TOP TEN DNS ATTACKS
PROTECTING YOUR ORGANIZATION AGAINST TODAY’S FAST-GROWING THREATS

Contents
INTRODUCTION
01 DRDOS
02 CACHE POISONING
03 FLOODS
04 DNS TUNNELING
05 DNS HIJACKING
06 BASIC NXDOMAIN
07 PHANTOM DOMAIN
08 RANDOM SUB-DOMAIN
09 DOMAIN LOCK-UP
10 CPE BOTNET BASED
MITIGATING ATTACKS

Introduction

Your data and infrastructure are at the heart of your business. Your employees, business partners, and customers are getting more connected, and rely on the network to support their most important business processes. But Domain Name System (DNS)-based attacks are on the rise, putting your data, revenue, and reputation at risk. If a DNS service goes down, your organization’s Internet connectivity fails, and devices that are attached to the network stop working. Even a single serious attack could expose data or bring your business operations to a halt.

Traditional Security is Not Enough

Traditional firewall protection is ineffective against today’s evolving DNS threats. Firewalls have to leave port 53 open for DNS queries, and they do little to inspect the queries that arrive on it. So they can’t provide protection against DNS-based distributed denial-of-service (DDoS) attacks like amplification, reflection, or other techniques. Stopping DNS attacks requires deep inspection and extremely high compute performance for accurate detection, which traditional solutions do not provide.

A Constantly Evolving Threat

DNS-based DDoS attacks are not only difficult to discover. They are a moving target, constantly evolving and capable of impacting both external and internal DNS servers. Attackers employ a wide range of techniques, from basic methods like amplification/reflection, floods, and simple NXDOMAIN, to highly sophisticated attacks involving botnets, chain reactions, and misbehaving domains. They may come from the outside in, or from the inside out.

Hackers understand that DNS security is often overlooked, so DNS-based attacks are on the rise. According to the most recent Worldwide Infrastructure Security Report from Arbor Networks, DNS is the number one protocol used in reflection/amplification attacks and is tied with HTTP for the top targeted service of application-layer DDoS attacks. The sooner you add DNS-specific security as a layer in your defense-in-depth security strategy, the less risk to your organization. The first step is understanding how DNS-based attacks can impact your network and your business. Let’s take a closer look at the top ten DNS-based threats, and how they work.

“DNS is the most targeted service of application layer DDoS attacks.”

Distributed Reflection DoS Attack (DrDoS)

A distributed reflection DoS attack, or DrDoS attack, uses third-party open resolvers on the Internet to unwittingly participate in attacks against a target. These attacks combine reflection and amplification: the attacker forges the victim’s address as the source of every query, so the resolvers’ replies are reflected onto the victim, and picks queries whose replies are many times larger than the query itself, so a small amount of attacker bandwidth becomes a large amount of traffic at the target. Authoritative name servers can also be used for this attack.

Attackers send their spoofed queries to multiple open recursive servers, sometimes thousands of servers at a time. Each query is designed to elicit a large response (for example an ANY query, or a query for a name in a DNSSEC-signed zone whose signatures make the answer large) and to send an overwhelming amount of data to the victim’s IP address. When a victim is hit by the DDoS attack, it can cause slow performance or site outages that can shut down important business processes.

How the attack works (figure): the attacker sends spoofed queries to open recursive servers across the Internet; the amplified, reflected packets arrive at the target victim.

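The countermeasure an authoritative operator reaches for here is response rate limiting (RRL): identical answers toward the same client network are capped per second, and some of the suppressed answers are "slipped" as tiny truncated replies so a genuine client retries over TCP, which a spoofing attacker cannot complete. The following is an added example, not code from the page or from Infoblox; the per-second bucket, the slip ratio, the ANY query as the large-answer trigger, and the constructed query stream are assumptions, and the scheme follows the widely deployed RRL design in spirit rather than any product's implementation.

```python
"""Response rate limiting (RRL): the authoritative-side defence against being
used as a reflector. Added example; parameters and traffic are constructed."""
from collections import defaultdict
import ipaddress

RESPONSES_PER_SECOND = 5   # identical answers allowed per client /24 per second
SLIP = 2                   # every second suppressed answer is "slipped":
                           # a tiny truncated (TC=1) reply instead of silence
SLIP_RESPONSE_BYTES = 60   # header-only reply, roughly the size of the query


def bucket_key(src_ip, qname, qtype):
    """Group by IPv4 /24 so a spoofed victim network is one bucket regardless
    of which of its addresses the attacker forges as the source."""
    net = ipaddress.ip_network(f"{src_ip}/24", strict=False)
    return (str(net), qname.lower(), qtype)


class ResponseRateLimiter:
    def __init__(self, rate=RESPONSES_PER_SECOND, slip=SLIP):
        self.rate, self.slip = rate, slip
        self.buckets = defaultdict(lambda: {"second": None, "sent": 0, "suppressed": 0})

    def decide(self, ts, src_ip, qname, qtype):
        """'answer' the query, 'slip' it (send TC=1) or 'drop' it silently."""
        b = self.buckets[bucket_key(src_ip, qname, qtype)]
        if b["second"] != int(ts):            # new one-second window: refill
            b["second"], b["sent"], b["suppressed"] = int(ts), 0, 0
        if b["sent"] < self.rate:
            b["sent"] += 1
            return "answer"
        b["suppressed"] += 1
        if self.slip and b["suppressed"] % self.slip == 0:
            return "slip"
        return "drop"


def serve(queries, rate=RESPONSES_PER_SECOND, slip=SLIP):
    """Run a query stream through RRL. Each query is (ts, src_ip, qname, qtype,
    response_bytes). Returns verdict counts and the bytes actually sent."""
    rrl = ResponseRateLimiter(rate, slip)
    counts = {"answer": 0, "slip": 0, "drop": 0}
    sent = 0
    for ts, src_ip, qname, qtype, response_bytes in queries:
        verdict = rrl.decide(ts, src_ip, qname, qtype)
        counts[verdict] += 1
        sent += {"answer": response_bytes, "slip": SLIP_RESPONSE_BYTES, "drop": 0}[verdict]
    return counts, sent


def amplification(query_bytes, response_bytes):
    """Bytes the reflector emits per byte the attacker spends."""
    return response_bytes / query_bytes


# Constructed stream: 50 queries within one second carrying the victim's
# address 203.0.113.10 as source, each asking for a record set that yields a
# 3000-byte answer, plus three ordinary lookups from an unrelated network.
QUERY_BYTES = 64
SPOOFED = [(i / 50, "203.0.113.10", "example.com", "ANY", 3000) for i in range(50)]
LEGIT = [(0.1 * (i + 1), "198.51.100.7", "www.example.com", "A", 80) for i in range(3)]

if __name__ == "__main__":
    counts, sent = serve(SPOOFED + LEGIT)
    _, unlimited = serve(SPOOFED + LEGIT, rate=10**9)
    print(counts, "bytes sent with RRL:", sent, "without:", unlimited)
    print("amplification per spoofed query:", amplification(QUERY_BYTES, 3000))
```

Of the 50 spoofed queries only five are answered in full; 22 are slipped and 23 dropped, and the legitimate lookups from the other network are unaffected because they sit in their own bucket. The slip is what keeps RRL from becoming a denial of service in itself: a real client that receives TC=1 retries over TCP and gets its answer.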
Cache Poisoning

DNS cache poisoning corrupts a DNS server’s cache with bogus data such as a rogue address, opening the door to data theft and other threats. In the scenario below, spoofed responses map www.bankofamerica.com to the IP address of a server controlled by the attacker.

How the attack works:

1. The attacker queries a recursive name server for a subdomain that doesn’t exist (e.g. q0001.bankofamerica.com).
2. The recursive server does not have the IP address and queries a bankofamerica.com name server.
3. Before the bankofamerica.com name server can send an NXDOMAIN response, the attacker sends lots of spoofed responses that look like they are coming from a legitimate bankofamerica.com server.
4. The recursive name server accepts a spoofed response and caches the record.
5. A user queries the recursive name server for the IP address of www.bankofamerica.com.
6. The recursive name server replies to the user with the cached rogue IP address.
7. The user connects to the site controlled by the attacker, which may look exactly like the real Bank of America website.

Impact: logins, passwords, and credit card numbers of the user can be captured.

Why the race can be won: a resolver matches a reply to its outstanding query by the 16-bit transaction ID, the UDP port and the question, so a forged reply is accepted if the attacker guesses those correctly before the genuine answer arrives. Querying a fresh non-existent name in step 1 gives the attacker a new race every time instead of waiting for a cached record to expire, and the forged replies carry a record for www.bankofamerica.com, which is inside the queried zone and therefore passes the resolver’s bailiwick check. Randomizing the resolver’s source port enlarges the guess space, and DNSSEC validation rejects forged records regardless of how the race goes.

Figure: the numbered steps above, between the user, the recursive name server and its cache, the attacker, and the Bank of America name servers.

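To make the race in steps 1 to 4 concrete, the following added example (not code from the page) models the checks a resolver performs before caching a reply and simulates the attacker's guessing with and without source-port randomization. The resolver model is simplified; bank.example stands in for the bank's real domain, 192.0.2.66 is a TEST-NET-1 address standing in for the attacker's server, and the forgery counts are assumptions.

```python
"""Kaminsky-style cache poisoning: what a resolver checks, and how much the
attacker has to guess. Added example; names and attack sizes are constructed."""
import random
from dataclasses import dataclass

TXID_SPACE = 65536          # 16-bit DNS transaction ID
PORT_SPACE = 65536 - 1024   # ephemeral ports a resolver can randomize over


@dataclass(frozen=True)
class Pending:
    qname: str     # question the resolver sent
    txid: int
    sport: int     # UDP source port of the outgoing query
    zone: str      # zone the query went to (its bailiwick)


@dataclass(frozen=True)
class Reply:
    qname: str
    txid: int
    dport: int     # port the reply is addressed to
    rr_owner: str  # owner name of the record the reply asks the cache to store
    rdata: str


def in_bailiwick(owner, zone):
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def accept(pending, reply):
    """A resolver caches a reply only if TXID, destination port and question
    match the outstanding query and the record lies inside the queried zone."""
    if reply.txid != pending.txid or reply.dport != pending.sport:
        return False
    if reply.qname.lower() != pending.qname.lower():
        return False
    return in_bailiwick(reply.rr_owner, pending.zone)


def race(rng, forgeries, randomize_port):
    """One round of steps 1-4: the attacker triggers a lookup for a fresh
    non-existent name (so the resolver must ask the authoritative server
    again) and fires `forgeries` guessed replies before the real NXDOMAIN
    arrives. The forged record targets www.bank.example, which is inside the
    bailiwick, so only the TXID/port guess stands in the way."""
    pending = Pending(
        qname=f"q{rng.randrange(10**6):06d}.bank.example",
        txid=rng.randrange(TXID_SPACE),
        sport=rng.randrange(1024, 65536) if randomize_port else 53,
        zone="bank.example",
    )
    for _ in range(forgeries):
        forged = Reply(
            qname=pending.qname,
            txid=rng.randrange(TXID_SPACE),
            dport=rng.randrange(1024, 65536) if randomize_port else 53,
            rr_owner="www.bank.example",
            rdata="192.0.2.66",
        )
        if accept(pending, forged):
            return True
    return False


def expected_races(forgeries, randomize_port):
    """Rounds the attacker needs on average when each forgery is a fresh guess."""
    space = TXID_SPACE * (PORT_SPACE if randomize_port else 1)
    return space / forgeries


def races_until_poisoned(seed, forgeries, randomize_port, limit=100_000):
    """Simulate rounds until a forgery is accepted; None if the limit is hit."""
    rng = random.Random(seed)
    for n in range(1, limit + 1):
        if race(rng, forgeries, randomize_port):
            return n
    return None


if __name__ == "__main__":
    for randomized in (False, True):
        print("port randomization:", randomized,
              "expected rounds at 100 forgeries/round:", expected_races(100, randomized))
    print("rounds needed with a fixed port (seed 1):", races_until_poisoned(1, 100, False))
```

With a fixed source port the attacker needs on the order of 65536/100 rounds, a few hundred, and each round is cheap because the non-existent name guarantees a fresh query. Port randomization multiplies the space by roughly 64,000, which is why it was the emergency fix of 2008; note that the bailiwick check alone does not help here, since the forged record is legitimately inside the zone being asked about.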
Floods

An example of a flood is a TCP SYN flood. A TCP SYN flood attack is a DoS attack that takes advantage of the three-way handshake that’s used to start a Transmission Control Protocol (TCP) connection. An attacker sends its target spoofed synchronization (SYN) packets whose source IP addresses belong to bogus hosts that will never answer. The targeted server then sends SYN-ACK packets to those bogus addresses, but never receives an acknowledgement, so the connections are never completed. These half-open connections fill up the listen queue on the server. Finally, the server stops responding to new connection requests coming from legitimate users. DNS servers are exposed to this just as web servers are, because they accept TCP on port 53 for zone transfers and for answers too large to fit in a UDP response.

How the attack works (figure): the attacker sends SYNs with bogus source addresses; the server’s SYN-ACKs go to the bogus destinations and are never answered, and legitimate users can no longer connect.

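The reason the flood works is that the server allocates state for every SYN; the classic defence, SYN cookies, encodes that state in the server's initial sequence number instead, so a SYN from a bogus source costs nothing to remember. The following added example (not code from the page) contrasts a plain listen queue with cookie handling over a constructed flood. The secret, the 64-second clock tick, the MSS table and the sample addresses are assumptions that follow the spirit of the classic scheme rather than any particular kernel's bit layout.

```python
"""SYN cookies versus a plain listen queue under a spoofed SYN flood.
Added example; secret, clock granularity and addresses are constructed."""
import hashlib
import hmac
import struct

SECRET = b"rotate-me-periodically"          # assumed server-side secret
MSS_TABLE = [536, 1220, 1440, 1460]          # MSS values encodable in 2 bits
COOKIE_HASH_MASK = 0x01FFFFFF                # low 25 bits carry the keyed hash


def _keyed_hash(src_ip, dst_ip, sport, dport, tick_value):
    """25-bit MAC over the connection 4-tuple and the clock tick."""
    msg = struct.pack("!4s4sHHI", src_ip, dst_ip, sport, dport, tick_value)
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") & COOKIE_HASH_MASK


def tick(now_seconds):
    """Coarse clock (one tick per 64 s) so cookies expire; kept to 5 bits."""
    return (int(now_seconds) >> 6) & 0x1F


def make_cookie(src_ip, dst_ip, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK: tick (5 bits) | MSS index (2 bits) |
    hash + client ISN (25 bits). Nothing is stored on the server."""
    t = tick(now)
    m = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    h = (_keyed_hash(src_ip, dst_ip, sport, dport, t) + client_isn) & COOKIE_HASH_MASK
    return (t << 27) | (m << 25) | h


def check_cookie(src_ip, dst_ip, sport, dport, client_isn, ack, now, max_age_ticks=1):
    """Validate the handshake's final ACK. Returns the negotiated MSS, or None
    if the cookie is forged, stale, or belongs to a different 4-tuple."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t = cookie >> 27
    if (tick(now) - t) & 0x1F > max_age_ticks:
        return None
    expect = _keyed_hash(src_ip, dst_ip, sport, dport, t)
    if ((cookie & COOKIE_HASH_MASK) - client_isn) & COOKIE_HASH_MASK != expect:
        return None
    return MSS_TABLE[(cookie >> 25) & 0x3]


def classic_backlog(syns, backlog=128):
    """Without cookies every SYN holds a half-open entry until ACKed or timed
    out. Within one burst nothing times out, so once the queue is full every
    later SYN, legitimate or not, is refused. Returns (established, refused)."""
    half_open, established, refused = 0, 0, 0
    for _src, _sport, _isn, can_ack in syns:
        if half_open >= backlog:
            refused += 1
        elif can_ack:
            established += 1          # handshake completes, entry freed
        else:
            half_open += 1            # SYN-ACK went to a bogus host: stuck
    return established, refused


def with_cookies(syns, server_ip=b"\xc6\x33\x64\x01", dport=53, now=1000.0):
    """Each SYN is (src_ip, sport, client_isn, can_ack). Spoofed sources never
    see the SYN-ACK, so they never ACK and never get state. Returns
    (established, queue_entries_held)."""
    established = 0
    for src_ip, sport, isn, can_ack in syns:
        cookie = make_cookie(src_ip, server_ip, sport, dport, isn, 1460, now)
        if can_ack and check_cookie(src_ip, server_ip, sport, dport, isn,
                                    cookie + 1, now + 1) == 1460:
            established += 1
    return established, 0


# Constructed burst: 200 SYNs from bogus sources, then 10 real clients.
SPOOFED = [(bytes([198, 51, 100, i % 250 + 1]), 40000 + i, 1000 + i, False) for i in range(200)]
LEGIT = [(b"\xc0\x00\x02\x07", 50000 + i, 7000 + i, True) for i in range(10)]

if __name__ == "__main__":
    print("plain queue (established, refused):", classic_backlog(SPOOFED + LEGIT))
    print("SYN cookies (established, queue held):", with_cookies(SPOOFED + LEGIT))
```

With a 128-entry queue the spoofed burst refuses every one of the ten real clients; with cookies all ten connect and the server holds no entry for the 200 bogus SYNs. The cost is the usual one: a cookie carries only a few bits of option state, which is why the MSS is quantized to a small table.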
DNS Tunneling

DNS tunneling attacks can provide attackers with an always-available back channel to exfiltrate stolen data. It’s based on using DNS as a covert communication channel to bypass a firewall. Attackers tunnel protocols like SSH or HTTP within DNS, then secretly pass stolen data or tunnel IP traffic. It works because a recursive server will resolve any name it is asked for: queries under a domain the attacker controls are delivered to the attacker’s name server even when the infected host itself is not allowed to reach the Internet.

A DNS tunnel can be used as a full remote control channel for a compromised internal host. This lets the attacker transfer files out of the network, download new code to existing malware, or have complete remote access to the system. DNS tunnels can also be used to bypass captive portals, to avoid paying for Wi-Fi service.

How the attack works (figure): a client-side tunnel program on an infected host inside the enterprise encodes IPv4 traffic in DNS queries; the enterprise recursive name server resolves them across the Internet at the hacker.org name server, which decodes the traffic.

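What the tunnel client actually puts on the wire, and what a resolver log detector can measure to notice it, are shown in the following added example, which is not code from the page. It encodes a payload into DNS names within the protocol's label and name limits (the client half of the tunnel), decodes them again (the attacker's name server half), and then runs a detector over constructed log lines. t.hacker.example stands in for the page's hacker.org, the payload and log lines are constructed, and the detector thresholds are assumptions to tune against real traffic.

```python
"""DNS tunnel encoding and a log-based tunnel detector.
Added example; domain, payload, log lines and thresholds are constructed."""
import base64
import math
from collections import defaultdict

MAX_LABEL = 63     # RFC 1035: a label is at most 63 octets
MAX_NAME = 253     # practical maximum for a name in presentation form


def encode_chunks(data, domain):
    """Split data into base32 labels under `domain`, one query name per chunk,
    with a sequence label so the far end can reorder. This is the client half
    of the tunnel: each name is 'sent' simply by being looked up."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    seq_room = len("d0000000.")
    payload_room = MAX_NAME - len(domain) - 1 - seq_room
    labels_per_name = payload_room // (MAX_LABEL + 1)
    per_name = labels_per_name * MAX_LABEL
    names = []
    for i in range(0, len(b32), per_name):
        chunk = b32[i:i + per_name]
        labels = [chunk[j:j + MAX_LABEL] for j in range(0, len(chunk), MAX_LABEL)]
        names.append(f"d{len(names):07d}." + ".".join(labels) + "." + domain)
    return names


def decode_chunks(names, domain):
    """Server side: strip the domain, order by sequence label, rejoin, decode."""
    suffix = "." + domain
    ordered = sorted(names, key=lambda n: int(n.split(".", 1)[0][1:]))
    b32 = "".join(n[:-len(suffix)].split(".", 1)[1].replace(".", "") for n in ordered)
    b32 = b32.upper() + "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


def entropy(s):
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registered_domain(qname):
    """Crude: last two labels. A real detector uses the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def tunnel_suspects(log_lines, min_queries=5, min_avg_len=50,
                    min_entropy=3.5, min_unique_ratio=0.9):
    """log_lines are 'client qname qtype'. Flag (client, domain) pairs whose
    subdomain part is long, high-entropy and almost never repeated: ordinary
    hostnames are short, low-entropy and looked up again and again."""
    stats = defaultdict(lambda: {"n": 0, "names": set(), "len": 0, "ent": 0.0})
    for line in log_lines:
        client, qname, _qtype = line.split()
        qname = qname.lower().rstrip(".")
        dom = registered_domain(qname)
        sub = qname[:-len(dom) - 1] if len(qname) > len(dom) else ""
        s = stats[(client, dom)]
        s["n"] += 1
        s["names"].add(qname)
        s["len"] += len(sub)
        s["ent"] += entropy(sub.replace(".", ""))
    found = []
    for key, s in stats.items():
        if s["n"] < min_queries:
            continue
        avg_len, avg_ent = s["len"] / s["n"], s["ent"] / s["n"]
        unique = len(s["names"]) / s["n"]
        if avg_len >= min_avg_len and avg_ent >= min_entropy and unique >= min_unique_ratio:
            found.append((key, round(avg_len, 1), round(avg_ent, 2), round(unique, 2)))
    return sorted(found)


# Constructed traffic: one infected host exfiltrating a 512-byte file through
# TXT lookups, alongside an ordinary workstation's browsing lookups.
DOMAIN = "t.hacker.example"
SECRET_FILE = bytes(range(256)) * 2
LOG = [f"10.0.0.5 {name} TXT" for name in encode_chunks(SECRET_FILE, DOMAIN)] + [
    "10.0.0.7 www.example.com A", "10.0.0.7 www.example.com A",
    "10.0.0.7 mail.example.com A", "10.0.0.7 www.example.com AAAA",
    "10.0.0.7 cdn.example.com A", "10.0.0.7 www.example.com A",
]

if __name__ == "__main__":
    for hit in tunnel_suspects(LOG):
        print("tunnel suspect (client, domain), avg_len, avg_entropy, unique_ratio:", hit)
```

The 512-byte file fits in five queries, each under 253 characters with no label over 63; the detector flags the infected host against hacker.example and leaves the workstation alone. Real tunnels also ride on the response side (TXT, NULL or CNAME records carrying the downstream data), so the same statistics are worth computing on answer sizes as well as on names.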
DNS Hijacking

DNS hijacking overrides a domain’s registration information, usually at the domain’s registrar. The modified information is set to point to rogue DNS servers. Because the change is made in the registration itself, the rogue name servers appear in the parent zone’s delegation and are handed to every resolver on the Internet; flushing a resolver’s cache does not undo it.

When a user tries to access a legitimate website, such as their bank or credit card company, they are redirected to a bogus site that looks much like the real thing, but is controlled by the attacker. DNS hijacking can put sensitive personal data at risk, including user names, passwords, and credit card information.

How the attack works (figure): the attacker changes the registrar record for mybank.com so that it is served by name servers under the attacker’s control; a look-alike name such as mybnk.com appears similar to the user, and resolver caches then hand users the attacker’s address.

Basic NXDOMAIN Attack

A basic NXDOMAIN attack is a DNS flood attack that can overwhelm server resources and impact performance. It works by sending a flood of queries to a DNS server to resolve non-existent domain names. The recursive server tries to locate the fake domains, but cannot find them; because each name is new, none of the queries can be answered from cache and every one costs a recursion to the authoritative servers. Meanwhile, the server’s cache fills up with NXDOMAIN results, slowing DNS server response time for legitimate requests.

How the attack works (figure): the attacker’s DNS queries all come back NXDOMAIN (“not found”) from the recursive name server, whose cache fills up.

Phantom Domain Attack

This type of attack forces the DNS resolver to resolve multiple “phantom” domains that have been set up by the attacker. These domains are slow to respond, or may not respond at all. The server continues to consume resources while waiting for responses, eventually leading to degraded performance or failure. The resource being consumed is the resolver’s pool of outstanding recursive queries: every fetch sent to a phantom domain holds a slot until the resolver’s timeout expires, so the attacker spends far less than the resolver does.

Random Subdomain Attack (Slow Drip)

Random subdomain, or “slow drip” attacks can tax recursive server resources and slow performance. They start with infected client devices or bots that create queries by adding randomly generated subdomain strings prefixed to the victim’s domain. For example, a client might query a non-existent subdomain like “xyz4433.yahoo.com.”

Random subdomain attacks are difficult to detect, because each client may send only a small number of queries to its DNS recursive server. But when many infected clients send requests, the impact on the recursive server is significant. In addition, the authoritative name servers of the target domain (yahoo.com) experience DDoS, and responses may never come back from the target domain. As the DNS recursive server waits for those responses, its outstanding query limit becomes exhausted.

How the attack works (figure): bots and bad clients send a flood of queries for non-existent subdomains, with random strings prefixed to the victim’s domain (e.g. xyz4433.yahoo.com), through DNS recursive servers; the result is resource exhaustion on the recursive servers and a DDoS on the victim domain’s name servers.

Domain Lock-Up Attack

A domain lock-up attack employs authoritative name servers and domains that are set up by attackers to establish TCP-based connections with DNS resolvers. When a DNS resolver requests a response, these domains send “junk” or random packets to keep it engaged. The attacker’s domains are deliberately slow to respond to requests, which keeps the resolvers engaged longer.

When a DNS resolver establishes connections with the misbehaving domains, its resources become exhausted, and it locks up.

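The basic NXDOMAIN flood, the random subdomain attack, the phantom domain attack and the domain lock-up attack described above all exhaust the same resolver resources, and the same resolver log tells them apart: one client producing a high rate of NXDOMAIN answers, many clients producing never-repeated names under one zone, and zones whose fetches time out or crawl. The following is an added example, not code from the page; the log format, thresholds, zone names and records are constructed, and the two-label zone cut is a deliberate simplification of what a real detector would do with the public suffix list.

```python
"""Resolver-log detection for NXDOMAIN floods, random-subdomain drips and
unresponsive (phantom / lock-up) zones. Added example; data is constructed."""
from collections import defaultdict

# Constructed resolver log: "ts client qname rcode rtt_ms", where rtt_ms is
# "timeout" when the upstream fetch never completed.
FLOOD = [f"{i / 30:.3f} 10.0.0.9 junk{i}.nowhere.example NXDOMAIN 40" for i in range(30)]
DRIP = [f"0.500 10.0.1.{c} r{c}x{i}.victim.example NXDOMAIN 120"
        for c in range(1, 6) for i in range(6)]
PHANTOM = [f"0.500 10.0.2.2 host{i}.phantom1.example SERVFAIL timeout" for i in range(6)]
LOCKUP = [f"0.500 10.0.2.3 x{i}.lockup.example NOERROR 9000" for i in range(5)]
LEGIT = ["0.500 10.0.0.7 www.example.com NOERROR 20"] * 5
LOG = FLOOD + DRIP + PHANTOM + LOCKUP + LEGIT


def parse(line):
    ts, client, qname, rcode, rtt = line.split()
    return {"ts": float(ts), "client": client, "qname": qname.lower().rstrip("."),
            "rcode": rcode, "rtt": None if rtt == "timeout" else float(rtt)}


def zone_of(qname):
    """Crude zone cut: last two labels. A real detector uses the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def nxdomain_flooders(lines, min_queries=20, min_ratio=0.8):
    """Basic NXDOMAIN attack: clients whose per-second volume is both high and
    mostly NXDOMAIN. Returns (client, second, total, nxdomain_ratio)."""
    per = defaultdict(lambda: [0, 0])            # (client, second) -> [total, nx]
    for r in map(parse, lines):
        k = (r["client"], int(r["ts"]))
        per[k][0] += 1
        per[k][1] += r["rcode"] == "NXDOMAIN"
    return sorted((c, sec, tot, nx / tot) for (c, sec), (tot, nx) in per.items()
                  if tot >= min_queries and nx / tot >= min_ratio)


def random_subdomain_targets(lines, min_unique=20, min_clients=3):
    """Slow drip: zones receiving many never-repeated child names from many
    clients, each of which alone stays under any per-client threshold.
    Returns (zone, unique_names, distinct_clients)."""
    names, clients = defaultdict(set), defaultdict(set)
    for r in map(parse, lines):
        z = zone_of(r["qname"])
        names[z].add(r["qname"])
        clients[z].add(r["client"])
    return sorted((z, len(names[z]), len(clients[z])) for z in names
                  if len(names[z]) >= min_unique and len(clients[z]) >= min_clients)


def unresponsive_zones(lines, min_fetches=5, min_stuck_ratio=0.8, slow_ms=5000):
    """Phantom domains (fetches time out) and lock-up (fetches crawl): every
    such fetch holds a recursion slot until the resolver gives up, so these
    are the zones to clamp with a per-zone fetch limit and a short timeout.
    Returns (zone, fetches, stuck_ratio)."""
    fetches, stuck = defaultdict(int), defaultdict(int)
    for r in map(parse, lines):
        z = zone_of(r["qname"])
        fetches[z] += 1
        stuck[z] += r["rtt"] is None or r["rtt"] >= slow_ms
    return sorted((z, fetches[z], stuck[z] / fetches[z]) for z in fetches
                  if fetches[z] >= min_fetches and stuck[z] / fetches[z] >= min_stuck_ratio)


if __name__ == "__main__":
    print("NXDOMAIN flooders:", nxdomain_flooders(LOG))
    print("random-subdomain targets:", random_subdomain_targets(LOG))
    print("unresponsive zones:", unresponsive_zones(LOG))
```

Note what each detector deliberately does not flag: the single flooding client also generates thirty unique names under nowhere.example, but one client is not a drip, and the drip against victim.example never trips the per-client NXDOMAIN rate because each bot sends only six queries. The phantom and lock-up zones are distinguished only by whether the fetch timed out or merely took seconds; both hold the same slot, which is why the practical response is a per-zone or per-server fetch limit rather than a rate limit on clients.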
Botnet-Based Attacks from CPE Devices

Botnets remain an important part of the threat landscape, and attackers continue to develop innovative ways to use them. Random subdomain attacks can use botnets to target all traffic to one site or domain. The attacks start with compromised customer premises equipment (CPE) devices like switches and routers. These devices may be supplied by an ISP, or purchased by the customer.

Attackers infect these CPE devices with malware, causing them to form a botnet to send DDoS traffic to the targeted site. The victim’s domain is hit with a DDoS attack that exhausts DNS resolver resources. Botnet-based attacks can also create issues with the compromised CPE equipment. Bad actors can exfiltrate login credentials and other data via an SSL proxy. Or they may use the infected CPE to launch attacks against the victim’s PCs and environments, further expanding the security threat.

How the attack works (figure): the attacker directs a botnet of compromised CPE devices to send DDoS traffic, such as queries for xyz123.yahoo.com, at the victim domain.

Mitigating DNS-Based Attacks

It’s clear that DNS-based attacks are increasingly attractive for hackers. All too often, DNS security does not receive the attention it needs from IT organizations.

So how can you safeguard your business against DNS-based attacks? The first step is communication. Get your IT teams together and determine who in your organization is responsible for DNS security. Discuss the types of methods, procedures, and tools you have in place to detect and mitigate DNS attacks. Consider whether you would know if an attack was happening, and the best way to stop it.

Essentials of a Secure DNS Architecture

As you discuss your DNS security posture with your team, keep in mind that a proactive approach is important in a constantly changing threat landscape. As attacks become more nimble and sophisticated, it’s not possible to manually create and add detection rules to your DNS. You need specialized, automated protection against DNS-specific attacks, as well as malware and advanced persistent threats (APTs).

A Dedicated Appliance

A hardened, purpose-built DNS appliance can provide robust protection against threats. An effective solution will minimize attack surfaces with:
• No extra or unused ports open to access the servers
• No root login access with the OS
• Role-based access to maintain overall control

The appliance should be able to secure all access methods, providing:
• Two-factor authentication for login access
• Web access using HTTPS for encryption
• SSL encryption for appliance interaction through APIs

Infoblox External DNS Security and Infoblox Internal DNS Security

Infoblox External DNS Security and Infoblox Internal DNS Security use dedicated appliances to address external attacks that target your Internet-facing DNS and internal attacks that focus on DNS inside an enterprise. They provide built-in, intelligent attack protection that keeps track of source IPs of DNS requests, as well as the DNS records requested. The solution can intelligently drop excessive DNS DDoS requests from the same IP, saving resources to respond to legitimate requests. Infoblox Internal DNS Security also provides protection against APTs/malware and data exfiltration that can happen via DNS. Infoblox Internal DNS Security easily integrates and works with other security solutions like FireEye NX series, as well as with industry-standard ecosystems for sharing threat data and centralized threat mitigation.

To stop protocol-based attacks like DNS amplification, reflection, and cache poisoning, Infoblox products use dedicated network packet inspection hardware together with automated threat intelligence rules. Infoblox actively monitors the latest DNS-based vulnerabilities and ensures that the solution provides protection against attacks out of the box. The rule set is automatically updated to provide protection against new and evolving attacks without the need for downtime or patching.

Infoblox DNS Firewall

A DNS-based network security solution that effectively detects and disrupts APTs and malware that might be launching attacks on DNS is the third key component of an effective mitigation solution. The Infoblox DNS Firewall addresses this problem of APTs/malware that use DNS to communicate with botnets and command-and-control servers.

DNS Firewall protects against APTs/malware by:
• Enforcing response policies on traffic from infected endpoints to suspicious domains
• Leveraging an automated, customizable threat update service that provides up-to-date threat data on known malicious domains
• Providing insightful reporting on malicious DNS queries including threat severity and impact, and pinpointing infected devices

Together, these components of a secure DNS architecture deliver the intelligence, performance, and proactive protection you need to safeguard your organization against today’s threats. To learn more about how Infoblox solutions can help you get out in front of DNS-based attacks, visit www.infoblox.com.

For more information visit www.infoblox.com

© 2015 Infoblox Inc. All rights reserved. All registered trademarks are property of their respective owners.