In: Computer Science
A successful attack on the Internet DNS would be devastating. Explain what types of attacks can be made against DNS. Why, to date, have such attacks not been successful in practice? In your answer, you should consider caching in particular. Why has this technique proven to provide not only better performance, which is its original goal, but also protection against security attacks?
DNS cannot go down; if a DNS service goes down, network-attached devices stop working. A company loses connectivity to the Internet and hence cannot conduct business online. This leads to loss of revenue, customer defection and negative brand impact. Here are the top DNS attacks to look out for:
1. Distributed Reflection DoS attack
• Combines reflection and amplification
• Uses third-party open resolvers in the Internet (unwitting accomplices)
• Attacker sends spoofed queries to the open recursive servers
• Queries specially crafted to result in a very large response
Impact:
• Causes DDoS on the victim’s server
DDoS DNS attacks have not been successful because we can prevent them by using some techniques, like:
Defending Against DDoS Attacks
Generally speaking, organizations should start planning for DDoS attacks in advance. It is much harder to respond after an attack is already under way. While DDoS attacks can't be prevented, steps can be taken to make it harder for an attacker to render a network unresponsive.
Architecture. To fortify resources against a DDoS attack, it is important to make the architecture as resilient as possible. Fortifying network architecture is an important step not just in DDoS network defense, but in ensuring business continuity and protection from any kind of outage or disaster situation.
The following steps will help disperse organizational assets so as to avoid presenting a single rich target to an attacker:
• For an organization that depends on servers and Internet presence, it is important to make sure that resources are geographically dispersed and not located in a single data center.
• If resources are already geographically dispersed, it is important to view each data center as having more than one pipe to the Internet, and ensure that not all data centers are connected to the same Internet provider.
Overall, priorities for architecture should be geographic diversity, provider diversity, and elimination of bottlenecks. While these are best practices for general business continuity and disaster recovery, they will help ensure organizational resiliency in response to a DDoS attack.
Hardware. Deploy appropriate hardware that can handle known attack types and use the options that are in the hardware that would protect network resources. Again, while bolstering resources will not prevent a DDoS attack from happening, doing so will lessen the impact of an attack.
In particular, certain types of DDoS attacks have been in existence for quite some time, and a lot of network and security hardware is capable of mitigating them. For example, many commercially available network firewalls, web application firewalls, and load balancers can defend against layer 4 attacks (also known as protocol attacks) and application-layer attacks (such as Slowloris). Specialty DDoS mitigation appliances also can protect against these attacks.
Hardware upgrades are also effective against SYN flood attacks. Most modern hardware (network firewalls, web application firewalls, and load balancers) will generally have a setting that allows a network operator to start closing out TCP connections once they reach a certain threshold.
Bandwidth. If affordable, scale up network bandwidth. For volumetric attacks, the solution some organizations have adopted is simply to scale bandwidth up to be able to absorb a large volume of traffic if necessary. That said, volumetric attacks are something of an arms race, and many organizations won't be able or willing to pay for the network bandwidth needed to handle some of the very large attacks we have recently seen. This is primarily an option for very large organizations and service providers.
In late September, the Krebs on Security blog was hit by an unusually large DDoS attack--double the size that had been previously seen by its hosting provider--according to a post on the site. A large part of the reason that the provider was able to hold off the attack for so long was because of the significant bandwidth available, which allowed the provider to absorb the attack while trying to mitigate it.
Outsourcing. There are several large providers that specialize in scaling infrastructure to respond to attacks. These providers can implement cloud scrubbing services for attack traffic to remove the majority of the problematic traffic before it ever hits a victim's network. As with many of these remedies, the best time to fortify your defenses is not in the wake of an attack, but rather beforehand to ensure a quick and effective response.
An ISP can offer DDoS mitigation services that will help organizations respond in the wake of an attack. Even ISPs that don't have a formal DDoS mitigation product should be able to specify the type of assistance they would provide to their customers in the event of a DDoS attack.
On a separate front, there are providers who specifically work in DDoS mitigation. During an attack, these services reroute traffic destined for the victim's network to the mitigation center where it is scrubbed, and legitimate traffic is then forwarded to the organization. These DDoS mitigation providers have the type of scalable and dynamic load balancing available to respond to the unprecedented levels of traffic that often result from a DDoS attack.
2. Domain hijacking
This type of attack can involve changes in your DNS servers and domain registrar that can direct your traffic away from the original servers to new destinations.
Domain hijacking is often caused by a lot of factors related to exploiting a vulnerability in the domain name registrar’s system, but can also be achieved at the DNS level when attackers take control of your DNS records.
Once the bad guys have hijacked your domain name, it will probably be used to launch malicious activities such as setting up a fake page of payment systems like PayPal, Visa or bank institutions. Attackers will create an identical copy of the real website that records critical personal information such as email addresses, usernames, and passwords.
We can prevent it using some methods; they are:
Using the ping command
The easiest and most effective way to discover DNS hijacking is by pinging a non-existing domain using the ping utility directly from your terminal.
If the results confirm that the IP doesn’t exist, you’ll know you haven’t been DNS hijacked. In contrast, if the result is resolved, there’s a big chance that you’re a victim of DNS hijacking.
Router Checker
Malware can infect your router, giving attackers access to the router administration page and allowing them to change its DNS settings to use malicious servers. When this happens, you’ll be automatically redirected to the attackers’ websites.
To check if your router has been infected, your first step is to check its DNS settings, but there’s a great online tool that can do this for you.
Router Checker from F-Secure labs is a tool that verifies if your router is connected to its DNS resolver, and that it’s using a legitimate and authorized DNS server. It’s really easy to use:
When you go to the website, simply click on the Router Checker button which will lead you to a new page, and from there just go to “Check your router.” In a few seconds, you’ll be presented with a response informing you whether you have any issues on your router and if it may have been hijacked by attackers.
WhoIsMyDNS.com
WhoIsMyDNS is another great online tool that helps you expose the actual server making DNS requests from your device on your behalf. If you don’t recognize the DNS that it displays, then you might have actually suffered a DNS hijacking attack.
How to protect yourself against DNS hijacking
There are a few basic steps we can all take to better protect ourselves from DNS hijacking or any type of DNS attack:
We’ve explored some ways you can protect yourself from domain hijacking, and many of them apply to DNS hijacking as well. Those tips didn’t require any special technical skill to implement, and today we’ll expand that list with a few more things you can do to keep you safe on the Internet, and to avoid DNS hijacking.
Deploying DNSSEC
Deploying DNSSEC, or Domain Name System Security Extensions, is a critical step in protecting yourself against DNS hijacking. It’s one of the best technologies available that will ensure you a high level of DNS security.
DNSSEC fixes the problem of unencrypted data for DNS records by authenticating the origin of that data. This helps the DNS resolver know that the data it’s receiving is from a legitimate origin and has not been tampered with by malicious actors.
Unfortunately, deploying DNSSEC is not as simple as we wish it was. Many registrars just don’t have the necessary technology enabled in their domain name infrastructure and on the DNS server, and if they do, not all of them support all TLDs, so you may have limited options when looking for a registrar that enables DNSSEC.
We always suggest going to Cloudflare as they have an easy activation process for enabling DNSSEC. For more information, check out our full article on how to deploy DNSSEC.
Choose a more secure DNS server
Changing up your DNS server is a good way to protect yourself against DNS hijacking. By default your DNS queries will connect to your ISP’s DNS servers. The services provided by your ISP don’t really keep someone safe while browsing the Internet.
Thankfully, there are plenty of choices to choose from. CloudflareDNS and OpenDNS are some of the more famous ones, but there are other great ones too. Some offer a higher level of online safety than others and many are free.
3. DNS flood attack
This is one of the most basic types of DNS attack. In this Distributed Denial of Service (DDoS), the attacker will hit your DNS servers.
The main goal of this kind of DNS flood is to simply overload your server so it cannot continue serving DNS requests, because the resolution of resource records is affected by all the hosted DNS zones.
This kind of attack is mitigated easily as the source often comes from one single IP. However, it can get difficult when it becomes a DDoS (Distributed Denial of Service) where hundreds or thousands of hosts are involved.
While a lot of requests will be instantly detected as malicious, a lot of legitimate requests will be made in order to confuse defense mechanisms. This makes the mitigation system’s job a little bit harder sometimes.
Prevent and Mitigate Attacks
DNS server attacks are a major network security risk and should be taken seriously. Businesses and IT companies both need to implement safeguards to prevent and reduce the effects of such an attack should they ever fall victim to one.
As a result of such attacks, ICANN has started emphasizing these risks with DNSSEC, a rising technology used for preventing DNS server attacks.
DNSSEC currently works by “signing” each DNS request with a certified signature to ensure authenticity. This helps servers weed out fake requests.
The only drawback to this technology is the fact that it has to be implemented at all stages of the DNS protocol to work properly – which is slowly but surely coming along.
Keeping an eye on developing technology such as DNSSEC as well as staying up to date on the latest DNS attacks is a good way to stay ahead of the curve.
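The answer's first two sections describe reflection/amplification (a small spoofed query producing a very large response) and the ping test for hijacking (a name that cannot exist should not resolve). The following is an added example, not code from the question or answer above: minimal RFC 1035 wire-format helpers that build a query, build and parse responses, compute the amplification factor, and flag a response that "resolves" a name under the reserved .invalid TLD (RFC 2606). Every message is constructed in memory; the probe label, TXT payloads and the 203.0.113.10 address are made-up sample data.

```python
"""DNS wire-format helpers (RFC 1035) illustrating two points from the answer:
a small query can elicit a large response (reflection/amplification), and a
resolver that "resolves" a name that cannot exist reveals NXDOMAIN rewriting
or hijacking. Added example; every message is constructed in memory."""
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """'www.example.com' -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:                         # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(name, qtype, txid=0x1234):
    """12-byte header with RD=1 and QDCOUNT=1, followed by one question."""
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", qtype, 1)


def build_response(query, rcode, records):
    """Echo the question, set QR/AA/RD/RA and rcode, append (name, type, ttl, rdata) answers."""
    txid, _flags, qdcount = struct.unpack(">HHH", query[:6])
    body = b"".join(encode_name(n) + struct.pack(">HHIH", t, 1, ttl, len(rd)) + rd
                    for n, t, ttl, rd in records)
    return struct.pack(">HHHHHH", txid, 0x8580 | (rcode & 0xF), qdcount, len(records), 0, 0) + query[12:] + body


def parse_response(msg):
    """Parse header, question section and all resource records of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype = struct.unpack(">HH", msg[off:off + 4])[0]
        off += 4
        questions.append((name, qtype))
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def amplification_factor(query, response):
    """Bytes the reflector sends to the victim per byte the attacker has to spoof."""
    return len(response) / len(query)


def looks_hijacked(response):
    """A probe for a name that cannot exist must not come back NOERROR with A records."""
    r = parse_response(response)
    return r["rcode"] == RCODE_NOERROR and any(t == QTYPE_A for _, t, _, _ in r["answers"])


def demo():
    # Amplification: a 29-byte ANY query vs. a response carrying ten 256-byte TXT records
    q = build_query("example.com", QTYPE_ANY)
    big = build_response(q, RCODE_NOERROR,
                         [("example.com", QTYPE_TXT, 300, bytes([255]) + b"v" * 255)] * 10)
    # Hijack probe: .invalid is reserved (RFC 2606), so this constructed name can never resolve
    probe = build_query("probe-7f3a9c.invalid", QTYPE_A)
    honest = build_response(probe, RCODE_NXDOMAIN, [])
    rewritten = build_response(probe, RCODE_NOERROR,
                               [("probe-7f3a9c.invalid", QTYPE_A, 60, bytes([203, 0, 113, 10]))])
    return amplification_factor(q, big), looks_hijacked(honest), looks_hijacked(rewritten)


if __name__ == "__main__":
    print(demo())
```

The ANY query here is 29 bytes and the constructed response is 2819 bytes, an amplification of roughly 97x; real open resolvers answering ANY or large TXT/DNSKEY sets behave the same way, which is why the answer's "specially crafted" queries work. The hijack check applies the ping test from the answer mechanically: a NOERROR answer with an A record for a name that cannot exist means the resolver in the path is rewriting NXDOMAIN responses.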
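Section 3 of the answer notes that a flood from one source is easy to mitigate while a distributed one is not. As an added example (not code from the page), the detector below runs over constructed query-log lines in a BIND-like format and makes that distinction concrete: a source exceeding a per-source limit within a sliding window is blocked, while an aggregate above capacity with no single source over the limit is reported as a distributed flood, since blocking any one address would not help. The log format, thresholds, addresses and traffic pattern are all assumptions made up for the demonstration.

```python
"""Rate-based detection of DNS query floods over query-log lines. Added example
for the "DNS flood attack" section; the log format, thresholds and traffic
are constructed sample data, not output from any real resolver."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed BIND-style line, e.g.
# 2023-11-14T22:13:20.000000Z client 192.0.2.1#53000: query: host0.example.com IN A
LOG_RE = re.compile(r"^(\S+) client (\S+)#\d+: query: (\S+) IN (\S+)$")


def parse_line(line):
    """Return (timestamp_seconds, source_ip, qname, qtype) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m.group(2), m.group(3), m.group(4)


class FloodDetector:
    def __init__(self, window=1.0, per_source_limit=50, capacity=500):
        self.window, self.per_source_limit, self.capacity = window, per_source_limit, capacity
        self.recent = deque()                    # timestamps of accepted queries in the window
        self.by_source = defaultdict(deque)      # source -> its timestamps in the window
        self.blocked, self.alerts, self.dropped = set(), [], 0
        self.in_distributed_flood = False

    def _expire(self, now):
        cutoff = now - self.window
        while self.recent and self.recent[0] <= cutoff:
            self.recent.popleft()
        for src in list(self.by_source):
            q = self.by_source[src]
            while q and q[0] <= cutoff:
                q.popleft()
            if not q:
                del self.by_source[src]

    def observe(self, ts, src):
        """Feed one query; returns 'drop' if the source is already blocked, else 'ok'."""
        if src in self.blocked:
            self.dropped += 1
            return "drop"
        self._expire(ts)
        self.recent.append(ts)
        self.by_source[src].append(ts)
        if len(self.by_source[src]) > self.per_source_limit:   # single source: block it
            self.blocked.add(src)
            self.alerts.append(("single-source", ts, src))
            return "ok"
        total = len(self.recent)
        busiest = max(len(q) for q in self.by_source.values())
        if total > self.capacity and busiest <= self.per_source_limit:
            if not self.in_distributed_flood:                    # report once per episode
                self.in_distributed_flood = True
                self.alerts.append(("distributed", ts, len(self.by_source)))
        else:
            self.in_distributed_flood = False
        return "ok"


def synth_log():
    """Constructed sample traffic: 30 s of background queries, a single-source
    burst at t=10 s and a distributed burst from 300 sources at t=20 s."""
    lines, base = [], 1_700_000_000.0

    def emit(t, src, qname):
        stamp = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
        lines.append(f"{stamp} client {src}#53000: query: {qname} IN A")

    for s in range(30):                                  # 20 clients x 2 qps
        for c in range(20):
            for k in range(2):
                emit(base + s + k * 0.5 + c * 0.001, f"192.0.2.{c + 1}", f"host{c}.example.com")
    for k in range(200):                                 # one source, 200 queries within 1 s
        emit(base + 10 + k / 200, "203.0.113.9", "example.com")
    for c in range(300):                                 # 300 sources, 3 queries each, ~0.7 s
        for k in range(3):
            emit(base + 20 + k / 3 + c * 0.0001, f"198.51.{100 + c // 250}.{c % 250 + 1}", f"r{c}.example.com")
    lines.sort()                                         # log order; fixed-width timestamps sort correctly
    return lines


def analyze(lines, **kw):
    det = FloodDetector(**kw)
    for line in lines:
        rec = parse_line(line)
        if rec:
            det.observe(rec[0], rec[1])
    return {"blocked": det.blocked, "alerts": det.alerts, "dropped": det.dropped}


if __name__ == "__main__":
    print(analyze(synth_log()))
```

On the constructed log the single source is blocked on its 51st query and its remaining 149 are dropped, while the 300-source burst raises one "distributed" alert even though no participant sends more than 3 queries: that is the case the answer says must be handed to upstream scrubbing or absorbed with capacity rather than solved by per-client blocking.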
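The question asks specifically how caching, introduced for performance, also protects DNS. The answer above does not cover this, so here is an added example (not from the question or the answer) that simulates a TTL-based resolver cache in front of an authoritative server with scheduled outages. The zone, TTLs, outage windows and simulated clock are constructed; the optional serve-stale behaviour is a simplified version of the idea in RFC 8767 and is an assumption of this example, not something the page describes.

```python
"""Simulation of a TTL-based resolver cache: once a record is cached, clients
keep resolving it while the authoritative server is unreachable, and only a
small fraction of client queries ever reach the authoritative side.
Added example with a constructed zone and a simulated clock."""


class AuthoritativeDown(Exception):
    pass


class AuthoritativeServer:
    """Constructed zone; `outages` is a list of (start, end) simulated-time intervals."""

    def __init__(self, zone, outages=()):
        self.zone, self.outages, self.queries_received = zone, list(outages), 0

    def is_up(self, now):
        return not any(start <= now < end for start, end in self.outages)

    def query(self, name, now):
        self.queries_received += 1
        if not self.is_up(now):
            raise AuthoritativeDown(name)
        return self.zone.get(name)       # (rdata, ttl), or None for a name that does not exist


class CachingResolver:
    def __init__(self, upstream, serve_stale=False, negative_ttl=60, stale_max=3600):
        self.upstream, self.serve_stale = upstream, serve_stale
        self.negative_ttl, self.stale_max = negative_ttl, stale_max
        self.cache = {}                  # name -> (rdata or None, expires_at)

    def resolve(self, name, now):
        """Return (rdata, how) where how is 'hit', 'miss', 'nxdomain' or 'stale'."""
        entry = self.cache.get(name)
        if entry and now < entry[1]:
            return entry[0], "hit"       # served from memory; the authoritative server is not contacted
        try:
            rec = self.upstream.query(name, now)
        except AuthoritativeDown:
            # Simplified serve-stale (RFC 8767 idea): keep answering from an expired entry for a while
            if self.serve_stale and entry and now < entry[1] + self.stale_max:
                return entry[0], "stale"
            raise
        if rec is None:
            self.cache[name] = (None, now + self.negative_ttl)   # negative caching
            return None, "nxdomain"
        rdata, ttl = rec
        self.cache[name] = (rdata, now + ttl)
        return rdata, "miss"


def run(serve_stale, outages, duration=600, ttl=300):
    """One client lookup per simulated second for `duration` seconds; returns counters."""
    auth = AuthoritativeServer({"www.example.com": ("203.0.113.10", ttl)}, outages)
    resolver = CachingResolver(auth, serve_stale=serve_stale)
    stats = {"answered": 0, "failed": 0, "hits": 0, "stale": 0}
    for now in range(duration):
        try:
            _, how = resolver.resolve("www.example.com", now)
            stats["answered"] += 1
            if how in ("hit", "stale"):
                stats[how + ("s" if how == "hit" else "")] += 1
        except AuthoritativeDown:
            stats["failed"] += 1
    stats["upstream_queries"] = auth.queries_received
    return stats


if __name__ == "__main__":
    print("outage inside TTL      :", run(False, [(100, 250)]))
    print("outage past TTL expiry :", run(False, [(100, 400)]))
    print("same, serving stale    :", run(True, [(100, 400)]))
    print("no caching (ttl=0)     :", run(False, [(100, 400)], ttl=0))
```

With a 300-second TTL, a 150-second outage of the authoritative server is invisible to clients: 600 lookups are answered and only 2 ever reach the authoritative side, so a flood aimed there hurts only names that are not already cached. When the outage outlasts the TTL the failures start at expiry, and with caching disabled (ttl=0) every second of the outage is felt by every client. This is the sense in which the cache both cuts load and blunts attacks on authoritative infrastructure.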