Cybercriminals have a knack for compromising the most poorly defended IT asset and then exploiting it for all it's worth. A report published this week by IDC suggests the most overlooked threat vector in all of IT may very well be the Domain Name System (DNS) platforms on which every organization relies to direct Internet traffic to the appropriate destination.
The IDC report, commissioned by EfficientIP, a provider of tools for managing and securing DNS servers, finds that organizations dealt with, on average, more than nine separate DNS attacks in the past year. Those attacks resulted in application downtime for 63% of the organizations attacked, 45% had their websites compromised, and just over a quarter (27%) experienced business downtime as a direct consequence. More troubling still, the annual report finds that in some cases the cost of these attacks now exceeds $1 million. On the plus side, however, a new report from the Global Cybersecurity Alliance claims DNS firewalls have prevented some $10 billion in potential damage.
DNS attacks fall broadly into a range of categories, including:
- Domain Hijacking results in DNS servers and the domain registrar redirecting traffic away from the original servers to new destinations. Cybercriminals are fond of setting up fake websites that they employ to launch malicious activities, such as capturing credentials on a fake page and even diverting payments.
- DNS Hijacking (also known as DNS redirection) usually involves malware being employed to, for example, alter a host's TCP/IP configuration so that it points to another DNS server, which then redirects traffic to a fake website.
- DNS Flooding is a distributed denial of service (DDoS) attack that seeks to overload a DNS server to the point where it can no longer process requests; the requests are generated by sometimes thousands of hosts infected with malware that allows a bot to commandeer them.
- Distributed Reflection Denial of Service (DRDoS) attacks make use of spoofing the source address of the DNS service, which results in machines replying back and forth until the DNS server becomes flooded.
- DNS Cache Poisoning overwrites local DNS cache values with fake ones to enable traffic to be redirected to a malicious website.
- DNS Tunneling makes use of encoded data from other applications carried inside DNS queries and responses; it requires access to a compromised system, an internal DNS server, a domain name, and an authoritative DNS server.
- Random Subdomain attacks involve sending a large number of DNS queries from compromised systems against a valid, existing domain name. Those queries target not the main domain name but a large number of non-existent subdomains, which eventually overwhelm the DNS server.
- NXDOMAIN attacks attempt to flood authoritative DNS servers with queries targeting non-existent domains.
- Phantom domain attacks specifically aim to cripple DNS resolver resources by generating queries against domains that don't exist.
To defend against these types of attacks, the IDC report finds organizations are investing in securing network endpoints (32%) and DNS traffic monitoring tools (29%). Other organizations are making use of services that allow them to dynamically add more DNS capacity to weather the storm. DNS servers have been getting more attention lately because of some recent high-profile attacks and the fact that sometimes these attacks are also employed as a diversion to stealthily embed malware that is activated at a future date. Regardless of motive, it’s clear that in many instances DNS servers remain the soft underbelly of far too many IT environments.
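The DNS traffic monitoring the report mentions comes down to looking at resolver logs for the patterns the categories above describe. The following is an added example written for this article, not code from IDC, EfficientIP or the Global Cybersecurity Alliance: it parses a constructed set of resolver log lines (timestamp, client, query name, response code) and applies two simple heuristics, one for DNS tunneling (a long, high-entropy subdomain label) and one for random subdomain / NXDOMAIN floods (many distinct subdomains under one domain with a high NXDOMAIN ratio). The log format, the domain names and the thresholds are assumptions for illustration; the "registered domain" split on the last two labels is a simplification that a production tool would replace with a public suffix list.

```python
"""Two DNS log heuristics: tunneling-like labels and random-subdomain floods.

Added example for the article; the log format and sample lines are constructed.
"""
import math
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client> <qname> <rcode>" per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 www.example.com NOERROR
2024-05-01T10:00:02 10.0.0.5 mail.example.com NOERROR
2024-05-01T10:00:03 10.0.0.7 cdn.example.com NOERROR
2024-05-01T10:00:04 10.0.0.9 k7q2x9m4p1v6z3w8n5r0t2y9h4j6l1b3.x.tunnel-demo.test NOERROR
2024-05-01T10:00:05 10.0.0.9 a1s2d3f4g5h6j7k8l9q0w1e2r3t4y5u6.x.tunnel-demo.test NOERROR
2024-05-01T10:00:06 10.0.0.12 qzpw81.victim-site.test NXDOMAIN
2024-05-01T10:00:06 10.0.0.13 lmxc42.victim-site.test NXDOMAIN
2024-05-01T10:00:07 10.0.0.14 rtyu09.victim-site.test NXDOMAIN
2024-05-01T10:00:07 10.0.0.12 www.victim-site.test NOERROR
2024-05-01T10:00:08 10.0.0.15 hgfd77.victim-site.test NXDOMAIN
2024-05-01T10:00:08 10.0.0.16 bnvc55.victim-site.test NXDOMAIN
2024-05-01T10:00:09 10.0.0.5 typo.example.com NXDOMAIN
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded payloads score far higher than hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list:
    """Parse the assumed 4-field log format, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "rcode": rcode.upper()})
    return records


def split_name(qname: str):
    """Naive split into (registered domain = last two labels, subdomain labels)."""
    labels = qname.split(".")
    if len(labels) < 2:
        return qname, []
    return ".".join(labels[-2:]), labels[:-2]


def flag_tunneling(records, min_label_len: int = 30, min_entropy: float = 3.5) -> list:
    """Return (client, qname) pairs whose subdomain carries a long, high-entropy label."""
    hits = []
    for r in records:
        _, subs = split_name(r["qname"])
        if any(len(lab) >= min_label_len and shannon_entropy(lab) >= min_entropy for lab in subs):
            hits.append((r["client"], r["qname"]))
    return hits


def flag_random_subdomain(records, min_unique: int = 5, min_nx_ratio: float = 0.5) -> dict:
    """Return domains with many distinct subdomains and a high NXDOMAIN ratio."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "subs": set(), "clients": set()})
    for r in records:
        domain, subs = split_name(r["qname"])
        s = stats[domain]
        s["total"] += 1
        s["subs"].add(".".join(subs))
        s["clients"].add(r["client"])
        if r["rcode"] == "NXDOMAIN":
            s["nx"] += 1
    flagged = {}
    for domain, s in stats.items():
        ratio = s["nx"] / s["total"]
        if len(s["subs"]) >= min_unique and ratio >= min_nx_ratio:
            flagged[domain] = {"queries": s["total"], "unique_subdomains": len(s["subs"]),
                               "nxdomain_ratio": round(ratio, 2), "clients": len(s["clients"])}
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("tunneling candidates:", flag_tunneling(recs))
    print("random-subdomain candidates:", flag_random_subdomain(recs))
```

On the sample log, the two long labels under tunnel-demo.test are the only tunneling candidates, and victim-site.test is the only domain flagged for a random-subdomain pattern (six distinct subdomains from five clients, five of six answers NXDOMAIN), while example.com's single typo lookup stays below both thresholds. Thresholds like these should be tuned against a baseline of the organization's own resolver traffic before alerting on them.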
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.