A cybercriminal’s guide to exploiting DNS
By Ken Pohniman February 1, 2016
- Without DNS, the Internet stops working like it should
- And that’s great news for some people
Most people with online connections are happy using the Internet for ‘traditional’ applications: sending email, watching videos, buying books, or keeping up with friends and family.
But for the elite group of cybercriminals, hackers and other Internet super-users, the Web has much more to offer. For them, the Internet is nothing less than a vast collection of vulnerabilities waiting to be tapped.
Enterprising Web cybercriminals understand and exploit the Domain Name System (DNS). DNS represents the absolute cutting edge in what might be politely described as ‘Web vulnerability entrepreneurship.’
It’s where the best and the brightest, not to mention the best and the baddest, are spending their time.
While other forms of vulnerability exploitation have been declining due to increased ‘awareness’ by security software providers and others, DNS-based exploits are on the rise, up 200% between 2012 and 2013, according to one study, faster than any other category.
DNS is now the second-most-common vector of Internet exploits, behind only the venerable HTTP.
Cybercriminals are experts at DNS, and can exploit DNS because most people do not fully understand it yet.
The first step towards mitigating DNS attacks is to understand how DNS works.
The Internet’s ‘Directory Assistance’
Remember ‘directory assistance’ for the telephone system, when it was controlled by the phone company?
Imagine the havoc you could have wreaked if you seized control of it. You could have given out your own phone number to anyone who wanted the number of a competitor. Or, you could tell the operators to give the same number to everybody, regardless of what number they asked for, effectively putting that phone out of commission.
That’s essentially what cybercriminals are able to do with the DNS. DNS provides the numerical Internet Protocol (IP) address of a server to someone who only knows the server’s domain name. It’s the Web equivalent of looking up a phone number.
There are many different kinds of DNS servers. Some will answer queries from just about anyone; others will only talk to a small number of other machines. Some are high-end devices operated by elite Internet service providers (ISPs). Others are run by businesses in connection with their Web operations.
As with everything else on the Web, some of these servers are going to be less carefully maintained than others, and thus much more easily exploitable.
In the belly of the beast
There are dozens of DNS attacks to choose from, with new ones being added all the time, and traditional ones improved to preserve or increase their effectiveness.
Here are overviews of the two most common DNS attacks: cache poisoning, and DNS amplification and reflection.
These attacks either re-route ‘legitimate’ Internet traffic to servers that the attackers control, or flood servers with so much traffic that the targeted websites are effectively taken offline.
What cybercriminals do next is limited only by their ‘entrepreneurial’ imagination.
Cache poisoning is the functional equivalent of getting a directory assistance operator to give out phone numbers of the cybercriminal’s choice.
Cybercriminals substitute the real IP address of a website with an IP address of their choosing – presumably a server they can control.
This is one of the most popular DNS attacks, and new methods for cache poisoning are being invented all the time.
With cache poisoning, cybercriminals can design the ‘fake’ page to be anything they want it to be. It can convey a message, or, with a little bit of extra work, it can look exactly like the homepage for, say, a bank – asking for a username and password which it will promptly collect.
Cache poisoning is a good example of how DNS exploits have evolved over time to escape detection and thus make the exploits even more powerful.
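The ‘directory assistance’ defence against the substitution described above is the bailiwick rule: a caching resolver only keeps records whose names fall within the zone it actually asked about, so a reply cannot plant an address for an unrelated domain. The following is an added illustration of that check, not code from the article or from Infoblox; the zone, names and addresses are constructed.

```python
# Added example (not from the article): a minimal in-bailiwick filter, the
# check a caching resolver applies before it caches records carried in a
# response. A record is accepted only when its owner name is the queried
# zone itself or a name below it. All names and addresses are constructed.

def normalize(name):
    """Lower-case and strip the trailing dot so comparisons are uniform."""
    return name.rstrip(".").lower()

def in_bailiwick(owner, zone):
    """True if `owner` is `zone` or a subdomain of it."""
    owner, zone = normalize(owner), normalize(zone)
    return owner == zone or owner.endswith("." + zone)

def filter_response(zone, records):
    """Split (owner, rtype, rdata) records into cacheable and rejected lists."""
    accepted, rejected = [], []
    for rec in records:
        (accepted if in_bailiwick(rec[0], zone) else rejected).append(rec)
    return accepted, rejected

# Constructed reply to a query sent to the servers for example.com. The last
# two records attempt to plant an address and a nameserver for a different
# domain; a resolver applying the bailiwick rule discards them unseen.
RESPONSE = [
    ("www.example.com.", "A", "192.0.2.10"),
    ("example.com.", "NS", "ns1.example.com."),
    ("ns1.example.com.", "A", "192.0.2.53"),
    ("www.bank.example.net.", "A", "198.51.100.7"),   # out of bailiwick
    ("example.net.", "NS", "ns1.example.com."),       # out of bailiwick
]

if __name__ == "__main__":
    ok, bad = filter_response("example.com", RESPONSE)
    print(f"cached {len(ok)} records, discarded {len(bad)} out-of-bailiwick records")
```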
DNS amplification and reflection
A Denial of Service attack can be done the hard way or the easy way. The hard way might be to painstakingly assemble a huge botnet of infected computers, and then have each machine send some sort of traffic to the targeted website.
The easy way is to let DNS do the work for the cybercriminals. This is what happens with DNS amplification and reflection.
In a ‘normal’ DNS request, users tell a DNS server two things: The name of the web server they need an address for, and the IP address to send the information to – which would normally be the user’s IP address.
In a DNS amplification exploit, small changes are made to both of those items, and the results can be dramatic.
Once the DNS server has been tricked into sending out far more data than it usually does, it has also been tricked into sending all of that data to the forged return address, which belongs to the target.
A little imagination should show how devastating the combination can be.
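The two changes described above leave a signature in a resolver's own query log: a stream of questions whose answers are many times their size, all ‘from’ one address that is really the target's. The script below is an added example, not from the article or Infoblox, that reads a constructed log in an assumed `client qname qtype request_bytes response_bytes` layout and flags sources that fit that pattern.

```python
# Added example (not from the article): spotting reflection/amplification
# traffic in a resolver's query log. Because the source address in such
# queries is forged, the address flagged is the reflection target, not the
# attacker; the operator's response is to rate-limit answers to it rather
# than to block a 'client'. Log layout and all values are constructed.
from collections import defaultdict

# Constructed log lines: "client qname qtype request_bytes response_bytes"
LOG = """\
198.51.100.9 example.com ANY 45 3100
198.51.100.9 example.com ANY 45 3100
198.51.100.9 example.com ANY 45 3100
198.51.100.9 example.com ANY 45 3100
198.51.100.9 example.com ANY 45 3100
192.0.2.44 www.example.com A 49 65
192.0.2.44 mail.example.com MX 50 110
203.0.113.7 example.org TXT 44 60
"""

def summarize(log_text):
    """Aggregate per-source query count and bytes received/sent."""
    stats = defaultdict(lambda: {"queries": 0, "in": 0, "out": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _qname, _qtype, req, resp = line.split()
        entry = stats[client]
        entry["queries"] += 1
        entry["in"] += int(req)
        entry["out"] += int(resp)
    return stats

def amplification_factor(entry):
    """Bytes sent back divided by bytes received for one source."""
    return entry["out"] / entry["in"] if entry["in"] else 0.0

def flag_reflection(log_text, min_factor=10.0, min_queries=5):
    """Return {source: factor} for sources with high factor and high volume."""
    flagged = {}
    for client, entry in summarize(log_text).items():
        factor = amplification_factor(entry)
        if factor >= min_factor and entry["queries"] >= min_queries:
            flagged[client] = round(factor, 1)
    return flagged

if __name__ == "__main__":
    for target, factor in flag_reflection(LOG).items():
        print(f"{target}: {factor}x amplification, likely reflection target")
```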
A final note
It should be obvious by now that DNS attacks are relatively simple to carry out, and have the potential to give cybercriminals superhero powers to disrupt targeted websites.
DNS attacks are a rapidly evolving field, and approaches that are popular today might not be effective tomorrow.
For cybercriminals, it’s always possible that effective ‘security’ products will drastically reduce, or even eliminate, DNS attacks. But until that occurs, we are living in something of a Golden Age for DNS attacks.
Ken Pohniman is Asean general manager at Internet/networking technology company Infoblox.