Why securing the Domain Name System remains an afterthought at many organizations.
It's been nearly one year since the massive DDoS attack on Domain Name Service (DNS) provider Dyn that disrupted major websites including Amazon, CNN, Netflix, Okta, Pinterest, Reddit, and Twitter, but DNS security remains an enigma for many businesses.
According to a new study conducted by Dimensional Research on behalf of Infoblox, some three out of 10 companies have been hit with cyberattacks on their DNS infrastructure, 93% of whom suffered downtime - 40% of them for an hour or more. But that likely just scratches the surface of the volume of attacks on DNS, experts say, because many DNS attacks are tough to detect.
"That number [of attacks] seems a little low," says DNS pioneer Paul Vixie, CEO and founder of DNS security firm FarSight Security, of the new data. Vixie, who is the principal author of the pervasive BIND DNS server software and creator of several DNS standards, notes that it's difficult for some organizations to pinpoint an attack came via their DNS.
Downtime costs, too, are likely higher than the Dimensional/Infoblox study data shows. Some 54% of organizations in the study say they lost $50,000+ to a DNS attack, while nearly a quarter lost $100,000+. "There are things you can count, but you don't know about every attack that happens or every actual cost because it isn't always" quantifiable, so the losses could be more, Vixie notes.
Prakash Nagpal, vice president at network and DNS security firm Infoblox, concedes that there likely are more DNS attacks that just aren't discovered. "I do think more companies have been" hit than that, he says of the data. The most well-known DNS threats are distributed denial-of-service attacks, of course, he says. But "DNS is not just about DDoS attacks," Nagpal says.
"In a lot of cases they [victims] don't know they were subjected to DNS attacks because they [the attacks] are so subtle … I don't think people make the connection between DNS and malware" distribution and data exfiltration, he says.
An infected machine has to "call home" at some point, he says, and one of the most common types of DNS attacks is where attackers use the DNS to siphon data from the victim organization. The infected machine is forced to make DNS requests to the attacker's server, which in turn pulls the stolen data from that machine during those interactions. So if an executive's laptop is infected, the attackers can pull sensitive data such as financial reports, for example, via those DNS queries, he says.
"While DDoS remains a big source of downtime and a huge source of attack, where DNS is being used in data exfiltration" should also be of concern, according to Nagpal.
The Infoblox study, which queried more than 1,000 security and IT professionals worldwide, illustrated how reactive DNS security tends to be in organizations: three quarters of organizations who haven't experienced a DNS attack say antivirus monitoring is their main focus security-wise, but 70% of those who've been hit by a DNS attack rank DNS security as their number one security priority.
"DNS is a victim of its own success. How many times do you think about how your phone call gets routed? You're not supposed to; the same in the IP space," Nagpal says. There also can be a learning curve for DNS and its security implications, he says.
"DNS [security] is still not top of mind," Nagpal says.
The Oct. 21 wave of DDoS attacks on Dyn – courtesy of the historic Mirai botnet of infected Internet of Things devices – used masked TCP and UDP traffic via Port 53 to overwhelm the DNS provider's infrastructure as well as recursive DNS retry traffic. It was the DNS traffic sent in the DDoS that was most perplexing when it came to detecting it.
Scott Hilton, executive vice president of product for Dyn, explained in the aftermath that the DNS traffic sent in the DDoS attacks also generated legitimate DDoS retry traffic, making the attack more complicated to parse, and the attack generated ten to 20 times the normal DNS traffic levels thanks to malicious and legitimate retries.
"During a DDoS which uses the DNS protocol it can be difficult to distinguish legitimate traffic from attack traffic," he said in a blog post. "When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume. We saw both attack and legitimate traffic coming from millions of IPs across all geographies."
More DNS Security Woes
Meanwhile, Google researchers this week disclosed they had found seven security flaws in DNS software used in Android, home routers, and IoT devices. The flaws in Dnsmasq since have been fixed, but the chance of most IoT devices getting them is slim since those devices traditionally don't get software updates. Vixie says the bugs have to do with the software, not DNS itself. "It's a cute little piece of software, tiny, and not sloppy code. But it had bugs" like most other software and these devices run it, he says.
Android devices are less at risk given built-in security features, but millions of IoT devices could be exploited, experts say. Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposures Research Team, says the RCE flaw (CVE-2017-14491) specifically can be abused via malicious DNS replies, but would be difficult to exploit to build a Mirai-type botnet without the attacker jumping through various hoops. Among those: he or she would have to force the vulnerable device to issue a DNS request that the attacker would reply to, for example. Even so, he says "the possibility of widespread attack cannot be entirely ruled out."
It's another example of just how IoT devices can easily be abused. "The cheaper the device, you more you can fear it," Vixie says. "I expect more Mirais" to emerge, he adds, because locking down IoT devices is a major cost that doesn't jive economically with low-cost consumer devices.