Attacks on DNS servers
There are many DNS server implementations: BIND, Microsoft DNS Server, OpenDNS and others. All of them need protection: if an attacker compromises a DNS server, its users are led into a trap without ever knowing it.
Why DNS attacks are dangerous
Attacks on DNS can be roughly divided into two categories.
The first category is attacks on vulnerabilities in DNS servers. Two dangers are associated with this subtype of attack:
- First, the user risks not reaching the desired page: when the site address is entered, the compromised DNS server redirects the request to a fake page.
- Second, once the user has been sent to a false IP address, the attacker can obtain the user's personal information, and the user will not even suspect that it has been exposed.
The second category is DDoS attacks that take the DNS server out of service. If the DNS server is unavailable, the user cannot reach the page he needs, because his browser cannot find the IP address corresponding to the site name entered. A DDoS attack on a DNS server can succeed either because of the server's limited processing capacity or because of insufficient bandwidth on the link to it. Using techniques such as DNS amplification, attacks of the second kind can potentially reach 70 Gbps.
Incidents
From Radware's Global Network and Application Security Report (2013):
In October 2002, unknown attackers attempted to take down 10 of the 13 DNS root servers.
In December 2009, a substituted DNS record made the Twitter service unavailable to users for about an hour. The action was political: instead of the social network's interface, the site's main page showed a warning from Iranian hackers about American aggression.
In 2009, attackers tried to disrupt at least two root DNS servers.
2012 was the year of DNS attacks. DNS attacks have been known for a long time, but in 2012 they occurred far more often than usual and, more importantly, became more sophisticated, with more serious consequences.
Why have DNS attacks grown in popularity? The answer lies in the recent history of DoS/DDoS attacks. Although DoS/DDoS attacks are as old as the Internet itself, they have led the attack rankings since the second half of 2010, in particular since the Anonymous group adopted them as its main method. At first organizations were entirely unprepared to defend themselves, and every attack reached its goal.
The situation changed by the end of 2011, when organizations began deploying DoS/DDoS mitigation systems, which pushed attackers to look for ways around them using more sophisticated attack vectors. Under these conditions the DNS server became a convenient target. An analysis of attack data for 2012 shows a 170% increase in DNS attacks over 2011. Almost half were sophisticated attacks using reflected or recursive queries, which do not even require the targeted organization to operate a DNS server of its own.
DNS attacks illustrate how the DoS/DDoS field as a whole is developing. Despite the common, naive view of DoS/DDoS as attacks that need a crude flood of traffic to be effective, DNS attacks prove otherwise. Sophisticated DNS attacks can be asymmetric: powerful and destructive at a relatively low attack rate and intensity. This growing sophistication is not confined to DNS attacks but is a general feature of how DoS/DDoS attacks are evolving.
In 2012, large-scale DNS attacks hit the following well-known organizations:
- In August 2012, AT&T suffered a DDoS attack that took down the company's DNS servers at two geographic locations. During the attack, which lasted at least 8 hours, AT&T's website was unavailable to users. More critically, commercial sites hosted on the AT&T network were unavailable as well.
- On September 10, 2012, GoDaddy, the largest hosting provider and domain name registrar, suffered a DNS flood attack that took millions of domains offline. Not only was www.godaddy.com unavailable; every domain registered through GoDaddy that used its name servers was unavailable too.
- On March 31, 2012, hacktivists of the Anonymous group threatened to take down the entire Internet by attacking the 13 DNS root servers. The group planned to use amplified DNS reflection and released a tool, Ramp, designed to harness the resources of many ISP and corporate DNS servers against the root servers. In the end the attack never took place, but the plan (see "Attack through reflected DNS queries" below) had devastating potential.
Attack statistics in the world
2024
Cybercriminals hijacked 35,000 domains, without access to the owners' accounts, using an entirely new method
On July 31, 2024, security researchers at Infoblox and Eclypsium reported that cybercriminals had seized more than 35 thousand domains without having access to their owners' accounts. The large-scale attack, named Sitting Ducks, is said to put more than 1 million domains at risk every day.
Hackers have learned to hack Internet providers and infect victims' PCs through them
On April 2, 2024, the cybersecurity company Volexity announced that it had identified an unusual attack: the attackers had learned to compromise Internet service providers and use them to deliver malware to users' computers.
The investigation showed that the Chinese group StormBamboo, also known as Evasive Panda, was behind the campaign. The infection vector was at first hard to establish, but the researchers eventually found that the attack was carried out at the level of an Internet service provider (ISP). The hackers used DNS poisoning: manipulating the IP addresses in records held in DNS servers' memory so that the DNS server returns an attacker-chosen IP address in reply to a user's query.
Having taken control of the provider's network, the StormBamboo hackers substituted the hosts from which updates for various applications are distributed, for example the free 5KPlayer media player. As a result, when users tried to download an update, malicious modules were delivered to their computers.
The StormBamboo attack targets a number of software vendors whose update mechanisms are insecure. The attackers implant various malware, in particular Macma and Pocostick (MGBot), on victims' systems. With these tools they can take screenshots, log keystrokes and steal data. Moreover, both Windows and macOS computers can be attacked. Overall, the structure of the campaign points to highly skilled attackers.[1]
2020: India leads in DNS attacks
In mid-June 2020, the cybersecurity company EfficientIP published a report on DNS attacks according to which India led in this type of cyber threat: the country recorded the highest number of such attacks, 12.13 per organization, and Indian companies lost at least $784,000.
Attackers stole confidential customer information from almost 27% of Indian companies, versus 16% in the rest of the world. As a result of the attacks, 65% of organizations in the country experienced cloud service downtime.
"In an era of key IT initiatives such as IoT, Edge, SD-WAN and 5G, DNS protection should play a much larger role in the security ecosystem," says Ronan David, vice president of strategy at EfficientIP. "The COVID-19 pandemic has exacerbated these problems, since now the downtime of any network or application has serious consequences for business."
DNS spoofing, also known as DNS cache poisoning, is a form of network attack in which an attacker modifies cached domain-name data so that it returns a false IP address, redirecting the victim's traffic to the attacker's computer (or any other computer the attacker chooses). The consequences of such attacks can seriously damage a company's finances and even sink the business. The report's authors believe that ensuring the availability and integrity of the DNS service should be a priority for every organization.
Worldwide, 79% of organizations have at some point suffered a DNS attack, at an average cost of $924,000 each. In 2020 there were 9.5 attacks per organization. The report also found that the share of businesses affected by cloud service downtime rose from 41% in 2019 to 50% in 2020, while 25% of companies do not analyze their DNS traffic at all.[2]
Types of attacks
The main reason DNS systems are so exposed is that they operate over UDP, which, unlike TCP, is connectionless: there is no handshake, so the source address of a packet can be forged and a response can be spoofed by anyone who can guess the few fields that tie it to a query.
There are several ways to attack DNS. The first is to set up a rogue DNS server by intercepting the request. The mechanism is simple. The attacker waits for a DNS request from the victim's computer. Having received it, he extracts the requested host name from the intercepted packet and generates a reply in which he impersonates the target DNS server: in the forged reply, the attacker writes his own IP address in the field that should hold the server's address. From then on the victim's computer takes the attacker for the real DNS server. When the client sends its next packet, the attacker rewrites the source address and forwards it to the real DNS server, which therefore believes the requests come from the attacker rather than the victim. The attacker thus becomes an intermediary between the client and the real DNS server and can alter the victim's requests as he sees fit before passing them on. Such interception is only possible, however, if the attacking machine sits on the path of the victim's traffic or in the same network segment as the DNS server.
The second method is used remotely, when the attacker has no access to the client's traffic. For a forged answer to be accepted, several conditions must hold. First, the source IP address of the response must match the address of the DNS server. Second, the name in the DNS response must match the name in the request. Third, the response must be delivered to the same port from which the request was sent. Fourth, the ID field of the response packet must match the ID of the request.
The first two conditions are easy to satisfy; the third and fourth are harder, and both are solved by brute-forcing the port and the ID. With that, the attacker has everything needed. The attack proceeds as follows: the victim sends a request to the DNS server and waits for the reply; the attacker, timing his flood to that request, begins sending forged response packets. A flurry of false answers arrives at the client, in all but one of which the ID or port fails to match; once the matching one arrives, the client accepts the forged DNS server as genuine. In that forged response the attacker can put the IP address of any resource he likes.
The third method targets the DNS server itself. The result is that not just one victim client but every user who queries the attacked DNS server is sent to false IP addresses. As in the previous case, the attack can be carried out from anywhere on the network. When a client sends a request, the server first looks in its cache. If nobody has asked for that name before and it is not cached, the server sends queries to other DNS servers in search of the IP address for the requested host.
To attack, the hacker sends a request that forces the server to query other nodes on the network and wait for their replies. Immediately after sending it, the attacker floods the DNS server with forged response packets. This resembles the previous method, but the attacker does not need to find the port, since DNS servers historically talked to each other on the fixed port 53; only the ID remains to be guessed. (Modern resolvers randomize the source port of their outgoing queries precisely to defeat this, which raises the search space from 2^16 IDs to roughly 2^32 ID/port combinations.) When the server receives a forged response with the right ID, it accepts the attacker as the upstream DNS server and hands the client the IP address supplied by the attacker. The answer is then cached, and subsequent requests for the same name send users to the fake IP.
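The second and third attacks above rest on the same four checks an unauthenticated UDP resolver can make. The following Python model, added here as an example and not code from the page or any product, builds a DNS query in wire format, forges a reply with an attacker-chosen A record, applies the four checks, and runs the "flurry of false answers" against a pending query once with the historical fixed port 53 and once with a randomized source port. The addresses (198.51.100.2 as upstream server, 203.0.113.7 as the fake answer), the ephemeral port range and the names are assumptions.

```python
"""Toy model of blind DNS answer forgery: a forged reply is accepted only when source IP,
destination port, transaction ID and question all match the pending query.
Added example; not code from the page. Addresses, names and port range are assumptions."""
import random
import struct

QTYPE_A, QCLASS_IN = 1, 1
EPHEMERAL_PORTS = range(1024, 65536)   # assumed range a port-randomizing resolver picks from
FIXED_PORT = 53                         # the historical fixed source port the text relies on


def encode_name(name):
    """example.com. -> b'\\x07example\\x03com\\x00' (DNS wire format)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(pkt, off):
    """Decode an uncompressed name starting at pkt[off]; return (name, next offset)."""
    labels = []
    while pkt[off] != 0:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def build_query(txid, name):
    """12-byte header (ID, flags RD=1, QDCOUNT=1) followed by one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_packet(pkt):
    """Return (txid, qname); the question section starts at offset 12 in queries and replies."""
    txid = struct.unpack("!H", pkt[:2])[0]
    qname, _ = decode_name(pkt, 12)
    return txid, qname


def forge_response(txid, name, ip, ttl=86400):
    """Reply (QR=1, RD=1, RA=1) carrying one attacker-chosen A record; the answer name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def answer_ip(resp):
    """Extract the IPv4 address from the first answer of a forge_response()-shaped reply."""
    _, off = decode_name(resp, 12)
    off += 4 + 2 + 10          # QTYPE/QCLASS, name pointer, TYPE/CLASS/TTL/RDLENGTH
    return ".".join(str(b) for b in resp[off:off + 4])


def resolver_accepts(pending, src_ip, dst_port, pkt):
    """The four checks from the text; an unauthenticated UDP resolver has nothing else."""
    txid, qname = parse_packet(pkt)
    return (src_ip == pending["server_ip"] and dst_port == pending["port"]
            and txid == pending["txid"] and qname == pending["qname"])


def make_pending(rng, qname, randomize_port):
    """State the victim keeps while waiting for 198.51.100.2 (assumed upstream) to answer."""
    return {"server_ip": "198.51.100.2", "qname": qname,
            "txid": rng.randrange(1 << 16),
            "port": rng.choice(EPHEMERAL_PORTS) if randomize_port else FIXED_PORT}


def exhaustive_flood(pending, guessed_port, fake_ip="203.0.113.7"):
    """The 'flurry of false answers': spoof the server's address and try every 16-bit ID
    at one port. Returns the IP the victim would cache, or None if the port guess was wrong."""
    for txid in range(1 << 16):
        pkt = forge_response(txid, pending["qname"], fake_ip)
        if resolver_accepts(pending, pending["server_ip"], guessed_port, pkt):
            return answer_ip(pkt)
    return None


def search_space(randomize_port):
    """Forgeries needed in the worst case: 2^16 IDs, times the port range if it is random."""
    return (1 << 16) * (len(EPHEMERAL_PORTS) if randomize_port else 1)


if __name__ == "__main__":
    rng = random.Random(1)
    fixed = make_pending(rng, "example.com.", randomize_port=False)
    randomized = make_pending(rng, "example.com.", randomize_port=True)
    print("fixed port 53 ->", exhaustive_flood(fixed, FIXED_PORT))
    print("random port   ->", exhaustive_flood(randomized, FIXED_PORT))
    print("search space: %d vs %d" % (search_space(False), search_space(True)))
```

With the port fixed at 53, enumerating all 65,536 IDs always lands the fake record; with a randomized port the same flood aimed at port 53 never succeeds, and the attacker must also guess the port, which is why source-port randomization (and, ultimately, DNSSEC) closes this hole rather than any tuning of the ID check.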
Simple DNS flood
In a simple DNS flood, the attacker sends a large number of DNS requests to the DNS server, overwhelming it with requests and consuming its resources. The method is attractive because it is relatively easy to execute and hides the identity of the attackers.
The attacker generates DNS packets and sends them over UDP to the DNS server. A typical PC can generate 1,000 DNS requests per second, while an ordinary DNS server can process only about 10,000 requests per second; in other words, only 10 computers are needed to take the server down. Since DNS runs mainly over UDP, attackers do not need to establish a connection and can spoof the source IP address to hide themselves. This also works in the attackers' favour in another way: an attack coming from many changing source addresses is harder to repel than one from a limited list of IP addresses.
Attack through reflected DNS queries
Because of its asymmetric nature, an attack using reflected DNS queries creates an overflow effect with limited resources.
The attacker sends DNS requests to one or more third-party DNS servers that are not the real target. The source IP address of each request is spoofed to the address of the target server, so the third-party servers' responses are delivered to the target.
The attack exploits an amplification effect: the response to a DNS request is 3 to 10 times larger than the request itself. In other words, the attacked server receives far more traffic than the small number of requests the attacker generates. A reflected-query attack shows that an organization does not need to run a DNS server to become the target of a DNS attack, since the aim is to saturate its Internet link or firewall.
Attacks using reflected DNS queries can involve several levels of amplification:
- Natural: DNS response packets are several times larger than the request packets, so even the most basic attack gains a factor of 3 to 4.
- Selective: responses to different DNS queries differ in size; some queries draw a short response, others a much larger one. A more resourceful attacker first determines which domain names yield the largest responses and queries only those, achieving a factor of about 10.
- Manually configured: at the top level, attackers register domains of their own whose records require very large response packets. Querying only those specially crafted names yields a factor of up to 100.
The anonymity such an attack affords grows with its scale. Besides the spoofed source IP (as in a simple DNS flood), the attacker sends nothing directly to the target: the packets that reach the attacked server come from the third-party servers.
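Both the simple flood and the reflected attack leave a characteristic trace in the logs of the resolver being abused. The Python below, added as an example and not code from the page or any vendor, runs three checks over a constructed resolver log: the per-client response/request byte ratio (the reflection signal), the "selective" ranking of which names give the biggest responses, and the aggregate query rate, which is the only useful signal for a simple flood whose source addresses are randomly spoofed. The log format, addresses, names, sizes and thresholds are all assumptions.

```python
"""Detection of the simple DNS flood and the reflected (amplification) attack over a
constructed resolver log. Added example; not code from the page. Format, addresses,
names, sizes and thresholds are assumptions."""
from collections import defaultdict
from statistics import mean

# Constructed log of an open resolver: "ts client:port qname qtype query_bytes response_bytes".
# 203.0.113.10 is the spoofed victim address: the attacker sends small ANY queries from
# "port 53" in its name, and the resolver's large answers are reflected onto the victim.
RESOLVER_LOG = """\
1 10.0.0.5:41000 www.example.com. A 45 61
1 10.0.0.5:41001 mail.example.com. MX 46 120
1 203.0.113.10:53 big.example.net. ANY 40 3000
1 203.0.113.10:53 big.example.net. ANY 40 3000
2 203.0.113.10:53 huge.example.org. ANY 40 2500
2 203.0.113.10:53 big.example.net. ANY 40 3000
2 10.0.0.9:50233 big.example.net. A 40 56
"""


def parse_log(text):
    records = []
    for line in text.strip().splitlines():
        ts, client, qname, qtype, qbytes, rbytes = line.split()
        ip, port = client.rsplit(":", 1)
        records.append({"ts": int(ts), "ip": ip, "port": int(port), "qname": qname,
                        "qtype": qtype, "qbytes": int(qbytes), "rbytes": int(rbytes)})
    return records


def amplification_by_client(records):
    """Per client: (queries, bytes in, bytes out, out/in ratio), the reflection signal."""
    agg = defaultdict(lambda: [0, 0, 0])
    for r in records:
        a = agg[r["ip"]]
        a[0] += 1
        a[1] += r["qbytes"]
        a[2] += r["rbytes"]
    return {ip: (n, qb, rb, rb / qb) for ip, (n, qb, rb) in agg.items()}


def suspicious_reflection_clients(records, min_ratio=10.0, min_queries=3):
    """Clients for which we are being used as a reflector: a high out/in ratio over several
    queries, or a source port of 53, which real stub resolvers do not use."""
    flagged = {}
    stats = amplification_by_client(records)
    ports = defaultdict(set)
    for r in records:
        ports[r["ip"]].add(r["port"])
    for ip, (n, _, _, ratio) in stats.items():
        reasons = []
        if n >= min_queries and ratio >= min_ratio:
            reasons.append("amplification x%.1f over %d queries" % (ratio, n))
        if ports[ip] == {53}:
            reasons.append("queries sourced from port 53")
        if reasons:
            flagged[ip] = reasons
    return flagged


def best_amplifying_names(records):
    """(qname, qtype, mean response/query ratio), largest first: what a 'selective'
    attacker measures before choosing which names to reflect."""
    ratios = defaultdict(list)
    for r in records:
        ratios[(r["qname"], r["qtype"])].append(r["rbytes"] / r["qbytes"])
    ranked = [(q, t, mean(v)) for (q, t), v in ratios.items()]
    return sorted(ranked, key=lambda x: x[2], reverse=True)


def aggregate_qps(records):
    """Peak total queries per second: the reliable signal for a simple flood with randomly
    spoofed sources, where no single client ever exceeds a per-IP threshold."""
    per_second = defaultdict(int)
    for r in records:
        per_second[r["ts"]] += 1
    return max(per_second.values()) if per_second else 0


if __name__ == "__main__":
    recs = parse_log(RESOLVER_LOG)
    for ip, reasons in suspicious_reflection_clients(recs).items():
        print(ip, "->", "; ".join(reasons))
    print("best amplifiers:", best_amplifying_names(recs)[:2])
    print("peak qps:", aggregate_qps(recs))
```

On the victim's side the same attack shows up as a stream of DNS responses from many port-53 sources for which no query was ever sent; on the reflector's side, the fix that removes the problem rather than detecting it is to stop answering recursive queries for arbitrary clients at all.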
Recursive DNS Query Attack
A recursive query attack is the most complex and most asymmetric way of attacking a DNS server: it requires minimal computing resources to mount, yet it consumes the resources of the attacked DNS server intensively.
The attack exploits how recursive DNS queries work. When a client requests a name that is not in the DNS server's cache, the server forwards queries to other DNS servers until it can return the desired response to the client. An attacker exploits this by sending recursive queries for fake names that he knows are not in the server's cache (typically randomly generated subdomains of a real domain, so that every query is a guaranteed cache miss). To resolve each such query the DNS server must process the record, hold state for it, send a request to another DNS server and wait for the reply. More and more computing resources (CPU, memory and bandwidth) are consumed until they run out.
The asymmetry and low rate of a recursive attack make it hard to counter: it can be missed both by defense systems and by people, who tend to look for high-volume attacks.
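Because the volume is low, the recursive attack has to be recognized by the shape of the queries rather than their number. The Python below, added as an example and not code from the page or any product, runs over a constructed resolver query log and flags zones where almost every query is for a distinct, high-entropy, failing name, which is what a random-subdomain flood looks like and what a burst of popular, repeated lookups does not. The log format, the "zone is the last two labels" heuristic, the names and the thresholds are assumptions.

```python
"""Detection of the recursive-query (random subdomain) attack over a constructed
resolver query log. Added example; not code from the page. Log format, names, the zone
heuristic and thresholds are assumptions."""
import math
from collections import defaultdict

# Constructed query log: "client qname rcode". Many spoofed clients ask for random labels
# under victim-zone.example, each a guaranteed cache miss that the resolver must forward
# and wait on; normal clients repeat a few real names.
QUERY_LOG = """\
10.0.0.5 www.example.com. NOERROR
10.0.0.5 www.example.com. NOERROR
10.0.0.7 mail.example.com. NOERROR
10.0.0.7 www.example.com. NOERROR
192.0.2.11 x7gq2pl9.victim-zone.example. NXDOMAIN
192.0.2.12 k3nd8wq1.victim-zone.example. NXDOMAIN
192.0.2.13 p0zt5rm2.victim-zone.example. SERVFAIL
192.0.2.14 a9vb4hc6.victim-zone.example. NXDOMAIN
192.0.2.15 qw1m7xe3.victim-zone.example. NXDOMAIN
192.0.2.16 zl8c2jn4.victim-zone.example. SERVFAIL
10.0.0.9 shop.victim-zone.example. NOERROR
"""

FAILED = {"NXDOMAIN", "SERVFAIL"}


def parse_log(text):
    records = []
    for line in text.strip().splitlines():
        client, qname, rcode = line.split()
        records.append({"client": client, "qname": qname.lower(), "rcode": rcode})
    return records


def zone_of(qname):
    """Assumed heuristic: the zone under attack is the last two labels of the name."""
    return ".".join(qname.rstrip(".").split(".")[-2:]) + "."


def label_entropy(label):
    """Shannon entropy in bits per character. Random labels sit near log2(label length);
    human-chosen ones (www, mail, shop) are much lower."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def zone_stats(records):
    """Per zone: query count, distinct names, failed answers, mean entropy of the leftmost label."""
    zones = defaultdict(lambda: {"queries": 0, "names": set(), "failed": 0, "entropies": []})
    for r in records:
        z = zones[zone_of(r["qname"])]
        z["queries"] += 1
        z["names"].add(r["qname"])
        z["failed"] += int(r["rcode"] in FAILED)
        z["entropies"].append(label_entropy(r["qname"].split(".")[0]))
    return {zone: {"queries": z["queries"], "unique": len(z["names"]), "failed": z["failed"],
                   "mean_entropy": sum(z["entropies"]) / len(z["entropies"])}
            for zone, z in zones.items()}


def flag_zones(records, min_queries=5, min_unique_ratio=0.8, min_fail_ratio=0.6, min_entropy=2.5):
    """Zones where nearly every query is a distinct, high-entropy, failing name: the
    signature of a random-subdomain flood rather than of popular, repeated lookups."""
    flagged = {}
    for zone, s in zone_stats(records).items():
        if (s["queries"] >= min_queries
                and s["unique"] / s["queries"] >= min_unique_ratio
                and s["failed"] / s["queries"] >= min_fail_ratio
                and s["mean_entropy"] >= min_entropy):
            flagged[zone] = s
    return flagged


if __name__ == "__main__":
    for zone, s in flag_zones(parse_log(QUERY_LOG)).items():
        print("random-subdomain flood against %s: %d queries, %d unique, %d failed, entropy %.2f"
              % (zone, s["queries"], s["unique"], s["failed"], s["mean_entropy"]))
```

The flagged zone is where the resolver's outstanding-query slots are being burned; the practical response is to rate-limit recursion for that zone (or for its unresponsive name servers), not to rate-limit the individual spoofed clients, each of which sent a single query.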
Garbage DNS attack
As the name implies, this attack floods the DNS server with junk traffic: large packets (1500 bytes or more) sent to its UDP port 53. The idea is to saturate the network link with large packets. Attackers can generate streams of junk packets over other protocols too (UDP port 80 is also often used), but with those the target can stop the attack by having its ISP block the port, without side effects. The one protocol for which that defense is unavailable is DNS, since most organizations will never close port 53.
Protection against attacks
DNS over HTTPS
Main article: DNS over HTTPS (DNS-over-HTTPS, DoH)
Domain Name System Security Extensions
Domain Name System Security Extensions (DNSSEC) are intended to secure DNS: they let a resolver verify the origin and integrity of the records it receives, which defeats the forged-answer and cache-poisoning attacks described above. However, DNSSEC cannot withstand DDoS attacks and, because signed responses are larger than unsigned ones, can itself become a source of amplification.
Attacks on DNS have gained popularity because they give attackers several advantages:
- Critical infrastructure is the target: the DNS server is an essential part of the infrastructure, so if an organization's DNS service is disrupted, all of its Internet traffic stops. At a higher level, if the root DNS servers were disabled, the entire Internet would cease to function (which the Anonymous group tried to achieve in Operation Blackout).
- Asymmetry: amplification lets DNS attacks cause denial of service with limited resources and little traffic.
- Anonymity: the stateless DNS protocol lets attackers spoof their source IP address and hide easily. With reflection, the attacker does not even send traffic directly to the target. In today's climate, after numerous arrests of hackers and Anonymous members, anonymity is an important advantage.