There’s been much talk about Domain Name System (DNS) attacks after the Syrian Electronic Army’s (SEA) cyber attack on the Web sites of the New York Times, Twitter, the Huffington Post and other high-profile sites.
Cory von Wallenstein, chief technology officer of Dyn, an infrastructure-as-a-service (IaaS) firm specializing in DNS and e-mail management, yesterday wrote a blog post detailing three ways hackers can launch similar DNS attacks. He also provided advice on how organizations can mitigate the effects of such attacks:
Cache poisoning – Attackers inject malicious DNS data into the recursive DNS servers operated by Internet Service Providers (ISPs). The damage caused by this attack is localized to the specific users who connect to the compromised servers.
The workaround for this type of attack, von Wallenstein said, involves using good standards such as DNSSEC (Domain Name System Security Extensions) to provide additional protection.
Changing the DNS data – Attackers take over one or more authoritative DNS servers for a domain. Then they change the DNS data.
The effect of such an attack would be “global.” Good security practices such as strong passwords, IP access control lists (ACLs) and social engineering training will help guard against such an attack – this is the type of service Dyn provides to Twitter, according to von Wallenstein.
Taking over the registration of a domain – This is the most difficult of the three attacks to launch. Attackers take over the registration of a domain and change its authoritative DNS servers.
This was the type of attack used by the Syrian Electronic Army. They gained access to the domain registration accounts operated by Melbourne IT and changed the authoritative DNS servers to ns1.syrianelectronicarmy.com and ns2.syrianarmyelectronicarmy.com.
Such an attack allows hackers to redirect e-mail and other services provided to clients. Also, when the DNS records point at a different IP address, everyone is going to know that your site has been hijacked.
Apart from following best security practices to protect authoritative servers, companies can also consider hosting authoritative servers within their organization to better protect them.
The changes created by this attack are globally cached on recursive DNS servers for a full day. “Unless they are purged, it takes a full day or longer for the effects to be reversed,” von Wallenstein said.
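A defender can catch the delegation change described in the registration-hijack section, and estimate from record TTLs how long recursive servers may keep the stale data, by comparing the NS records a resolver returns against the set the organization expects. The following is an added example, not code from Dyn or from the article; the domain names, the expected name-server set and the dig-style answer text are constructed placeholders.

```python
"""Flag an unexpected change of a domain's authoritative name servers and
report how long resolvers may keep cached delegation data (max TTL)."""
import re
from dataclasses import dataclass

# Constructed placeholders: the name servers the organization expects to see.
EXPECTED_NS = {"ns1.example.net.", "ns2.example.net."}

# Constructed answer text in dig-style format: name, TTL, class, type, rdata.
SAMPLE_CLEAN = """\
example.com.    86400   IN  NS  ns1.example.net.
example.com.    86400   IN  NS  ns2.example.net.
"""

# Constructed answer showing a hijacked delegation (attacker-chosen hosts).
SAMPLE_HIJACKED = """\
example.com.    86400   IN  NS  ns1.attacker-controlled.example.
example.com.    86400   IN  NS  ns2.attacker-controlled.example.
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


@dataclass
class DelegationReport:
    unexpected: set        # NS names present that are not in the expected set
    missing: set           # expected NS names absent from the answer
    max_ttl_seconds: int   # longest TTL seen: upper bound on cached stale data

    @property
    def hijacked(self) -> bool:
        return bool(self.unexpected)


def parse_ns_records(answer: str):
    """Yield (ttl, target) for each NS resource record in the answer text."""
    for line in answer.splitlines():
        m = RR_LINE.match(line.strip())
        if m and m.group(3) == "NS":
            yield int(m.group(2)), m.group(4).lower()


def check_delegation(answer: str, expected: set) -> DelegationReport:
    records = list(parse_ns_records(answer))
    seen = {name for _, name in records}
    max_ttl = max((ttl for ttl, _ in records), default=0)
    return DelegationReport(seen - expected, expected - seen, max_ttl)


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("hijacked", SAMPLE_HIJACKED)):
        r = check_delegation(sample, EXPECTED_NS)
        print(f"{label}: hijacked={r.hijacked} unexpected={sorted(r.unexpected)} "
              f"stale data may persist up to {r.max_ttl_seconds / 3600:.0f}h")
```

Run periodically against the output of a real resolver query for your own domain; an alert on `hijacked` is the signal to contact the registrar and request that recursive caches be purged.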