The challenge of ensuring effective protection against DNS attacks
Article by ExtraHop principal security engineer Khurram Waheed.
Invented in the early 1980s, the Domain Name System (DNS) protocol can be thought of as the phone directory for the internet. Matching domain names with IP addresses, it’s a fundamental part of the global network.
Unfortunately, it’s also a popular target for cybercriminals. Disposable or compromised domain names are used in spam campaigns, botnet management, host phishing, and to spread malware downloads.
The ways in which bad actors can use DNS to mount attacks are numerous. Here are some of the most popular ones.
Distributed denial of service (DDoS) attacks
Any queries from addresses that have not been authorised for use are possible indications of DDoS attacks. This is especially the case when they coincide with high DNS query volume or queries that use transmission control protocol (TCP) instead of user datagram protocol (UDP).
Name server or resolver attack
Several different activities can produce unauthorised DNS queries, including attempts to exploit vulnerabilities in the name server or resolver identified by the destination IP address. These queries could also indicate a device on the network that isn’t operating correctly, or an unsuccessful attempt to remove malware.
Queries sent to unauthorised resolvers are strong indicators that there may be an infected host in the network. There may also be queries requesting resolution of known malicious domain names or names with typical characteristics of domain generation algorithms (DGAs) that are already associated with malware activity.
Malicious data delivery
Unusually large response messages are often seen in amplification attacks that target a small number of low-level resources. Abnormal responses in the ‘answer’ or ‘additional’ sections might be caused by attempts at cache poisoning or covert channels. Monitoring the length and composition characteristics of DNS responses can keep teams apprised of malicious intent.
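The query-side signals described in the sections above (unauthorised source addresses, queries to unauthorised resolvers, TCP instead of UDP, high per-source volume, DGA-like names and oversized responses) can be turned into simple detection logic. The following is an added example, not code from the article or from ExtraHop: it runs those checks over a handful of constructed DNS events. The address policy (clients in 10.0.0.0/8, a single approved resolver at 10.0.0.53), the entropy and length thresholds for the DGA heuristic, and the amplification ratio are all assumptions chosen for illustration.

```python
import ipaddress
import math
from collections import Counter

# Constructed sample DNS events (not captured traffic). Each record is one
# query together with the size in bytes of the response it produced.
SAMPLE_EVENTS = [
    {"id": 1, "src": "10.0.0.5", "dst": "10.0.0.53", "proto": "udp",
     "qname": "www.example.com", "qsize": 45, "rsize": 120},
    {"id": 2, "src": "10.0.0.5", "dst": "8.8.8.8", "proto": "udp",
     "qname": "mail.example.com", "qsize": 46, "rsize": 110},
    {"id": 3, "src": "203.0.113.9", "dst": "10.0.0.53", "proto": "udp",
     "qname": "example.com", "qsize": 40, "rsize": 3200},
    {"id": 4, "src": "10.0.0.7", "dst": "10.0.0.53", "proto": "udp",
     "qname": "xk3q9v2mz7b1pq8r.net", "qsize": 50, "rsize": 0},
    {"id": 5, "src": "10.0.0.8", "dst": "10.0.0.53", "proto": "tcp",
     "qname": "intranet.example.com", "qsize": 50, "rsize": 130},
]

# Assumed policy: hosts in 10.0.0.0/8 may send queries, and 10.0.0.53 is the
# only resolver the organisation has approved.
AUTHORISED_CLIENTS = [ipaddress.ip_network("10.0.0.0/8")]
AUTHORISED_RESOLVERS = {"10.0.0.53"}


def shannon_entropy(text):
    """Bits of entropy per character; random-looking DGA labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_label(qname):
    return max(qname.rstrip(".").split("."), key=len)


def is_dga_like(qname, min_len=12, min_entropy=3.5):
    """Assumed heuristic: a long, high-entropy label looks machine-generated."""
    label = longest_label(qname)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def is_authorised_client(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in AUTHORISED_CLIENTS)


def flag_queries(events, volume_threshold=100, amp_ratio=10):
    """Return {event id: [reasons]} for every event that trips at least one check."""
    per_source = Counter(e["src"] for e in events)
    flags = {}
    for e in events:
        reasons = []
        if not is_authorised_client(e["src"]):
            reasons.append("unauthorised source")
        if e["dst"] not in AUTHORISED_RESOLVERS:
            reasons.append("unauthorised resolver")
        if e["proto"] == "tcp":
            reasons.append("tcp transport")
        if per_source[e["src"]] >= volume_threshold:
            reasons.append("high query volume")
        if is_dga_like(e["qname"]):
            reasons.append("dga-like name")
        # Response many times larger than the query is the amplification pattern.
        if e["qsize"] and e["rsize"] / e["qsize"] >= amp_ratio:
            reasons.append("amplified response")
        if reasons:
            flags[e["id"]] = reasons
    return flags


if __name__ == "__main__":
    for event_id, reasons in flag_queries(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(reasons))
```

Each reason is a weak signal on its own: TCP is legitimate for responses that exceed the UDP size limit, and a short random-looking label can be a CDN hostname, so the value is in the combination of reasons per event and in the volume of events per source, not in any single check.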
DNS response modification
If DNS responses for an organisation’s own domains resolve to unfamiliar IP addresses, or come from name servers that the IT team didn’t authorise to host those zones, external actors might have modified the responses. Such responses could also indicate that the domain’s registration account has been hijacked.
Responses from IP addresses assigned to a broadband access network or other suspicious IP addresses can signify botnet control within a network. Botnets can also cause DNS traffic to appear on nonstandard ports. Botnets might also cause many NXDOMAIN responses or responses that resolve domains with a short time to live (TTL).
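The response-side indicators in this section (own domains resolving to unexpected addresses, answers from unauthorised name servers, servers in broadband address ranges, DNS on nonstandard ports, bursts of NXDOMAIN and very short TTLs) can be checked in the same way. This is an added example, not code from the article or from ExtraHop, run over constructed response records. The expected addresses for www.example.com, the approved server at 10.0.0.53, the TTL and NXDOMAIN thresholds, and the choice of 100.64.0.0/10 (the shared address space used for carrier-grade NAT) as the only "broadband" range are assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample DNS responses as seen on the wire (not captured traffic).
# "server" and "sport" are the address and port the response came from.
SAMPLE_RESPONSES = [
    {"id": 1, "client": "10.0.0.5", "server": "10.0.0.53", "sport": 53,
     "qname": "www.example.com", "rcode": "NOERROR",
     "answers": ["198.51.100.10"], "ttl": 3600},
    {"id": 2, "client": "10.0.0.5", "server": "10.0.0.53", "sport": 53,
     "qname": "www.example.com", "rcode": "NOERROR",
     "answers": ["203.0.113.77"], "ttl": 60},
    {"id": 3, "client": "10.0.0.6", "server": "192.0.2.9", "sport": 53,
     "qname": "news.example.org", "rcode": "NOERROR",
     "answers": ["192.0.2.50"], "ttl": 600},
    {"id": 4, "client": "10.0.0.7", "server": "100.64.3.3", "sport": 5353,
     "qname": "update.example.net", "rcode": "NOERROR",
     "answers": ["100.64.3.3"], "ttl": 30},
    {"id": 5, "client": "10.0.0.8", "server": "10.0.0.53", "sport": 53,
     "qname": "a1.example.org", "rcode": "NXDOMAIN", "answers": [], "ttl": 0},
    {"id": 6, "client": "10.0.0.8", "server": "10.0.0.53", "sport": 53,
     "qname": "b2.example.org", "rcode": "NXDOMAIN", "answers": [], "ttl": 0},
    {"id": 7, "client": "10.0.0.8", "server": "10.0.0.53", "sport": 53,
     "qname": "c3.example.org", "rcode": "NXDOMAIN", "answers": [], "ttl": 0},
]

# Assumed policy (illustrative values): the organisation's own names and the
# addresses they should resolve to, the name servers it authorised, the
# address ranges it treats as broadband/consumer space, and the thresholds.
OWN_DOMAINS = {"www.example.com": {"198.51.100.10", "198.51.100.11"}}
AUTHORISED_SERVERS = {"10.0.0.53"}
BROADBAND_RANGES = [ipaddress.ip_network("100.64.0.0/10")]  # CGNAT shared space
SHORT_TTL = 300          # seconds; anything at or below this counts as short
NXDOMAIN_BURST = 3       # NXDOMAIN responses per client in the window


def in_broadband_range(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BROADBAND_RANGES)


def flag_responses(responses):
    """Return {response id: [reasons]} for every response that trips a check."""
    nx_per_client = Counter(r["client"] for r in responses
                            if r["rcode"] == "NXDOMAIN")
    flags = {}
    for r in responses:
        reasons = []
        expected = OWN_DOMAINS.get(r["qname"])
        # Our own name answered with an address we do not publish.
        if expected is not None and not set(r["answers"]) <= expected:
            reasons.append("own domain resolved to unexpected address")
        if r["server"] not in AUTHORISED_SERVERS:
            reasons.append("unauthorised name server")
        if in_broadband_range(r["server"]):
            reasons.append("response from broadband range")
        if r["sport"] != 53:
            reasons.append("nonstandard port")
        # TTL only means something when there is an answer to cache.
        if r["answers"] and r["ttl"] <= SHORT_TTL:
            reasons.append("short ttl")
        if r["rcode"] == "NXDOMAIN" and nx_per_client[r["client"]] >= NXDOMAIN_BURST:
            reasons.append("nxdomain burst")
        if reasons:
            flags[r["id"]] = reasons
    return flags


if __name__ == "__main__":
    for response_id, reasons in flag_responses(SAMPLE_RESPONSES).items():
        print(response_id, ", ".join(reasons))
```

The NXDOMAIN count is taken over the whole batch before any response is scored, so every response in a burst is labelled, not just the one that crosses the threshold. Short TTLs are also used legitimately by content delivery networks, which is why the check is reported as one reason among several rather than as an alert on its own.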
The challenge of effective DNS monitoring
Unfortunately, many traditional detection and prevention tools and strategies are not designed to defend against these types of attacks effectively. This is one of the reasons why DNS is such a popular attack method.
For example, DNS logging has numerous pitfalls and complications. For one, it doesn’t scale very well, and a single DNS query can generate more than ten events on a Windows host. The compute and storage requirements are simply untenable.
Relying on a firewall is also not effective. DNS traffic is generally allowed to pass through perimeter defences, such as firewalls, that otherwise block inbound and outbound malicious traffic. Of course, it’s possible to define a rule that denies any DNS queries from IP addresses outside an organisation’s allocated address space. Still, advanced DNS tunnelling can easily evade these defences.
Teams can also use intrusion detection systems (IDS). However, these rely on signatures to detect malicious activity, meaning that they cannot detect unusual behaviour that deviates from normal patterns but matches no known signature. This makes DNS-based command and control (C2) an attractive exfiltration tactic for pivoting attackers that wish to evade IDS detection.
Network traffic holds the key
Network detection and response (NDR) is uniquely suited to detect malicious DNS activity. Unlike signature-based detections, NDR uses machine learning to analyse network traffic to establish a baseline for normal DNS behaviour. It then detects anomalous behaviour that could signify an attack.
Baselines are established for features such as the number of requests made, geographic locations, domain history, and the entropy of the query structures. Teams can then use deviations from those baselines to quickly identify post-compromise activity. The machine learning and behavioural detections used by NDR to detect indicators of compromise can also be extended to the edge for higher-fidelity DNS-based intrusion detection.
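To make the idea of a per-host baseline concrete, the following added example (not code from the article, and not ExtraHop's detection engine) learns a simple baseline from a constructed seven-day history and reports deviations. Numeric features (daily query count and NXDOMAIN ratio) are scored as z-scores against the history, and a categorical feature (countries the resolved addresses were geolocated to) is flagged when a value appears that the history never contained. The history, today's values, the three-sigma threshold and the floor applied to very small standard deviations are all assumptions for illustration; the country code "XX" is a placeholder.

```python
from statistics import mean, pstdev

# Constructed seven-day history per host (not real data): daily query count,
# daily NXDOMAIN count, and the set of countries the answers geolocated to.
HISTORY = {
    "host-a": [
        {"queries": 410, "nxdomain": 4, "countries": {"GB", "US"}},
        {"queries": 395, "nxdomain": 3, "countries": {"GB", "US"}},
        {"queries": 430, "nxdomain": 5, "countries": {"GB", "US"}},
        {"queries": 405, "nxdomain": 4, "countries": {"GB"}},
        {"queries": 420, "nxdomain": 6, "countries": {"GB", "US"}},
        {"queries": 398, "nxdomain": 3, "countries": {"GB", "US"}},
        {"queries": 415, "nxdomain": 4, "countries": {"GB", "US", "DE"}},
    ],
    "host-b": [
        {"queries": 120, "nxdomain": 1, "countries": {"GB"}},
        {"queries": 135, "nxdomain": 2, "countries": {"GB"}},
        {"queries": 110, "nxdomain": 1, "countries": {"GB"}},
        {"queries": 128, "nxdomain": 1, "countries": {"GB"}},
        {"queries": 122, "nxdomain": 2, "countries": {"GB"}},
        {"queries": 131, "nxdomain": 1, "countries": {"GB"}},
        {"queries": 118, "nxdomain": 1, "countries": {"GB"}},
    ],
}

# Constructed observations for the current day ("XX" is a placeholder country).
TODAY = {
    "host-a": {"queries": 425, "nxdomain": 5, "countries": {"GB", "US"}},
    "host-b": {"queries": 2600, "nxdomain": 1900, "countries": {"GB", "XX"}},
}


def nxdomain_ratio(day):
    return day["nxdomain"] / max(day["queries"], 1)


# Numeric features with the floor applied to their standard deviation, so a
# perfectly flat history cannot produce a division by zero or an infinite score.
FEATURES = {
    "queries": (lambda d: d["queries"], 1.0),
    "nxdomain_ratio": (nxdomain_ratio, 0.01),
}


def zscore(values, value, floor):
    """Standard deviations between `value` and the mean of `values`."""
    sigma = max(pstdev(values), floor)
    return (value - mean(values)) / sigma


def score_host(history, today, threshold=3.0):
    """Return the features on which `today` deviates from `history`."""
    findings = {}
    for name, (extract, floor) in FEATURES.items():
        past = [extract(day) for day in history]
        z = zscore(past, extract(today), floor)
        if abs(z) >= threshold:
            findings[name] = round(z, 1)
    seen = set().union(*(day["countries"] for day in history))
    new = today["countries"] - seen
    if new:
        findings["new_countries"] = sorted(new)
    return findings


def flag_deviations(history=HISTORY, today=TODAY, threshold=3.0):
    """Return {host: findings} for hosts whose day does not fit their baseline."""
    flagged = {}
    for host, observation in today.items():
        findings = score_host(history[host], observation, threshold)
        if findings:
            flagged[host] = findings
    return flagged


if __name__ == "__main__":
    for host, findings in flag_deviations().items():
        print(host, findings)
```

Host-a stays within its own noise and produces no finding, while host-b's twenty-fold jump in queries, an NXDOMAIN ratio far above anything in its history, and a country it has never resolved to before are reported together. A real deployment would use much longer windows and per-feature thresholds, but the shape is the same: learn what each host normally does, then alert on the distance from that, not on a fixed signature.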
DNS is going to remain at the heart of the internet for many years. So, taking the time to put in place effective security measures can reduce the chance of successful attacks further down the line.