Why DNS Servers Are an Unprotected Back Door into Your Network

By Chris Preimesberger  |  Posted 2016-11-11
1 - Why DNS Servers Are an Unprotected Back Door into Your Network

Threats surfacing in DNS traffic include protocol anomalies, tunneling, and botnets, according to the latest Infoblox Security Assessment report.

2 - Analyzing DNS Data

In the second quarter of 2016, Infoblox analyzed DNS traffic data from 248 businesses. Sixty-six percent of the data showed evidence of suspicious activity. This problem is growing exponentially.

3 - U.S. Far and Away the Biggest Target

As shown in the graphic above, the United States (far above all others) is being hit the most by DNS attacks.

4 - Education Leads Most Vulnerable Sectors

Education, telecommunications, government agencies and financial services are being hit the most by DNS attacks, as shown in the above graphic.

5 - Protocol Anomalies: 48 Percent

Protocol anomalies are malformed DNS packets, including unexpected header and payload values, sent to a targeted server. They exploit software bugs in the server's protocol parsing and processing code, causing it to stop responding, for example by entering an infinite loop or crashing.

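The defensive counterpart to the parsing bugs described above, as an added example that is not from the Infoblox report or this article: a minimal DNS header and name decoder that bounds-checks every field and rejects compression-pointer cycles, the kind of malformed input that can otherwise send a naive parser into an infinite loop. The sample packets are constructed here.

```python
import struct
class MalformedDNS(ValueError):
    """Raised when a packet violates the RFC 1035 wire format."""
def parse_header(pkt: bytes) -> dict:
    """Decode the 12-byte header and sanity-check the section counts."""
    if len(pkt) < 12:
        raise MalformedDNS("packet shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    # A question needs at least 5 octets (root name + type + class), an RR at least 11.
    if 5 * qd + 11 * (an + ns + ar) > len(pkt) - 12:
        raise MalformedDNS("section counts exceed what the packet can hold")
    return {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def read_name(pkt: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    # A pointer must land strictly before the label run being read, so every jump moves
    # backwards and a crafted pointer cycle cannot keep the parser looping forever.
    labels, total, run_start, end = [], 0, offset, None
    while True:
        if offset >= len(pkt):
            raise MalformedDNS("name runs past the end of the packet")
        length = pkt[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if offset + 1 >= len(pkt):
                raise MalformedDNS("truncated compression pointer")
            target = struct.unpack("!H", pkt[offset:offset + 2])[0] & 0x3FFF
            if target >= run_start:
                raise MalformedDNS("compression pointer does not point backwards")
            end = offset + 2 if end is None else end   # the name ends after the first pointer
            offset = run_start = target
            continue
        if length == 0:                                # root label terminates the name
            return ".".join(labels) or ".", (offset + 1 if end is None else end)
        offset += 1
        if offset + length > len(pkt):
            raise MalformedDNS("label runs past the end of the packet")
        labels.append(pkt[offset:offset + length].decode("ascii", "replace"))
        offset, total = offset + length, total + length + 1
        if total > 255:
            raise MalformedDNS("name longer than 255 octets")

# Constructed sample packets (not taken from the report): a valid A response for
# www.example.com, and a query whose name contains a compression-pointer cycle.
HEADER = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
QUESTION = b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
GOOD_PKT = HEADER + QUESTION + ANSWER
LOOP_PKT = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x03abc\xc0\x0c"
```

With the looser "pointer must point backwards from the current byte" rule that some parsers use, LOOP_PKT would spin forever: the pointer at offset 16 points to offset 12, whose label leads straight back to offset 16.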
6 - DNS Tunneling: 40 Percent

DNS tunneling enables cyber-criminals to insert malware or pass stolen information through DNS, thereby using DNS as a covert communication channel to bypass firewalls. While there are semi-legitimate uses of DNS tunneling, many instances of tunneling are malicious. Several off-the-shelf tunneling toolkits are readily available on the internet, so hackers don't always need technical sophistication to mount DNS tunneling attacks.

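A defender-side illustration of the tunneling indicators a monitoring team looks for in the traffic described above (long, high-entropy subdomains and unusual record types), added here and not taken from the report or any Infoblox tool. It scores a constructed query log per client and domain; the thresholds and the two-label rule for the registered domain are assumptions to tune against your own baseline.

```python
import math
from collections import Counter, defaultdict
# Constructed sample query log (not from the report): time, client, qtype, qname.
SAMPLE_LOG = """\
2016-11-11T10:00:01 10.1.2.3 A www.example.com
2016-11-11T10:00:02 10.1.2.3 A mail.example.com
2016-11-11T10:00:03 10.1.2.9 TXT 0123456789abcdef0123456789abcdef0123456789abcdef0123.t.badtunnel.example
2016-11-11T10:00:03 10.1.2.9 TXT fedcba9876543210fedcba9876543210fedcba9876543210fedc.t.badtunnel.example
2016-11-11T10:00:04 10.1.2.9 NULL 89abcdef0123456789abcdef0123456789abcdef0123456789ab.t.badtunnel.example
2016-11-11T10:00:05 10.1.2.9 TXT 456789abcdef0123456789abcdef0123456789abcdef01234567.t.badtunnel.example
2016-11-11T10:00:06 10.1.2.5 A cdn.example.net
"""

# Heuristic thresholds; assumed values for this example, tune them against your own baseline.
MAX_SUB_LEN, MAX_ENTROPY, RARE_QTYPES, MIN_SCORE = 40, 3.5, {"TXT", "NULL"}, 2

def shannon_entropy(text: str) -> float:
    """Bits per character: hex or base32 payloads score near 4, ordinary hostnames far lower."""
    if not text:
        return 0.0
    return -sum(c / len(text) * math.log2(c / len(text)) for c in Counter(text).values())

def split_qname(qname: str) -> tuple[str, str]:
    """Return (subdomain, registered domain). Assumes the registered domain is the last
    two labels; a production tool would consult the Public Suffix List instead."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_log(log_text: str) -> dict:
    """Aggregate per (client, domain) and count how many tunneling indicators trip."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        _, client, qtype, qname = line.split()
        sub, domain = split_qname(qname)
        groups[(client, domain)].append((qtype, sub.replace(".", "")))
    report = {}
    for key, rows in groups.items():
        n = len(rows)
        mean_len = sum(len(s) for _, s in rows) / n
        mean_ent = sum(shannon_entropy(s) for _, s in rows) / n
        rare = sum(q in RARE_QTYPES for q, _ in rows) / n
        score = (mean_len > MAX_SUB_LEN) + (mean_ent > MAX_ENTROPY) + (rare >= 0.5)
        report[key] = {"queries": n, "mean_len": round(mean_len, 1),
                       "mean_entropy": round(mean_ent, 2), "rare_qtype": rare, "score": score}
    return report

def suspicious(log_text: str) -> list:
    """(client, domain) pairs that trip at least MIN_SCORE indicators."""
    return sorted(k for k, v in score_log(log_text).items() if v["score"] >= MIN_SCORE)
```

The semi-legitimate uses the text mentions (some anti-virus and inventory agents encode data in TXT lookups) will trip the same indicators, so review the flagged pairs against a list of known software before blocking.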
7 - Botnets: 35 Percent

A botnet is a set of infected computers that communicate with each other and work together either to spread malware or to take part in denial-of-service attacks. They coordinate through command-and-control servers or peer-to-peer communication to achieve their goals.

8 - Amplification and Reflection Traffic: 17 Percent

Reflection attacks use one or more third-party DNS servers, usually open resolvers on the internet, to propagate a distributed denial of service (DDoS) attack on a victim's server. Attackers spoof the DNS queries they send to open resolvers by including the victim's IP address as the source IP. The resolvers send all responses to the victim's server, thereby overwhelming it and potentially creating a denial of service. In an amplification attack, the queries are specially crafted to result in a very large response. Cyber-criminals typically use a combination of amplification and reflection to maximize impact on the victim's server.

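As an added example (not from the report), the standard resolver-side mitigation for the reflected floods described above, response rate limiting: a token bucket keyed on the client netblock and the response, with a "slip" of truncated replies so a genuine client can retry over TCP while a spoofed source cannot. The knob values and the sample traffic are assumed and constructed here.

```python
import ipaddress
from collections import Counter, defaultdict
# Knobs; assumed values for this example, modelled on the settings DNS response rate
# limiting (RRL) implementations expose rather than on any one product's defaults.
RESPONSES_PER_SECOND = 5   # identical responses allowed per client netblock per second
WINDOW_SECONDS = 15        # unused credit a netblock may bank during quiet periods
SLIP = 2                   # every SLIP-th suppressed response is sent truncated instead

class ResponseRateLimiter:
    """Token bucket keyed on (client netblock, qname, rcode), i.e. on the response.

    A reflection flood shows up as many queries for one name carrying the victim's
    spoofed source address. Capping identical responses per netblock starves the
    reflected traffic; the occasional truncated (TC=1) reply lets a real client retry
    over TCP, which a spoofed source cannot complete.
    """
    def __init__(self):
        self.buckets = {}                 # key -> (tokens, last_timestamp)
        self.suppressed = defaultdict(int)

    @staticmethod
    def bucket_key(client_ip, qname, rcode):
        ip = ipaddress.ip_address(client_ip)
        net = ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 56}", strict=False)
        return (str(net), qname.lower().rstrip("."), rcode)

    def decide(self, client_ip, qname, rcode, now):
        """Return 'send', 'drop' or 'truncate' for one response about to leave."""
        key = self.bucket_key(client_ip, qname, rcode)
        tokens, last = self.buckets.get(key, (RESPONSES_PER_SECOND, now))
        tokens = min(RESPONSES_PER_SECOND * WINDOW_SECONDS,
                     tokens + (now - last) * RESPONSES_PER_SECOND)
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now)
            return "send"
        self.buckets[key] = (tokens, now)
        self.suppressed[key] += 1
        return "truncate" if self.suppressed[key] % SLIP == 0 else "drop"

def simulate(events):
    """events: (timestamp, client_ip, qname, rcode) tuples; returns decision counts."""
    rrl = ResponseRateLimiter()
    return dict(Counter(rrl.decide(ip, name, rcode, ts) for ts, ip, name, rcode in sorted(events)))

# Constructed sample traffic (not from the report): 20 spoofed queries for one name
# arriving together, plus two ordinary lookups from a different client.
FLOOD = [(100.0, "192.0.2.77", "example.com", "NOERROR")] * 20
LEGIT = [(100.3, "198.51.100.9", "www.example.net", "NOERROR"),
         (100.9, "198.51.100.9", "www.example.net", "NOERROR")]
```

Rate limiting only caps how much a resolver will reflect; closing open resolvers to outside clients and deploying source-address validation at the network edge remove the reflector and the spoofing respectively.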
9 - Distributed Denial of Service (DDoS) Traffic: 14 Percent

DDoS attacks use hundreds or even thousands of hosts to flood a target with traffic, such as DNS requests, with the goal of knocking the targeted site offline. Some DNS-based DDoS attacks use "phantom domains" to keep a DNS resolver engaged, either by making it wait for responses or by sending it random packets. The DNS resolver consumes valuable resources while waiting for valid responses, resulting in poor or no response to legitimate queries.

10 - Ransomware: 13 Percent

Ransomware, such as CryptoLocker, encrypts files on a computer's local hard drive or mapped network drives after fetching an encryption key from an internet-based server. Users are then asked to pay a ransom to restore access to their data. One way to stop ransomware is to cut an infected system off from the malicious encryption servers by blocking DNS queries to them.

11 - What Can You Do Now?

When suspicious DNS activity is detected, whether from the internet or from within a company's network, network administrators and security teams can use DNS security tools to quickly identify attacks and drop them; use DNS firewalling to prevent malware inside the network from communicating with command-and-control servers or exfiltrating data; and automatically remediate infected devices using ecosystem integrations with other security tools.

 

One of the largest distributed denial of service (DDoS) attacks in internet history recently occurred, reaching 620 Gbps and temporarily knocking the security news site KrebsOnSecurity offline. DDoS attacks are most commonly mounted by hackers leveraging unprotected domain name system (DNS) servers on the internet to overload a network router or server with so much traffic that it stops responding to legitimate requests, such as serving a website. Without proper control of its DNS servers, an enterprise can suddenly find itself facing a host of malicious activities. In the latest Infoblox Security Assessment Report, 35 percent of all network queries were sent from a botnet, a set of infected devices that work together to participate in denial-of-service attacks or spread malware. This eWEEK slide show includes key findings from the Infoblox report and lists the threats researchers have recently seen surface in DNS traffic, in order of prevalence.