A DNS Exploit Is A Huge Risk That Can Disrupt The Internet
DNS-level attacks in which a cybercriminal takes advantage of compromised credentials, rather than having to hack a DNS server, are becoming more common, a DNS expert warns.
One interesting thing about attacks such as DNSpionage and Sea Turtle, Cricket Liu, Infoblox's vice president of engineering, chief DNS architect and senior fellow, recently told Australian CSOs, is that "in every sophisticated attack, there are different options for creating validated credentials." "Once they had that access," he continued, "they stood up those servers as men in the middle and could sit there over an extended period and snoop web and mail traffic, which is kind of terrifying."
Iranian hackers were held responsible for DNSpionage. Cisco Talos researchers concluded "with great confidence" that the Sea Turtle campaign was led by an "advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems". Independent research from FireEye raised the spectre of high-level manipulation of a service that is critical to the functioning of the Internet.
Hindsight suggests that some of the early DNS architects could have done more to avoid the current situation. However, many of those architectural decisions were taken decades ago, when a distributed denial of service (DDoS) attack like the 1.2 Tbps botnet assault on DNS hosting provider Dyn in late 2016 was pure fantasy.
“The original DNS had just two security features,” Liu said. “I don’t think anyone foresaw that a DDoS attack could be large enough to take out a big, first-tier hosting provider like Dyn. If you had leveled the same volume of traffic at pretty much any other organization on the Internet, it would have taken them out too.”
Later security mechanisms "were designed to make it more difficult to use somebody's DNS servers as an amplifier in a DDoS attack against someone else," explained Liu, who has worked with DNS for about 30 years and has written several books on the subject.
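To make the amplification problem concrete, here is an added example (not code from the article, Infoblox or Mr Liu) that builds a real DNS "ANY" query with an EDNS0 buffer size, pairs it with a constructed oversized response to show the amplification factor an open resolver hands an attacker, and then applies a simplified per-source response rate limiter in the style of BIND's RRL: over the limit, every second response is sent truncated (TC=1) so a genuine client retries over TCP, where the source address cannot be spoofed, and the rest are dropped. The domain name, the response contents, the client address and the rate-limit parameters are all assumptions for the example; real RRL also keys on the response identity, which is omitted here.

```python
"""Added example: DNS amplification factor and per-source response rate limiting.
Packets, addresses and limits below are constructed for illustration only."""
import struct
from collections import defaultdict
from ipaddress import ip_network


def build_query(name, qtype=255, edns_bufsize=4096, txid=0x1234):
    """Minimal RFC 1035 query plus an EDNS0 OPT record (RFC 6891).
    qtype 255 is ANY, historically the query that drew the largest answers."""
    # header: id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=1 (OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, UDP payload size, extended RCODE/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def build_fat_response(query, n_txt=30, txt_len=80):
    """Constructed response (assumption): echoes the question, then n_txt TXT
    answers that use a compression pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = query.index(b"\x00", 12) + 1 + 4      # end of qname + qtype + qclass
    question = query[12:qend]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, n_txt, 0, 0)  # QR, RD, RA
    rdata = bytes([txt_len]) + b"A" * txt_len
    rr = struct.pack("!HHHIH", 0xC00C, 16, 1, 300, len(rdata)) + rdata
    return header + question + rr * n_txt


def amplification_factor(query, response):
    """Bytes the victim receives per byte the attacker sends with a spoofed source."""
    return len(response) / len(query)


class ResponseRateLimiter:
    """Simplified RRL: at most `per_second` responses per source /24 per second.
    Beyond that, every `slip`-th response is truncated (TC=1) instead of dropped,
    so a legitimate client retries over TCP while spoofed floods get nothing."""

    def __init__(self, per_second=5, slip=2):
        self.per_second = per_second
        self.slip = slip
        self.counts = defaultdict(int)   # (bucket, second) -> responses already sent
        self.over = defaultdict(int)     # bucket -> over-limit counter driving slip

    def decide(self, src_ip, now):
        bucket = str(ip_network(f"{src_ip}/24", strict=False))
        key = (bucket, int(now))
        if self.counts[key] < self.per_second:
            self.counts[key] += 1
            return "respond"
        self.over[bucket] += 1
        return "truncate" if self.over[bucket] % self.slip == 0 else "drop"


def simulate_flood(src_ip="203.0.113.7", n_queries=9, now=100.0):
    """Constructed flood: n_queries spoofed ANY queries from one source in one second."""
    limiter = ResponseRateLimiter(per_second=5, slip=2)
    return [limiter.decide(src_ip, now) for _ in range(n_queries)]


if __name__ == "__main__":
    q = build_query("example.com")
    r = build_fat_response(q)
    print(f"query {len(q)} bytes, response {len(r)} bytes, "
          f"amplification x{amplification_factor(q, r):.1f}")
    print("RRL decisions:", simulate_flood())
```

The first print shows why a 40-byte query that elicits a multi-kilobyte answer is worth spoofing; the second shows the limiter answering the first five queries from the constructed source, then alternating drop and truncate, which is the behaviour that keeps the server useful to real clients while denying the amplification.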
Yet end users also have a role to play in minimizing their exposure to DNS exploits, he advised, urging them to "not just use any old DNS server".
“The average user probably doesn’t think about DNS, but maybe they do need to actually take into account the possibility that the DNS server they are using has been compromised,” he said. “They should be intelligent consumers of DNS and choose according to the reliability of a provider and the security that they provide.”
IBM, for example, together with Packet Clearing House and the Global Cyber Alliance, created an alternative recursive DNS service called Quad9 (9.9.9.9) that proactively blocks lookups of domain names known to be associated with malware distribution, botnet command-and-control, and so on.
Cisco, CloudFlare, Google, and other vendors have positioned their respective DNS services at different levels of policy control, web categorization, speed, and so on.
“You have to identify what features you’re after from your recursive DNS service,” Liu noted, “and decide how well the provider is at actually supporting that functionality.”
More customers understand the importance of DNS than before, thanks to "a general realization among IT professionals, and even higher-level management, that DNS is really a very important service," Liu said. "I'm glad I do not need to explain to people that DNS is important again."
Securing it remains an ongoing effort, however: continuous scrutiny of the open-source DNS software keeps turning up new vulnerabilities that have to be fixed.
Even with the collaboration and shared interests of the security and Internet communities, infrastructure providers cannot declare DNS completely secure.
“We have to gird ourselves for the long haul,” Liu explained. “I don’t think there is any magic bullet; we’re in a constant arms race with the bad guys who dream up these attacks, and then we dream up new mechanisms for addressing those attacks.”
"We cannot abandon DNS; the service is essential and, without it, the Internet would not work."