DNS Cache Poisoning Attack
The DNS cache poisoning attack is also known as the DNS spoofing attack.
- If you recall from our previous lesson on caching in the name resolution section, caching is used extensively in the DNS with the aim of saving network bandwidth and reducing lookup latency.
- The purpose of the DNS cache poisoning attack is to abuse the way DNS caches work by poisoning the resolver's cache, with the goal of achieving DNS spoofing.
- Name lookups originating from a client are then answered by a malicious actor, who redirects the user to a fraudulent web page.
- That website would typically be a mirror of a legitimate site, so that once the end users are redirected they are tricked into taking a specific set of actions engineered by the attacker.
- Some of those actions could involve presenting authentication prompts that encourage the victim to supply their credentials, or luring the user into downloading files infected with malware.
- The impact of this attack can be substantial, since it can lead to stolen credentials, data theft, critical data encrypted by ransomware, compromised hosts that become bots as part of a botnet, and much more.
- If done correctly, not only would the attacker be able to accomplish their aims, but the end user would also remain completely unaware of the fact that they fell victim to this cyber-attack.
The DNS cache poisoning attack has four main threat vectors.
- Man-in-the-middle attack: The attacker places themselves between the client and the server by using an ARP spoofing tool, which lets them modify the MAC addresses in the DNS resolver's ARP table, causing it to think that the attacker's computer is the client.
- At the same time, by utilizing the same tool, the client is also tricked into thinking that the system controlled by the attacker is the DNS server.
- At the end of this process, the attacker can then use a tool such as dnsspoof to direct all DNS requests to the fake sites designed by the attacker.
- DNS server hijacking: This entails compromising the DNS resolver directly, with the goal of injecting false data into its cache to achieve DNS spoofing and redirect the client to the attacker's site.
- Client machine hijacking: Just like DNS server hijacking, this vector involves compromising the client directly. Once the attacker has gained access to the client, they can proceed to inject false DNS data into the hosts file, which, as you remember from the local name resolution section, is consulted by the operating system before DNS kicks in. By poisoning the hosts file, the attacker can therefore accomplish DNS spoofing without even having to worry about the DNS resolver.
- Birthday attack: This is when the attacker tries to guess the transaction ID of the client's DNS request so that they can respond to it with a false response of their own, thus poisoning the cache of the DNS resolver, which from that point on will be serving the attacker's IP address.
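The birthday attack above works because the transaction ID is the only value in a reply that an observer cannot simply copy from the query. The following is an added example, not code from the course: it builds a constructed query and replies in DNS wire format and applies the checks a resolver makes before caching a reply (destination port, QR bit, TXID, echoed question). The port number, TXIDs and IP addresses are constructed; the port check models the source-port randomization modern resolvers use, which the notes do not cover.

```python
import struct

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_query(txid, name):
    """Minimal A-record query: 12-byte header (RD set) plus one question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_reply(txid, name, ip):
    """Constructed answer for the same question; flags 0x8180 = QR, RD, RA; one A record."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1) + rr

def parse_header(pkt):
    txid, flags = struct.unpack("!HH", pkt[:4])
    return {"txid": txid, "qr": (flags >> 15) & 1}

def reply_accepted(outstanding, reply, reply_dst_port):
    """Checks a resolver applies before caching: the reply must be addressed to the
    (randomized) port the query left from, carry QR=1, echo the TXID and echo the
    question. Everything except the port and the TXID is visible to any observer."""
    q, r = parse_header(outstanding["query"]), parse_header(reply)
    if reply_dst_port != outstanding["src_port"] or r["qr"] != 1:
        return False
    if r["txid"] != q["txid"]:
        return False
    question = outstanding["query"][12:]          # name + qtype + qclass
    return reply[12:12 + len(question)] == question

# Constructed scenario: the resolver asked for www.example.com with TXID 0x1234 from port 41852.
OUTSTANDING = {"query": build_query(0x1234, "www.example.com"), "src_port": 41852}
GENUINE = build_reply(0x1234, "www.example.com", "192.0.2.10")
FORGED_WRONG_ID = build_reply(0x4321, "www.example.com", "203.0.113.66")
FORGED_RIGHT_ID = build_reply(0x1234, "www.example.com", "203.0.113.66")

def verdicts():
    """Genuine reply, forged reply with a wrong TXID, forged reply with the right TXID
    on the right port, forged reply with the right TXID on the wrong port."""
    return (reply_accepted(OUTSTANDING, GENUINE, 41852),
            reply_accepted(OUTSTANDING, FORGED_WRONG_ID, 41852),
            reply_accepted(OUTSTANDING, FORGED_RIGHT_ID, 41852),
            reply_accepted(OUTSTANDING, FORGED_RIGHT_ID, 53))
```

The third verdict is the whole point: a forged reply that matches TXID and port is indistinguishable from a genuine one, which is why DNSSEC signatures, not header fields, are the real defence.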
Mitigation measures:
- DNSSEC: DNSSEC is short for Domain Name System Security Extensions, and it is a means of verifying DNS data integrity and origin. DNSSEC uses public-key signatures to verify and authenticate data, thus preventing forgery. The downside to using DNSSEC is that when the DNS resolver needs to verify the signature with the authoritative DNS server, the entire process of name resolution slows down. This is the reason why DNSSEC is still not widely adopted.
- DNS over HTTPS (DoH) and DNS over TLS (DoT): These standards are competing specifications designed to keep DNS requests secure without sacrificing speed the way DNSSEC does.
- Unlike DNSSEC, which verifies the identity of the DNS root servers and authoritative name servers in communication with DNS resolvers, DoH and DoT encrypt DNS traffic, making it harder for attackers to tamper with DNS requests and responses while in transit.
- The most important difference between the two standards is that DoH uses port 443, whereas DoT uses port 853.
- Patching DNS software: If, for example, you have configured your DNS resolver with BIND, make sure that you're using the latest BIND version and that you keep up to date with all the latest security patches.
- Applying endpoint security: Do not forget to harden your client systems by applying appropriate endpoint security to reduce the attack surface and prevent client machine hijacking attacks.
NXDOMAIN Attack
The NXDOMAIN attack is a DNS-based denial-of-service attack which aims at disrupting the availability of the DNS server by flooding it with requests for invalid or non-existent records.
- Using a tool, the attacker can generate and transmit large volumes of requests to the DNS resolver, each for a unique subdomain. As a result, the DNS resolver's continued attempts to resolve the fake domains in the attacker's name lookup requests lead to high resource utilization on the DNS resolver itself, which then finds it more difficult to respond to legitimate requests.
- On top of that, since the records queried by the attacker do not exist, the DNS resolver's cache fills up with NXDOMAIN replies, slowing down the service response time for legitimate requests even further. When the cache fills up with NXDOMAIN responses, valid cache entries get pushed out, resulting in further service degradation.
The two main symptoms of an NXDOMAIN attack:
- The cache of the DNS server fills with NXDOMAIN records, while at the same time resource utilization increases, which makes it more difficult for legitimate requests to be answered by the same server.
Mitigation Measures
- Restrict DNS queries to trusted clients.
- Block the offending source IP addresses.
- Flush the cache on the DNS resolver.
- Use dedicated solutions by specialized vendors.
DNS Query Flood Attack
The DNS query flood attack is another DNS-based denial-of-service attack which aims at disrupting the availability of the DNS server by flooding it with name requests.
Mitigation Measures
- Restrict DNS queries to trusted clients
- Block the offending source IP addresses
- Rate limiting
- Deploy a Cache-only DNS server
- Overprovision bandwidth on the name server
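Both the NXDOMAIN attack symptoms (many unique non-existent names, NXDOMAIN answers crowding the cache) and the plain query flood can be picked out of a resolver's query log before deciding which source addresses to block. The following detector is an added example, not part of the original notes: it assumes a simplified log format of `<epoch> <client-ip> <qname> <rcode>` (not BIND's native format), the thresholds are assumptions, and the traffic is constructed.

```python
import re
from collections import defaultdict

# Assumed log format: "<epoch> <client-ip> <qname> <rcode>" (not BIND's native format).
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")

def parse(lines):
    """Yield (timestamp, client, qname, rcode) for each well-formed log line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3).lower(), m.group(4)

def classify_sources(lines, qps_threshold=50, nx_ratio=0.8, min_queries=20):
    """Map each client to 'nxdomain_flood', 'query_flood' or None. NXDOMAIN flood: mostly
    NXDOMAIN answers and nearly every failed name unique. Query flood: high query rate."""
    stats = defaultdict(lambda: {"q": 0, "nx": 0, "names": set(), "t": []})
    for ts, client, qname, rcode in parse(lines):
        s = stats[client]
        s["q"] += 1
        s["t"].append(ts)
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["names"].add(qname)
    verdicts = {}
    for client, s in stats.items():
        span = max(1, max(s["t"]) - min(s["t"]) + 1)     # seconds covered, at least 1
        qps = s["q"] / span
        unique_failures = len(s["names"]) >= 0.9 * s["nx"]   # random labels, not retried typos
        if s["q"] >= min_queries and s["nx"] / s["q"] >= nx_ratio and unique_failures:
            verdicts[client] = "nxdomain_flood"
        elif qps >= qps_threshold:
            verdicts[client] = "query_flood"
        else:
            verdicts[client] = None
    return verdicts

def block_list(verdicts):
    """Sources to hand to a firewall rule (the 'block the offending source IPs' measure)."""
    return sorted(c for c, v in verdicts.items() if v)

def constructed_log():
    """Constructed sample traffic, not captured from a real resolver: a normal client,
    an NXDOMAIN flood (200 unique labels in 2 s) and a plain query flood (300 in 2 s)."""
    lines = ["1700000000 10.0.0.5 www.example.com NOERROR",
             "1700000001 10.0.0.5 mail.example.com NOERROR",
             "1700000002 10.0.0.5 wwww.example.com NXDOMAIN"]      # a typo, not an attack
    lines += [f"17000000{i % 2:02d} 198.51.100.7 {i:04x}.target.example NXDOMAIN" for i in range(200)]
    lines += [f"17000000{i % 2:02d} 203.0.113.9 www.example.com NOERROR" for i in range(300)]
    return lines
```

On real resolver logs the thresholds need tuning per deployment; the unique-failure test is what separates an attack from a client repeatedly retrying a mistyped name.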
Phantom Domain Attack
But what about attacks that take the form of requests against real domains whose name servers simply do not respond? Well, there is just such an attack, known as the phantom domain attack.
- In a phantom domain attack, the malicious actor lays the groundwork by first configuring several domains. Then they configure the authoritative name servers of those domains to either respond to requests very slowly or not respond at all.
- Once they have done this work, the attacker then proceeds to send a huge number of queries to the victim DNS resolver, which must spend time and resources doing the recursion against the records of the phantom domains, whose name servers will simply not respond.
- As such, the phantom domain attack is yet another type of DNS-based denial-of-service attack, since its goal is to exhaust the resources of the DNS resolver and disrupt its availability for legitimate users.
Mitigation Measures
- Rate limiting
- Restricting recursive queries per server and per zone
- Using dedicated solutions by specialized vendors
- For example, F5 BIG-IP is designed to time out the connection and release the requests in the queue, so that the resolver doesn't need to wait for responses that will never come.
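Why a per-server recursion cap together with a timeout keeps a resolver usable under a phantom domain attack can be seen in a small simulation. This is an added toy model, not code from the course, from F5 or from BIND (BIND exposes comparable caps as its fetches-per-server and fetches-per-zone options); the slot count, traffic rates and the 10-second timeout are assumptions.

```python
from collections import defaultdict

class FetchTable:
    """Toy model (constructed for illustration, not BIND's algorithm) of a resolver's
    outstanding recursive fetches: a global pool of slots, an optional per-server cap,
    and a timeout that releases slots held by servers that never answer."""
    def __init__(self, slots, per_server_cap=None, timeout=10):
        self.slots, self.per_server_cap, self.timeout = slots, per_server_cap, timeout
        self.pending = []                   # (server, started_at) for unanswered fetches
        self.per_server = defaultdict(int)  # outstanding fetches per upstream server
        self.served = defaultdict(int)      # answered queries, keyed by upstream server
        self.refused = defaultdict(int)     # queries dropped for lack of a slot

    def expire(self, now):
        """Release slots whose upstream server has not answered within the timeout."""
        live = []
        for server, started in self.pending:
            if now - started >= self.timeout:
                self.per_server[server] -= 1
            else:
                live.append((server, started))
        self.pending = live

    def query(self, now, server, responsive):
        """Try to recurse to `server`; a responsive server frees its slot immediately."""
        self.expire(now)
        cap = self.per_server_cap
        if len(self.pending) >= self.slots or (cap is not None and self.per_server[server] >= cap):
            self.refused[server] += 1
            return False
        if responsive:
            self.served[server] += 1
            return True
        self.pending.append((server, now))  # phantom server: slot stays occupied
        self.per_server[server] += 1
        return True

def simulate(per_server_cap, seconds=60):
    """Traffic mix: 10 queries/s aimed at a phantom domain's silent name server plus
    1 legitimate query/s. Returns (legitimate served, legitimate refused)."""
    table = FetchTable(slots=100, per_server_cap=per_server_cap, timeout=10)
    for t in range(seconds):
        for _ in range(10):
            table.query(t, "ns.phantom.example", responsive=False)
        table.query(t, "ns.legit.example", responsive=True)
    return table.served["ns.legit.example"], table.refused["ns.legit.example"]
```

With no per-server cap the 100 slots are held by the silent server after nine seconds and every later legitimate query is refused even though slots are recycled by the timeout; with a cap of 20 fetches per server the phantom traffic can never hold more than 20 slots and all 60 legitimate queries are answered.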