DNS attacks have the potential to disrupt the entire network of a company, crippling its operations for several days and causing substantial losses: downtime for websites and company cloud services, malware infections, and more. By understanding the mechanisms behind these attacks and taking appropriate preventive measures, one can effectively safeguard their infrastructure.
In October 2016, sites such as Spotify, Netflix, Twitter and Amazon were unreachable for roughly ten hours for users in the USA; The New York Times and Microsoft were among the other companies hit. Interestingly, those companies' own IT systems were not at fault and no software flaw was exploited. The attackers simply flooded the DNS provider they all relied on with junk traffic until it could no longer answer, so browsers could not turn the sites' names into addresses.
DNS is an Achilles' heel of web infrastructure. In 2020, DNS attacks are estimated to have affected 83% of companies in France. So what is really happening?
What is DNS?
The DNS, or Domain Name System, maps a name people can remember, such as madonna.com, to the IP address that computers actually connect to: for IPv4, four numbers separated by periods.
This translation is done by DNS resolvers. In France the resolvers most people use are the ones run by their ISP: Free, Orange, SFR and Bouygues Telecom. Public alternatives exist, such as Google Public DNS (8.8.8.8), Cloudflare (1.1.1.1) and OpenDNS.
How does it work in practice? When a user types “madonna.com” in their browser, this expression is sent to a DNS server which translates it into an IP address: 3.33.139.232.
The steps are as follows:
- The resolver first looks in its cache. In DNS, caching means keeping recently obtained records (name, record type, address) for as long as the record's time-to-live (TTL) allows, so that repeated lookups are answered locally without any further network traffic.
- On a cache miss, the resolver walks the DNS hierarchy: it asks a root server which servers handle .com, asks one of those which servers are authoritative for madonna.com, and finally asks the authoritative server for the record itself.
- Once the answer arrives, the resolver returns it to the browser and stores it in its cache until the TTL expires, so the next client asking the same resolver for the same name gets an immediate reply. This shared cache is precisely what makes poisoning attractive: one bad record serves every client of that resolver.
The October 2016 outage affected sites like Amazon, Twitter, Netflix, and Spotify; it was caused by an attack on the DNS servers of a major American player, Dyn. This was a DDoS attack – explained below.
Why is DNS vulnerable?
DNS was designed in the 1980s for speed and simplicity; authenticating answers was not a goal. Queries and answers travel in clear text, usually over UDP, and a resolver accepts whatever answer arrives first carrying the right 16-bit transaction ID on the right port. That makes answers easy to read, easy to forge and, because the protocol is connectionless and answers are larger than questions, easy to abuse for flooding third parties. As a consequence, DNS has become a prime target for cyberattacks.
How do DNS attacks work?
DNS attacks exploit weaknesses within the domain name system (DNS). They take several forms, but a recurring pattern is that an attacker who can observe, or deliberately provoke, a DNS query races the legitimate server and delivers a forged answer first; the resolver has no way to tell the two apart and keeps the forgery.
Types of DNS attacks
DNS Cache Poisoning Attack
This technique is designed to redirect users to a counterfeit site. The weakness exploited is the resolver's cache. The attacker makes the resolver look up a name (by querying it directly if it is open to the Internet, or indirectly, for example by sending an e-mail whose processing triggers a lookup) and then bombards it with forged replies, guessing the 16-bit transaction ID and, on an old resolver that always sends from port 53, nothing else. If a forgery arrives before the genuine answer and matches, the wrong IP address is cached for the TTL the attacker chose, and every user of that resolver, potentially tens of thousands, is affected until it expires.
When one of those users then types the address of, say, an e-commerce site, they land on the attacker's copy of it and risk handing over their username and password. Modern resolvers make the guess far harder by randomising the source port and the letter case of the query name, and DNSSEC validation (see below) exposes a forgery regardless of whether it wins the race.
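The following is an added example, not code from the original article: it works through the resolution exchange described above (a query and an answer in DNS wire format) and the acceptance check that cache poisoning abuses. The weak check matches only the transaction ID on a fixed port; the hardened check also requires the randomised source port, the exact letter case of the question (0x20 encoding, which the server echoes back) and answer names belonging to the question. The domain, the IP addresses (203.0.113.66 stands in for the attacker's host) and the port numbers are constructed for illustration; there is no network I/O.

```python
"""Toy DNS packet builder/parser and resolver acceptance check.
Constructed example: not a real resolver, no network I/O."""
import struct
import secrets


def encode_name(name):
    """Dotted name -> DNS label wire format (length-prefixed labels, zero byte end)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data, offset):
    """Read a name at `offset`; handles a compression pointer (0xC0 ..) to an earlier name."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            suffix, _ = decode_name(data, ptr)
            labels.append(suffix)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(txid, qname):
    """Standard query, recursion desired, one question of type A / class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(txid, qname, ipv4, ttl=300):
    """Answer that echoes the question and carries one A record whose owner
    name is a pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(data):
    """Minimal parser: header, question name, A records in the answer section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    qname, off = decode_name(data, 12)
    off += 4                                     # skip QTYPE, QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "flags": flags, "qname": qname, "answers": answers}


def make_pending(qname, hardened):
    """State a resolver keeps for an in-flight query. Weak form: random TXID,
    fixed source port 53, lower-case name. Hardened: random ephemeral port and
    randomised letter case (0x20 encoding), which the server echoes back."""
    txid = secrets.randbelow(65536)
    if not hardened:
        return {"txid": txid, "port": 53, "qname": qname.lower(), "hardened": False}
    port = 1024 + secrets.randbelow(65536 - 1024)
    mixed = "".join(c.upper() if secrets.randbelow(2) else c.lower() for c in qname)
    return {"txid": txid, "port": port, "qname": mixed, "hardened": True}


def accepts(pending, dst_port, payload):
    """Would the resolver cache `payload`, received on UDP port `dst_port`,
    as the answer to `pending`?"""
    r = parse_response(payload)
    if r["txid"] != pending["txid"]:
        return False
    if not pending["hardened"]:
        return True                               # TXID alone: 1 in 65536 per forged packet
    if dst_port != pending["port"] or r["qname"] != pending["qname"]:
        return False
    # answer names must be the name we asked about (a simple bailiwick rule)
    return all(n.lower() == pending["qname"].lower() for n, _, _ in r["answers"])


def guess_bits(pending):
    """Bits an off-path attacker must guess per forged packet (port ~16 bits, one bit per letter)."""
    if not pending["hardened"]:
        return 16
    return 16 + 16 + sum(c.isalpha() for c in pending["qname"])


if __name__ == "__main__":
    weak = {"txid": 0x1234, "port": 53, "qname": "madonna.com", "hardened": False}
    forged = build_response(0x1234, "madonna.com", "203.0.113.66")
    print("weak resolver accepts forged answer:", accepts(weak, 53, forged))
    strong = make_pending("madonna.com", hardened=True)
    print("hardened resolver accepts the same packet:", accepts(strong, 53, forged))
    print("bits to guess:", guess_bits(weak), "vs", guess_bits(strong))
```

The point of `guess_bits` is the arithmetic behind the 2008 generation of poisoning attacks: with 16 bits to guess, a few tens of thousands of forged packets per race give the attacker good odds, and the attacker can restart the race at will by querying a fresh random subdomain; with 40-plus bits the flood needed is out of reach, which is why port and case randomisation became standard in resolvers.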
DDoS Amplification Attack
This type of attack typically targets high-traffic sites like those of Sony or Microsoft. A distributed denial of service (DDoS) attack aims to make an online service unavailable by overwhelming it with traffic from many sources. One of the largest recorded was the 26 million requests per second that Cloudflare absorbed in 2022; that one was an HTTPS flood rather than a DNS one, but it gives an idea of the scale involved.
In a DNS amplification attack the attacker does not hit the victim directly. It sends small DNS queries whose source address is forged to be the victim's to open resolvers (or authoritative servers) that answer anyone. Each reply, which can be 30 to 50 times larger than the query (ANY queries and DNSSEC-signed responses are favourites), goes to the victim, so a modest stream from a botnet of infected machines turns into a flood of many gigabits per second at the target, enough to crash or saturate it. Two things make this possible: servers that answer queries from strangers, and networks that let packets leave with forged source addresses.
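An added example, not from the original article, of the arithmetic behind amplification and of the defence authoritative servers use against being reflected, Response Rate Limiting (RRL): identical answers to one client prefix beyond a budget are dropped, except that every second one (the "slip") is sent truncated with no answer, so a real client retries over TCP, where the source address cannot be forged, while the spoofed victim receives almost nothing. The packet sizes, the victim address 198.51.100.7 and the budget are constructed for illustration.

```python
"""Reflection arithmetic and a Response Rate Limiting (RRL) model of the kind
implemented by BIND, NSD and Knot. Constructed example; sizes are illustrative."""
from collections import defaultdict


def amplification_factor(query_bytes, response_bytes):
    """Bytes that land on the spoofed victim per byte the attacker sends."""
    return response_bytes / query_bytes


class ResponseRateLimiter:
    """Per (client /24, query name, rcode) budget of identical responses per
    window. Above budget: drop, except every `slip`-th response goes out
    truncated (TC=1, no answer) so a genuine client falls back to TCP."""

    def __init__(self, responses_per_second, window_seconds=1.0, slip=2):
        self.limit = responses_per_second * window_seconds
        self.window = window_seconds
        self.slip = slip
        self.buckets = defaultdict(lambda: [0, None])   # key -> [count, window_start]

    @staticmethod
    def _key(client_ip, qname, rcode):
        net24 = ".".join(client_ip.split(".")[:3])    # aggregate a spoofed /24, as BIND's ipv4-prefix-length 24 does
        return (net24, qname.lower(), rcode)

    def decide(self, now, client_ip, qname, rcode):
        """Return 'send', 'truncate' or 'drop' for a response about to leave."""
        bucket = self.buckets[self._key(client_ip, qname, rcode)]
        if bucket[1] is None or now - bucket[1] >= self.window:
            bucket[0], bucket[1] = 0, now
        bucket[0] += 1
        if bucket[0] <= self.limit:
            return "send"
        over = bucket[0] - self.limit
        if self.slip and over % self.slip == 0:
            return "truncate"
        return "drop"


def simulate_flood(n, limit=10, slip=2, query_bytes=64, response_bytes=3000):
    """n spoofed queries for one name, all claiming to come from the victim and
    arriving within one second. A TC=1 reply carries only header + question,
    so it is counted as query-sized."""
    rrl = ResponseRateLimiter(limit, slip=slip)
    decisions = {"send": 0, "truncate": 0, "drop": 0}
    for i in range(n):
        decisions[rrl.decide(i / n, "198.51.100.7", "example.com", "NOERROR")] += 1
    attacker_bytes = n * query_bytes
    without_rrl = n * response_bytes
    with_rrl = decisions["send"] * response_bytes + decisions["truncate"] * query_bytes
    return {
        "decisions": decisions,
        "bytes_without_rrl": without_rrl,
        "bytes_with_rrl": with_rrl,
        "factor_without_rrl": without_rrl / attacker_bytes,
        "factor_with_rrl": with_rrl / attacker_bytes,
    }


if __name__ == "__main__":
    r = simulate_flood(1000)
    print(r["decisions"])
    print(f"victim receives x{r['factor_without_rrl']:.1f} the attacker's bytes without RRL, "
          f"x{r['factor_with_rrl']:.2f} with RRL")
```

In BIND the equivalent policy is `rate-limit { responses-per-second 10; slip 2; };` in the options block. RRL protects an authoritative server from being used as a reflector; for a recursive resolver the fix is simpler: do not answer recursion for addresses outside your own network. Neither replaces source-address filtering (BCP 38) at the network edge, which is what stops the forged packets at their origin.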
DNS Hijacking
This involves manipulating DNS records, or the path to them, so that lookups resolve to destinations the attacker controls. Routes in include compromising the authoritative DNS server or the registrar account that manages the zone, changing the resolver address configured on home routers or infected machines, and a man-in-the-middle position on the network from which queries and replies are rewritten in transit.
TCP SYN Flood
This is another denial-of-service technique and not specific to DNS: it floods a server with a rapid stream of TCP SYN segments (the first message of the handshake that sets up a connection between two computers), leaving it with a table full of half-open connections and unable to serve legitimate ones. DNS servers are exposed to it on their TCP side, which handles large responses, zone transfers and DNS over TLS.
Domain Generation Algorithm Attack (DGA)
Here, malware that needs to find its command-and-control server computes a list of pseudo-random domain names from a seed (typically the current date) and tries them in turn; the operator, who knows the algorithm, registers only one or two of them ahead of time. Blocking a single domain therefore achieves nothing and the infrastructure survives takedowns. The technique also leaves a trail: a constant stream of failed lookups (NXDOMAIN) for gibberish names from one host is itself a strong signal of infection.
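An added example, not from the original article and not any real malware family's algorithm: a minimal seed-and-date-driven generator, showing how bot and operator arrive at the same names without ever exchanging them, together with a lexical scorer of the kind used as a first filter on query logs (character entropy of the first label, plus penalties for few vowels and long consonant runs). The seed, the date and the thresholds are constructed for illustration.

```python
"""Seed-driven domain generation (DGA) and a lexical scorer for spotting such
names. Constructed illustration; real families use their own generators."""
import hashlib
import math
import re
from collections import Counter

TLDS = ("com", "net", "info", "biz")


def dga_domains(seed, day, count=5):
    """Domains for `day` (an ISO date string). Bot and operator share `seed`,
    so both compute the same list; the operator registers one in advance."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(f"{seed}:{day}:{i}".encode()).digest()
        length = 10 + h[0] % 8                              # 10..17 letters
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        domains.append(f"{label}.{TLDS[h[-1] % len(TLDS)]}")
    return domains


def shannon_entropy(text):
    """Bits of entropy per character of `text`."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_score(domain):
    """Entropy of the first label plus penalties for few vowels and long
    consonant runs. Human-chosen names usually score below ~2.5; random letter
    strings of 10+ characters usually score above 3."""
    label = domain.lower().split(".")[0]
    score = shannon_entropy(label)
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    longest_consonant_run = max((len(r) for r in re.findall(r"[^aeiou]+", label)), default=0)
    if vowel_ratio < 0.25:
        score += 0.5
    if longest_consonant_run >= 4:
        score += 0.5
    return score


def flag_suspects(qnames, threshold=3.0):
    """(domain, score) pairs at or above `threshold`, highest score first."""
    scored = [(q, dga_score(q)) for q in qnames]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])


if __name__ == "__main__":
    today = dga_domains("s3cret-seed", "2024-03-15")
    for d in today:
        print("bot will try:", d)
    traffic = ["www.madonna.com", "mail.google.com", "cdn.example.net"] + today
    for d, s in flag_suspects(traffic):
        print(f"{s:.2f}  {d}")
```

Entropy alone produces false positives on content-delivery and cloud hostnames, which are also long and random-looking, so in practice the score is combined with the NXDOMAIN rate per client and with reputation data, or replaced by a classifier trained on known DGA families; the features shown here are the ones such classifiers start from.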
Cloaking Attack
The attacker generates conspicuous DNS activity as a diversion to confuse security teams and tools. The objective is to carry out a far more damaging action, such as data theft, while attention is on the distraction or immediately after it.
How to Prevent DNS Attacks?
Implement DNSSEC
DNSSEC (Domain Name System Security Extensions) adds authentication and integrity to DNS answers. Each record set in a signed zone carries a digital signature (RRSIG record), and the zone's public key (DNSKEY record) is vouched for by a DS record published in the parent zone, forming a chain of trust from the root down. A validating resolver checks those signatures and discards a forged answer even if it arrives first, which defeats cache poisoning. Two caveats: DNSSEC does not encrypt anything (queries remain visible to anyone on the path) and it does nothing against flooding attacks; and it only helps if your zones are signed, the DS records are in the parent, and your resolvers actually validate.
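An added example, not from the original article, of the link in the chain of trust that a validating resolver checks first: the parent's DS record is a hash of the child's DNSKEY, so a key substituted by an attacker cannot match it. The key tag follows RFC 4034 Appendix B and the DS digest follows RFC 4034 section 5.1.4 (digest type 2, SHA-256, over the canonical owner name followed by the DNSKEY RDATA). The key bytes are a constructed stand-in with the length of an ECDSA P-256 key (algorithm 13), not a real key, and only the DS/DNSKEY match is shown; verifying the RRSIG signatures themselves needs a cryptographic library.

```python
"""DS record derivation and the validator-side DS/DNSKEY match.
Constructed example: key bytes are a stand-in, not a real zone key."""
import hashlib


def wire_name(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA = 2-byte flags | protocol (always 3) | algorithm | public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """16-bit key tag (RFC 4034 App. B) used to pick the right DNSKEY; not a security check."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest over canonical owner name + DNSKEY RDATA. Type 2 = SHA-256."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is shown here")
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()


def ds_record(owner, flags, protocol, algorithm, public_key):
    """Presentation-format DS record the parent zone would publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return f"{owner}. IN DS {key_tag(rdata)} {algorithm} 2 {ds_digest(owner, rdata)}"


def dnskey_matches_ds(owner, flags, protocol, algorithm, public_key, ds_text):
    """Validator-side check: does the DNSKEY handed to us hash to the DS in the parent?"""
    tag, alg, dtype, digest = ds_text.split()[-4:]
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return (int(tag) == key_tag(rdata) and int(alg) == algorithm
            and int(dtype) == 2 and digest.upper() == ds_digest(owner, rdata))


if __name__ == "__main__":
    # constructed 64-byte stand-in for an ECDSA P-256 (algorithm 13) KSK public key; flags 257 = KSK
    fake_key = bytes(range(64))
    ds = ds_record("madonna.com", 257, 3, 13, fake_key)
    print(ds)
    substituted = bytes([9]) + fake_key[1:]        # an attacker-supplied key in a forged DNSKEY answer
    print("genuine key matches DS:", dnskey_matches_ds("madonna.com", 257, 3, 13, fake_key, ds))
    print("substituted key matches DS:", dnskey_matches_ds("madonna.com", 257, 3, 13, substituted, ds))
```

This is also why key rollovers have to be coordinated with the parent: a new KSK is useless to validators until the matching DS is published above it, and removing the old DS before every resolver has seen the new one makes the zone fail validation for everybody.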
Logging
Logging every query and answer handled by your resolvers and authoritative servers (client address, name, record type, response code, response size) makes anomalies visible: a host producing bursts of failed lookups for gibberish names, long random-looking subdomain labels carrying data out over DNS, or a surge of queries from a single address. The same logs are what an incident response will need afterwards to establish what was contacted and when.
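An added example, not from the original article, of two detections run over resolver logs: a client whose lookups mostly return NXDOMAIN for unrelated names (a DGA bot hunting for its controller), and a client sending many distinct labels under one domain (DNS tunnelling, where the labels carry the data). The log lines are constructed in a simple key=value layout for the example; real logs (BIND's querylog, Unbound's log, dnstap) have their own formats but carry the same fields and would be parsed the same way. The addresses and names are fictitious.

```python
"""Anomaly detection over DNS query logs. Sample lines are constructed."""
import re
from collections import defaultdict

LINE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\S+) rcode=(?P<rcode>\S+) size=(?P<size>\d+)$"
)

# Constructed sample: one normal client, one DGA-like client, one tunnelling client.
SAMPLE_LOG = """\
2024-03-15T10:00:01 client=192.0.2.10 qname=www.madonna.com qtype=A rcode=NOERROR size=74
2024-03-15T10:00:02 client=192.0.2.10 qname=mail.google.com qtype=A rcode=NOERROR size=80
2024-03-15T10:00:03 client=192.0.2.55 qname=qkzjvwptmlrx.com qtype=A rcode=NXDOMAIN size=98
2024-03-15T10:00:03 client=192.0.2.55 qname=bnwqrltzkvpd.net qtype=A rcode=NXDOMAIN size=98
2024-03-15T10:00:04 client=192.0.2.55 qname=ztrkplmqvbnw.info qtype=A rcode=NXDOMAIN size=99
2024-03-15T10:00:04 client=192.0.2.55 qname=wxplkmzvqrtb.biz qtype=A rcode=NXDOMAIN size=98
2024-03-15T10:00:05 client=192.0.2.55 qname=mkqtplzvrwxb.com qtype=A rcode=NXDOMAIN size=98
2024-03-15T10:00:05 client=192.0.2.55 qname=www.madonna.com qtype=A rcode=NOERROR size=74
2024-03-15T10:00:06 client=192.0.2.77 qname=aGVsbG8.t.example.org qtype=TXT rcode=NOERROR size=210
2024-03-15T10:00:06 client=192.0.2.77 qname=d29ybGQ.t.example.org qtype=TXT rcode=NOERROR size=212
2024-03-15T10:00:07 client=192.0.2.77 qname=Zm9vYmFy.t.example.org qtype=TXT rcode=NOERROR size=215
2024-03-15T10:00:07 client=192.0.2.77 qname=YmF6cXV4.t.example.org qtype=TXT rcode=NOERROR size=214
2024-03-15T10:00:08 client=192.0.2.77 qname=bG9yZW0.t.example.org qtype=TXT rcode=NOERROR size=211
2024-03-15T10:00:08 client=192.0.2.77 qname=aXBzdW0.t.example.org qtype=TXT rcode=NOERROR size=213
"""


def parse(log_text):
    """Parse lines into dicts; lines that do not match the layout are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            rows.append(d)
    return rows


def registrable(qname):
    """Crude 'domain.tld' extraction; a real pipeline uses the public suffix list."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])


def find_anomalies(rows, nx_min=5, nx_ratio=0.5, tunnel_min_labels=5):
    """Return (client, rule, detail) tuples for clients that trip a rule."""
    per_client = defaultdict(lambda: {"total": 0, "nxdomain": 0, "subs": defaultdict(set)})
    for r in rows:
        c = per_client[r["client"]]
        c["total"] += 1
        if r["rcode"] == "NXDOMAIN":
            c["nxdomain"] += 1
        qname = r["qname"].lower().rstrip(".")
        dom = registrable(qname)
        sub = qname[: -len(dom) - 1]            # everything left of the registrable domain
        if sub:
            c["subs"][dom].add(sub)
    findings = []
    for client, c in per_client.items():
        if c["nxdomain"] >= nx_min and c["nxdomain"] / c["total"] >= nx_ratio:
            findings.append((client, "nxdomain-burst",
                             f"{c['nxdomain']} of {c['total']} queries returned NXDOMAIN"))
        for dom, subs in c["subs"].items():
            if len(subs) >= tunnel_min_labels:
                findings.append((client, "dns-tunnel",
                                 f"{len(subs)} distinct labels under {dom}"))
    return findings


if __name__ == "__main__":
    for client, rule, detail in find_anomalies(parse(SAMPLE_LOG)):
        print(f"{client:<14} {rule:<15} {detail}")
```

In production these counts are kept per time window rather than over the whole file, and the thresholds are set from a baseline of your own traffic: a mail server legitimately produces many NXDOMAINs from reverse and anti-spam lookups, and CDN hostnames legitimately have many distinct labels, so both rules need an allow-list before they page anyone.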
Access Restriction
Restricting recursion to your own clients, so that your resolver is not an "open resolver" answering the whole Internet, stops strangers from using it as an amplifier and removes the easiest way for an attacker to trigger the lookups a poisoning attack needs. It is not a complete defence against poisoning on its own, since lookups can still be provoked indirectly (an inbound e-mail, a link opened by an internal user), so it belongs alongside port randomisation and DNSSEC validation rather than instead of them.
Backup of DNS Data
Keeping copies of zone data on other servers (secondary servers fed by authenticated zone transfers, and zone files in version control) means a compromised or wiped DNS server can be replaced quickly, and its records compared against a known-good copy to spot unauthorised changes.
Deploy a Dedicated DNS Protection
Subscribing to a DNS security service from a third-party provider is often a sound choice: anycast hosting of your authoritative zones spreads and absorbs volumetric floods that a single data centre cannot, and a filtering resolver blocks known malicious and DGA domains for your users. This matters most when your own capacity cannot soak up a large DDoS.