Every day we see new types of attacks. From our experience in customer
networks, there are many kinds of attacks, and each of them needs to be
treated differently.
Volumetric or DDoS attacks:
- DNS reflection
- DNS amplification
- TCP/UDP/ICMP floods
- NXDOMAIN attack
- Phantom domain attack
- Random subdomain attack
- Domain lockup attack
DNS-based attacks:
- DNS-based exploits
- DNS cache poisoning
- DNS tunneling
- Protocol anomalies
- Reconnaissance
- DNS hijacking
- Domain lockup attack
- Malformed DHCP requests
These are some of the major attack types that have been growing
in number over the last year. The list keeps growing as new ways and workarounds
are found to exploit vulnerabilities in the protocols.
Volumetric or DDoS attacks can be rate limited by perimeter security devices or cloud services to slow them down, but this is not a solution: attackers always find a way to attack with bigger volumes. Most of the DDoS attacks we see exceed 200 Gigabytes in size.
DNS-specific exploits are very difficult for IPS, DPI and NGFW devices to mitigate because they are not designed for the DNS protocol.
DNS reflection/DrDoS attacks
Reflection attacks use a third-party DNS server, usually an open
resolver on the internet, to relay a DDoS attack onto the victim's server. A
recursive server processes queries from any IP address and returns responses.
The attacker spoofs the DNS queries sent to the recursive server by putting the
victim's IP address as the source IP, so when the recursive name server
receives the requests, it sends all of the responses to the victim's IP
address.
DrDoS or Distributed Reflection Denial of Service uses multiple
such open resolvers, thereby creating a Denial of Service (DoS).
DNS amplification
DNS amplification is an attack in which a large number of
specially crafted DNS queries are sent to the victim server. Each one produces a
very large response, up to 70 times the size of the request. Since DNS relies
on the User Datagram Protocol (UDP), the attacker can use a small volume of
outbound traffic to make the DNS server generate a much larger volume. The
amplified responses congest the DNS server's outbound bandwidth, resulting in
a Denial of Service (DoS).
DNS-based exploits
These are attacks that exploit vulnerabilities in the DNS server
software, causing it to terminate abnormally so that the server stops
responding or crashes.
TCP/UDP/ICMP floods
These are volumetric attacks with massive numbers of packets
that consume a network’s bandwidth and resources. Attackers can also use BGP,
OSPF, NTP, or ICMP (Ping of Death, Smurf) protocols to bring down servers or
network devices.
TCP SYN floods consist of large volumes of half-opened TCP connections. This attack takes advantage of the way TCP establishes connections. The attacking software generates spoofed packets that appear to the server to be valid new connections. These packets enter the queue, but the connection is never completed—leaving false connections in the queue until they time out. The system under attack quits responding to new connections until the attack stops. This means the server is not responding to legitimate requests from clients to open new connections, resulting in a Denial of Service (DoS).
UDP floods send large numbers of UDP packets to random ports on a remote server, which checks for applications listening on those ports and does not find any. The server is then forced to return a large number of ICMP Destination Unreachable packets. The attacker can also spoof the source IP address so that the replies do not go back to the attacker's own servers. Sending the replies exhausts the victim server's resources and causes it to become unreachable.
ICMP attacks abuse the error messages that network devices such as routers send when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death and smurf attacks. They overwhelm the victim server or cause it to crash by overflowing its memory buffers.
DNS cache poisoning
DNS cache poisoning is the corruption of DNS cache data. It involves
inserting a false address record for an Internet domain into the DNS query. If
the DNS server accepts the record, subsequent requests for the address of that
domain are answered with the address of a server controlled by the attacker.
For as long as the false entry is cached, incoming web requests and emails go
to the attacker's address. Newer cache-poisoning attacks such as the "birthday
paradox" attack use brute force, flooding the server with DNS queries and
responses at the same time in the hope that one of the responses matches an
outstanding query and poisons the cache. Cache poisoning either blocks access
or redirects clients to a rogue address (hijacking), preventing legitimate
users from reaching the company's site.
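To show what a resolver must check before caching a response, and why a 16-bit transaction ID on its own is too small against the birthday-style flooding just described, here is an added example that is not part of the original article: validation of constructed responses against in-flight queries (transaction ID, source port, question and bailiwick), plus the hit probability 1 - (1 - n/S)^k for n outstanding queries, k forged responses and an ID space of size S. The zone name, the usable port range and the sample records are assumptions.

```python
def collision_probability(outstanding, forged, id_space):
    """P(at least one of `forged` uniformly random IDs hits one of
    `outstanding` distinct pending IDs) = 1 - (1 - n/S)^k."""
    return 1.0 - (1.0 - outstanding / id_space) ** forged

TXID_SPACE = 1 << 16       # 16-bit DNS transaction ID
PORT_SPACE = 65535 - 1024  # assumed usable ephemeral source ports per query

def in_bailiwick(name, zone):
    """A record may only be cached from this answer if its owner name is the
    zone apex or below it; anything else is outside the server's bailiwick."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def validate_response(pending, response, zone):
    """pending: {(txid, src_port): qname} for queries still in flight.
    Returns the records that are safe to cache, or None if the response is
    rejected (unknown ID/port pair or question mismatch)."""
    qname = pending.get((response["txid"], response["dst_port"]))
    if qname is None or qname.lower() != response["qname"].lower():
        return None
    return [r for r in response["records"] if in_bailiwick(r[0], zone)]

# Constructed in-flight query and two constructed responses (not real traffic)
PENDING = {(0x1A2B, 40512): "www.example.com"}
FORGED = {"txid": 0x1A2B, "dst_port": 53000, "qname": "www.example.com",
          "records": [("www.example.com", "A", "203.0.113.66")]}  # port mismatch
GENUINE = {"txid": 0x1A2B, "dst_port": 40512, "qname": "www.example.com",
           "records": [("www.example.com", "A", "192.0.2.10"),
                       ("www.bank.test", "A", "203.0.113.66")]}  # out of zone

if __name__ == "__main__":
    print(validate_response(PENDING, FORGED, "example.com"))
    print(validate_response(PENDING, GENUINE, "example.com"))
    # txid only versus txid plus randomised source port, 300 queries/responses
    print(collision_probability(300, 300, TXID_SPACE))
    print(collision_probability(300, 300, TXID_SPACE * PORT_SPACE))
```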
Protocol anomalies
Attackers send malformed DNS packets, including unexpected header and
payload values, to the targeted server. Even though the packet size may be the
same as a normal packet, the payload contents are not what the server expects.
Attackers exploit software bugs in the protocol parsing and processing
implementation, and the victim server stops responding, enters an infinite loop
or crashes.
Reconnaissance
This attack consists of attempts to gather information about the
network environment before launching a large DDoS or other type of attack.
Techniques include port scanning and discovering software versions and authors.
These attempts exhibit abnormal behavior patterns that, if identified, can
provide early warning. There is no direct effect on the server, but they
indicate an impending attack.
DNS tunneling
This attack involves tunneling another protocol through DNS
port 53—which is allowed if the firewall is configured to carry non-DNS
traffic—for the purposes of malware insertion and/or data exfiltration. A free
ISC-licensed tunneling application for forwarding IPv4 traffic through DNS
servers is widely used in this kind of attack.
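Tunnelled traffic looks different from ordinary lookups: many distinct, long, high-entropy subdomains under one domain, often carried in TXT or NULL queries. The following detection profile over a constructed query log is an added example and not code from the original article; the log lines are made up, the rule that the last two labels form the registered domain is an assumption (a real deployment would use the Public Suffix List), and the thresholds are starting points to tune.

```python
import math
from collections import Counter, defaultdict

# Constructed query log, one "client qname qtype" per line (not real traffic)
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.5 www.example.com A
10.0.0.9 3q2b7v9x0kdjf8a1.t.exfil-demo.test TXT
10.0.0.9 z5m1k8p3r6w0y2n4.t.exfil-demo.test TXT
10.0.0.9 c7e9g1i3l5o8q0u2.t.exfil-demo.test TXT
10.0.0.9 b4d6h8j0n2s5v7x9.t.exfil-demo.test NULL
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score far higher than
    human-chosen names such as "www" or "mail"."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def split_domain(qname):
    """Assumed rule: last two labels are the registered domain, the rest is
    the subdomain part an attacker controls."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def profile_domains(log_text):
    """Per registered domain: distinct subdomains, mean subdomain length, mean
    entropy and the share of TXT/NULL queries (typical tunnel carriers)."""
    stats = defaultdict(lambda: {"subs": set(), "len": 0, "ent": 0.0,
                                 "n": 0, "txt_null": 0})
    for line in log_text.splitlines():
        _client, qname, qtype = line.split()
        domain, sub = split_domain(qname)
        d = stats[domain]
        d["subs"].add(sub)
        d["len"] += len(sub)
        d["ent"] += shannon_entropy(sub)
        d["n"] += 1
        d["txt_null"] += int(qtype in ("TXT", "NULL"))
    return {dom: {"unique_subs": len(d["subs"]), "mean_len": d["len"] / d["n"],
                  "mean_entropy": d["ent"] / d["n"],
                  "txt_null_ratio": d["txt_null"] / d["n"]}
            for dom, d in stats.items()}

def suspected_tunnels(profiles, min_subs=3, min_len=16, min_entropy=3.5):
    """Domains whose subdomain churn, length and entropy all exceed thresholds."""
    return sorted(dom for dom, p in profiles.items()
                  if p["unique_subs"] >= min_subs and p["mean_len"] >= min_len
                  and p["mean_entropy"] >= min_entropy)
```

Run `suspected_tunnels(profile_domains(SAMPLE_LOG))` to see only the constructed exfil-demo.test domain reported; the txt_null_ratio is kept in the profile as a secondary signal for analysts rather than as a hard rule.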
References:
1. http://www.dts-solution.com