Types of DNS Attacks and Tactics for Security
Prerequisite – Domain Name Server, DNS Spoofing or DNS Cache poisoning
Domain Name Server is a prominent building block of the Internet. It’s developed as a system to convert alphabetical names into IP addresses, allowing users to access websites and exchange e-mails. DNS is organized into a tree-like infrastructure where the first level contains topmost domains, such as .com and .org. The second-level nodes contain general, traditional domain names. The ‘leaf’ nodes on this tree are known as hosts.
DNS works similar to a database that is accessed by millions of computer systems in trying to identify which address is most likely to solve a user’s query.
In DNS attacks, hackers will sometimes target the servers which contain the domain names. In other cases, these attackers will try to determine vulnerabilities within the system itself and exploit them for their own good.
Types of Attacks:
- Denial of service (DoS) –
An attack where the attacker renders a computer useless (inaccessible) to the user by making a resource unavailable or by flooding the system with traffic.
- Distributed denial of service (DDoS) –
The attacker controls an overwhelming amount of computers (hundreds or thousands) in order to spread malware and flood the victim’s computer with unnecessary and overloading traffic. Eventually, unable to harness the power necessary to handle the intensive processing, the systems will overload and crash.
- DNS spoofing (also known as DNS cache poisoning) –
An attacker will drive the traffic away from real DNS servers and redirect them to a “pirate” server, unbeknownst to the users. This may cause the corruption/theft of a user’s personal data.
- Fast flux –
An attacker will typically spoof his IP address while performing an attack. Fast flux is a technique to constantly change location-based data in order to hide where exactly the attack is coming from. This will mask the attacker’s real location, giving him the time needed to exploit the attack. Flux can be single or double or of any other variant. A single flux changes the address of the webserver while double flux changes both the address of the web server and the names of DNS serves.
- Reflected attacks –
Attackers will send thousands of queries while spoofing their own IP address and using the victim’s source address. When these queries are answered, they will all be redirected to the victim himself.
- Reflective amplification DoS –
When the size of the answer is considerably larger than the query itself, a flux is triggered, causing an amplification effect. This generally uses the same method as a reflected attack, but this attack will overwhelm the user’s system’s infrastructure further.
Measures against DNS attacks:
- Use digital signatures and certificates to authenticate sessions in order to protect private data.
- Update regularly and use the latest software versions, such as BIND. BIND is open-source software that resolves DNS queries for users. It is widely used by a good majority of the DNS servers on the Internet.
- Install appropriate patches and fix faulty bugs regularly.
- Replicate data in a few other servers, so that if data is corrupted/lost in one server, it can be recovered from the others. This could also prevent single-point failure.
- Block redundant queries in order to prevent spoofing.
- Limit the number of possible queries.