What are the best mitigation strategies to minimize what an attacker can obtain from using DNS?

Zero Trust Network Access (ZTNA) and strict access controls can help organizations defend against DNS attacks

Contributing writer, Network World

The Domain Name System remains under constant attack, and there seems to be no end in sight as threats grow increasingly sophisticated.

DNS, known as the internet’s phonebook, is part of the global internet infrastructure that translates between familiar names and the numbers computers need to access a website or send an email. While DNS has long been the target of assailants looking to steal all manner of corporate and private information, the threats in the past year or so indicate a worsening of the situation.

IDC reports that 82% of companies worldwide have faced a DNS attack over the past year. The research firm recently published its fifth annual Global DNS Threat Report, which is based on a survey IDC conducted on behalf of DNS security vendor EfficientIP of 904 organizations across the world during the first half of 2019.

According to IDC's research, the average costs associated with a DNS attack rose by 49% compared to a year earlier. In the U.S., the average cost of a DNS attack tops out at more than $1.27 million. Almost half of respondents (48%) report losing more than $500,000 to a DNS attack, and nearly 10% say they lost more than $5 million on each breach. In addition, the majority of U.S. organizations say that it took more than one day to resolve a DNS attack.

“Worryingly, both in-house and cloud applications were damaged, with growth of over 100% for in-house application downtime, making it now the most prevalent damage suffered,” IDC wrote. "DNS attacks are moving away from pure brute-force to more sophisticated attacks acting from the internal network. This will force organizations to use intelligent mitigation tools to cope with insider threats."

Sea Turtle DNS hijacking campaign

An ongoing DNS hijacking campaign known as Sea Turtle is one example of what's occurring in today's DNS threat landscape.

This month, Cisco Talos security researchers said the people behind the Sea Turtle campaign have been busy revamping their attacks with new infrastructure and going after new victims.

In April, Talos released a report detailing Sea Turtle and calling it the “first known case of a domain name registry organization that was compromised for cyber espionage operations.” Talos says the ongoing DNS threat campaign is a state-sponsored attack that abuses DNS to harvest credentials to gain access to sensitive networks and systems in a way that victims are unable to detect, which displays unique knowledge on how to manipulate DNS.

By obtaining control of victims’ DNS, the attackers can change or falsify any data on the Internet and illicitly modify DNS name records to point users to actor-controlled servers; users visiting those sites would never know, Talos reports. 

The hackers behind Sea Turtle appear to have regrouped after the April report from Talos and are redoubling their efforts with new infrastructure – a move Talos researchers find to be unusual: “While many actors will slow down once they are discovered, this group appears to be unusually brazen, and will be unlikely to be deterred going forward,” Talos wrote in July.

A Domain Name System (DNS) is essential to all companies that depend on the internet to generate sales—it is a crucial element to the performance and legitimacy of an organization's web-based applications and cloud services. A loophole in your DNS could translate to the loss of users, access to user credentials by hackers, unavailable content, and user frustration, to mention a few. DNS hijacking, also called a user redirection attack, is a common type of domain server breach that exploits a weakness in a network's domain name system.


It could be an attack on the DNS infrastructure itself, making it unavailable, or one that diverts the website's users to an alternative destination. Either way, these attacks leverage DNS as part of the attack strategy. When users visit the hijacked website, they are redirected to an illegitimate site that is disguised as the real one.

How is the DNS Hijacked?

Cybercriminals understand that your website's domain name system is a uniquely trusted protocol and that many companies do not bother to monitor their domains for malicious activity. For this reason, attackers may launch a range of attacks on the organization's Domain Name System and get away with it.

DNS translates human-friendly domain names into machine-friendly Internet Protocol (IP) addresses. It therefore gives internet users a way to reach websites by name. Any device connected to the internet has an IP address made up of numbers. DNS serves the fundamental role of matching domain names to the appropriate IP addresses, so that website owners and users can choose memorable domain names while devices, on the other hand, can use machine-friendly IP addresses.

For example, suppose you type www.office1.com into your browser. A request will be sent from your computer to the appropriate DNS resolver, which is a computer that looks up the IP addresses associated with the name you requested. The DNS resolver is programmed to communicate with the authoritative name servers for the domain, find a match and send it back to your device.

To execute an attack, the perpetrators cause the DNS to resolve incorrectly so that your users are sent to malicious websites. They achieve this by taking over routers, compromising communication with the Domain Name Server, or installing malware on website users' devices. Once a company's DNS is successfully hijacked, the domain name that should resolve to the company's legitimate IP address instead resolves to the illegitimate IP address chosen by the hijacker, and users are redirected to a fake website.

Why Are DNSs Hijacked?

A DNS may be hijacked for a range of reasons. The hijacker may use it for pharming, displaying ads to users to generate revenue, or for phishing, directing users to a fake version of your website with the aim of stealing data or login credentials.

Internet Service Providers (ISPs) are also known to use domain redirection to control users' DNS queries and collect user data. Other organizations use domain hijacking for censorship or to redirect users to alternative websites.

Types of DNS Hijacking Attacks

There are a number of ways in which a DNS hijacking attack can be executed. The four most common types of DNS hijacking attacks are:


1. Router DNS Hijack

The DNS router is a hardware device that domain service providers use to match domain names to their corresponding IP addresses. Most routers ship with preset passwords and a host of firmware vulnerabilities. Cybercriminals can take advantage of weak default passwords and those vulnerabilities to take over the router and reconfigure its DNS settings to their benefit. If they successfully overwrite the router's DNS settings, they can easily divert traffic to another website and jam your company's website to make it inaccessible.

2. Man-In-The-Middle DNS Hijacking

This is also called DNS spoofing. In this case, the attacker intercepts the communication between the website's users and the site's DNS server, alters the DNS responses, and thereby directs the traffic to a malicious IP address.

3. Local DNS hijack

A local DNS attack installs malware on the website user's computer. The malware, usually a trojan disguised as legitimate software, gives the cyber thieves access to the user's network settings, enabling them to steal data and change DNS settings to direct the user to malicious websites.

4. Rogue DNS Server

In this type of DNS hijacking, the cybercriminal intercepts the DNS server and alters the DNS settings to divert traffic to fake websites.

Preventing DNS Hijacking

There are numerous precautionary steps you can take to improve your DNS security and prevent DNS hijacking. The basic mitigation measures fall into three categories:


1. Mitigation Measures to Prevent Name Server Hijacking

As outlined earlier in this post, cyber thieves target DNS routers and reconfigure them to redirect traffic to malicious locations on the internet. The DNS name server is a crucial resource that should have strong security measures in place to prevent attackers from compromising it and launching attacks on website users.

Below are measures that the IT team can take to improve your site's name server security.

Install Firewalls Around Your DNS Resolver—Every DNS deployment has legitimate resolvers. Attackers may install rogue resolvers to compromise the DNS and intercept the legitimate ones. To prevent this, have the IT team place the legitimate resolvers behind a firewall and shut down all non-required DNS resolvers.

Increase Restrictions on Access to Name Servers—An attacker could be an insider within your organization. As such, the IT team should ensure physical security controls, multi-factor authentication for access, and a reliable firewall to limit access to the organization's DNS.

Prevent Cache Poisoning—Common measures to prevent DNS cache poisoning include: randomizing the query (transaction) ID, randomizing the resolver's source ports, and using both upper and lower case letters in your organization's domain name when it is queried.

Fix Known Vulnerabilities Immediately—Cybercriminals capitalize on obvious vulnerabilities to initiate attacks on DNS. Have your IT team examine the DNS for any vulnerabilities and patch them immediately to prevent attacks.

Avoid Zone Transfers—DNS zone records are sensitive files that contain data often targeted by attackers. Hackers may pose as secondary name servers requesting a zone transfer, which involves copying the server's zone records. To close off this avenue, avoid zone transfers.
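The three cache-poisoning defences listed above (random transaction ID, random source port, mixed-case query name, also known as 0x20 encoding) all work the same way: the resolver only accepts a reply that echoes values an off-path forger cannot predict. The following is an added example, not code from the original post; it builds such a query and performs the resolver-side acceptance check, and make_response exists only to construct sample replies offline.

```python
import secrets
import struct

def randomize_case(name: str) -> str:
    """0x20 encoding: mix upper/lower case per letter. DNS is case-insensitive, so the
    authoritative server echoes the question unchanged and a forger must also guess the case."""
    return "".join(c.upper() if secrets.randbits(1) else c.lower() for c in name)

def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus a terminating zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def decode_name(data: bytes, offset: int) -> str:
    """Read an uncompressed name starting at offset, preserving its exact case."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels)

def build_query(name: str):
    """Return (txid, source_port, case-randomized qname, wire query) for an A lookup."""
    txid = secrets.randbits(16)                     # randomized 16-bit transaction ID
    sport = 1024 + secrets.randbelow(65536 - 1024)  # randomized ephemeral source port
    qname = randomize_case(name)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return txid, sport, qname, header + encode_name(qname) + struct.pack("!HH", 1, 1)

def make_response(txid: int, echoed_qname: str, ip: str) -> bytes:
    """Build the reply a name server would send: same TXID, question echoed as received,
    one A record. Used here only to construct sample input for the check below."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(echoed_qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # name ptr -> offset 12
    return header + question + answer

def response_is_genuine(resp: bytes, txid: int, qname: str, sport: int, dst_port: int) -> bool:
    """Resolver-side check: drop any reply whose destination port, TXID or echoed question
    (compared case-sensitively) does not match the outstanding query."""
    if dst_port != sport or len(resp) < 12:
        return False
    rid, flags, qdcount = struct.unpack("!HHH", resp[:6])
    if rid != txid or not (flags & 0x8000) or qdcount != 1:
        return False
    return decode_name(resp, 12) == qname.rstrip(".")
```

Together the three values give roughly 16 + 15 + one-bit-per-letter bits of entropy that a blind forger must match within the round-trip window, which is why modern resolvers enable all of them.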

2. Mitigation Measures for End-Users

Besides advertising products to hijacked traffic, DNS hijackers also target user data and credentials. Website users can reduce their exposure to hijacking by changing their passwords regularly, installing and updating antivirus software, and using reliable virtual private networks.

3. Mitigation Measures for Website Owners

If your organization uses a Domain Name Registrar, your IT team can take the following steps to prevent DNS hijacking:

Ensure Secure Access—DNS access should be limited to only a few members of the IT team, who should use multi-factor authentication whenever accessing the domain name registrar. This measure significantly reduces the risk of DNS hijacking. If convenient for the IT team, only a few whitelisted Internet Protocol addresses should be allowed to access the domain name registrar.


Client Lock—To enhance DNS security, some DNS registrars use client locks. The lock disables the option to change DNS records unless the request is made from a particular IP address.

Use a Domain Name Service Provider with DNSSEC—DNSSEC uses digital signatures and public keys to verify the authenticity of DNS responses. If your DNS registrar offers DNSSEC, enable it to add a layer of protection that makes it much harder for attackers to intercept and redirect traffic from your website to a fake site.

Don’t Let Your DNS Be Compromised

DNS hijacking is a reality that happens to vulnerable websites around the world. Despite considerable efforts to avert DNS spoofing and redirecting of traffic, attackers are always finding new cunning ways to access organizations' networks and users' devices, compromising data, and stealing credentials.

To keep your organization's website safe from DNS hijacking, the IT team must always be on the lookout for vulnerabilities that attackers may take advantage of, and patch them. By conducting a cybersecurity assessment and following the measures outlined in this post, you will be able to detect malicious activity on your website and take the appropriate steps to stop or prevent a DNS hijacking.


Categories: Network Security, Security Breach, DNS Hijacking


About

Snow hater, technology lover, information sharer, camper, biker, and hiker. Steve Ellis has been with Office1 since 1995. He’s filled many positions from a brand new copier tech to his current position serving as the VP of Professional Services. He has a passion for learning and sharing the knowledge that might make someone’s life easier. He holds several certifications including MCSA and MCITP. He is currently working on his CompTIA CySA+. Steve has been in the copier industry for more than 25 years and has been interested in tech since 2000.

What steps can be taken to help secure DNS?

Here are some of the most effective ways to lock down DNS servers:
Use DNS forwarders.
Use caching-only DNS servers.
Use DNS advertisers.
Use DNS resolvers.
Protect DNS from cache pollution.
Enable DDNS for secure connections only.
Disable zone transfers.
Use firewalls to control DNS access.

Why is it important to mitigate DNS attacks?

Phantom domain attacks: the long response pauses result in a backlog of unresolved requests that congest the network and take up valuable server resources. Ultimately, the scheme prevents legitimate DNS requests from being processed and prevents users from accessing the targeted domains.

How are DNS amplification attacks mitigated?

Common ways to prevent or mitigate the impact of DNS amplification attacks include tightening DNS server security, blocking specific DNS servers or all open recursive relay servers, and rate limiting.

What is one way that an attacker could use a DNS server maliciously?

The attacker corrupts a DNS server by replacing a legitimate IP address in the server's cache with a rogue address, in order to redirect traffic to a malicious website, collect information or initiate another attack. Cache poisoning is also referred to as DNS poisoning.