Why DNS Servers Are an Unprotected Back Door into Your Network

Threats surfacing in DNS traffic include protocol anomalies, tunneling, and botnets, according to the latest Infoblox Security Assessment report.

Analyzing DNS Data

In the second quarter of 2016, Infoblox analyzed DNS traffic data from 248 businesses. Sixty-six percent of data showed evidence of suspicious activity. This problem is growing exponentially.

U.S. Far and Away the Biggest Target

As shown in the graphic above, the United States (far above all others) is being hit the most by DNS attacks.

Education Leads Most Vulnerable Sectors

Education, telecommunications, government agencies and financial services are being hit the most by DNS attacks, as shown in the above graphic.

Protocol Anomalies: 48 Percent

Protocol anomalies are malformed DNS packets, including packets with unexpected header and payload values, sent to a targeted server. They exploit software bugs in the server's protocol parsing and processing code, causing it to stop responding by entering an infinite loop or crashing.

DNS Tunneling: 40 Percent

DNS tunneling enables cyber-criminals to insert malware or pass stolen information through DNS, thereby using DNS as a covert communication channel to bypass firewalls. While there are semi-legitimate uses of DNS tunneling, many instances of tunneling are malicious. Several off-the-shelf tunneling toolkits are readily available on the internet, so hackers don't always need technical sophistication to mount DNS tunneling attacks.
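As an added illustration (not code from the report or this article), here are the kinds of heuristics a defender would run over resolver query logs to surface the tunneling pattern described above: many unique, high-entropy subdomains under one registered domain, carried mostly in TXT queries. The log format, client addresses and domain names are constructed for the example, and the "registered domain is the last two labels" rule is a simplifying assumption.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver query log (assumed format "time client qname qtype"); not real traffic.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 www.example.com A
12:00:02 10.0.0.5 mail.example.com MX
12:00:03 10.0.0.7 a9f3c2e1b7d4f6a2c8e0b1d3f5a7c9e1.t.evil-tunnel.test TXT
12:00:03 10.0.0.7 0b4d9e2f1a6c8e3d5f7a9c1e3b5d7f9a.t.evil-tunnel.test TXT
12:00:04 10.0.0.7 c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6.t.evil-tunnel.test TXT
12:00:05 10.0.0.7 8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b.t.evil-tunnel.test TXT
12:00:06 10.0.0.9 cdn.example.com A
"""
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s):
    """Bits per character; hostnames like 'www' score near 0, encoded payload labels near 4 or more."""
    if not s:
        return 0.0
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def parse_query(line):
    m = LOG_RE.match(line.strip())
    return m.groups() if m else None  # (time, client, qname, qtype)

def split_name(qname):
    """Return (data labels, registered domain). Assumes the registered domain is the last two
    labels; production code should consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])

def tunneling_suspects(log_text, entropy_threshold=3.5, min_hits=3):
    """Per registered domain, count tunneling indicators: distinct subdomains, high-entropy
    leading labels and TXT/NULL queries. Returns {domain: stats} for domains over every threshold."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "high_entropy": 0,
                                 "txt": 0, "clients": set()})
    for line in log_text.splitlines():
        rec = parse_query(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        _, client, qname, qtype = rec
        data_labels, domain = split_name(qname)
        s = stats[domain]
        s["queries"] += 1
        s["clients"].add(client)
        s["subdomains"].add(".".join(data_labels))
        if data_labels and shannon_entropy(data_labels[0]) >= entropy_threshold:
            s["high_entropy"] += 1  # leftmost label is where encoded data usually travels
        if qtype.upper() in ("TXT", "NULL"):
            s["txt"] += 1
    return {d: s for d, s in stats.items()
            if len(s["subdomains"]) >= min_hits and s["high_entropy"] >= min_hits
            and s["txt"] >= min_hits}
```

Thresholds here are deliberately low so the short sample trips them; on a real resolver log they would be tuned per environment and the hits fed to the DNS firewall or SIEM rather than acted on blindly.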

Botnets: 35 Percent

A botnet is a set of infected computers that communicate with each other and work together either to spread malware or to take part in denial-of-service attacks. They coordinate through command-and-control or peer-to-peer communication to achieve their goals.

Amplification and Reflection Traffic: 17 Percent

Reflection attacks use one or more third-party DNS servers, usually open resolvers on the internet, to propagate a distributed denial of service (DDoS) attack on a victim's server. Attackers spoof the DNS queries they send to open resolvers by including the victim's IP address as the source IP. The resolvers send all responses to the victim's server, thereby overwhelming it and potentially creating a denial of service. In an amplification attack, the queries are specially crafted to result in a very large response. Cyber-criminals typically use a combination of amplification and reflection to maximize impact on the victim’s server.

Distributed Denial of Service (DDoS) Traffic: 14 Percent

DDoS attacks use hundreds or even thousands of hosts to flood a target with traffic, such as DNS requests, with the goal of knocking the targeted site offline. Some DNS-based DDoS attacks use "phantom domains" to keep a DNS resolver engaged, either by making it wait for responses or by sending it random packets. The resolver consumes valuable resources while waiting for valid responses, leaving it slow or unable to answer legitimate queries.

Ransomware: 13 Percent

Ransomware, such as CryptoLocker, encrypts files on a computer's local hard drive or mapped network drives by getting an encryption key from an internet-based server. Users are then asked to pay a ransom to restore access to their data. One way of stopping ransomware is by blocking an infected system from accessing the malicious encryption servers by preventing DNS queries to them.

What Can You Do Now?

When suspicious DNS activity is detected, whether from the internet or from within a company's network, network administrators and security teams can use DNS security tools to quickly identify attacks and drop them; use DNS firewalling to prevent malware inside the network from communicating with command-and-control servers or exfiltrating data; and automatically remediate infected devices using ecosystem integrations with other security tools.