2020/06/18 23:19:29

Attacks on DNS servers

There are a number of DNS server implementations: BIND, Microsoft DNS Server, OpenDNS and others. All of them need protection. If an attacker compromises a DNS server, its users walk into a trap without even suspecting it.


Why DNS attacks are dangerous

DNS attacks can be divided, somewhat arbitrarily, into two categories.

The first category is attacks that exploit vulnerabilities in DNS servers. These attacks carry the following dangers:

  • First, as a result of a DNS attack the user risks not reaching the intended page: when the user enters a website address, the compromised DNS server redirects the request to a false page.
  • Second, once the user has been redirected to a false IP address, the attacker can gain access to the user's personal information, and the user will not even suspect that the information has been disclosed.

The second category is DDoS attacks that make the DNS server inoperable. When the DNS server is unavailable, the user cannot reach the intended page because the browser cannot find the IP address corresponding to the entered website address. DDoS attacks on DNS servers can succeed either because the DNS server itself has insufficient capacity or because the communication channel has insufficient bandwidth. DDoS attacks of the second type can potentially reach 70 Gbps when techniques such as DNS amplification are used.

Incidents

From Radware's 2013 Global Application and Network Security Report


In October 2002, unknown attackers attempted to DDoS 10 of the 13 top-level (root) DNS servers.

In December 2009, the Twitter service was unavailable to users for about an hour because its DNS record had been substituted. The action was political: instead of the social network's interface, the home page displayed warnings from Iranian hackers about American aggression.

In 2009, attackers tried to disrupt the operation of at least two root DNS servers.

2012 was the year of DNS attacks. Although DNS attacks have been known for a long time, in 2012 they occurred much more often than usual and, more importantly, became more sophisticated and had more serious consequences.

Why did DNS attacks grow in popularity? The answer can be found by studying the recent history of DoS/DDoS attacks. Although DoS/DDoS attacks appeared together with the Internet itself, they took the leading position among attacks from the second half of 2010, in particular after the Anonymous group chose them as its main method of attack. At first, organizations were not prepared to defend themselves at all, and any attack achieved its goal.

The situation changed by the end of 2011, when organizations began to deploy DoS/DDoS mitigation systems. This pushed attackers to look for ways around the protective systems using more sophisticated attack vectors, and in this situation the DNS server became a convenient target. Analysis of the attacks of 2012 shows that the number of DNS attacks grew by 170% compared with 2011. Nearly half of them were sophisticated attacks using reflection of queries or recursive queries, and carrying them out does not even require the target organization to have a DNS server of its own.

DNS attacks illustrate how the DoS/DDoS field as a whole is developing. Despite the common naive perception that a DoS/DDoS attack is effective only if it crudely sends a large volume of traffic, DNS attacks prove the opposite. Sophisticated DNS attacks can be asymmetric: powerful and destructive at a rather low rate and intensity. This growing complexity is not specific to DNS attacks but is a common feature of the evolution of DoS/DDoS attacks.

In 2012, large-scale DNS attacks were carried out against the following prominent organizations:

  • In August 2012, AT&T suffered a DDoS attack that disabled the company's DNS servers at two sites. During the attack, which lasted at least 8 hours, the AT&T website was unavailable to users. More critically, the commercial websites hosted in the AT&T network were also unavailable.
  • On November 10, 2012, GoDaddy, the largest hosting provider and domain name registrar, suffered a DNS flood attack that damaged millions of domains on the Internet. Not only the domain www.godaddy.com but also every domain registered through GoDaddy that used its name servers was unavailable, and their DNS records could not be resolved.
  • On March 31, hacktivists from the Anonymous group threatened to take down the entire Internet with an attack on the 13 root DNS servers. The group planned to use "amplified reflection" of DNS queries and released the Ramp utility, developed to harness the resources of a large number of Internet service providers' and other corporate DNS servers in order to take the root servers out of service. In the end the attack did not take place, but the sophisticated plan (see the section "The attack by means of reflected DNS queries" below) had destructive potential.

[Image: Attack by means of reflected DNS queries]

Attack statistics worldwide

2020: India becomes the leader in DNS attacks

In mid-June 2020 the cyber security company EfficientIP published a report on DNS attacks according to which India had become the leader in this type of cyberthreat. The country recorded the largest number of such attacks, 12.13 per organization, and Indian firms lost at least $784,000.

Hackers stole confidential customer information from nearly 27% of Indian companies, whereas in the rest of the world this share was 16%. As a result of the attacks, cloud service downtime in the country reached 65%.

"During an era of key IT initiatives such as IoT, Edge, SD-WAN and 5G, DNS protection should play a much bigger role in the security ecosystem," says Ronan David, vice president for strategy at EfficientIP. "The COVID-19 pandemic has aggravated these problems, as downtime of any network or application now has serious consequences for business."

DNS spoofing, also known as DNS cache poisoning, is a form of attack on computer networks in which the attacker alters data in the domain name cache in order to return a false IP address. This results in a man-in-the-middle attack through the attacker's computer (or any other computer). The consequences of such attacks can seriously shake a company's financial position and even sink the business entirely. The specialists who prepared the report believe that ensuring the availability and integrity of the DNS service should be a priority for any organization.

Around the world, 79% of organizations have been subjected to DNS attacks at some point, each attack costing on average $924,000. In 2020 about 9.5 attacks per organization were recorded. The report also notes that the share of enterprises affected by cloud service downtime increased from 41% in 2019 to 50% in 2020, while 25% of companies do not analyze their DNS traffic at all.[1]

Types of attacks

The main reason DNS systems are so exposed to threats is that they work over the UDP protocol, which is more vulnerable than TCP.

There are several methods of attacking DNS. The first is creating a fraudulent DNS server by intercepting a query. The mechanism is very simple. The attacker waits for a DNS query from the victim's computer. Having received the query, the attacker takes the IP address of the requested host from the intercepted packet and then generates a packet in which he poses as the target DNS server. Generating the response packet is also simple: in the DNS server IP field of the false answer the attacker gives the victim his own IP. Now the victim's computer accepts the attacker as the real DNS server. When the client sends the next packet, the attacker replaces the sender's IP address in it and forwards it to the DNS server. As a result, the DNS server believes that the requests come from the attacker rather than the victim. Thus the attacker becomes an intermediary between the client and the real DNS server, and can modify the victim's requests at will before sending them on to the real DNS. However, a query can be intercepted only if the attacking machine is on the path of the main traffic or in the DNS server's network segment.

The second method is applied remotely, when there is no access to the client's traffic. Generating a false answer requires satisfying several conditions. First, the source IP address of the answer must match the address of the DNS server. Second, the names contained in the DNS answer and in the query must match. Third, the DNS answer must be sent to the same port from which the query was sent. Finally, the ID field in the DNS answer packet must match the ID in the query.

The first two conditions are easy to satisfy; the third and fourth are harder. Both problems are solved by searching for the right port and the right ID. With that, the attacker has everything needed to attack the victim. The mechanism is as follows. The victim sends a query to the DNS server and waits for the server's answer. The attacker, having learned of the query, starts sending false response packets. A flood of false answers arrives at the client's computer, all of which are discarded except the one in which the ID and port match. Having received the matching answer, the client accepts the false DNS server as the genuine one. The attacker, in turn, can put the IP address of any resource in the false DNS answer.

The third method targets the DNS server itself. As a result of such an attack, not just one victim client but all users who query the attacked DNS server are sent to false IP addresses. As in the previous case, the attack can be carried out from any point in the network. When a client sends a query to the DNS server, the server first looks for a matching entry in its cache. If nobody has sent such a query before and it is not in the cache, the server starts sending queries to other DNS servers in the network in search of the IP address corresponding to the requested host.

To attack, the hacker sends a query that forces the server to contact other network nodes and wait for their answers. Having sent the query, the attacker floods the DNS server with false response packets. This resembles the previous method, but the attacker does not need to guess the port, because all DNS servers "talk" on the well-known port 53; only the ID needs to be guessed. When the server receives a false response packet with a suitable ID, it accepts the attacker as the DNS server and gives the client the IP address sent by the attacking computer. The answer is then stored in the cache, and on subsequent similar queries users are sent to the false IP.
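The second and third methods both come down to the four matching conditions listed above, so the defender's side of the story is the check a resolver runs before it accepts any answer. The following Python is an added example written for this article, not code from the page or from any DNS implementation: it builds a minimal DNS query and answer in wire format (the names, addresses and transaction IDs are constructed test values), parses them, applies the four checks, and computes how large the space is that an off-path forger must cover. The last function makes the caveat explicit: a resolver that keeps a fixed source port leaves only the 16-bit ID to guess, while one that randomizes its source port (as RFC 5452 recommends) multiplies the search space by roughly another 2^16.

```python
import struct

# --- Minimal DNS wire-format helpers (constructed for this example) ---

def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: 3www7example3com0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg: bytes, offset: int):
    """Decode labels at offset, following compression pointers; returns (name, next_offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels) + ".", end

def build_query(tx_id: int, name: str, qtype: int = 1) -> bytes:
    """Standard query (RD set), one question, no records."""
    header = struct.pack("!HHHHHH", tx_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(tx_id: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Response (QR, RD, RA set) echoing the question plus one A record."""
    header = struct.pack("!HHHHHH", tx_id, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer

def parse(msg: bytes) -> dict:
    """Parse header, question and A answers of a DNS message."""
    tx_id, flags, _qd, an = struct.unpack("!HHHH", msg[:8])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        rname, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((rname, rtype, ttl, rdata))
    return {"id": tx_id, "is_response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "answers": answers}

def response_matches_query(query: dict, response: dict) -> bool:
    """The four checks a resolver applies before accepting an answer for a pending query."""
    r = response["dns"]
    return (response["src_ip"] == query["server_ip"]          # 1. from the server we asked
            and r["is_response"]
            and r["qname"] == query["dns"]["qname"]           # 2. same question
            and r["qtype"] == query["dns"]["qtype"]
            and response["dst_port"] == query["src_port"]     # 3. to the port we sent from
            and r["id"] == query["dns"]["id"])                # 4. same transaction ID

def guesses_needed(port_randomised: bool) -> int:
    """Approximate size of the space an off-path forger must cover: 16-bit ID, optionally x 16-bit port."""
    return 2 ** 16 * (2 ** 16 if port_randomised else 1)

def demo():
    """Constructed exchange: one genuine answer and one forged answer with a wrong ID."""
    pending = {"server_ip": "192.0.2.53", "src_port": 41234,
               "dns": parse(build_query(0x1A2B, "www.example.com"))}
    genuine = {"src_ip": "192.0.2.53", "dst_port": 41234,
               "dns": parse(build_response(0x1A2B, "www.example.com", "203.0.113.10"))}
    forged = {"src_ip": "192.0.2.53", "dst_port": 41234,
              "dns": parse(build_response(0x1A2C, "www.example.com", "198.51.100.66"))}
    return response_matches_query(pending, genuine), response_matches_query(pending, forged)

if __name__ == "__main__":
    print(demo(), guesses_needed(False), guesses_needed(True))
```

`demo()` returns `(True, False)`: the genuine answer passes all four checks and the forged one fails on the ID alone. On the server side the same logic applies to the answers a recursive resolver receives from upstream servers, which is why modern resolvers randomize their outbound source port and transaction ID for every query rather than always using port 53.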

Simple DNS flood

In a simple DNS flood, the attacker sends a large number of DNS queries to the DNS server, overwhelming it with requests and consuming its resources. This attack method is attractive because it is quite easy to perform and allows attackers to hide their identity.

The attacker generates DNS packets that are sent over UDP to the DNS server. A standard PC can generate 1,000 DNS queries per second, whereas a normal DNS server can process only 10,000 DNS queries per second. In other words, only 10 computers are needed to take a DNS server out of service. Because DNS servers mostly use UDP, attackers do not need to establish connections and can change and mask the source IP address. This works in the attackers' favour in another way too: an attack coming from a constantly changing set of source IP addresses is harder to mitigate than one coming from a limited list of IP addresses.

[Image: DNS flood]

The attack by means of the reflected DNS queries

Thanks to its asymmetric nature, an attack using reflected DNS queries creates a flooding effect with only limited resources at hand.

The attacker sends DNS queries to one or more third-party DNS servers that are not the real target. The attacker changes the source IP address of the DNS queries to the IP address of the target server, so the answers from the third-party servers are sent to the server that is the actual target of the attack.

The attack exploits an amplification effect: the answer to a DNS query is 3 to 10 times larger than the query itself. In other words, the attacked server receives far more traffic than the small number of requests generated by the attacker would suggest. The reflected-query attack shows that an organization does not need to operate its own DNS server to become the target of a DNS attack, because the goal of the attack is to saturate the Internet connection or the firewall.

[Image: Attack by reflecting DNS queries]

Attacks carried out by means of reflected DNS queries can involve several levels of amplification:

  • Natural: the DNS packets sent in response to a query are several times larger than the query packets. Thus even the most basic attack achieves 3-4x amplification.
  • Selective: answers to DNS queries vary in size; some queries receive a short answer, others a much larger one. A more resourceful attacker can first determine which domain names produce the largest server answers. By sending queries only for those domain names, the attacker can achieve 10x amplification.
  • Manually configured: at the highest level, attackers can create domains whose names produce answers of enormous size. By sending queries only for those specially created domain names, the attacker can achieve 100x amplification.

The degree of anonymity in such an attack increases with its scale. In addition to changing the source IP (as in a simple DNS flood), the attack itself is indirect: the requests to the attacked server are sent via the third-party server.
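Since the reflector, not the victim, is the only party that can break the amplification chain, the control worth understanding here is response rate limiting (RRL) on the DNS server that is being abused. The following Python is an added example written for this article, a simplified model of the RRL technique found in BIND, NSD and Knot rather than any of their code: responses are counted per client /24, name and type; beyond a per-second budget the server drops the answer, except that every slip-th dropped response becomes a tiny truncated reply (TC=1). A genuine client that hits the limit retries over TCP, which a spoofed source never can, while the bytes reflected toward the victim collapse. The packet sizes, addresses and names are constructed values; the 3000-byte answer stands in for a large ANY or DNSSEC-signed response.

```python
from collections import defaultdict
import ipaddress

# Constructed sizes (not measurements): a small UDP query, a large answer, and a TC=1
# "slip" reply that is header-plus-question only, so it carries no amplification.
QUERY_BYTES = 64
FULL_ANSWER_BYTES = 3000
SLIP_BYTES = 64


class ResponseRateLimiter:
    """Simplified model of response rate limiting (RRL); not BIND/NSD/Knot code."""

    def __init__(self, responses_per_second: int = 5, slip: int = 2):
        self.rps = responses_per_second
        self.slip = slip
        self._state = defaultdict(lambda: {"window": None, "answered": 0, "dropped": 0})

    @staticmethod
    def _key(client_ip: str, qname: str, qtype: str):
        # Bucket by /24 so a spoofer cannot evade the limit by hopping inside one prefix.
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype)

    def decide(self, now: float, client_ip: str, qname: str, qtype: str) -> str:
        """Return 'answer', 'slip' (send TC=1 so a real client retries over TCP) or 'drop'."""
        s = self._state[self._key(client_ip, qname, qtype)]
        if s["window"] is None or now - s["window"] >= 1.0:
            s.update(window=now, answered=0, dropped=0)   # new one-second window
        if s["answered"] < self.rps:
            s["answered"] += 1
            return "answer"
        s["dropped"] += 1
        if self.slip and s["dropped"] % self.slip == 0:
            return "slip"
        return "drop"


def simulate(queries, limiter: ResponseRateLimiter) -> dict:
    """Run (time, client_ip, qname, qtype) tuples through the limiter and total the traffic."""
    verdicts = {"answer": 0, "slip": 0, "drop": 0}
    bytes_with_rrl = 0
    for t, ip, qname, qtype in queries:
        verdict = limiter.decide(t, ip, qname, qtype)
        verdicts[verdict] += 1
        bytes_with_rrl += {"answer": FULL_ANSWER_BYTES, "slip": SLIP_BYTES, "drop": 0}[verdict]
    n = sum(verdicts.values())
    return {
        "verdicts": verdicts,
        "query_bytes": n * QUERY_BYTES,
        "bytes_without_rrl": n * FULL_ANSWER_BYTES,   # every query answered in full
        "bytes_with_rrl": bytes_with_rrl,
    }


def amplification(query_bytes: int, response_bytes: int) -> float:
    """Bytes the reflector emits per byte the attacker had to send."""
    return response_bytes / query_bytes


def make_sample():
    """Constructed traffic: 100 queries in half a second whose source is spoofed to the
    victim (198.51.100.10) for a large record, plus two genuine lookups from 203.0.113.5."""
    spoofed = [(i * 0.005, "198.51.100.10", "big.example.", "ANY") for i in range(100)]
    genuine = [(0.10, "203.0.113.5", "www.example.", "A"),
               (0.30, "203.0.113.5", "www.example.", "A")]
    return sorted(spoofed + genuine)


if __name__ == "__main__":
    result = simulate(make_sample(), ResponseRateLimiter(responses_per_second=5, slip=2))
    print(result["verdicts"])
    print("amplification without RRL: %.1f" % amplification(result["query_bytes"], result["bytes_without_rrl"]))
    print("amplification with RRL:    %.1f" % amplification(result["query_bytes"], result["bytes_with_rrl"]))
```

With these constructed numbers the reflector would emit about 47 bytes per attacker byte without RRL and under 4 with it, while both genuine lookups are still answered because they fall into a different bucket. The model keeps only the parts relevant to amplification; real implementations also scale the limit per response type (NXDOMAIN, errors, referrals) and log what they drop.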

The attack using recursive DNS queries

The attack by means of recursive queries is the most complex and asymmetric method of attacking a DNS server: it requires minimal computing resources to organize, yet results in intensive resource consumption on the attacked DNS server.

This attack exploits the way recursive DNS queries work. In recursive resolution, when a DNS client queries a name that is absent from the DNS server's cache, the server sends repeated queries to other DNS servers until the required answer is returned to the client. Exploiting this process, the attacker sends recursive queries for false names that, as the attacker knows, do not exist in the server's cache (see the example screenshot). To resolve such queries, the DNS server must process each record, store it temporarily, send a query to another DNS server and then wait for the answer. In other words, more and more computing resources (CPU, memory and bandwidth) are consumed until they run out.

[Image: Attack using recursive DNS queries]

The asymmetric nature of the recursive attack and its low rate make such attacks hard to fight. A recursive attack can be missed both by protection systems and by people, who are more focused on identifying high-volume attacks.

The Garbage DNS attack

As the name implies, this attack floods the DNS server with "garbage" traffic by sending large data packets (1500 bytes or more) to its UDP port 53. The idea of the attack is to saturate the network channel with large packets. Attackers can generate "garbage" packet flows using other protocols as well (UDP port 80 is also often used), but with other protocols the target can stop the attack by blocking the port at the ISP level without any consequences. The one protocol for which such protection is unavailable is DNS, because most organizations will never close this port.

[Image: Garbage DNS attack]
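The three volumetric patterns described above (the simple DNS flood, the recursive attack with non-existent names, and the Garbage DNS flood) each leave a distinct signature in a resolver's query log, and the reason the recursive attack is "easy to miss" is that its signature is a ratio, not a volume. The following Python is an added example written for this article, not code from the page or from any DNS product: it generates a constructed trace in a simple space-separated format of its own (not BIND's log format), then applies one per-client detector for each pattern. The addresses, names and thresholds are assumptions chosen for the sample; in practice the thresholds are tuned to the baseline of the resolver being monitored.

```python
from collections import Counter, defaultdict
import random

def make_trace() -> str:
    """Constructed resolver trace: 'epoch client qname qtype rcode udp_len' per line."""
    rng = random.Random(1)   # deterministic sample data
    lines = [
        "1592522369 203.0.113.5 www.example.com A NOERROR 61",
        "1592522369 203.0.113.5 mail.example.com MX NOERROR 62",
        "1592522370 203.0.113.5 nosuch.example.com A NXDOMAIN 64",   # one honest typo
    ]
    # Recursive attack: random labels that can never be in cache, ten per second from one client.
    for i in range(40):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz0123456789") for _ in range(8))
        lines.append(f"{1592522369 + i // 10} 192.0.2.200 {label}.victim.example A NXDOMAIN 60")
    # Simple DNS flood: the same cached name at high rate from one source.
    lines.extend(["1592522370 192.0.2.201 www.example.com A NOERROR 61"] * 250)
    # Garbage DNS: oversized datagrams on port 53 that do not parse as DNS (FORMERR, no name).
    lines.extend(["1592522371 198.51.100.77 - - FORMERR 1500"] * 3)
    return "\n".join(lines) + "\n"

def parse_trace(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode, udp_len = line.split()
        records.append({"ts": int(ts), "client": client, "qname": qname.lower(),
                        "qtype": qtype, "rcode": rcode, "udp_len": int(udp_len)})
    return records

def parent_of(qname: str) -> str:
    """Strip the leftmost label: 'x7qk2.victim.example' -> 'victim.example'."""
    parts = qname.strip(".").split(".")
    return ".".join(parts[1:]) if len(parts) > 1 else qname

def analyse(records, nx_ratio=0.8, min_nx_names=20, qps_limit=100, max_udp=1500) -> dict:
    per_client = defaultdict(list)
    for r in records:
        per_client[r["client"]].append(r)
    findings = {"random_subdomain": {}, "query_flood": {}, "garbage": {}}
    for client, recs in per_client.items():
        # Recursive / random-subdomain attack: a high NXDOMAIN share spread over many
        # distinct names under one parent. Volume is low; the ratio is the signal.
        nx = [r for r in recs if r["rcode"] == "NXDOMAIN"]
        if nx and len(nx) / len(recs) >= nx_ratio:
            by_parent = defaultdict(set)
            for r in nx:
                by_parent[parent_of(r["qname"])].add(r["qname"])
            parent, names = max(by_parent.items(), key=lambda kv: len(kv[1]))
            if len(names) >= min_nx_names:
                findings["random_subdomain"][client] = {"parent": parent, "distinct": len(names)}
        # Simple DNS flood: peak queries per second from one source.
        peak = max(Counter(r["ts"] for r in recs).values())
        if peak >= qps_limit:
            findings["query_flood"][client] = peak
        # Garbage DNS: oversized datagrams that fail to parse.
        junk = [r for r in recs if r["udp_len"] >= max_udp and r["rcode"] == "FORMERR"]
        if junk:
            findings["garbage"][client] = len(junk)
    return findings

if __name__ == "__main__":
    for kind, hits in analyse(parse_trace(make_trace())).items():
        print(kind, hits)
```

On the constructed trace the recursive-attack client is flagged at only ten queries per second, well under any rate threshold, because 40 distinct names under `victim.example` all returned NXDOMAIN; the flood source is flagged by rate alone; and the garbage sender is flagged by packet size plus parse failure. The legitimate client with one typo trips none of the three.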

Protection against attacks

DNS over HTTPS

Main article: DNS over HTTPS (DNS-over-HTTPS, DoH)

Domain Name System Security Extensions

To secure DNS, deployment of the Domain Name System Security Extensions (DNSSEC) is planned. However, DNSSEC cannot counter DDoS attacks and can itself be a source of amplification attacks.

DNS attacks gained high popularity because they give attackers a number of advantages:

  • The attack targets critical infrastructure: the DNS server is an important element of infrastructure. If the organization's DNS service is disrupted, all of its Internet traffic is cut off. At a higher level, if the root DNS servers are taken out of service, the whole Internet stops functioning (which is what the Anonymous group tried to do in Operation Blackout).
  • Asymmetric nature of the attack: asymmetric amplification allows DNS attacks to cause denial of service using limited resources and little traffic.
  • Preservation of anonymity: the stateless DNS protocol allows attackers to change their source IP address and mask themselves easily. Using the reflection method, the attacker does not even send traffic directly to the target. In today's conditions, after a large number of arrests of hackers and members of Anonymous, preserving anonymity is an important advantage.

See Also