots of DNS queries from a wide variety of never-seen-before addresses. Often these requests are for nonsensical domains or even ‘localhost’ addresses, as they are bot-generated as with the DNS water torture attack. Sometimes attackers will use large Internet DNS resolvers like Yahoo or Google to reflect their attacks off of, so the source addresses may originate there.
If the DNS requests that are clogging up your Internet connections aren’t landing on live addresses, you may see returning ICMP Destination Unreachable messages bouncing back out from your network, which also add to the traffic jam. In these kinds of attacks, the DNS reflection attack acts like a network-volumetric DDoS, designed to fill up your pipes with traffic rather than targeting a specific service or host.
What you can do about it
As mentioned before, preparing your response to a denial-of-service attack is prudent for any organization that depends on the Internet (which is most). It’s also important not to be part of the problem. You should make sure that you don’t have any Internet-accessible resources that could be used in a reflective DDoS attack. This includes DNS resolvers, but can also include any service that accepts unrestricted spoofable traffic from untrusted sources like memcached servers, or services like Simple Service Discovery Protocol (SSDP), Network Time Protocol (NTP), or Character Generator Protocol (CharGEN).2
Expired Domain Takeovers and Redirection
Several customers reported attacks where some of their sites suddenly began redirecting to strange, disreputable websites. A normal landing page or e-commerce site had become an advertising page for gambling sites, a fake shopping site, or even a malware drive-by page. An attacker had registered the customer’s old, expired domain name and put up bogus sites to hijack the normal customer traffic. Since many of these sites already had large numbers of visitors, this was a semi-legitimate way for scammers to scoop up free website traffic.
Unfortunately, what the attackers did with the traffic was far from legitimate. Users of the original domain were served up annoying advertisements, scam messages, click-fraud sites, or malware. In worse cases, scammers have been known to put up imposter versions of the original site to steal the login credentials or payment cards of the customers3
What you can do about it
One of the reasons this happens is that organizations lose track of the domains they own and when they expire. Ownership of the domain inventory process should be centralized to a single team or role, and the responsibility assigned to track and manage renewals. Strong authentication and the principle of least privilege should also be exercised over domain ownership. When domains are ready to be retired, there should be a planned de-platforming process which can involve forwarding to the new domain for some time period until all users are migrated.
Outbound DNS from Compromised Internal Machines
Some customers contacted the F5 SIRT because they were seeing unusual outbound DNS traffic from their internal network. Investigation revealed it to be originating from compromised workstations and servers.
Let’s face it, malware and hacks are going to happen. Detecting and responding on unusual outbound activity is exactly what we want to happen. And as quickly as possible. These customers did the right thing and were able to contain and mitigate a bad situation before it escalated into something far worse.
What you can do about it
Like those customers above, it’s essential to keep a close eye on unusual outbound traffic, whether it’s DNS or otherwise. Attackers will try to hide their tracks by exfiltrating data and commands in a variety of ways, including DNS as it’s so ubiquitous and innocuous. Another common exfiltration method to sneak out is to hide attacker command and control traffic inside TLS/SSL conversations. Without an SSL decryption solution, the victim may never see what’s going on, just a machine web surfing via HTTPS, but not what’s going on inside.
Stay Vigilant
DNS security is still an existential threat to Internet services. Therefore, it is something that needs attention and protection. These are the current common DNS attacks that we’re seeing, so you should make sure your IT and security teams are well-informed about them. Remember how DNS works and that there are three major components that need to be appraised by security: DNS servers, domain name ownership, and DNS client traffic. Attackers know these are critical weak spots that don’t get enough scrutiny. Be ready for them.
Source link
lol
When this happens, customers are seeing lots of DNS queries from a wide variety of never-seen-before addresses. Often these requests are for nonsensical domains or even ‘localhost’ addresses, as they are bot-generated as with the DNS water torture attack. Sometimes attackers will use large Internet DNS resolvers like Yahoo or Google to reflect their attacks…
Recent Posts
- Windows 10 KB5046714 update fixes bug preventing app uninstalls
- Eight Key Takeaways From Kyndryl’s First Investor Day
- QNAP pulls buggy QTS firmware causing widespread NAS issues
- N-able Exec: ‘Cybersecurity And Compliance Are A Team Sport’
- Hackers breach US firm over Wi-Fi from Russia in ‘Nearest Neighbor Attack’