DNS Attacks on the Rise

The recent distributed denial-of-service (DDOS) attacks on Domain Name Server (DNS) providers EveryDNS and EasyDNS were a grim reminder of the damage a DNS infrastructure attack can do. (See DNS Service Under DDOS Attack and DNS Gets Anti-Phishing Hook.) And the problem is on the rise, experts say.

DNS is becoming a popular attack vector, especially for botnets lodging DDOS attacks. "We're using DNS for a lot of things, so it's a very attractive target for bad guys to stop people from getting to anti-spam or anti-phishing blacklists," says Jose Nazario, software and security engineer with Arbor Networks. "We haven't seen a slowdown in these attacks" on DNS.

DNS technology is such an inherent and vital piece of the Internet that it's often taken for granted. Its simple function is to translate a computer's "human-readable" domain name, such as www.darkreading.com, into its machine-readable IP address name. It's typically a forgotten link in the security chain. But if a DNS server or infrastructure is disrupted by a DDOS attack, or injected with malware, and your users and customers can't reach your Website, you can bet it will get people's attention.

Luckily, DNS attacks aren't as prevalent as other types of attacks, but if successful, they can be devastating, especially if they impact multiple sites as the attack on EveryDNS did (100,000 customers were affected). "They went after EveryDNS for retaliatory reasons -- EveryDNS shuts down botnets all the time," says Dan Kaminsky, director of penetration testing for IOActive.

Kaminsky says DNS technology is actually "fairly solid," so it's tough to detect when there's a DNS outage. "Developers and network engineers don't have a very good framework to detect when failures are being caused by a DNS outage."

"The biggest risk we see in the field is that sometimes network administrators will put other services on the same host as DNS," Kaminsky says. "At this point, the name servers are pretty solid, but if there's a vulnerable Web server on the same host, the name server's going down."

DNS configuration errors are another major source of security problems. About 85 percent of DNS issues stem from human error, such as mistyping an address, says Paul Parisi, CTO for DNSstuff.com, which offers free tools for DNS management. "If there's no configuration error, DNS is relatively difficult to exploit."

Aside from exploiting a configuration error, attackers either use DDOS or DNS "poisoning" attacks, where they inject malicious data into the DNS servers. That would send an unsuspecting user to a malicious site posing as, say, MySpace.com. "It wouldn’t be MySpace, but a site operated by bad guys who want to see your personal information and load malware onto your system," Nazario says.

A poorly configured DNS server could also be subject to DDOS attacks where an attacker "amplifies" packets, Nazario says. "One packet from the attacker becomes ten packets from the DNS server sent on to the DDOS victim," he says. "When this is scaled up, you have a very large DDOS event."

DDOS attacks are typically used as a distraction so the attacker can conduct these types of attacks or inject other malicious code into DNS servers.

Another possible risk is that if an attacker gains access to your DNS server, he then could change the address of your email or Web server to a fake one. "So I've got a server receiving your mail, for example, and then sending it off to your mail server, so you have no idea this is happening," says Parisi.

DNSstuff on Monday will roll out a new membership plan that includes enhanced DNS reporting and tools and a monitoring and alerting service.

— Kelly Jackson Higgins, Senior Editor, Dark Reading