Different types of DNS attacks
Ever since its creation, DNS has been one of the most critical internet services in existence. It's the component that lets your computer find the content you ask for. Email, chat and even social networks rely on DNS working 24 hours a day, 7 days a week, translating between hostnames and IP addresses.
Yes, DNS is that important. At the same time, it's one of the most overlooked parts of an organization's infrastructure when security hardening is performed. This is where DNS-based attacks come in: many organizations don't realize DNS is a critical attack vector, so it is often left without proper protections, outdated, or outright vulnerable.
Today we’re going to talk about the most popular types of DNS attacks that can affect your company.
Domain Hijacking
This type of attack involves changes to your DNS servers or your domain registrar records that redirect your traffic away from the original servers to new destinations.
Domain hijacking is usually achieved by exploiting a weakness in the domain registrar's systems or account controls, but it can also happen at the DNS level when attackers take control of your DNS records.
Once attackers have hijacked your domain name, they will probably use it for malicious activity such as setting up a fake page for payment systems like PayPal or Visa, or for banks. They create an identical copy of the real website that records critical personal information such as email addresses, usernames and passwords.
DNS Flood Attack
This is one of the most basic types of DNS attack. In this Distributed Denial of Service (DDoS) attack, the attacker hits your DNS servers with a flood of queries.
The main goal of a DNS flood is simply to overload your server so it can no longer answer DNS requests, so that resolution of resource records fails for every hosted DNS zone.
This kind of attack is easy to mitigate when the source is a single IP. It gets harder when it becomes a DDoS (Distributed Denial of Service) with hundreds or thousands of hosts involved.
While many requests will be detected as malicious right away, a lot of legitimate-looking requests are mixed in to confuse defense mechanisms, which makes the mitigation system's job harder.
Distributed Reflection Denial of Service (DRDoS)
When it comes to DDoS, the rules change. As mentioned above, to obscure the source of the attack it is distributed across a large number of hosts. The ultimate goal of any DDoS is to overwhelm your network with a large number of packets or bandwidth-consuming requests, exhausting either your network capacity or your hardware resources.
What’s the difference between DDoS and DRDoS?
While a simple DDoS makes a target unavailable by flooding its online services with requests, a DRDoS is a little different, and often more effective.
In a DRDoS attack, the attacker sends requests from its own machines to third-party servers, with the source address spoofed to that of the targeted victim, so that all of those servers reply to the victim and flood it.
This kind of attack is typically generated by botnets of compromised systems, or abuses open services, to create the amplification effect against the target, as seen when KrebsOnSecurity was hit by a DRDoS in 2016.
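The two halves of a reflection attack, shown from the defender's side as an added example (this code is not from the article): the query below is a genuine RFC 1035 wire message, while the 3000-byte response size is a constructed stand-in for a large ANY or TXT answer. `ResponseRateLimiter` is a simplified model of the per-client response rate limiting (RRL) that authoritative servers use: because the server cannot tell a spoofed source from a real one, it caps identical responses to the same address, so a victim whose address is being spoofed only ever receives a trickle.

```python
"""Why reflection works, and the rate limit that blunts it (added example)."""
import struct
import time
from collections import defaultdict


def build_query(qname: str, qtype: int = 255, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query: 12-byte header plus one question.

    QTYPE 255 (ANY) is used because its answers are typically the largest,
    which is exactly what makes it attractive for amplification.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    labels = b"".join(
        struct.pack("!B", len(label)) + label.encode()
        for label in qname.strip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # IN class


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bytes the reflector sends to the victim per byte the attacker spends."""
    return response_bytes / query_bytes


class ResponseRateLimiter:
    """Token bucket per (client, qname, qtype): a simplified RRL model."""

    def __init__(self, responses_per_second: int, now=time.monotonic):
        self.rate = responses_per_second
        self.now = now  # injectable clock so the behaviour can be tested
        self.buckets = defaultdict(lambda: [responses_per_second, None])

    def allow(self, client_ip: str, qname: str, qtype: int) -> bool:
        key = (client_ip, qname.lower(), qtype)
        tokens, last = self.buckets[key]
        t = self.now()
        if last is not None:  # refill proportionally to elapsed time
            tokens = min(self.rate, tokens + (t - last) * self.rate)
        if tokens >= 1:
            self.buckets[key] = [tokens - 1, t]
            return True
        self.buckets[key] = [tokens, t]
        return False


def simulate_reflection(limiter, victim_ip, qname, n_queries, response_bytes):
    """Offer n queries spoofed "from" the victim; return bytes the victim receives."""
    return sum(response_bytes for _ in range(n_queries)
               if limiter.allow(victim_ip, qname, 255))


if __name__ == "__main__":
    q = build_query("example.com")
    big_answer = 3000  # constructed size of a large ANY response
    print(f"query {len(q)} bytes, amplification x{amplification_factor(len(q), big_answer):.1f}")
    limiter = ResponseRateLimiter(responses_per_second=5, now=lambda: 0.0)
    print("victim receives", simulate_reflection(limiter, "198.51.100.7", "example.com", 1000, big_answer),
          "bytes from 1000 spoofed queries")
```

With the limiter set to five identical responses per second, a burst of 1000 spoofed queries in the same instant yields five responses instead of 1000; without it the victim would receive roughly a hundred times the bandwidth the attacker spent.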
DNS Cache Poisoning
DNS cache poisoning, also known as DNS spoofing, is one of the most common DNS attacks, happening every day.
The trick behind it is easy to understand. By exploiting weaknesses in the resolver, attackers inject forged records into your DNS resolver's cache. The technique is typically used to redirect victims to a server the attacker controls.
Once the cache poisoning is live, attackers receive all the legitimate traffic on their own servers, which are often used to serve phishing pages that steal visitors' personal information.
How does it work?
Most of the time it's caused by vulnerable systems; opening spam emails containing malicious links can expose you to a system compromise that ultimately modifies your DNS resolver cache and leads you to malicious websites, in order to steal your personal information or infect you with spyware, adware, viruses and so on.
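The checks a recursive resolver applies before it will cache an answer are what stand between a forged packet and a poisoned cache. The following is an added example, not code from the article: a response is accepted only if it matches the outstanding query (transaction ID, the randomised source port, the server asked, and the question), and each record must fall inside the bailiwick of the server that was queried. The addresses, IDs and zone names are constructed.

```python
"""Resolver-side validation of a DNS response before caching (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingQuery:
    txid: int        # 16-bit transaction ID chosen by the resolver
    src_port: int    # randomised UDP source port the query left from
    server_ip: str   # authoritative server the query was sent to
    qname: str
    qtype: str
    zone: str        # zone that server is authoritative for (its bailiwick)


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    data: str


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int    # UDP port the response arrived on
    src_ip: str      # address the response claims to come from
    qname: str
    qtype: str
    answers: tuple   # tuple of Record
    additional: tuple


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies underneath it."""
    n = name.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)


def validate_response(q: PendingQuery, r: Response):
    """Return (cacheable_records, reasons).

    An empty record list with reasons means the whole response was discarded;
    a shorter list means out-of-bailiwick records were stripped before caching.
    """
    reasons = []
    if r.txid != q.txid:
        reasons.append("transaction ID mismatch")
    if r.dst_port != q.src_port:
        reasons.append("port mismatch")
    if r.src_ip != q.server_ip:
        reasons.append("response from unexpected server")
    if (r.qname.lower(), r.qtype) != (q.qname.lower(), q.qtype):
        reasons.append("question section does not match")
    if reasons:
        return [], reasons

    cacheable = []
    for rec in r.answers + r.additional:
        if in_bailiwick(rec.name, q.zone):
            cacheable.append(rec)
        else:
            reasons.append(f"dropped out-of-bailiwick record {rec.name}")
    return cacheable, reasons


# Constructed sample exchange (not captured traffic).
QUERY = PendingQuery(txid=0x3F21, src_port=51422, server_ip="192.0.2.10",
                     qname="www.example.net", qtype="A", zone="example.net")

LEGIT = Response(txid=0x3F21, dst_port=51422, src_ip="192.0.2.10",
                 qname="www.example.net", qtype="A",
                 answers=(Record("www.example.net", "A", "192.0.2.80"),),
                 additional=())

# Port guessed correctly but not the ID: the whole reply is ignored.
FORGED_ID = Response(txid=0x0001, dst_port=51422, src_ip="192.0.2.10",
                     qname="www.example.net", qtype="A",
                     answers=(Record("www.example.net", "A", "203.0.113.5"),),
                     additional=())

# Fully matching reply that smuggles a record for a different zone in the
# additional section; the bailiwick rule strips it before it reaches the cache.
OUT_OF_ZONE = Response(txid=0x3F21, dst_port=51422, src_ip="192.0.2.10",
                       qname="www.example.net", qtype="A",
                       answers=(Record("www.example.net", "A", "192.0.2.80"),),
                       additional=(Record("login.example.com", "A", "203.0.113.5"),))

if __name__ == "__main__":
    for label, resp in (("legit", LEGIT), ("forged-id", FORGED_ID), ("out-of-zone", OUT_OF_ZONE)):
        print(label, validate_response(QUERY, resp))
```

The bailiwick check is the piece most often missing from home-grown resolvers and caching proxies: a response can be entirely genuine for the name that was asked and still carry an unrelated record that, if cached, redirects a different domain.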
DNS Tunneling
This is a type of attack that smuggles encoded data from other programs inside DNS queries and responses.
While the technique wasn't originally created to attack hosts, but to bypass network controls, nowadays it is mostly used to carry out remote attacks.
To perform DNS tunneling, attackers need a compromised system with access to an internal DNS server, plus a domain name and an authoritative DNS server under their control.
How does it work?
The DNS client sends a request for a given domain name including the data encoded in the hostname.
The DNS server answers back and a two-way channel is established between both parties.
Now the attacker can transfer malicious data along with any DNS answer to gain remote access.
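Because the encoded data rides in the hostname labels, a tunnel leaves a distinctive footprint in resolver query logs: long names, high-entropy labels, a new unique subdomain on almost every query, and a skew towards record types that carry free-form data. The following detection heuristic is an added example, not part of the article; the log format, thresholds and sample lines are all constructed (the random-looking labels encode nothing and merely imitate what a tunnel's traffic looks like).

```python
"""Flagging DNS-tunneling-like query patterns in a resolver log (added example)."""
import math
from collections import defaultdict

# Constructed sample: "<client> <qname> <qtype>" per line.  10.0.0.5 browses
# normally; 10.0.0.9 issues long, high-entropy labels under one domain,
# mostly as TXT lookups, which is what an encoded channel looks like.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.5 cdn.example.com A
10.0.0.5 www.example.com A
10.0.0.9 mzxw6ytboi2hs3ddfzxgs.k7fzjudq.t.example.org TXT
10.0.0.9 gezdgnbvgy3tqojqgezdgm.x2vp8ezq.t.example.org TXT
10.0.0.9 nrxw63lfeb2gk43ufqqgc3tfeb2gk43u.f1n7s.t.example.org TXT
10.0.0.9 onswyzlaorzws2lnmfrgyzjaozqwy.p0qw1.t.example.org TXT
10.0.0.9 mfrgg2lmn5xhi5dfmnzsalrwnzqxg.q9lk4.t.example.org A
10.0.0.9 ozqwy2lemf2gs33oebxxezdfojzxe.m8dj2.t.example.org TXT
"""


def registered_domain(qname: str) -> str:
    """Last two labels; a real deployment needs the public suffix list here."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; base32/base64 payloads score far above real words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def parse(log: str):
    for line in log.splitlines():
        client, qname, qtype = line.split()
        yield client, qname.lower(), qtype.upper()


def profile(log: str):
    """Aggregate query features per (client, registered domain)."""
    agg = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for client, qname, qtype in parse(log):
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname != dom else ""
        a = agg[(client, dom)]
        a["n"] += 1
        a["subs"].add(sub)
        a["len"] += len(qname)
        a["ent"] += shannon_entropy(sub.replace(".", ""))
        a["txt"] += qtype == "TXT"
    return agg


def flag_tunnels(log: str, min_queries=5, min_avg_len=40,
                 min_avg_entropy=3.5, min_unique_ratio=0.8):
    """Return [(client, domain, reasons)] for flows that look like an encoded channel.

    Two or more independent indicators are required before a flow is reported,
    which keeps CDN and anti-spam lookups (long but low-entropy, repeated names)
    out of the alert.
    """
    hits = []
    for (client, dom), a in profile(log).items():
        if a["n"] < min_queries:
            continue
        avg_len = a["len"] / a["n"]
        avg_ent = a["ent"] / a["n"]
        uniq = len(a["subs"]) / a["n"]
        reasons = []
        if avg_len >= min_avg_len:
            reasons.append(f"avg qname length {avg_len:.0f}")
        if avg_ent >= min_avg_entropy:
            reasons.append(f"avg label entropy {avg_ent:.2f}")
        if uniq >= min_unique_ratio:
            reasons.append(f"{uniq:.0%} unique subdomains")
        if a["txt"] / a["n"] >= 0.5:
            reasons.append("mostly TXT queries")
        if len(reasons) >= 2:
            hits.append((client, dom, reasons))
    return hits


if __name__ == "__main__":
    for client, dom, reasons in flag_tunnels(SAMPLE_LOG):
        print(f"{client} -> {dom}: {', '.join(reasons)}")
```

On the constructed sample only the second client is reported, on all four indicators; the thresholds are starting points to tune against a baseline of your own resolver's traffic.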
DNS Hijacking
DNS spoofing is often confused with DNS hijacking, as both happen at the local system level, but they are two different types of DNS attacks.
Most of the time, DNS spoofing or cache poisoning simply overwrites your local DNS cache values with fake ones so that you are redirected to a malicious website.
DNS hijacking (also known as DNS redirection), on the other hand, often involves a malware infection to take over this important system service. In this case, malware on the local computer alters the TCP/IP configuration to point at a malicious DNS server, which then redirects traffic to a phishing website.
This is one of the easiest ways to perform a DNS attack, as it doesn't involve complicated techniques, and there are plenty of automated scripts that script kiddies use for it.
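Since this form of hijacking works by changing the resolver addresses a host is configured with, the simplest detection is to compare the configured nameservers against the set the organization expects. The following is an added example, not code from the article: the allow-list and the resolv.conf contents are constructed, and `read_resolv_conf` shows how the same check would be pointed at a real Linux host.

```python
"""Auditing a host's configured DNS resolvers against an allow-list (added example)."""
import ipaddress

# Constructed: the resolvers this organisation expects every host to use.
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed file contents: the second nameserver is not one of ours.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 10.0.0.53
nameserver 203.0.113.77
options ndots:1
"""


def parse_nameservers(text: str):
    """Return the nameserver addresses in resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                pass  # malformed entry; a stricter audit could report it
    return servers


def audit_resolvers(text: str, expected=EXPECTED_RESOLVERS):
    """Return configured resolvers that are not on the allow-list."""
    return [s for s in parse_nameservers(text) if s not in expected]


def read_resolv_conf(path: str = "/etc/resolv.conf") -> str:
    """Read the live configuration on a Linux host (not used by the sample run)."""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    rogue = audit_resolvers(SAMPLE_RESOLV_CONF)
    print("unexpected resolvers:", rogue or "none")
```

Running this from endpoint management on a schedule, and alerting on any result, catches both malware that rewrote the configuration and a rogue DHCP server handing out an attacker's resolver.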
Random Subdomain Attack
This is not the most frequent type of DNS attack, but it happens from time to time on certain networks. Random subdomain attacks are often classified as DoS attacks, since they share the same goal as a common DoS.
In this case, attackers send a large number of DNS queries for a valid, existing domain name. However, the queries don't target the main domain name but many non-existent subdomains. The goal is to create a DoS that saturates the authoritative DNS server hosting the main domain and ultimately interrupts all DNS record lookups for it.
It's a hard attack to detect, as the queries come from botnets of infected but otherwise legitimate computers whose owners don't even know they are sending them.
NXDOMAIN Attack
NXDOMAIN attacks are a form of DDoS: a huge number of remote DNS clients flood your authoritative DNS servers with queries for non-existent domains, each of which causes a DNS recursion and an NXDOMAIN answer.
The main goal of this attack is to make your DNS server spend time, software and hardware resources on illegitimate requests, causing service failure for legitimate ones as the DNS server cache fills up with NXDOMAIN (negative) results.
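The DNS flood, random subdomain and NXDOMAIN attacks described above all surface in a server's query log as the same three measures: queries per second per source, the share of a source's queries that end in NXDOMAIN, and the number of distinct non-existent names being asked for under one zone. The detector below is an added example, not code from the article; the log format, thresholds and sample lines are constructed, and it assumes the log is in time order.

```python
"""Rate and NXDOMAIN-ratio detection over an authoritative query log (added example)."""
from collections import defaultdict

# Constructed sample: "<epoch_seconds> <client> <qname> <rcode>".  One client
# issues a burst of never-seen subdomains that all come back NXDOMAIN.
SAMPLE_LOG = "\n".join(
    ["1700000000 10.1.1.1 www.example.com NOERROR",
     "1700000001 10.1.1.1 mail.example.com NOERROR",
     "1700000002 10.1.1.2 www.example.com NOERROR",
     "1700000003 10.1.1.2 shop.example.com NXDOMAIN"]
    + [f"1700000005 10.9.9.9 x{i:05d}.example.com NXDOMAIN" for i in range(120)]
)


def parse(log: str):
    for line in log.splitlines():
        ts, client, qname, rcode = line.split()
        yield int(ts), client, qname.lower(), rcode.upper()


def zone_of(qname: str) -> str:
    """Last two labels; enough for this example (use the public suffix list in practice)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyse(log: str, window: int = 10):
    """Per-client counts inside one fixed window, plus distinct NXDOMAIN names per zone."""
    events = list(parse(log))
    clients = defaultdict(lambda: {"n": 0, "nx": 0})
    nx_names = defaultdict(set)
    if not events:
        return clients, nx_names, window
    start = events[0][0]
    for ts, client, qname, rcode in events:   # assumes time-ordered input
        if ts - start >= window:
            break
        c = clients[client]
        c["n"] += 1
        if rcode == "NXDOMAIN":
            c["nx"] += 1
            nx_names[zone_of(qname)].add(qname)
    return clients, nx_names, window


def find_attacks(log: str, window=10, max_qps=5.0, max_nx_ratio=0.8,
                 min_queries=20, max_nx_names=50):
    """Return (kind, subject, detail) findings for the window.

    'flood' and 'nxdomain-ratio' are per source; 'random-subdomain' is per
    zone, because a botnet spreads the queries across many low-rate sources
    and only the zone-level count of distinct non-existent names adds up.
    """
    clients, nx_names, w = analyse(log, window)
    findings = []
    for client, c in clients.items():
        if c["n"] < min_queries:
            continue
        qps = c["n"] / w
        nx_ratio = c["nx"] / c["n"]
        if qps > max_qps:
            findings.append(("flood", client, f"{qps:.1f} qps over {w}s"))
        if nx_ratio >= max_nx_ratio:
            findings.append(("nxdomain-ratio", client, f"{nx_ratio:.0%} NXDOMAIN"))
    for zone, names in nx_names.items():
        if len(names) > max_nx_names:
            findings.append(("random-subdomain", zone, f"{len(names)} distinct non-existent names"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in find_attacks(SAMPLE_LOG):
        print(f"{kind:17} {subject:14} {detail}")
```

The zone-level count is the one that matters for the botnet case the article describes: each infected machine may stay under any per-source threshold while the zone as a whole sees thousands of names that never existed.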
Phantom Domain Attack
Phantom domain attacks are similar to random subdomain attacks.
In this kind of attack, the bad guys target your DNS resolver and force it to use up resources resolving what are called "phantom" domains: domains whose servers never answer the queries.
The goal is to make the DNS resolver wait on those answers for a long time, eventually leading to failure or degraded DNS performance.
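The resolver's exposure here is the time and memory it spends waiting, so the mitigation is to bound both: cap the queries that may be outstanding to any one upstream server, and stop sending to a server that keeps timing out. The model below is an added example, not code from the article; the limits are constructed and the clock is simulated so the effect is deterministic.

```python
"""Bounding what an unresponsive upstream can cost a resolver (added example)."""
from collections import defaultdict


class UpstreamGuard:
    """Per-server outstanding-query cap plus a hold-down after repeated timeouts."""

    def __init__(self, max_outstanding=3, holddown_after=5, holddown_seconds=60):
        self.max_outstanding = max_outstanding
        self.holddown_after = holddown_after
        self.holddown_seconds = holddown_seconds
        self.outstanding = defaultdict(int)
        self.timeouts = defaultdict(int)
        self.held_until = {}

    def may_query(self, server: str, now: float) -> bool:
        """Should the resolver send (and wait on) a query to this server now?"""
        if self.held_until.get(server, -1.0) > now:
            return False   # in hold-down: fail fast instead of waiting again
        return self.outstanding[server] < self.max_outstanding

    def sent(self, server: str):
        self.outstanding[server] += 1

    def answered(self, server: str):
        self.outstanding[server] -= 1
        self.timeouts[server] = 0   # a real answer clears the penalty

    def timed_out(self, server: str, now: float):
        self.outstanding[server] -= 1
        self.timeouts[server] += 1
        if self.timeouts[server] >= self.holddown_after:
            self.held_until[server] = now + self.holddown_seconds


def simulate_phantom(guard: UpstreamGuard, server: str, rounds: int,
                     burst: int = 10, timeout: float = 2.0):
    """Offer `rounds` bursts of queries for names served by a phantom server.

    Only queries the guard admits go in flight, and all of them time out.
    Returns (queries_sent, queries_refused, seconds_spent_waiting).
    """
    sent = refused = 0
    waited = now = 0.0
    for _ in range(rounds):
        in_flight = 0
        for _ in range(burst):
            if guard.may_query(server, now):
                guard.sent(server)
                sent += 1
                in_flight += 1
            else:
                refused += 1
        if in_flight:
            now += timeout          # one timeout period covers the whole batch
            waited += timeout
            for _ in range(in_flight):
                guard.timed_out(server, now)
    return sent, refused, waited


if __name__ == "__main__":
    guarded = simulate_phantom(UpstreamGuard(), "ns1.phantom.example", rounds=4)
    unguarded = simulate_phantom(UpstreamGuard(max_outstanding=10**9, holddown_after=10**9),
                                 "ns1.phantom.example", rounds=4)
    print("with guard   (sent, refused, waited):", guarded)
    print("without guard(sent, refused, waited):", unguarded)
```

With the guard, the resolver commits to six queries and four seconds of waiting before the server is held down and further lookups fail immediately; without it every offered query is sent and the wait grows with the attack. Production resolvers expose these as per-server fetch limits and server-selection penalties, which is where to look when tuning against this attack.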
As you can see, the DNS service is really important for keeping your company's websites and online services working day to day.
If you don't conduct regular DNS audits, remote attackers may see this as an attractive opportunity to attack your networks. It is therefore crucial to keep your DNS servers and traffic monitored at all times.