How to Protect Your Company From the Top 10 DNS Attacks

Browsing the internet is such an everyday activity that we barely think about it: we type a name into the browser and it does the rest of the work. This is possible thanks to the Domain Name System (DNS).


DNS translates domain names into their respective Internet Protocol (IP) addresses. Despite being so central to everything else, DNS is exposed to many attacks, and a large share of them are made possible by configuration errors such as resolvers that answer recursive queries from anyone on the internet.

10 DNS Attacks Companies Must Know

There are many types of DNS attacks, and they target thousands of companies and systems around the world every day. Read on to learn about the threats your DNS may face and how to prevent them. Good reading!


1. Distributed Reflection DoS (DRDoS) attack

Imagine a stream of forged queries, crafted to provoke very large responses, sent to many open recursive resolvers with the source address spoofed to be the victim's. That is how this attack works: third-party resolvers or authoritative DNS servers answer the victim instead of the attacker and become unwitting accomplices.


Its damage hits en masse: many machines send the spoofed queries at the same time, and the reflected responses can add up to hundreds of gigabits per second or more, all aimed at the victim.


2. Cache poisoning

This attack inserts forged records into a resolver's cache, so that lookups for a legitimate name are answered with an IP address controlled by the criminal. Every user of the poisoned resolver is then sent to the attacker's page, where they are prompted to enter confidential information (document numbers, credit cards, logins and passwords, among others).


Despite being conceptually simple, it can do a lot of damage: if the user is trying to reach their bank's website, for example, the poisoned entry stays in the cache (the temporary memory that makes browsing faster) until its TTL expires, and every lookup during that time returns the attacker's address. Since the fake page looks the same as the real one, the trap is hard to recognize.
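To make the mechanics concrete, here is an added example (not code from the original article) of the checks a recursive resolver applies before it caches a reply: the transaction ID and source port must match an outstanding question, the question name must match byte for byte (0x20 case randomization), and records outside the bailiwick of the zone queried are discarded. The resolver, the attacker loop and the names (victim.example, example.com, 203.0.113.66) are constructed for illustration.

```python
import random


def in_bailiwick(owner: str, zone: str) -> bool:
    """A record may be cached only if its owner name is at or below the zone queried."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


class Resolver:
    """Toy recursive resolver: tracks outstanding questions and caches matching replies."""

    def __init__(self, seed: int = 0):
        self.rng = random.Random(seed)   # fixed seed so the example is reproducible
        self.pending = {}                # (txid, source port) -> (name as sent, zone)
        self.cache = {}                  # (owner, rtype) -> rdata

    def ask(self, qname: str, zone: str):
        """Send a question to the authoritative server for `zone`; returns the wire parameters."""
        txid = self.rng.getrandbits(16)                  # 16-bit transaction ID
        sport = self.rng.randint(1024, 65535)            # randomized source port
        # 0x20 encoding: random case in the question; the reply must echo it exactly
        wire_name = "".join(c.upper() if self.rng.getrandbits(1) else c for c in qname)
        self.pending[(txid, sport)] = (wire_name, zone)
        return txid, sport, wire_name

    def reply(self, txid: int, dport: int, qname: str, records) -> int:
        """Process a reply; returns how many records were cached (0 means it was rejected)."""
        entry = self.pending.get((txid, dport))
        if entry is None or entry[0] != qname:
            return 0                                     # txid, port or case mismatch: forged reply dropped
        del self.pending[(txid, dport)]
        zone = entry[1]
        cached = 0
        for owner, rtype, rdata in records:
            if not in_bailiwick(owner, zone):
                continue                                 # out-of-bailiwick data is never cached
            self.cache[(owner.lower(), rtype)] = rdata
            cached += 1
        return cached


def forged_reply_attack(resolver: Resolver, tries: int, seed: int = 1) -> bool:
    """Attacker floods forged replies for a name under victim.example, guessing txid and port,
    trying to plant NS/A records for the whole zone. Returns True if any forgery was cached."""
    rng = random.Random(seed)
    resolver.ask("r1.victim.example", "victim.example")  # the attacker cannot see these values
    forged = [("victim.example", "NS", "ns.victim.example"),
              ("ns.victim.example", "A", "203.0.113.66")]
    for _ in range(tries):
        if resolver.reply(rng.getrandbits(16), rng.randint(1024, 65535), "r1.victim.example", forged):
            return True
    return False


def guess_space(randomize_port: bool, case_letters: int) -> int:
    """Number of (txid, port, case) combinations a blind attacker must cover."""
    return 65536 * (64512 if randomize_port else 1) * (2 ** case_letters)
```

With only the 16-bit transaction ID to guess, an attacker needs on the order of 65,536 forged packets per race; port randomization multiplies that by roughly 64,512, and 0x20 encoding by 2 for every letter in the name. DNSSEC validation (see the protection section) closes the remaining gap, because a forged reply cannot carry a valid signature even when it wins the race.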


3. SYN flood

The idea is to cause a direct overload of the transport layer and an indirect one of the application layer. The attacker sends a sequence of SYN requests to the system. Normally, when the server receives a client's SYN, the two exchange three messages (the 3-way handshake: SYN, SYN-ACK, ACK).


In the attack the handshake is deliberately left incomplete: the final ACK never arrives, because the source addresses were spoofed or the attacker simply ignores the SYN-ACK, while new forged SYNs keep coming. The half-open connections fill the connection queue (or consume capacity in software licensed per connection, which counts them as active connections). Unable to accept further connections, the server stops responding to new requests from legitimate users. DNS servers are hit through their TCP listener, which is needed for large responses and zone transfers.
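The standard defence is SYN cookies: instead of storing a half-open connection, the server encodes a keyed hash of the connection's 4-tuple into the initial sequence number it sends back, and only allocates state when the final ACK proves the client really saw the SYN-ACK. The following added example (not from the article) models both a stateful listener with a bounded backlog and a stateless one using cookies in the Linux layout (5-bit time counter, 3-bit MSS index, 24-bit MAC). The secret key, the addresses and the flood are constructed; a real TCP stack derives the key at boot and rotates the counter every minute.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"      # constructed; a real stack derives and rotates this
MSS_TABLE = (536, 1300, 1440, 1460)      # MSS classes encodable in 3 bits


def _mac(src, sport, dst, dport, counter) -> int:
    """24-bit keyed hash binding the 4-tuple and the 5-bit time counter."""
    msg = f"{src}:{sport}>{dst}:{dport}@{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, sport, dst, dport, counter, mss=1460) -> int:
    """Server ISN = 5-bit counter | 3-bit MSS index | 24-bit MAC; nothing is stored."""
    counter &= 0x1F
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    return (counter << 27) | (mss_idx << 24) | _mac(src, sport, dst, dport, counter)


def check_syn_cookie(cookie, src, sport, dst, dport, now_counter, max_age=3):
    """Return the MSS encoded in a valid, fresh cookie, or None if it is forged or expired."""
    counter, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if (now_counter - counter) & 0x1F > max_age:
        return None                                    # too old: replayed ACK
    if mss_idx >= len(MSS_TABLE) or mac != _mac(src, sport, dst, dport, counter):
        return None                                    # MAC mismatch: ACK was not earned
    return MSS_TABLE[mss_idx]


class Listener:
    """TCP listener modelled two ways: stateful backlog or stateless SYN cookies."""

    def __init__(self, backlog, use_cookies=False, counter=0):
        self.backlog, self.use_cookies, self.counter = backlog, use_cookies, counter
        self.half_open = {}          # 4-tuple -> ISN; only the stateful mode keeps this
        self.established = set()

    def on_syn(self, src, sport, dst="203.0.113.10", dport=53, mss=1460):
        """Returns the ISN placed in the SYN-ACK, or None if the SYN had to be dropped."""
        key = (src, sport, dst, dport)
        if self.use_cookies:
            return make_syn_cookie(src, sport, dst, dport, self.counter, mss)
        if len(self.half_open) >= self.backlog:
            return None              # backlog full of half-open connections
        self.half_open[key] = _mac(src, sport, dst, dport, 0)   # any unpredictable ISN will do
        return self.half_open[key]

    def on_ack(self, src, sport, ack, dst="203.0.113.10", dport=53) -> bool:
        """Third handshake packet; ack must be the server ISN + 1."""
        key = (src, sport, dst, dport)
        if self.use_cookies:
            if check_syn_cookie(ack - 1, src, sport, dst, dport, self.counter) is None:
                return False
        else:
            if self.half_open.get(key) != ack - 1:
                return False
            del self.half_open[key]
        self.established.add(key)    # state is allocated only now
        return True


def flood_then_connect(use_cookies, flood=500, backlog=128) -> bool:
    """Spoofed SYNs that never complete; can a real client still connect afterwards?"""
    srv = Listener(backlog, use_cookies)
    for i in range(flood):                                   # constructed spoofed sources
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i)
    isn = srv.on_syn("192.0.2.7", 40000)
    return isn is not None and srv.on_ack("192.0.2.7", 40000, isn + 1)
```

On Linux the equivalent switch is `net.ipv4.tcp_syncookies`, enabled by default on modern kernels; it only kicks in once the backlog overflows, so raising `net.ipv4.tcp_max_syn_backlog` and the listener's backlog still matters for normal load.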


4. DNS hijacking

While trying to reach a legitimate website, the user is redirected to a fake address: the domain's registration data or the client's resolver settings have been altered to point at a fake or attacker-controlled DNS server.


Widely used by malware on computers and, on home networks, directly on routers (by changing the DNS servers the router hands out), it presents a website very similar to the real one, but controlled by the scammer in order to obtain logins, passwords and other data.


5. Basic NXDOMAIN

In this type of attack, the main actors are nonexistent domain names (those that produce NXDOMAIN responses). The attacker sends a flood of queries for such names to the DNS server; the recursive server tries to locate them, fails, and fills its cache with negative (NXDOMAIN) results.


As the cache fills with useless entries, name resolution requires more machine resources, and the response time for legitimate requests to the DNS server increases.


6. Ghost domain

In this attack, also known as a phantom domain attack, the attacker sets up several domains whose name servers never respond, or respond very slowly, and forces the resolver to resolve names under them. The server keeps resources tied up waiting for responses, which inevitably degrades performance or causes pending queries to fail.


7. DNS tunneling

This technique uses DNS queries and responses as a covert channel to hide communication and bypass the firewall, since outbound DNS is almost always allowed. Data is encoded into the subdomain labels of queries for a domain the attacker controls, and commands come back in the responses (often TXT records). The attacker can then exfiltrate information or deliver new code to existing malware. It is also used to bypass captive portals and thus avoid paying for Wi-Fi services.
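The following added example (not from the article) shows both sides of the problem: a minimal encoder that turns a payload into the kind of query names a tunnelling client emits, and a detector that scores resolver log lines on the length and entropy of the subdomain part and on how many distinct names a single domain receives. The payload, the domain exfil.example, the log format (time, client, type, name) and the use of the last two labels as the "registered domain" are all assumptions made for the example.

```python
import base64
import math
from collections import defaultdict


def tunnel_encode(data: bytes, domain: str, chunk: int = 30) -> list:
    """Split data into chunks, base32 them and emit one query name per chunk (what tunnel clients do)."""
    names = []
    for seq, i in enumerate(range(0, len(data), chunk)):
        b32 = base64.b32encode(data[i:i + chunk]).decode().rstrip("=").lower()
        labels = [b32[j:j + 63] for j in range(0, len(b32), 63)]   # a label may not exceed 63 octets
        names.append(".".join([format(seq, "x")] + labels + [domain]))
    return names


def tunnel_decode(names: list, domain: str) -> bytes:
    """Server side: strip the domain, reorder by sequence label and base32-decode."""
    chunks = {}
    for name in names:
        labels = name[: -len(domain) - 1].split(".")
        b32 = "".join(labels[1:]).upper()
        chunks[int(labels[0], 16)] = base64.b32decode(b32 + "=" * (-len(b32) % 8))
    return b"".join(chunks[k] for k in sorted(chunks))


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registered_domain(qname: str) -> str:
    """Assumption for the example: last two labels (a real tool would use the public suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def is_suspicious(qname: str, min_len: int = 30, min_entropy: float = 3.0) -> bool:
    """Long, high-entropy subdomain part: hostnames rarely look like that, encoded payloads always do."""
    sub = qname.lower().rstrip(".")[: -len(registered_domain(qname)) - 1]
    return len(sub) >= min_len and entropy(sub.replace(".", "")) >= min_entropy


def detect_tunnels(log_lines, min_unique: int = 5):
    """Flag domains that receive many unique suspicious names (each payload chunk is a fresh name)."""
    seen = defaultdict(set)
    for line in log_lines:
        _time, _client, _qtype, qname = line.split()
        if is_suspicious(qname):
            seen[registered_domain(qname)].add(qname)
    return sorted(d for d, names in seen.items() if len(names) >= min_unique)


# Constructed payload and constructed resolver log lines: four benign lookups, then the tunnel
PAYLOAD = b"user=alice;pass=hunter2;card=4111-1111-1111-1111;" * 3
SAMPLE_LOG = [
    "10:00:01 10.0.0.5 A www.example.com",
    "10:00:02 10.0.0.5 A mail.google.com",
    "10:00:03 10.0.0.6 A cdn-1.static.example.net",
    "10:00:04 10.0.0.7 AAAA api-gateway-prod-01.internal.example.com",
] + [f"10:00:{5 + i:02d} 10.0.0.9 TXT {n}" for i, n in enumerate(tunnel_encode(PAYLOAD, "exfil.example"))]
```

The per-name heuristics alone produce false positives (CDN and anti-spam services legitimately use long hashed labels), which is why the detector only raises a domain once it has seen several distinct suspicious names; a production rule would also look at the TXT/NULL query ratio and at bytes per client per domain over time.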


8. Random subdomain

This attack causes extreme slowness in the targeted authoritative server. The criminal sends a huge number of queries, through many open or customer-facing resolvers, for non-existent, randomly generated subdomains of the victim's domain. No cache can help, because each name is new, so every query reaches the authoritative server. The recursive servers in the middle wait for authoritative responses that never come and exhaust their limit of pending queries, so they suffer as well.


9. Domain lock-up

Attacker-controlled domains, when contacted by DNS resolvers, keep them busy by answering with random packets or by trickling a response very slowly, deliberately staying just short of the resolver's timeout. The resolver's resources remain tied up in these connections with bogus domains and are eventually exhausted.
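Attacks 5, 6, 8 and 9 all exploit the same scarce resource: the bounded table of upstream fetches a recursive server can have in flight. The following added example (not from the article) is a small discrete-time model of that table. Each tick an attack burst for names under an unresponsive zone arrives ahead of one legitimate query for a zone that answers promptly; with no per-zone limit the attack keeps the table full and the legitimate user is refused, while a per-zone cap (loosely modelled on BIND's fetches-per-zone option) leaves room for everyone else. Zone names, rates and limits are constructed.

```python
from collections import Counter


class RecursiveResolver:
    """Recursive resolver model: a bounded table of outstanding upstream fetches."""

    def __init__(self, max_pending: int, timeout: int, fetches_per_zone: int = None):
        self.max_pending, self.timeout, self.fetches_per_zone = max_pending, timeout, fetches_per_zone
        self.pending = []              # (deadline, zone, legit)
        self.per_zone = Counter()      # outstanding fetches per zone
        self.legit_ok = self.legit_dropped = 0

    def submit(self, zone: str, legit: bool, now: int) -> bool:
        """Accept a client query that needs an upstream fetch, or refuse it (SERVFAIL)."""
        cap = self.fetches_per_zone
        if len(self.pending) >= self.max_pending or (cap is not None and self.per_zone[zone] >= cap):
            if legit:
                self.legit_dropped += 1
            return False
        self.pending.append((now + self.timeout, zone, legit))
        self.per_zone[zone] += 1
        return True

    def tick(self, now: int, responsive: set):
        """Deliver answers from responsive zones; expire fetches to zones that never answer."""
        still = []
        for deadline, zone, legit in self.pending:
            if zone in responsive:
                if legit:
                    self.legit_ok += 1
                self.per_zone[zone] -= 1
            elif now >= deadline:
                self.per_zone[zone] -= 1   # timed out; the slot is finally freed
            else:
                still.append((deadline, zone, legit))
        self.pending = still


def simulate(ticks=30, attack_rate=50, max_pending=100, timeout=10, fetches_per_zone=None):
    """Each tick: a burst of attack queries for fresh names under an unresponsive zone (random
    subdomain / phantom domain style), then one legitimate query for a zone that answers next tick."""
    r = RecursiveResolver(max_pending, timeout, fetches_per_zone)
    for now in range(ticks):
        r.tick(now, {"bank.example"})
        for _ in range(attack_rate):
            r.submit("victim.example", legit=False, now=now)   # e.g. <random>.victim.example
        r.submit("bank.example", legit=True, now=now)
    r.tick(ticks, {"bank.example"})
    return r.legit_ok, r.legit_dropped
```

Without the cap the model returns one served legitimate query and 29 refused; with `fetches_per_zone=20` all 30 are served, because the attacker can never hold more than 20 of the 100 slots no matter how fast it sends. The same reasoning applies to a per-server cap for domain lock-up, where the slow server rather than the zone is what needs bounding.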


10. DNS amplification

The attacker sends queries to open DNS servers (or to authoritative servers) using a forged source IP, the victim's, and asks for record types that produce large answers. It is a Distributed Denial of Service (DDoS) attack: the servers send their responses, many times larger than the queries, straight to the victim. On a large scale, such an attack can bring down servers and saturate links.
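The amplification in attacks 1 and 10 comes from a small query producing a large answer, and from EDNS0 letting the attacker ask for replies far bigger than the classic 512-byte UDP limit. The following added example (not from the article) builds a real wire-format query with and without an EDNS0 OPT record, answers it from a constructed zone with the large TXT and DNSKEY records that make ANY queries so rewarding, and computes the byte ratio. The zone content, the name example.test and the record sizes are constructed for the example.

```python
import struct

TYPE_A, TYPE_TXT, TYPE_DNSKEY, TYPE_OPT, TYPE_ANY = 1, 16, 48, 41, 255


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero octet."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234, edns_bufsize: int = 4096) -> bytes:
    """Client query; with EDNS0 the OPT pseudo-record advertises how large a UDP reply we accept."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_bufsize else 0)   # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0) if edns_bufsize else b""
    return header + question + opt


def parse_query(query: bytes):
    """Return (txid, raw question section, qtype, advertised UDP payload size or None)."""
    txid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", query[:12])
    off = 12
    while query[off]:                   # a query name is never compressed
        off += 1 + query[off]
    off += 1
    qtype = struct.unpack("!H", query[off:off + 2])[0]
    question = query[12:off + 4]
    off += 4
    bufsize = None
    if ar and query[off] == 0 and struct.unpack("!H", query[off + 1:off + 3])[0] == TYPE_OPT:
        bufsize = struct.unpack("!H", query[off + 3:off + 5])[0]   # OPT "class" field
    return txid, question, qtype, bufsize


def build_response(query: bytes, zone: list) -> bytes:
    """Authoritative answer: every matching record, or TC=1 with no answers if it exceeds the buffer."""
    txid, question, qtype, bufsize = parse_query(query)
    answers = [(t, rd) for t, rd in zone if qtype in (t, TYPE_ANY)]
    # 0xC00C is a compression pointer to the name in the question section
    body = b"".join(struct.pack("!HHHIH", 0xC00C, t, 1, 3600, len(rd)) + rd for t, rd in answers)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0) if bufsize else b""
    arcount = 1 if bufsize else 0
    full = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, arcount) + question + body + opt
    if len(full) <= (bufsize or 512):
        return full
    # Too big for UDP: QR|TC|RD|RA, no answers; a real client retries over TCP, a spoofed victim cannot
    return struct.pack("!HHHHHH", txid, 0x8380, 1, 0, 0, arcount) + question + opt


def is_truncated(response: bytes) -> bool:
    return bool(struct.unpack("!H", response[2:4])[0] & 0x0200)


def amplification_factor(query: bytes, response: bytes) -> float:
    return len(response) / len(query)


def txt_rdata(s: bytes) -> bytes:
    """TXT RDATA is one or more <length><chars> strings of at most 255 octets each."""
    return bytes([len(s)]) + s


ZONE = [   # constructed zone content for example.test
    (TYPE_A, bytes([192, 0, 2, 10])),
    (TYPE_TXT, txt_rdata(b"v=spf1 " + b"ip4:192.0.2.0/24 " * 11 + b"-all")),
    (TYPE_TXT, txt_rdata(b"v=DKIM1; k=rsa; p=" + b"A" * 180)),
    (TYPE_DNSKEY, b"\x01\x01\x03\x08" + bytes(256)),   # KSK flags, alg 8, placeholder key bytes
    (TYPE_DNSKEY, b"\x01\x00\x03\x08" + bytes(256)),   # ZSK flags, alg 8, placeholder key bytes
]
```

With the constructed zone a 41-byte ANY query with EDNS0 yields a 1023-byte reply, a factor of about 25, whereas the same query without EDNS0 only gets a 30-byte truncated reply and an A query gets a 57-byte one. That is why mitigations target exactly these levers: response rate limiting and refusing or minimizing ANY answers on authoritative servers, closing open resolvers, and ingress filtering of spoofed sources at the network edge (BCP 38).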


How to Protect Your DNS

Protecting DNS depends on a set of solutions and practices that vary from company to company. To begin, review the default settings of the firewall and router, harden them, and then enforce them. Other actions that help:


Updated systems

It is essential that all software (including antivirus software) and operating systems involved in the DNS service are kept up to date with all security fixes applied.


Domain account

It is important to enable two-factor authentication (a hardware token or one-time codes) on the account used to manage the domain. Some registrars also allow DNS changes to be locked (registrar lock) and access to the administrative panel to be restricted to certain IP addresses.


DNSSEC

Enabling DNSSEC adds an extra layer of security. It reduces the risk of manipulated data because it guarantees the authenticity and integrity of records: the zone owner signs them, and validating resolvers verify the signatures against the published public keys, rejecting forged answers such as those injected by cache poisoning. Note that DNSSEC does not encrypt queries, so it provides no confidentiality.


Access Control List (ACL)

Some DNS software allows you to use ACLs to block or limit access by IP, for example restricting recursion to your own networks so the server cannot be used as an open resolver in reflection attacks. If this configuration is available, it is important to use it.


Infrastructure

One way to keep the recursive server from being compromised is to separate the roles of recursive and authoritative servers onto different instances. It is also advisable to block outbound DNS on the firewall so that only the recursive server can connect externally; any other host trying to reach port 53 outside then stands out, which makes tunnelling and hijacked client settings easier to spot.
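As an added example (not configuration from the article), the ACL and role separation described above look like this in BIND 9. The two sections are separate named.conf files for two separate instances; the address ranges and the zone name are assumptions.

```conf
// ---- Instance 1: recursive resolver, reachable only from internal networks ----
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };   // assumed internal ranges

options {
    directory "/var/cache/bind";
    listen-on { 10.0.0.53; };              // assumed internal address
    recursion yes;
    allow-recursion { internal; };         // never "any": an open resolver is a reflector
    allow-query { internal; };
    allow-query-cache { internal; };
    dnssec-validation auto;                // validate signatures, drop forged answers
    fetches-per-zone 20;                   // bound outstanding fetches to one zone
    fetches-per-server 50;                 // and to one unresponsive server
};

// ---- Instance 2: authoritative server for the public zone, never recurses ----
options {
    directory "/var/cache/bind";
    listen-on { 203.0.113.10; };           // assumed public address
    recursion no;                          // authoritative-only: no cache to poison
    allow-query { any; };
    allow-transfer { 203.0.113.11; };      // assumed secondary only
    rate-limit { responses-per-second 10; };   // RRL limits use as an amplifier
};

zone "example.com" { type master; file "zones/db.example.com"; };
```

The firewall rule that completes the picture allows UDP and TCP port 53 outbound only from 10.0.0.53 and drops it from every other internal host.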
